Release notes

New values added

Bonita Test Toolkit - Subscription editions

When working on complex, core, and critical automation projects it is critical to ensure the right business logic is applied. Secure your automation project with the new development suite component: the Bonita Test Toolkit.

This toolkit allows professional developers to write end-to-end or integration test scenarios for your automation project. It provides powerful methods to execute all the steps of a process and check the corresponding outputs (statuses, business data, tasks used)

It can be used in any IDE and can easily be integrated into a Continuous Integration.

For more information, go visit the dedicated new menu in the documentation web site.

Improvements

Runtime Health check endpoint - Subscription editions

A healthcheck endpoint has been added to Bonita Runtime to help you monitor the status of all engine layers, up to the database:

  • general status and connection type

  • uptime in seconds

  • platform state

  • platform version

  • platform node status started

  • days till license expiration

  • execution time in milliseconds

This end-point is available on the 'https://<yourruntime>/bonita/healthz' URL, the access being protected with Basic Auth authentication.

Credentials can be consulted here:

  • in the <BONITA>/server/conf/tomcat-users.xml file, in a Bonita Tomcat bundle

  • using monitoring credentials, when starting a Bonita Docker image

For more information, go visit the dedicated documentation page.

Those credentials MUST be changed.

Log level change without restart

It is now possible to change the log level of Bonita Runtime without restarting it, thanks to Log4j2 (details available in the Technical updates chapter).

Functional changes

Engine HTTP APIs protected with Basic Auth

Previously, engine HTTP APIs were used to access Bonita Engine Java APIs directly through HTTP. starting with Bonita 2022.1, their access is protected with Basic Access authentication.

The configuration is different depending on the Bonita package:

  • In Bonita Tomcat bundle, HTTP APIs are active by default, and default credentials of client configuration using programmatic configuration are used. They can be changed in file <BONITA>/server/conf/tomcat-users.xml.

  • In Bonita Docker image, HTTP APIs are disabled by default, with http-api as the default username, and no default password. The password must be provided, otherwise the Docker container will refuse to start.

Prometheus monitoring active by default - Subscription editions

From Bonita 2022.1 on, the Prometheus metrics publisher is now active by default and can be disabled if needed.
Its access is now controlled with Basic Auth authentication to protect against DOS attacks.

This end-point is available on the 'https://<yourruntime>/bonita/healthz' URL, with the access protected with Basic Auth authentication.

These credentials can be consulted:

  • in the <BONITA>/server/conf/tomcat-users.xml file, in a Bonita Tomcat bundle

  • using monitoring credentials, when starting a Bonita Docker image

Those credentials MUST be changed.

Dynamic permissions authorization check is enabled by default - Subscription editions

Dynamic permissions authorization check is active by default for new Enterprise edition installations.
When updating to 2022.1, the existing activated access control mechanism will not be changed. A set of default dynamic rules are provided in Bonita Runtime. Go through them before creating custom ones for your application pages.

This change can have an impact when updating a project in Bonita Studio for which permissions have been neglected.

For example, if a non-admin user was allowed to perform REST requests intended for administrators only, having dynamic permissions activated by default will not allow this access anymore. Pages with "403 error" have been prepared for this case. You can troubleshoot these issues using Bonita Engine logs.

For Community users who update to 2022.1, dynamic permission authorization checks will not be executed anymore, even if the configuration stays unchanged. Obviously, you can develop a custom execution script or upgrade to Bonita Enterprise edition (as the configuration will not be changed by Bonita, it will be fully functional).

Connector Retry

When Bonita Engine fails to evaluate the output operations of a connector, the retry mechanism is not automatic. It is the platform administrator’s choice to re-execute the connector or not, based on the impact analysis. Go through the connector documentation for details about connector failure and replay.

Technical updates

Log4j2 Logger

Bonita Runtime now uses Log4j2 as its logger. One of the multitudes of advantages brought by this tool is the automatic reload of configuration files. There is no more need to restart Bonita Runtime to have the log level change effective. In the configuration file, the log level can be changed ON THE RUN and can be different for each package.

For example: By changing the log level of the org.bonitasoft package and setting it to DEBUG, more information will be provided in the terminal at the next connection.

More information on how to use it in Bonita Docker image here and in the bundle here.

If, in the previous version, you customized the logging.properties file, you should update log4j2-loggers.xml as described in the logger configuration documentation pages here and there.

A conversion table between logger levels in JUL and in Log4j2 is available here.

If you want to continue using the previous log format, the previous pattern is present in the log4j2-appenders.xml file but commented.

The Tomcat bundle does not log anymore in the console but only in bonita.log file. It can be changed in log4j2-appenders.xml

Enterprise Docker image

Docker image is now focused on the RUN phase, with environment preparation being handled as on-premise installations. This means that the database schema and the associated user will not be created when starting the Docker image. The database has to be created before the Docker image starts. NOTE: We provide pre-configured database images with included schema and users on Bonitasoft Docker Hub.

LDAP Synchronizer is now out of Bonita Docker image and is available as an independent Docker image ready for download from quay.io as detailed in the documentation.

Robustness and self-recovery capabilities were added to the data source to overcome network lags.

Folder structure inside Bonita Docker images has been simplified: instead of having /opt/bonita/BonitaCommunity-2022.1 or /opt/bonita/BonitaSubscription-2022.1, we now simply have /opt/bonita.

If you have scripts using the former folder structure, please update them.

To ensure a smooth and intuitive Bonita Runtime configuration experience, environment properties and configuration variables naming have been reviewed.

The following environment properties were removed:

  • ENSURE_DB_CHECK_AND_CREATION

  • DB_DROP_EXISTING

  • BIZ_DB_DROP_EXISTING

  • DB_ADMIN_USER

  • DB_ADMIN_PASS

To rationalize the Bonita configuration variables, some properties have been renamed:

  • REST_API_DYN_AUTH_CHECKS flag is replaced by BONITA_RUNTIME_AUTHORIZATION_DYNAMICCHECK_ENABLED. See the dedicated section for details.

Also, to make the Bonita Docker image configuration easier, new environment variables have been added:

  • HTTP_API_USERNAME

  • HTTP_API_PASSWORD

  • JMX_REMOTE_ACCESS

  • REMOTE_IP_VALVE_ENABLED

  • ACCESSLOGS_STDOUT_ENABLED

  • ACCESSLOGS_FILES_ENABLED

  • ACCESSLOGS_PATH

  • ACCESSLOGS_PATH_APPEND_HOSTNAME

  • ACCESSLOGS_MAX_DAYS

  • HTTP_MAX_THREADS

Feature deprecations and removals

SVN

The SVN feature is now deprecated. We recommend that you migrate your repositories to a GIT repository. This documentation page describes how to migrate an SVN repository to Github.

REST API

  • Deprecated: filter page using the isHidden attribute on the api API/portal/page. That field is not used anymore and is always false. Bonita Runtime produces a warning log if the filter is set and ignores it.

  • Removed: the ReportingAPI is removed as well as its associated engine API.

Multi-Tenancy

The tenant creation method has been deprecated following our 2021.1 decision to deprecate the Multi-Tenants architecture.

Potential need of declaring external Maven Repository

From version 2022.1-u2, if you embed bonita-server(-sp).jar in your application, you need to configure an additional Maven Repository. This is due to Security Fixes that required the use of a dependency NOT present in default Maven Repository (aka Maven Central).

To do so, you can abstract this additional complexity by putting this configuration in your enterprise repository manager which acts as a proxy to any external repositories you may have.

You can also simply add it in your pom.xml / build.gradle (or globally in your Maven settings.xml):

Pom.xml

<repositories>
    [...]
    <repository>
        <id>terracotta.org</id>
        <name>terracotta.org</name>
        <url>https://repo.terracotta.org/maven2/</url>
    </repository>
</repositories>

build.gradle

repositories {
    mavenCentral()
    maven {
        url 'https://repo.terracotta.org/maven2/'
    }
}

Bug fixes

Fixes in Bonita 2022.1-u8 (2024-01-29)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1802 - Search fields don’t work when search term contain special characters

  • RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

  • CVE-58 - Some UI screens in administration panel have been secured against stored XSS attacks. We also introduced a backend input validation to prevent storing XSS attacks in the database.
    We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

Fixes in Bonita Studio including Bonita UI Designer

  • UID-727 - Invalid js minification

Fixes in Bonita 2022.1-u7 (2023-11-24)

Fixes in Bonita Studio including Bonita UI Designer

  • STUDIO-4468 - Some of shortcuts in script editor not working in Debian 10/11

  • STUDIO-4478 - BPMN Export text as CDATA

  • STUDIO-4483 - BonitaMarketplace: NPE generated in the log file when the HTTP response’s entity-body is empty

  • STUDIO-4490 - Exception at runtime: the Call activity is wrong in the process-design.xml generated

  • UID-723 - Update to 7.14: Web browser’s disk and memory caches break the product and custom pages

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-38 - hasContent column stays as TRUE after using deleteContentOfArchivedDocument method

  • RUNTIME-1049 - Error message not explicit in Portal when creating a user with password policy enforced

  • RUNTIME-1642 - Visual glitch in the categories label

  • RUNTIME-1679 - We can’t set a timezone to bonita containers

  • RUNTIME-1704 - Process supervisor mapping cannot be deleted

  • RUNTIME-1730 - Update several dependencies

  • RUNTIME-1753 - ClientAbortException: java.io.IOException: Broken pipe errors in runtime logs

  • RUNTIME-1775 - Modify java modules permissions for Hazelcast

  • RUNTIME-1785 - OIDC SSO: "Basic" authentication header is encoded in 8-bit and is not compatible with some IdPs

Fixes in Bonita 2022.1-u6 (2023-05-22)

Fixes in Bonita Studio including Bonita UI Designer

  • STUDIO-4451 - Dependency remote lookup failed when central is not reachable

  • STUDIO-4452 - Groovy script validation marker disappear on refresh validation

  • STUDIO-4454 - Changing tabs in expression editor duplicates the expression

  • STUDIO-4455 - Deploying an organisation fails if a parent and child process instances are still running in the Studio’s engine Tomcat

  • STUDIO-4457 - Error when importing an API EXT via zip file

  • STUDIO-4458 - Custom page name conflict not detected at deploy

  • STUDIO-4460 - Some of shortcuts in script editor not working when using studio 2022.2 compared to studio 7.11.5.

  • STUDIO-4461 - Studio 7.13+ → the import of a .bos file generated with a 7.7 Studio generates java lib dependency errors

  • STUDIO-4462 - Validate action stuck

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-369 - Uploaded file names are not XSS proof

  • RUNTIME-747 - 2 requests to install the BDM generate errors

  • RUNTIME-1016 - Connection Pool attribute name testWithIdle is wrong in bonita template and default files - correct name is testWhileIdle

  • RUNTIME-1555 - [Users mapped to process manager profile] - If select one user in search list then all users are selected

  • RUNTIME-1566 - Logger configuration failure with Bonita docker image

  • RUNTIME-1567 - When deploying a layout, the permissions corresponding to the 'resources' in page.properties are not added into the compound-permissions-mapping-internal.properties

  • RUNTIME-1578 - [Security] Update several dependencies for 2022.1-u6 (7.14.6)

  • RUNTIME-1582 - [Permissions] New ProcessPermissionRule grants access to ANY user provided the process has pending tasks.

  • RUNTIME-1590 - Users have access to overview of process even if they are not involved in it

  • RUNTIME-1591 - [SSO] OIDC packaging (ECDSA KeyFactory not available)

  • RUNTIME-1625 - REST API extension does not match when url starts with a / in page.properties resulting in 403 error

  • RUNTIME-1630 - bonita/portal/custom-page: HTTP status 500 Internal error + NPE

  • RUNTIME-1639 - In Bonita Admin app - keep the selected filter when going "back"

  • RUNTIME-1645 - [SSO] OIDC client adds port 0 to redirect-uri-path configured in keycloak-oidc.json when using HTTPS

  • RUNTIME-1648 - [Permissions][Admin App] Page permission warning is not implemented in resource page

  • RUNTIME-1650 - [SSO] OIDC missing authentication method client_credential_post for token request

  • RUNTIME-1656 - Process list filter remain empty in user case list

  • RUNTIME-1662 - [SSO] OIDC front channel logout is not working

  • RUNTIME-1663 - In a Bonita cluster, configuration updates are not effective unless all the nodes are stopped at once, then restarted one after another

  • RUNTIME-1666 - Process variables information missing in case details section for archived cases.

  • RUNTIME-1668 - Error message displayed when mapping 6th role to process actors

  • RUNTIME-1672 - An HTTP call to portal back-end generates a wrong redirect instead of an error

  • RUNTIME-1680 - [Permissions] Dynamic permission DownloadDocumentPermissionRule - user doesn’t have access to downloaded document

  • RUNTIME-1688 - The X-Frame-Options header set in bonita pages no longer allows to specify authorized origins for parent frames

  • RUNTIME-1699 - CSRF Token Validation Filter and RestAPI Authorization Filter copy multiparts requests content in memory

  • RUNTIME-1700 - Some parameters from JAVA_OPTS environment variable (Docker image) are not taken into account

  • RUNTIME-1701 - Event USER_CREATED is never raised

Fixes in Bonita 2022.1-u5 (2022-11-30)

Fixes in Bonita Studio including Bonita UI Designer

  • STUDIO-4426 - Fix Type lost on condition after variable removal

  • STUDIO-4437 - Fix SNAPSHOT external lib not displayed in "add dependency" in process configuration

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-145 - Fix User creation on the fly when role doesn’t exist

  • RUNTIME-626 - Fix Waiting events of Start events not created when process is deployed using BCD and has a .bconf file

  • RUNTIME-752 - Fix Error 404 resulting in blank task list

  • RUNTIME-1225 - Fix LDAP Synch: trailing whitespaces/tab characters not stripped when parsing configuration file values

  • RUNTIME-1431 - Fix Instantiation REST service Exposing the groovy script after an exception

  • RUNTIME-1434 - Fix custom user information truncated in admin app

  • RUNTIME-1451 - Fix [Security] Update several dependencies for 2022.1-u5 (7.14.5)

  • RUNTIME-1476 - Fix Default dynamic permissions: process deployers, process initiators and process managers should access GET bpm/process

  • RUNTIME-1485 - Fix [SSO] Allow the usage of any claim of the ID token for the OIDC adapter to fetch the username value from

  • RUNTIME-1486 - Fix [Rest API Extension]Archetype generating bad InputStream management code

  • RUNTIME-1527 - Fix Platform API resources access should not need an API session along with the platform session

  • RUNTIME-1545 - Fix [SSO] OIDC auto detect bearer only option breaking json requests

  • RUNTIME-1552 - Fix [SSO] OIDC bearer requests blocked by CSRF protection

  • RUNTIME-1559 - Fix LDAP Synch: when number of members in an Active Directory group > MaxValRange, last page of members not synchronised

  • RUNTIME-1562 - Fix Session invalidated when accessing the license page in admin application

Fixes in Bonita 2022.1-u3 (2022-09-07)

Fixes in Bonita Studio including Bonita UI Designer

  • STUDIO-4237 - Improve BPMN2 export when using messages not defined in the same diagram.

  • STUDIO-4366 - Fix View source link on extension card when maven propreties are used in the scmUrl tag.

  • STUDIO-4367 - Fix Add custom extension when the dependency has a classifier.

  • STUDIO-4381 - Fix import artifacts order to have a consistent migration.

  • STUDIO-4383 - Fix a regression from 2022.1-u1 where some variable or parameters references type may be lost during edition.

  • STUDIO-4388 - Fix a regression where the Bonita code templates where not available in the script editor content assist.

  • STUDIO-4399 - Fix a race condition issue when switching project.

  • STUDIO-4400 - Fix [Organization] Password resolution

  • STUDIO-4419 - Improve .bpmn file import error management when bpmn contains vertical lanes

  • UID-675 - Fix generated page.properties file to include fragments resources

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-211 - Fix Access to a non existing token in an app raise a 403 instead of a 404

  • RUNTIME-334 - Fix REST API ../API/identity/user/-1?d=professionalData as it returns the list of users

  • RUNTIME-335 - Fix REST API ../API/identity/user/-1 as it returns a APIMissingIdException

  • RUNTIME-869 - Fix Administrator app - BPM process: The 2 Popups to Disable and Enable installed process do not close

  • RUNTIME-978 - Fix Organisation import does not update 'lastUpdate' field in user entries

  • RUNTIME-1011 - Fix ProcessId in URL not taken into account in admin case list

  • RUNTIME-1156 - Fix BConf file deployment is broken for non existing processes

  • RUNTIME-1217 - Fix Process and case visu only display the diagram

  • RUNTIME-1220 - Fix Admin case list doesn’t have 'case_delete' permissions

  • RUNTIME-1234 - [Security] Update several dependencies for 2022.1-u3 (see specific note])

  • RUNTIME-1273 - Fix Admin app BPM pages should be editable in subscription editions

  • RUNTIME-1275 - Fix bonita-sp- maven-repository 7.13.x contains extra files

  • RUNTIME-1296 - Fix Missing REST API static permissions

  • RUNTIME-1390 - Fix issuedFor (azp) claim in OIDC ID token should be treated as optional

  • RUNTIME-1408 - Fix slow REST API extension requests due to a java sycnhronized block

Fixes in Bonita 2022.1-u1 (2022-05-03)

Fixes in Bonita Studio including Bonita UI Designer

  • STUDIO-4187 - The evaluate dialog cannot be resized, some fields can be hidden which make the feature unusable

  • STUDIO-4279 - Use H2 driver on setup tool instead of server folder of distrib

  • STUDIO-4296 - Start after install fails to validate license

  • STUDIO-4297 - [Expression editor] Invalid Constant expression type resolution

  • STUDIO-4305 - "Save" label is disabled when it should not

  • STUDIO-4309 - After generating a pdf from the documentation, some symbols cannot be displayed

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-755 - [PERF] Accessing the case list takes minutes

  • RUNTIME-1003 - [Security] Update several dependencies for 2022.1-u1

Fixes in Bonita 2022.1 (2022-03-30)

For the users of Bonita Community edition, Bonita 2022.1 also comes with all the bug fixes released in the Maintenance versions of Bonita 2021.2.
You can access the list by checking the "What’s new in Bonita 2021.2" page, in the "Bug fixes" section.

Fixes in Bonita Runtime including Bonita native Applications

  • RUNTIME-178 - Case deletion throws 500 instead of 404 when the case does not exist

  • RUNTIME-477 - Case overview does not paginate attached document list

  • RUNTIME-814 - [Security] Update several dependencies

  • RUNTIME-885 - [Security] Issue with authorization mechanism

Known issues

Bonita Studio

  • Windows environments only: Launching Bonita Studio in any of the Subscription version with the installer (.exe file) leads to a minor issue on license management:
    Even if you provide the license in the installer, once the installation is done, Bonita Studio opens and asks for the license again.
    You will have the impression that the license is not valid, or not taken into account. This is not the case:

    • Cancel the modal window asking you for the license

    • In your File explorer, go to the folder where Bonita has been installed and launch BonitaStudioSubscription.exe

It will work just fine.

  • The Run As JUnit test action for Groovy REST API Extension project is broken (Eclipse issue)