• A significant reduction of software security vulnerabilities in third party libraries used. This is both due to higher software versions are much easier to patch, but also due to more robust and proactive approach by incorporating mandatory vulnerability (OWASP) checks when building and testing the software. The software build process will now explicitly catch and warn about presence of critical and high severity vulnerabilities acc. to CVSSv3 scoring. Together this contributes to an overall more secure and resilient system, shielding against potential threats and enhancing the reliability of the codebase.
• New PAS features and enhancements will from now on be built on top of the 5.0 branch. By upgrading to 5.0, you are proactively ensuring the preparedness of your environment to receive upcoming features and enhancements. These upcoming features are designed not only to augment the overall security measures but also to enhance the user experience and functionality. Simultaneously, the 4.7 branch is transitioning into a maintenance phase. This strategic move ensures new features are built on a more modern platform, whereas the 4.7 branch remains stable and secure with continued application of updates, with a primary focus on security fixes and selected defect resolutions.
• Inclusion of additional modules and valves in the product. Prior the 5.0 release, some specific modules and valves were treated as standalone entities necessitating separate installation procedures. By consolidating these components into the core product, you benefit from a more cohesive and streamlined life cycle management process, guaranteeing the availability of the latest and most secure versions - thereby fortifying the overall integrity and security of the system. See more below

(from 4.7 and earlier versions)

• Java-based extensions customized for specific customers may not function as expected by default after the update, requiring adjustments to align with the new Java version:
  • This applies particularly to Java classes directly integrated with the PAS product
  • Extensions that interact with PAS through published and standardized APIs, like REST APIs, remain unaffected by this update
• Customizations or additions should now be placed in the new modsoverlay directory, similar to how it was done in the mods directory before the 5.0 release. More info here and here and here
• For MSSQL database, a small fix of database schema is necessary. More info here
• (MySQL internal testing/QA is still pending)

Below is a list of specific updates included in PAS 5.0.

Valves now included in Product lifecycle:

• BolagsverketRollLookupValve
• BolagsverketEngagemangLookupValve
• BolagsverketPropertySetOrganizationStructureValve
• GetHsaPersonValve
• GetMiuForPersonValve
• MiuMergeDataFromItemsToSessionPropertyValve
• NavetLookupValve
• SPARLookupValve
• FrejaeIDAuthenticateValve

Valves deprecated, no longer included in Product as of 5.0:

• FrejaeIDAuthenticateValve
• FrejaeIDStatusAuthenticateValve

Defect fixes and minor enhancements requested by customers, delivered in 5.0 release:

PHX-3210 Implement support for http/2

PHX-3062 Rate limit policy for SMTP

PHX-3053 Add support for TLS 1.3

PHX-3163 (defect) NavetLookupValve needs to have it's default value updated, as V2 is deprecated and no longer usable.

PHX-3069 (defect) Waffles/JNA/Sspi/Windows SSO: Old dependencies, relying on VC 2010++ (not shipped with JRE anymore)

PHX-3059 (defect) SessionLockToSourceIP (prevent cookie hijacking)

PHX-3031 (defect) /config authentication is reachable on all http connection ports

PHX-3015 (defect) SPARLookupValve is not working anymore. SPAR has changed their schema

PAS 5.0 is mainly a technical upgrade aiming to up the versions av Java (from 8 to 11) as well as the asynchronous / event-driven framework Vert.x. from version 2 to 4. Main advantage is to run versions of software (incl. third party dependencies) that are still supported, are actively maintained in communities and where security vulnerabilities can be addressed more swiftly.

This strategic upgrade of the core architecture also equips the system with the flexibility to seamlessly integrate with emerging technologies and evolving industry standards, thereby safeguarding its relevance and efficacy in the face of future developments. This ensures that the PAS product remains a robust and forward-looking solution for the long term.

For customers and partners running standard “vanilla” PAS without any unique extensions or customizations, the upgrade is straightforward. If customer-specific extensions or customizations have been made - by customer, implementation partner, or by PhenixID as one-off consulting assignment - the upgrade may introduce breaking changes (with respect to these extensions), that will need to be managed. It will in most cases be straightforward to fix the breaking points, once identified. For example, by changing Java import declarations in the extensions.

If in doubt regarding what extensions or customizations are made, or how they might be impacted by the upgrade, contact PhenixID for advice regarding course of action.