Release notes

The required Java version is now Java 17.

We’re proud to announce Bonita 2024.1, the first major Bonita platform release of this year! This new major release improves security, search capabilities and performance.

The 2024.1 release in a nutshell

  • Java 17 update for more security, better performance and language enhancements

  • Improved security in Bonita REST APIs

  • Boosted search experience on all APIs and pages

  • Better platform performance thanks to the L2 Cache (Enterprise Edition only), extended to clustered environments.

  • Bonita Studio packaging changes

  • REST API authorizations in Community edition

  • Find out how Bonitasoft handles GDPR

New available values

Bonita Runtime

Java 17 update

We’re updating to the next long-term support (LTS) Java version: Java 17. Worldwide adoption of Java 17 has been growing since last year, including among our Bonita users. In Bonita 2024.1, we have updated the version from 11 to 17!

Following the Java 17 update, the following JVM arguments are now required when using the bonita-client library in a standalone application:

--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED

Docker image parent update

The bonita and bonitasoft.jfrog.io/docker/bonita-subscription images now inherit from the official eclipse-temurin image in its alpine flavor. As a consequence, if you need to add an additional Certificate Authority to the Java TrustStore, you may proceed as described here. This also applies to Self Contained Application images.

Second-Level Cache available in a Bonita clustered environment

For Subscription editions only.

Bonita 2024.1 now handles second-level caching data (also known as L2 Cache) when running Bonita within a cluster environment.

It is available by default with a preset configuration. It can be disabled by setting the property bonita.platform.persistence.use_second_level_cache=false or the environment variable BONITA_PLATFORM_PERSISTENCE_USE_SECOND_LEVEL_CACHE=false.

This L2 Cache mechanism is implemented with Hazelcast. At the same time, it replaces the Ehcache implementation that was previously used to support L2 caching data within a non-cluster environment.

For more information on how to tune the L2 Cache with Bonita, please refer to the dedicated documentation.

Bonita 2024.1 introduces a new search engine algorithm on all APIs and the Bonita pages included by default on Bonita User Application, Bonita Administrator and Super Administrator Applications. This new “like-based” search algorithm replaces the previous “word-based” search and it will allow you to rapidly find all matching records for a given search string anywhere in a phrase or a word. This is now the default search behavior for all search APIs and pages of Bonita Runtime.

The result is simple: a better understanding of your queries without any configuration changes!

For more information on how like-based search works, please refer to the dedicated documentation.

Development suite

Bonita Studio packaging changes

All Bonita Studio binaries now embed a Java runtime. The former "all-in-one" archive, which mixed both Windows and Linux environments, will no longer be published.

The Linux binaries are now published as tar.gz archives only, while the Windows and macOS platforms still use an installer. Consult the Bonita Studio installation article for more information.

Bonita UI Designer

Functional changes

Oracle case-insensitiveness

The Oracle search is now case-insensitive.

REST API authorizations in Community edition

To improve the security of the Bonita Runtime REST API, the dynamic authorization mechanism has been extended to the Bonita Runtime Community edition. There it is limited to the set of provided rules and the default configuration for Bonita REST API resources, and it cannot be extended. Customization and extensibility (new PermissionRules definitions) remain available in the Subscription editions only. Dynamic authorizations are active by default; although it is not advised, they can still be deactivated using a property to avoid 403 errors (see dedicated doc page).

Feature deprecations and removals

The optional "word-based" and default "start-with" search algorithms cannot be used anymore as they have been replaced by a "like-based" search algorithm that is used in all search APIs and pages of Bonita Runtime.

API Removals

All editions

Class#Method Comment

org-com.bonitasoft.engine.api.PermissionAPI#checkAPICallWithScript(String className, APICallContext apiCallContext, boolean reload)

Deprecated since Bonita 2022.1. Use org-com.bonitasoft.engine.api.PermissionAPI#isAllowed instead to execute both static and dynamic permission checks.

Configuration changes

Word-based search

Since "Word-based" search can no longer be used, its configuration has been removed.
The properties bonita.platform.persistence.platform.enableWordSearch and bonita.platform.persistence.tenant.enableWordSearch are removed from the configuration file platform_engine/bonita-platform-community-custom.properties when using the update tool, and they no longer have any effect.
If you used them to configure Bonita Runtime for "word-based" search and specified some objects to exclude using the bean wordSearchExclusionMappings in platform_engine/bonita-platform-custom.xml, you should remove this bean after updating since it is no longer used. The new "like-based" search is active on all objects that have API search methods.
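
A post-update check for the leftovers described above, as an added example that is not part of the original release notes or of Bonitasoft's tooling. The function names are hypothetical, the root directory passed in is an assumption (whichever folder contains platform_engine/ on your installation), and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not Bonitasoft code. CONF_DIR (assumption) is the directory
# that holds the platform_engine/ folder named in the release notes.

# Print one finding per line; return 1 if a leftover is found, 0 if clean.
check_wordsearch_leftovers() {
    conf_dir=$1
    props="$conf_dir/platform_engine/bonita-platform-community-custom.properties"
    xml="$conf_dir/platform_engine/bonita-platform-custom.xml"
    re='^[[:space:]]*bonita\.platform\.persistence\.(platform|tenant)\.enableWordSearch[[:space:]]*[=:]'
    status=0

    # Removed properties: only active lines count, '#' comments are ignored.
    if [ -f "$props" ] && hits=$(grep -nE "$re" "$props"); then
        printf '%s\n' "$hits" | sed 's/^/removed property, line /'
        status=1
    fi
    # Unused bean: any mention is reported, including inside an XML comment,
    # so the operator reviews it by hand.
    if [ -f "$xml" ] && hits=$(grep -n 'wordSearchExclusionMappings' "$xml"); then
        printf '%s\n' "$hits" | sed 's/^/unused bean, line /'
        status=1
    fi
    return "$status"
}

# Constructed sample tree for a dry run (not real Bonita configuration).
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/platform_engine"
    cat > "$dir/platform_engine/bonita-platform-community-custom.properties" <<'EOF'
# constructed sample
#bonita.platform.persistence.platform.enableWordSearch=false
bonita.platform.persistence.tenant.enableWordSearch=true
EOF
    cat > "$dir/platform_engine/bonita-platform-custom.xml" <<'EOF'
<!-- constructed sample -->
<bean id="wordSearchExclusionMappings"/>
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_conf)
check_wordsearch_leftovers "$sample" || echo "leftovers found: clean up after the update"
rm -rf "$sample"
```

A non-zero return makes the function usable as a gate in an update runbook or CI job.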

REST API authorizations

The property that enables or disables dynamic authorization checks has been moved from the configuration file bonita-tenant-sp-custom.properties to the file bonita-tenant-community-custom.properties in the tenant folder when using the setup tool. When updating Bonita in Subscription editions, if the property was used, the Bonita update tool will keep its value. When the property is set using a system property or an environment variable, it will continue to override the value of the configuration file.

Bug fixes

Fixes in Bonita 2024.1-u5 (2024-12-06)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1786 - When updating an SCA application with profiles mapping, the log is deceitful

  • RUNTIME-1870 - REST API: JSON in the HTTP GET response cannot be parsed /API/bpm/caseInfo/{id}

  • RUNTIME-1885 - Doubtful queries on application_* tables each time we navigate to a page

  • RUNTIME-1889 - Super Admin App page is refreshed for each page switch

  • RUNTIME-1911 - Using tenantid column in index causing query performance degradation

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4477 - Some reserved keyword (limit) are missing during validation on Business Data Attributes

  • STUDIO-4516 - Errors at .bos file import and migration

  • STUDIO-4540 - Cloning a community project into a Subscription studio should migrate the internal build for subscription

  • STUDIO-4542 - Due to Maven archetype plugin update, rest api generation generates invalid test class

  • STUDIO-4543 - Rest API Extension validation fails with NPE when project folder and artifactId does not match

  • STUDIO-4547 - Git repository clone failed when migrating a project which has already been cloned in the workspace.

  • STUDIO-4551 - Bonita Project Analyze Plugin Market Type error

  • UID-732 - $form.$invalid x Tabs container : the Submit button is enabled when the widgets' Required of the current tab have a value, and even if there are empty Required widgets in other tabs

Fixes in Bonita 2024.1-u4 (2024-09-05)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-48 - SFlowNodeNotFoundException: Quartz’s Trigger associated to a Boundary timer does not get deleted when the process instance terminates

  • RUNTIME-1845 - Oracle ORA-00060: deadlock detected when multiple cases are done simultaneously

  • RUNTIME-1890 - [LDAP Synchronizer] - InaccessibleObjectException: Unable to make field private accessible

  • RUNTIME-1895 - [SAML & OIDC SSO]: Bonita redirects to IdP if redirected target URL request lands on different node than the one where the original request was received

Fixes in Bonita 2024.1-u3 (2024-07-18)

Fixes in Bonita Runtime including Bonita Applications

  • RUNTIME-1883 - Add extra java 17 open packages instructions for Bundle packaging

  • RUNTIME-1697 - Avoid reading configuration from database, in favor of caching
    Bonita Runtime makes heavy use of caching to improve performance. In that context, most configuration changes require a server restart to be taken into account. In particular, all SSO activations and configuration changes fall into this category (OIDC, SAML, Kerberos, JAAS, …).

  • RUNTIME-1877 - Session Sharing x sameSiteCookies value systematically set to "lax" when cluster is enabled. New configuration properties specific to cluster mode and session cookie have been added.

  • RUNTIME-1884 - password attribute silently removed from org.bonitasoft.engine.identity.impl.UserImpl class. Add removal information in the release note. Make the XStream deserialization less strict to avoid deserialization exception when some fields are unknown.

  • RUNTIME-1887 - Regression in ServerProxifier algorithm produces a greater number of SQL requests.

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4526 - Cannot add or edit a database connector

  • STUDIO-4536 - Hazelcast discovery is enabled by default for Studio embedded Runtime

  • STUDIO-4515 - Improve error management when migrating inconsistent project data

  • STUDIO-4517 - Improve error management when migrating inconsistent project data

  • STUDIO-4530 - ResourceException when using Switch Workspace from a 9.0.x

  • STUDIO-4531 - Getting started tutorial not working out of the box in Subscription editions.

  • STUDIO-4533 - Refreshing a project after a git switch branch now adds/removes submodules as expected.

  • STUDIO-4535 - Renaming a project without bdm or extensions fails

Fixes in Bonita 2024.1-u2 (2024-06-07)

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-1844 - Update Tomcat to latest 9.0.87

  • RUNTIME-1833 - SanitizerFilter removes html tags from HTTP payload

  • RUNTIME-1835 - SInvalidExpressionException generated when a parameter is used from within a groovy script

  • RUNTIME-1848 - ArchivedTasks filter on type is generating java.lang.ClassCastException

  • RUNTIME-1860 - Access Control panel is displayed in all subscription editions even when the feature is not active

  • RUNTIME-1864 - SCA cannot be started without BDM_ACCESS_CONTROL license key activated

  • CVE-63 - Upgrade Apache Tomcat version (fixing CVE-2024-24549)

Fixes in Bonita 2024.1-u0 (2024-04-11)

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-407 - Open Cases Administrator call API/bpm/case performance slowness since 2021.1-0617

  • RUNTIME-1398 - Prevent login via GET request by default

  • RUNTIME-1725 - graphical issue with admin living app

  • RUNTIME-1790 - When server is unavailable due to maintenance, or any error page is displayed, language cookie is systematically set to french

  • RUNTIME-1797 - STenantNotFoundException: tenant 1 is not found after using MT2MR and update

  • RUNTIME-1802 - Search fields don’t work when search term contain special characters

  • RUNTIME-1808 - Local project build fails due to old files checked in in bin folder

  • RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

  • RUNTIME-1813 - [OIDC SSO] Session sharing does not support opaque access tokens

  • RUNTIME-1815 - Cannot update application information after updated logo file of the application

  • RUNTIME-1816 - New sanitize filter makes payloads with "null" attribute values fail

  • RUNTIME-1817 - Compilation Errors when non 7 bit US ascii chars are used in the description of a Business Object in the BDM

  • RUNTIME-1818 - [Kerberos SSO] - IOException: conf/login.conf (No such file or directory)

  • RUNTIME-1819 - [SAML SSO] Decrypt of encrypted assertion fails with ClassNotFoundException: EncryptedData

  • RUNTIME-1820 - [SAML SSO] Decrypt of encrypted assertion fails with NoSuchMethodError: SingletonIterator.create

  • RUNTIME-1821 - Docker image fails to start with JMX_REMOTE_ACCESS=true

  • RUNTIME-1824 - Filter on "caller" does not work when searching for ArchivedProcessInstance

  • RUNTIME-1825 - Bad rendering in the Admin Group List page to display Parent Group column

  • RUNTIME-1829 - Application directory page sign out button no longer redirects the top window when using OIDC

  • RUNTIME-1832 - Missing call to the CryptoIntegration class

  • CVE-56 - X-Frame-Options and Content-Security-Policy header is missing on some URLs.

  • CVE-58 - Some UI screens in the administration panel have been secured against stored XSS attacks. We also introduced backend input validation to prevent XSS payloads from being stored in the database. This countermeasure is enabled by default in 2024.1.
    We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

  • CVE-59 - (CVE-2024-28087) IDOR due to the absence of dynamic authorization checking in Community edition
    We would like to thank Mohammad A’mir for reporting this medium severity issue to us.

  • CVE-62 - Regular Expression Denial of Service (ReDoS) in AngularJS (CVE-2024-21490)

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4494 - Classcast Exception in Export Bos Dialog

  • STUDIO-4498 - Error when trying to build a project migrated to 9.0.0 due to old files checked in bin folder

  • STUDIO-4505 - NPE when creating a contract from data

  • STUDIO-4507 - Cannot deploy organization when another one already exists and is active

  • UID-727 - Invalid js minification

  • CVE-50 - Removing from the packaged maven repository an old vulnerable log4j library which wasn’t executed

  • CVE-53 - Studio was vulnerable to XXE attack (CVE-2023-4218)