7.0.3: Secure XML parsing

Small maintenance release to upgrade dependency to signature-api-specification-jaxb, which features a securely configured XML parser denying DOCTYPE declarations. This is not a critical update, since XML-parsing is only done on responses from the Posten signering API.

What's Changed

• Upgrade signature-api-specification by @runeflobakk in #320

Full Changelog: 7.0.2...7.0.3

7.0.2

What's Changed

• Readme fixup by @runeflobakk in #312
• Less drama, more information by @runeflobakk in #313

Full Changelog: 7.0.1...7.0.2

See also release notes for v7.

Jakarta Compatibility

This release makes the library compatible with the Jakarta EE v9 and later APIs. This means the library is compatible with Spring Boot 3, but compatibility with earlier versions are retained, as the library is not tied to any particular Java/Jakarta EE API level (javax vs. jakarta).

Under the hood, Spring OXM has been removed and replaced with direct use of the underlying jaxb-api for JAXB marshalling, thus eliminating all Spring dependencies. And the use of Jersey Client has been replaced with Apache Http Client v5.2. Under normal circumstances you do not need to pay any attention to this, as this is encapsulated as internal to the library.

Changes: Configuration API

The Configuration.Builder API is slightly changed, though the other parts of the API remain unchanged. Please refer to Create client configuration (choose the "Java" tab) in the documentation if you need help with migrating from v6 to v7. The changes can be summarized as:

• "serviceUri" and "trustStore" has been combined and replaced with ServiceEnvironment. Instead of separately specifying the former two, instead specify either ServiceEnvironment.STAGING or ServiceEnvironment.PRODUCTION depending on which API you intend to use.
• the concept "global sender" has been renamed to defaultSender.

@implNote javax.xml.bind

The observant developer will notice that we have actually not upgraded the internal JAXB stack to Jakarta JAXB, but still depend on the older JAXB v2 (javax.xml.bind). This is done to preserve compatibility with users who have not migrated to newer Jakarta libraries/frameworks (e.g. Spring Boot 3), and care has been taken, with help of jaxb-resolver-com.sun.xml.bind, to depend on JAXB v2 artifacts which may exist alongside any Jakarta EE artifacts (also Jakarta JAXB) without interfering. This also enables us to keep the library compatible with Java 8 (although we strongly advise to upgrade your Javas ☕️).

Posten signering uses already uses this library with Spring Boot v3, with no additional tweaking besides depending on the library.

Bugfix: TrustStore load crash on Windows

See #248

Support SEID2 server certificate

The library now supports the SEID2 profile when validating the Posten signering server certificate when establishing secure TLS connection.

Posten signering has not yet migrated to a new SEID2 enterprise certificate, but this will eventually happen, and clients must include the new SEID2 trust hierarchy and be able to extract the organization number which is embedded differently in SEID2 certificates. The library now uses the implementation from the Digipost certificate-validator to extract the organization number.

Preliminary support for multiple documents in Direct and Portal flow

Merge pull request #190 from digipost/multiple-documents-direct-job

Support multiple documents for direct jobs

Bugfix: sending jobs without specifying a globalSender

Fix for #169

Also see https://github.com/digipost/signature-api-client-java/releases/tag/5.0 for what is new in version 5.0.

Bugfix: sending jobs without specifying a globalSender

Fix for #169

Preliminary support for multiple documents

Merge branch '5.0-final' into multiple-documents

* 5.0-final:
  Upgrade to java-8-matchers 1.9
  Upgrade dependencies
  Configure japicmp to support LOCAL-SNAPSHOT in pom

Retryable DirectJob signing, API brushups, archive

The 5.0 client introduces a way to request new URLs for redirecting users for signing direct jobs. In addition, there are various brush-ups on the API. Lastly, a new client is introduced for the archive of Posten signering. At this point, this service is only relevant for certain clients.