Release notes

Bonita 2023.2 release note at a glance

Self Contained Application (SCA)

Build, package, run, update. SCA is the new differentiating deployment mode of Bonitasoft is ready to go live and in production. By embracing the latest containerization approach, users will experience faster deployment times, allowing your IT team to respond rapidly to business needs.

In 2023.2 version, we will keep the platform mode in parallel with the SCA mode which is Bonitasoft’s recommendation in order to correspond to market standards from an application development point of view. It is simply deprecated because we want to highlight the new SCA mode. Platform mode allows you to generate an application which will then be launched on an existing Bonita runtime, while SCA mode allows you to build an application which integrates a runtime and can therefore be directly launched. Our dedicated team will be here to guide you through this new updated mode, answer your questions, and provide the assistance you need.

User session sharing mechanism between nodes

Service continuity is a key element of operational performance, so we are introducing a new native capability to help to ensure access to applications. Even when a node experiences downtime, users will remain seamlessly connected and will be able to continue working without interruptions, ensuring smooth operations and increased user satisfaction.

Test toolkit V2

Ensuring effective testing by keeping track of the scope performed and identifying errors is a real concern for our developers. To support this, a test report is generated, which is adding a visual representation of the test sequence directly on the BPMN diagrams. This provides a clearer and more intuitive way of tracking progress, collaborating effectively and aligning with business/process owners. A concrete step towards shorter iterations and streamlined project tracking.

Maintenance page/service interruption notification

Our latest feature designed to be proactive and keep users informed/prepared of service interruptions. A new kit to build info page on service maintenance and page interruption to notify users and ensure a smoother and more predictable experience.

New product values

Bonita Runtime

User session sharing between nodes (Cluster)

When configuring a Bonita cluster (Enterprise and Performance editions only), HTTP sessions are now shared between all the nodes of the cluster. As a result, the load balancer no longer needs to be configured to use sticky sessions. If a node becomes unavailable, and a user request to this node fails, the user won’t need to log back in as their session will remain active. The load balancer will dispatch the new requests to the other nodes.

Maintenance mode

A new 'Maintenance mode' replaces the 'pause/resume BPM services' feature.
The behavior when activating this mode is the same as what was happening when pausing the BPM services (making the BPM and BDM services and API unavailable to users aud pausing the scheduled work while updating the platform, BDM, apps, etc…​) except the user sessions are no longer destroyed. A 'Platform under maintenance' 503 error page is displayed instead. Like the other Error pages, this page is part of Bonita App Directory application and can be modified with Bonita UI Designer.
In Bonita Super Administrator Application, the page 'BPM services' has been replaced with a new 'Platform maintenance' page allowing to activate/deactivate the maintenance mode and set a scheduled maintenance message to inform the users that a maintenance is scheduled and the platform will not be available for a while. This message, when activated, appears in Bonita Layout, as an alert header that can be hidden and in the user details modal. It also appears on the Maintenance page (503 error page) during the maintenance operations.
To benefit from this feature when updating to Bonita 2023.2, it is required to use the provided Bonita layout or to re-base your custom layout modifications on the provided Bonita Layout.
At REST API level, when the maintenance mode is active, the BPM and BDM API (except BDM installation) will respond with a 503 error. Bonita UI Designer pages now handle this error code and display a modal dialog informing the users of the running maintenance and proposing to redirect them to the maintenance page. To benefit from this feature when updating to Bonita 2023.2, it is required to migrate existing pages by migrating your apps using Bonita Studio 2023.2.

Exit on error

When starting a Bonita application, if an error occurs during the startup phase, the process will now exit with an error status code (1).

Default log pattern with color highlighting in console output

The default log configuration enables color highlighting in the console output.

Development suite

Bonita UI Designer

Session timeout and Maintenance handling

Bonita UI Designer pages now handle 401 and 503 errors for requests to Bonita REST API and display a modal dialog informing the users of the invalid session (401) or the running maintenance (503) and proposing to redirect them to the login or maintenance page. By clicking on cancel in this dialog, the users can remain on the current page (to not lose un-submitted form content) and log in another tab to renew their session or wait for the maintenance to end.
To benefit from this feature when updating to Bonita 2023.2, it is required to migrate existing pages by migrating your applications using Bonita Studio 2023.2.

Bonita Test Toolkit V2

The tests essentials to the successful completion of you project are now enhanced with the ability to provide the test results for a process execution under the form of a process diagram with an enhanced BPMN visualization. The result of your test is generated in an HTML file including BPMN diagrams, execution counters and execution paths.

Functional changes

REST API and file upload

When using the end point portal/fileUpload to upload a file before using it in Bonita REST API or a REST API extension, the size of the file that can be uploaded is now limited to 25MB. This can be changed in the configuration file console-config.properties using the setup tool, but be aware that this will affect upload limit for all users.

Feature deprecations and removals

Legacy custom connectors and actor filters

Since Bonita Studio 2021.2 it was not supported anymore to create custom connectors or actor filters in a Bonita project. Using the project composition with Maven extensions is the recommended way to integrate custom extensions.
In this version, those deprecated custom extensions are removed from the project when importing a .bos file or cloning a Git repository from an older version.
If you were coming from an older version of Bonita Studio with those custom connectors and actor filters, it will be required to migrate them into a separate Maven project using the dedicated archetypes. Visit their respective documentation pages for connectors and actor filters.

Provided Groovy classes

Deprecated since 2021.1, BonitaUsers, BonitaSql, BonitaXML and BonitaTypes Groovy classes are no more available. You may use suggested code templates in the Groovy script expression editor instead.

API Deprecations

Tenant pause and resume

With new Maintenance mode, following API resources are deprecated.

REST API Class#Method Comment

GET /API/system/tenant/[id]

APITenantAdmin#get(APIID) TenantAdministrationAPI#isPaused()

Use GET /API/system/maintenance / MaintenanceAPI#getMaintenanceDetails() instead.

PUT /API/system/tenant/[id]

APITenantAdmin#update(APIID, Map) TenantAdministrationAPI#pause() TenantAdministrationAPI#resume()

Use PUT /API/system/maintenance / MaintenanceAPI#enableMaintenanceMode() / MaintenanceAPI#disableMaintenanceMode() instead.

Subscription login implementation

REST API Class#Method Comment

N/A

com.bonitasoft.engine.api.LoginAPI com.bonitasoft.engine.api.LoginAPI#login(long, String, String) com.bonitasoft.engine.api.LoginAPI#login(long, Map)

Following multi-tenancy removal, this Subscription implementation is deprecated. Use Community implementation org.bonitasoft.engine.api.LoginAPI instead.

Bonita artifacts creation and update

With the new Self-Contained Application (abbr. SCA) approach, creating or updating Bonita artifacts are done at Runtime startup. We recommend to use this new approach. So we deprecate some APIs, along with associated servlets and services, that are related to the creation or the update of Bonita artifacts.

All editions
REST API Class#Method Comment

PUT /API/bpm/actor/[id]

APIActor#update(APIID, Map) ProcessManagementAPI#updateActor(long, ActorUpdater)

No replacement, an actor should be updated at startup using the SCA approach.

POST /API/bpm/process

APIProcess#add(ProcessItem)

No replacement, a process should be created at startup using the SCA approach.

PUT /API/bpm/process/[id]

APIProcess#update(APIID, Map) ProcessManagementAPI#updateProcessDeploymentInfo(long, ProcessDeploymentInfoUpdater)

No replacement, a process should be updated at startup using the SCA approach.

POST /API/living/application

APIApplication#add(ApplicationItem) ApplicationAPI#createApplication(ApplicationCreator)

No replacement, an application should be created at startup using the SCA approach.

PUT /API/living/application/[id]

APIApplication#update(APIID, Map) ApplicationAPI#updateApplication(long, ApplicationUpdater)

No replacement, an application should be updated at startup using the SCA approach.

POST /API/living/application-menu

APIApplicationMenu#add(ApplicationMenuItem) ApplicationAPI#createApplicationMenu(ApplicationMenuCreator)

No replacement, an application menu should be created at startup using the SCA approach.

PUT /API/living/application-menu/[id]

APIApplicationMenu#update(APIID, Map) ApplicationAPI#updateApplicationMenu(long, ApplicationMenuUpdater)

No replacement, an application menu should be updated at startup using the SCA approach.

POST /API/living/application-page

APIApplicationPage#add(ApplicationPageItem) ApplicationAPI#createApplicationPage(long, long, String)

No replacement, an application page should be created at startup using the SCA approach.

POST /API/portal/page

APIPage#add(PageItem) PageAPI#createPage(PageCreator, byte[]) PageAPI#createPage(String, byte[])

No replacement, a page should be created at startup using the SCA approach.

PUT /API/portal/page/[id]

APIPage#update(APIID, Map) PageAPI#updatePage(long, PageUpdater) PageAPI#updatePageContent(long, byte[])

No replacement, a page should be updated at startup using the SCA approach.

POST /API/tenant/bdm

BusinessDataModelResource#addBDM(BusinessDataModelItem) TenantAdministrationAPI#updateBusinessDataModel(byte[])

No replacement, the BDM should be updated at startup using the SCA approach. Use the SCA approach instead.

POST /portal/applicationsUpload

N/A

No replacement, uploading a Living Application using the portal is deprecated. Use the SCA approach instead.

POST /portal/pageUpload

PageUploadServlet

No replacement, uploading an Application page using the portal is deprecated. Use the SCA approach instead.

POST /portal/processUpload

N/A

No replacement, uploading a Process using the portal is deprecated. Use the SCA approach instead.

POST /services/application/import

ApplicationsImportService

No replacement, importing a Living Application using this service is deprecated. Use the SCA approach instead.
Subscription editions specific
REST API Class#Method Comment

PUT /API/bpm/processConnector/[id]/[connectorImplId]/[connectorImplVersion]

APIProcessConnectorExt#update(APIID, Map) ProcessManagementAPI#setConnectorImplementation(long, String, String, byte[])

No replacement, a process connector should be updated at startup using the SCA approach.

PUT /API/bpm/processParameter/[id]/[name]

APIProcessParameterExt#update(APIID, Map) ProcessManagementAPI#updateParameterInstanceValue(long, String, String)

No replacement, a process parameter should be updated at startup using the SCA approach.

PUT /API/form/mapping/[id]

FormMappingResourceExt#updateFormMapping(PageReference) ProcessManagementAPI#updateFormMapping(long, String, Long)

No replacement, a form mapping should be updated at startup using the SCA approach.

POST /API/portal/profile

APIProfileExt#add(ProfileItem) ProfileAPI#createProfile(ProfileCreator) ProfileAPI#createProfile(String, String)

No replacement, a profile should be created at startup using the SCA approach.

PUT /API/portal/profile/[id]

APIProfileExt#update(APIID, Map) ProfileAPI#updateProfile(long, ProfileUpdater)

No replacement, a profile should be updated at startup using the SCA approach.

POST /APIv2/service/install

EngineServlet

No replacement, the Bonita Application Configuration (.bconf) should be applied at startup using the SCA approach.

POST /portal/bdmAccessControlUpload

N/A

No replacement, uploading BDM Access Controls using the portal is deprecated. Use the SCA approach instead.

POST /portal/profilesUpload

N/A

No replacement, uploading Profiles using the portal is deprecated. Use the SCA approach instead.

POST /services/bdmAccessControl/install

AccessControlInstallService

No replacement, importing BDM Access Controls using this service is deprecated. Use the SCA approach instead.

POST /services/profile/import

ProfilesImportService

No replacement, importing Profiles using this service is deprecated. Use the SCA approach instead.

API Removals

All editions

Class#Method Comment

org.bonitasoft.engine.api.OrganizationAPI#importOrganization(String, ImportPolicy)

Use org.bonitasoft.engine.api.OrganizationAPI#importOrganizationWithWarnings(String, ImportPolicy) instead.

org.bonitasoft.engine.api.PlatformAPI#cleanPlatform()

No replacement, delete the database schema instead.

org.bonitasoft.engine.api.PlatformAPI#isPlatformInitialized()

No replacement, platform initialization is always done at startup.

org.bonitasoft.engine.api.ProcessRuntimeAPI#getComments(long)

Use org.bonitasoft.engine.api.ProcessRuntimeAPI#searchComments(SearchOptions) instead

org.bonitasoft.engine.api.TenantAdministrationAPI#installBusinessDataModel(byte[])

Use org.bonitasoft.engine.api.TenantAdministrationAPI#updateBusinessDataModel(byte[]) instead.

org.bonitasoft.engine.api.ThemeAPI

No replacement, the feature was removed.

org.bonitasoft.engine.identity.User#getPassword()

No replacement, the method was removed.

org.bonitasoft.engine.identity.User#getIconName()

Use org.bonitasoft.engine.identity.User#getIconId() instead.

org.bonitasoft.engine.identity.User#getIconPath()

Use org.bonitasoft.engine.identity.User#getIconId() instead.

org.bonitasoft.engine.identity.User#getManagerUserName()

Use org.bonitasoft.engine.identity.User#getManagerUserId() instead.
Subscription editions specific
Class#Method Comment

com.bonitasoft.engine.api.PlatformAPI#activateTenant(long)

No replacement, the multi-tenancy feature was removed.

com.bonitasoft.engine.api.PlatformAPI#deactiveTenant(long)

No replacement, the multi-tenancy feature was removed.

com.bonitasoft.engine.api.ProcessManagementAPI#getParameterInstance(long, String)

Use org.bonitasoft.engine.api.ProcessManagementAPI#getParameterInstance(long, String) instead.

com.bonitasoft.engine.api.ProcessManagementAPI#getParameterInstances(long, int, int, ParameterCriterion)

Use org.bonitasoft.engine.api.ProcessManagementAPI#getParameterInstances(long, int, int, ParameterCriterion) instead.

com.bonitasoft.engine.api.ProcessRuntimeAPI#updateProcessInstanceIndex(long, Index, String)

Use org.bonitasoft.engine.api.ProcessRuntimeAPI#updateProcessInstanceIndex(long, Index, String) instead.

com.bonitasoft.engine.api.ProcessRuntimeAPI#updateProcessInstance(long, ProcessInstanceUpdater)

Use org.bonitasoft.engine.api.ProcessRuntimeAPI#updateProcessInstance(long, ProcessInstanceUpdater) instead.

com.bonitasoft.engine.api.ProcessRuntimeAPI#getProcessBusinessDataReference(String, long)

Use org.bonitasoft.engine.api.BusinessDataAPI#getProcessBusinessDataReference(String, long) instead.

com.bonitasoft.engine.api.ProcessRuntimeAPI#getProcessBusinessDataReferences(long, int, int)

Use org.bonitasoft.engine.api.BusinessDataAPI#getProcessBusinessDataReferences(long, int, int) instead.

com.bonitasoft.engine.api.ProfileAPI#createProfile(String, String, String)

Use com.bonitasoft.engine.api.ProfileAPI#createProfile(String, String) instead.

com.bonitasoft.engine.api.ProfileAPI#importProfilesUsingSpecifiedPolicy(byte[], ImportPolicy)

Use com.bonitasoft.engine.api.ProfileAPI#importProfiles(byte[], ImportPolicy) instead.

com.bonitasoft.engine.api.ThemeAPI

No replacement, the feature was removed.

Configuration changes

Update only startup

A new bonita.runtime.startup.update-only configuration boolean property has been added to perform an update only startup. When enabled, the application will start, go through its initialization and update phase and exit afterward. Exit status can be successful (0) or in error (1).

Properties source priority order

Prior to Bonita 2023.2, properties files from database had priority over environment or system variables. We decide to reverse this order so that you can easily override database properties with environment or system variables, and to be in line with the Spring / Spring Boot philosophy.

To be backward compatible, we introduce the boolean property bonita.runtime.properties.order.legacy-mode (default: false) to enable the previous priority order of properties source.

Full details can be found on the dedicated page.

Runtime property renaming

In order to improve Bonita property naming coherence, a work is in progress to change some property names. In this release, the following properties have been renamed:

  • bonita.tenant.session.duration has been renamed to bonita.runtime.session.duration. If you happened to customize this property, please update it in file bonita-tenant-community-custom.properties (The old property is still supported but will be removed in a later version)

  • userName has been renamed to bonita.runtime.admin.username. The property renaming is handled by the Update Tool.

  • userPassword has been renamed to bonita.runtime.admin.password. The property renaming is handled by the Update Tool.

  • TENANT_LOGIN has been renamed to BONITA_RUNTIME_ADMIN_USERNAME. If you happened to set this property in your Docker configuration, please update it (The old property is still supported but will be removed in a later version)

  • TENANT_PASSWORD has been renamed to BONITA_RUNTIME_ADMIN_PASSWORD. If you happened to set this property in your Docker configuration, please update it (The old property is still supported but will be removed in a later version)

Removal of the property install-provided-pages

With Bonita 2023.1, we introduced the new concept of Self-Contained Application (SCA). When building an SCA, Bonita Admin Application and Bonita User Application are no longer installed after the packaging process. If the SCA is using pages from one of those applications, setting the property bonita.runtime.custom-application.install-provided-pages and its relative environment variable for Docker INSTALL_PROVIDED_PAGES will have those pages installed anyway at Bonita Runtime startup.

Those two properties are no longer required and are removed. Instead, we detect the usage of Admin/User Application pages and install them automatically.

Setting a timezone for a Bonita container

The timezone can be set via TZ environment variable. Check the supported timezones.

Bug fixes

Fixes in Bonita 2023.2-u6 (2024-09-09)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-48 - SFlowNodeNotFoundException: Quartz’s Trigger associated to a Boundary timer does not get deleted when the process instance terminates

  • RUNTIME-1845 - Oracle ORA-00060: deadlock detected when multiple cases are done simultaneously

  • RUNTIME-1895 - [SAML & OIDC SSO]: Bonita redirects to IdP if redirected target URL request lands on different node than the one where the original request was received

Fixes in Bonita 2023.2-u5 (2024-07-15)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1697 - Avoid reading configuration from database, in favor to caching
    Bonita Runtime makes heavy usage of cache to improve performance. In that context, most configuration changes require server restart to be taken into account. In particular, all SSO activations and configuration changes fall into this category (OIDC, SAML, Kerberos, JAAS, …​).

  • RUNTIME-1877 - Session Sharing x sameSiteCookies value systematically set to "lax" when cluster is enabled. New configuration properties specific to cluster mode and session cookie have been added.

  • RUNTIME-1833 - SanitizerFilter policy has been fine-tuned to be less restrictive (add support for links, pre elements and tables)

  • RUNTIME-1884 - password attribute silently removed from org.bonitasoft.engine.identity.impl.UserImpl class. Add removal information in the release note. Make the XStream deserialization less strict to avoid deserialization exception when a some fields are unknown.

  • RUNTIME-1887 - Regression in ServerProxifier algorithm produce a greater number of SQL requests.

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4515 - Improve error management when migrating inconsistent project data

  • STUDIO-4530 - ResourceException when using Switch Workspace from a 9.0.x

  • STUDIO-4531 - Getting started tutorial not working out of the box in Subscription editions.

  • STUDIO-4533 - Refreshing a project after a git switch branch now adds/removes submodules as expected.

  • STUDIO-4535 - Renaming a project without bdm or extensions fails

Fixes in Bonita 2023.2-u4 (2024-04-19)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1848 - ArchivedTasks filter on type is generating java.lang.ClassCastException

  • RUNTIME-407 - Open Cases Administrator call API/bpm/case performance slowness in 2021.1-0617

  • RUNTIME-1818 - [Kerberos SSO] - IOException: conf/login.conf (No such file or directory)

  • RUNTIME-1821 - Docker image fails to start with JMX_REMOTE_ACCESS=true

  • RUNTIME-1824 - Filter on "caller" does not work when searching for ArchivedProcessInstance

  • RUNTIME-1825 - Bad rendering in the Admin Group List page to display Parent Group column

  • RUNTIME-1827 - [Update] Bonita User and Administrator applications and some pages of the User application missing after one-step update from 7.12 to 9.0

  • RUNTIME-1828 - ArchivedProcessInstance are not deleted when not Root Process Instances

  • RUNTIME-1829 - Application directory page sign out button no longer redirects the top window when using OIDC

  • RUNTIME-1832 - Initialize Keycloak CryptoIntegration to fix java.lang.RuntimeException: java.lang.IllegalStateException: Illegal state. Please init first before obtaining provider

  • RUNTIME-1833 - SanitizerFilter removes html tags from HTTP payload

  • RUNTIME-1835 - SInvalidExpressionException generated when a parameter is used from within a groovy script

  • CVE-62 - Regular Expression Denial of Service (ReDoS) in AngularJS (CVE-2024-21490)

  • CVE-63 - Upgrade Apache Tomcat version (fixing CVE-2024-24549)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4505 - NPE when creating a contract from data

  • STUDIO-4507 - Cannot deploy organization when another one already exists and is active

  • STUDIO-4513 - Dissappearing BDM in a migrated project

Fixes in Bonita 2023.3-u3 (2024-02-08)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1815 - Cannot update application information after updated logo file of the application

  • RUNTIME-1816 - New sanitize filter makes payloads with "null" attribute values fail

  • RUNTIME-1817 - Compilation Errors when non 7 bit US ascii chars are used in the description of a Business Object in the BDM

  • RUNTIME-1819 - [SAML SSO] Decrypt of encrypted assertion fails with ClassNotFoundException: EncryptedData

  • RUNTIME-1820 - [SAML SSO] Decrypt of encrypted assertion fails with NoSuchMethodError: SingletonIterator.create

  • CVE-56 - X-Frame-Options and Content-Security-Policy header is missing on some URLs.

Fixes in Bonita 2023.2-u2 (2024-02-01)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1725 - graphical issue with admin living app

  • RUNTIME-1802 - Search fields don’t work when search term contain special characters

  • RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

  • RUNTIME-1813 - [OIDC SSO] Session sharing does not support opaque access tokens

  • CVE-58 - Some UI screens in administration panel have been secured against stored XSS attacks. We also introduced a backend input validation to prevent storing XSS attacks in the database.
    We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4498 - Error due to files in bin folder when trying to build a project migrated to 9.0.

  • UID-727 - Invalid js minification

Fixes in Bonita 2023.2-u1 (2023-11-29)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4494 - Classcast Exception in Export BOS Dialog

  • CVE-50 - Removing from the packaged maven repository an old vulnerable log4j library which wasn’t executed

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-1790 - When server is unavailable due to maintenance, or any error page is displayed, language cookie is systematically set to french

  • RUNTIME-1797 - STenantNotFoundException: tenant 1 is not found after using MT2MR and update to 9.0