Release notes

Bonita 2023.1 release note

Bonita project packaged as a self-contained application

With Bonita 2023.1 comes a new recommendation on how to deploy your Bonita applications. Each development team using Bonita platform has several options. Here are the options proposed by Bonitasoft:

  1. Create a dedicated project that is completely independent from the existing Bonita projects (i.e. the generated application will be deployed independently from the existing ones)

  2. Integrate it into an existing project, so that a single application will be generated and deployed (backward compatible way of doing things)

The first choice is already possible today and the second one will only be possible in future Bonita versions.

For those who want to try out deploying a Bonita project as a self-contained application, we have developped an experimental packaging tool. The outcome will be an appplication packaged either in Tomcat Bundle or a docker image, you choose. For everyone that wants to get a glance at the future, the tool is available here Bonita Application Packager.

The update process of the self-contained application packaged with the experimental tool will not be covered with Update Tool, hence we advice deployement in non-production environments.

New product values

Bonita Runtime

Technical version change to 8.x.y

Bonita 2023.1 introduces a new multi-runtime architecture. This change comes with a new way to handle multi-tenants use cases and thus the removal of the multi-tenancy as it is currently known. Based on the semantic versioning management standards, these changes require a technical version change.

User account provisioning with Single Sign-on

For Subscription editions only.

Starting with Bonita 2021.1, creating user accounts on the fly at user authentication through SSO (Single Sign-on) was possible with configuration in Bonita Runtime. The user accounts were created with a username attribute, a default role and group - created beforehand in Bonita Runtime database.

Additional capabilities have been added in 2023.1 for single sign-on with SAML or OIDC:

  • possibility to integrate additionnal information from the Identity Provider of the SSO at user account creation (like first name, last name, email, etc…​)

  • user groups can be retrieved from the SAML response or OIDC ID token and created automatically in Bonita Runtime database at user account creation

More details are available in the dedicated documentation page User Account Provisioning.

Development suite changes

Bonita project layout

Bonita projects layout has been changed to take advantage of Maven multi-module project perks.

First project component that will benefit from Maven multi-module project is the Business Data Model. We decided to align the way the Business Data Model is handled in Bonita with the standard dependency handling practices by using Maven submodules. Submodules, or subprojects, are regular Maven projects that inherit from the parent POM.

With the chosen solution, the users will have the possibility to publish and consume the Business Data Model java dependencies independently. The project will pull the required dependencies from a specified repository - Maven Central or Bonita Artifact Repository - to generate the BDM java sources. Here are details on how to configure access to Bonita Artifact Repository(Subscription only) and Maven Central.

Business Data Model content check at build or deploy will still be developer’s responsibility along with handling data-deletion risks at build or deploy. For this Bonita version, reusing the generated artifacts in another Bonita project is not supported with refactoring capabilities. All changes will have to be handled manually by developers.

Bonita UI Designer

Develop digitally accessible applications

The following improvements have been made so that digitally accessible applications could be developed natively with Bonita UI Designer with less custom code:

  • An attribute lang is now available and based on the BOS_locale cookies at page initialization will automatically get filled without developer’s or end-user’s action.

  • Table and data-table widget have a new caption property available for adding a title

  • The default widgets in the palette that contain a html input tag have now an associated label, which will facilitate the use of computer tools (screen readers for example)

  • To be more accessible for speech synthesizers, screen readers or some other tools, the internal html template of checklist and radio buttons widget has been updated.

The changes will automatically be available when changing a page in Bonita UI Designer <2023.1> developed with a previous Bonita UI Designer version. Custom styling could be impacted so take this fact into account in your development estimates.

Manual web resource declaration in UID page metadata

In addition to the automatic permission mapping done at a Custom page deployment, it is now possible to declare web resources manually in a page/fragment/widget metadata. Less time spent now on post deployment configuration requests by DevOps team managing Bonita instances

It is the good practice we are introducing regarding web resource’s for a page declaration.

Custom widget editor

To add the web resource section in custom widget editor, we should reorganize the layout of this page. We hope it will more usable.

You can now use the search (ctrl + f) or search and replace (ctrl + h) keybinding in the code editor (custom-widget, assets content and edit).

Security fixes for all the application pages developped using UI Designer

During the last year we explored all possible options for providing a supported AngularJS version. In the end we decided to handle the need in-house. The first step of the long term project we initiated is correcting all critical and high CVEs in the AngularJS version used to run our Bonita application pages developped using UI Designer. For that, we made a fork of the AngularJS project and adapted the fixes to the version that is used.

Want to hear more? Check this page.

Version update for default Bonita application pages developed in AngularJS

An update to the latest version of AngularJS (1.8.3) was done on the following pages provided by Bonita:

  • User task list

  • Admin application list

  • Admin application details

  • BDM page (both Admin and Super-Admin applications)

  • Admin user details

  • Admin process details

  • Admin license

  • Admin monitoring

Feature deprecations and removals

Custom Rest API Extension and BDM dependencies

When updating a Bonita project in Bonita Studio 2023.1 version, BDM dependencies will be directed to use the new the *-bdm-model artifact introduced with the Bonita project layout changes. Meaning that bdm-client and bdm-dao dependencies will automatically be replaced with project’s bdm-model dependency.

Additionnally, the dependency containing the client DAO implementation will be removed from the dependencies list. It can affect the code directly referencing the *DAOImpl classes. To avoid this situation, change the code to use the DAO interfaces present in the bdm-model dependency. The changes can be done before or after updating to the 2023.1 version without breaking the project.

Reminder : in case *DAOImpl class was instantiated in the code, APIClient#getDAO factory method has to be used instead.

For example, for a given BusinessObject Customer
// Direct instantiation
CustomerDAOImpl dao = new CustomerDAOImpl(context.getApiSession());

// Replace it with APIClient factory
CustomerDAO dao = context.getApiClient().getDAO(CustomerDAO.class);

Multi-tenancy removal

For Subscription editions only.

Deprecated multi-tenancy has been removed.

To cover the multi-tenancy use cases in the best technical way, Bonitasoft is proposing a new architecture solution. For customers running a Bonita multi-tenancy platform, the technical path from multi-tenancy proposed by Bonitasoft is multi-runtime. This choice will require to split the current multi-tenant platform into several runtimes, each one with their own Bonita engine database.

As this path can be challenging for customers using multi-tenancy, Bonitasoft developed a conversion tool, available for download on Bonitasoft Customer Portal. We strongly suggest our customers to take the time and use the tool in a pre-production environment before using it on a production environment.

Multi-tenancy to multi-runtime conversion tool can be executed on Bonita Runtimes starting with Bonita 7.11 and up to Bonita 7.15.

In case you are using a Bonita non-supported version, perform the update to a Bonita supported version before the conversion to multi-runtime.

Reminder : For commercial and support questions, please refer to your Customer Success referent.

Deprecated resources removed from HTTP API

userXP/profile, userXP/profileMember, userXP/profileEntry and userXP/bonitaPage resources have been removed. Use their replacement instead: portal/profile, portal/profileMember, portal/profileEntry and portal/bonitaPage.

Bug fixes

Fixes in Bonita 2023.1-u6 (2024-09-09)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-48 - SFlowNodeNotFoundException: Quartz’s Trigger associated to a Boundary timer does not get deleted when the process instance terminates

Fixes in Bonita 2023.1-u5 (2024-07-18)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1884 - password attribute silently removed from org.bonitasoft.engine.identity.impl.UserImpl class. Add removal information in the release note. Make the XStream deserialization less strict to avoid deserialization exception when a some fields are unknown.

  • RUNTIME-1887 - Regression in ServerProxifier algorithm produce a greater number of SQL requests.

  • RUNTIME-1833 - SanitizerFilter policy has been fine-tuned to be less restrictive (add support for links, pre elements and tables)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4515 - Improve error management when migrating inconsistent project data

Fixes in Bonita 2023.1-u4 (2024-04-23)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1848 ArchivedTasks filter on type is generating java.lang.ClassCastException

  • RUNTIME-407 Open Cases Administrator call API/bpm/case performance slowness in 2021.1-0617

  • RUNTIME-1816 New sanitize filter makes payloads with "null" attribute values fail

  • RUNTIME-1817 Compilation Errors when non 7 bit US ascii chars are used in the description of a Business0Object in the BDM - generate-bdm-model goals

  • RUNTIME-1818 [Kerberos SSO] - IOException: conf/login.conf (No such file or directory)

  • RUNTIME-1819 [SAML SSO]: Decrypt of encrypted assertion fails with error: java.lang.ClassNotFoundException: org.apache.xml.security.encryption.EncryptedData

  • RUNTIME-1820 [SAML SSO]: Decrypt of encrypted assertion fails with error: java.lang.NoSuchMethodError: 'org.codehaus.stax2.ri.SingletonIterator org.codehaus.stax2.ri.SingletonIterator.create(java.lang.Object)'

  • RUNTIME-1821 Docker image fails to start with JMX_REMOTE_ACCESS=true

  • RUNTIME-1824 Filter on "caller" does not work when searching for ArchivedProcessInstance

  • RUNTIME-1825 Bad rendering in the Admin Group List page to display Parent Group column

  • RUNTIME-1828 ArchivedProcessInstance are not deleted when not Root Process Instances

  • RUNTIME-1832 Initialize Keycloak CryptoIntegration to fix java.lang.RuntimeException: java.lang.IllegalStateException: Illegal state. Please init first before obtaining provider

  • RUNTIME-1833 SanitizerFilter removes html tags from HTTP payload

  • RUNTIME-1835 SInvalidExpressionException generated when a parameter is used from within a groovy script

  • CVE-56 X-Frame-Options and Content-Security-Policy header is missing on some URLs.

  • CVE-62 Regular Expression Denial of Service (ReDoS) in AngularJS (CVE-2024-21490)

  • CVE-63 Upgrade Apache Tomcat version (fixing CVE-2024-24549)

Fixes in Bonita 2023.1-u3 (2024-01-30)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1725 - graphical issue with admin living app

  • RUNTIME-1802 - Search fields don’t work when search term contain special characters

  • RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

  • CVE-58 - Some UI screens in administration panel have been secured against stored XSS attacks. We also introduced a backend input validation to prevent storing XSS attacks in the database.
    We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

Fixes in Bonita Studio (including Bonita UI Designer)

  • UID-727 - Invalid js minification

Fixes in Bonita 2023.1-u2 (2023-11-28)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4494 - Classcast Exception in Export BOS Dialog

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-1797 - STenantNotFoundException: tenant 1 is not found after using MT2MR and update to 8.0

Fixes in Bonita 2023.1-u1 (2023-11-22)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4466 - FR is no more available for portal

  • STUDIO-4478 - BPMN Export text as CDATA

  • STUDIO-4486 - Pages exported from UID missing js resources

  • STUDIO-4490 - Exception at runtime: the Call activity is wrong in the process-design.xml generated

  • UID-723 - Update to 8.0.0: Web browser’s disk and memory caches break the product and custom pages

  • CVE-50 - Removing from the packaged maven repository an old vulnerable log4j library which wasn’t executed

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-1364 - Search users triggers API call for each keystroke

  • RUNTIME-1556 - Graphical issue with admin app in monitoring case section

  • RUNTIME-1642 - [Admin App][Process details] Visual glitch in the categories label

  • RUNTIME-1662 - [SSO] OIDC front channel logout is not working

  • RUNTIME-1679 - Timezone cannot be set in bonita containers

  • RUNTIME-1687 - ApplicationInstaller - a NullPointerException is generated when there is no artifact provided in the zip

  • RUNTIME-1693 - Downloaded Files do not have file extension

  • RUNTIME-1713 - Apply debounce to official pages using a search box

  • RUNTIME-1739 - Update several dependencies for 2023.1-u1

  • RUNTIME-1744 - Unable to update a 7.11.2 project into 2023.1 studio

  • RUNTIME-1749 - Custom Event Handler is never called

  • RUNTIME-1753 - ClientAbortException: java.io.IOException: Broken pipe errors in runtime logs

  • RUNTIME-1769 - Translations of non-UIDesigner provided pages subscription parts are randomly not loaded

  • RUNTIME-1770 - Portal backend web.xml: the Cache-Control max-age is set to 6 month whereas it should be set to 10 hours

  • RUNTIME-1775 - Bad access to java modules in Hazelcast

  • RUNTIME-1784 - REST API authorisation: renaming of 'process_categories' permission breaks permissions after update to 7.15 or 8.0

  • RUNTIME-1785 - OIDC SSO: "Basic" authentication header is encoded in 8-bit and is not compatible with some IdPs

  • CVE-4 - Path-relative style sheet import