Release notes

The required Java version is now Java 17.

We’re proud to announce Bonita 2024.1, the first major Bonita platform release of this year! This new major release improves security, search capabilities and performance.

The 2024.1 release in a nutshell

  • Java 17 update for more security, better performance and language enhancements

  • Improved security in Bonita REST APIs

  • Boosted search experience on all APIs and pages

  • Better platform performance thanks to the L2 Cache (Enterprise Edition only), extended to clustered environments.

  • Bonita Studio packaging changes

  • REST API authorizations in Community edition

  • Find out how Bonitasoft handles GDPR

New available values

Bonita Runtime

Java 17 update

We’re updating to the next long-term support (LTS) Java version: Java 17. Worldwide adoption of Java 17 has been growing since last year, including among our Bonita users. In Bonita 2024.1, we have updated the version from 11 to 17!

Following the Java 17 update, it is now required to specify the following jvm arguments when using the bonita-client library in a standalone application:

--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED

Docker image parent update

The bonita and images now inherit from the official eclipse-temurin image in its alpine flavor. As a consequence, if you need to add additional Certificate Authority in the Java TrustStore you may proceed like described here. It also applies to Self Contained Application images.

Second-Level Cache available in a Bonita clustered environment

For Subscription editions only.

Bonita 2024.1 now handles second-level caching data (also known as L2 Cache) when running Bonita within a cluster environment.

It is available by default with a preset configuration. It can be disabled by setting the property bonita.platform.persistence.use_second_level_cache=false or the environment variable BONITA_PLATFORM_PERSISTENCE_USE_SECOND_LEVEL_CACHE=false.

This L2 Cache mechanism is implemented with Hazelcast. At the same time, it replaces the Ehcache implementation that was previously used to support L2 caching data within a non-cluster environment.

For more information on how to tune the L2 Cache with Bonita, please refer to the dedicated documentation.

Bonita 2024.1 introduces a new search engine algorithm on all APIs and the Bonita pages included by default on Bonita User Application, Bonita Administrator and Super Administrator Applications. This new “like-based” search algorithm replaces the previous “word-based” search and it will allow you to rapidly find all matching records for a given search string anywhere in a phrase or a word. This is now the default search behavior for all search APIs and pages of Bonita Runtime.

The result is simple: a better understanding of your queries without any configuration changes!

For more information on how like-based search works, please refer to the dedicated documentation.

Development suite

Bonita Studio packaging changes

All Bonita Studio binaries now embed a Java runtime. The former "all-in-one" archive which was mixing both Windows and Linux environment will not be published anymore.

The Linux binaries are now published as tar.gz archives only, while Windows and MacOs platforms still uses an installer. Consult Bonita Studio installation article for more information.

Bonita UI Designer

Functional changes

Oracle case-insensitiveness

The Oracle search is now case-insensitive.

REST API authorizations in Community edition

In order to improve security of Bonita Runtime REST API, the dynamic authorization mechanism has been extended to Bonita Runtime community edition but it is limited to the set of provided rules and default configuration for Bonita REST API resources and cannot be extended. Customizing an extensibility (new PermissionRules definition) remains available in the subscription editions only. Dynamic authorizations are active by default, and although it is not advised, it can still be deactivated to avoid 403 errors using a property (see dedicated doc page).

Feature deprecations and removals

The optional "word-based" and default "start-with" search algorithms cannot be used anymore as they have been replaced by a "like-based" search algorithm that is used in all search APIs and pages of Bonita Runtime.

API Removals

All editions

Class#Method Comment

org-com.bonitasoft.engine.api.PermissionAPI#checkAPICallWithScript(String className, APICallContext apiCallContext, boolean reload)

It was deprecated since Bonita 2022.1. Use org-com.bonitasoft.engine.api.PermissionAPI#isAllowed instead to execute both static and dynamic permissions check.

Configuration changes

Word-based search

Since "Word-based" search can no longer be used, its configuration has been removed.
The properties bonita.platform.persistence.platform.enableWordSearch and bonita.platform.persistence.tenant.enableWordSearch are removed from the configuration file platform_engine/ when using the update tool, and they no longer have any effect.
If you used them to configure Bonita Runtime for "word-based" search and specified some objects to exclude using the bean wordSearchExclusionMappings in platform_engine/bonita-platform-custom.xml, you should remove this bean after updating since it is no longer used. The new "like-based" search is active on all objects that have API search methods.

REST API authorizations

The property allowing to enable/disable dynamic authorization checks has been moved from the configuration file to the file in the tenant folder when using the setup tool. When updating Bonita in Subscription editions, if the property was used, Bonita update tool will keep its value. When the property is set using a system property or an environment variable, it will continue to override the value of the configuration file.

Bug fixes

Fixes in Bonita 2024.1 (2024-04-11)

Fixes in Bonita Runtime (including Bonita Applications)

  • RUNTIME-407 - Open Cases Administrator call API/bpm/case performance slowness since 2021.1-0617

  • RUNTIME-1398 - Prevent login via GET request by default

  • RUNTIME-1725 - graphical issue with admin living app

  • RUNTIME-1790 - When server is unavailable due to maintenance, or any error page is displayed, language cookie is systematically set to french

  • RUNTIME-1797 - STenantNotFoundException: tenant 1 is not found after using MT2MR and update

  • RUNTIME-1802 - Search fields don’t work when search term contain special characters

  • RUNTIME-1808 - Local project build fails due to old files checked in in bin folder

  • RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

  • RUNTIME-1813 - [OIDC SSO] Session sharing does not support opaque access tokens

  • RUNTIME-1815 - Cannot update application information after updated logo file of the application

  • RUNTIME-1816 - New sanitize filter makes payloads with "null" attribute values fail

  • RUNTIME-1817 - Compilation Errors when non 7 bit US ascii chars are used in the description of a Business Object in the BDM

  • RUNTIME-1818 - [Kerberos SSO] - IOException: conf/login.conf (No such file or directory)

  • RUNTIME-1819 - [SAML SSO] Decrypt of encrypted assertion fails with ClassNotFoundException: EncryptedData

  • RUNTIME-1820 - [SAML SSO] Decrypt of encrypted assertion fails with NoSuchMethodError: SingletonIterator.create

  • RUNTIME-1821 - Docker image fails to start with JMX_REMOTE_ACCESS=true

  • RUNTIME-1824 - Filter on "caller" does not work when searching for ArchivedProcessInstance

  • RUNTIME-1825 - Bad rendering in the Admin Group List page to display Parent Group column

  • RUNTIME-1829 - Application directory page sign out button no longer redirects the top window when using OIDC

  • RUNTIME-1832 - Missing call to the CryptoIntegration class

  • CVE-58 - Some UI screens in administration panel have been secured against stored XSS attacks. We also introduced a backend input validation to prevent storing XSS attacks in the database. This countermeasure is enabled by default in 2024.1.
    We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

Fixes in Bonita Studio (including Bonita UI Designer)

  • STUDIO-4494 - Classcast Exception in Export Bos Dialog

  • STUDIO-4498 - Error when trying to build a project migrated to 9.0.0 due to old files checked in bin folder

  • STUDIO-4505 - NPE when creating a contract from data

  • STUDIO-4507 - Cannot deploy organization when another one already exists and is active

  • UID-727 - Invalid js minification