OpenConext · tbeekman · Aug 5, 2025 · Jul 8, 2025 · Aug 5, 2025
diff --git a/oc-sso-notificatie/pom.xml b/oc-sso-notificatie/pom.xml
@@ -59,6 +59,12 @@
             <artifactId>jackson-databind</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>net.logstash.logback</groupId>
             <artifactId>logstash-logback-encoder</artifactId>
@@ -74,7 +80,7 @@
         <dependency>
             <groupId>co.elastic.logging</groupId>
             <artifactId>logback-ecs-encoder</artifactId>
-            <version>${ecs-logging-java.version}</version>
+            <version>${logback-ecs-encoder.version}</version>
         </dependency>
 
     </dependencies>

diff --git a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java
@@ -38,6 +38,9 @@ public class WebSecurityConfig {
     @Value("${management.security.roles:#{null}}")
     private String managementSecurityRoles;
 
+    @Value("${security.headers.enabled}")
+    private Boolean securityHeadersEnabled;
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         // This application only contains public pages. The Spring Boot Actuator Endpoints can be protected by the
@@ -48,15 +51,16 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     .anyRequest().permitAll()
             ).httpBasic(Customizer.withDefaults());
         } else {
-            http.authorizeHttpRequests(authz -> authz
-                    .anyRequest().permitAll());
+            http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
         }
 
         // We have to disable the X-Frame-Options since this SSO Notification service can be invoked within an iframe.
         // Disable all security headers so this service can be invoked within 3rd-party applications.
-        http.headers(headers -> headers
-                .frameOptions(Customizer.withDefaults())
-                .disable());
+        if (!securityHeadersEnabled) {
+            http.headers(headers -> headers
+                    .frameOptions(Customizer.withDefaults())
+                    .disable());
+        }
 
         return http.build();
     }

diff --git a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java
@@ -22,7 +22,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import net.logstash.logback.encoder.org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import nl.kennisnet.services.web.model.CookieValueDTO;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

diff --git a/oc-sso-notificatie/src/test/resources/application.properties b/oc-sso-notificatie/src/test/resources/application.properties
@@ -14,6 +14,9 @@
 # limitations under the License.
 #
 
+# Security headers - set to false to drop security headers and enhance interoperability between domains
+security.headers.enabled=false
+
 # API settings
 # Url of the API which returns the SSO notification information by id.
 api.endpoint.url=http://localhost:3000/api/sso-notification

diff --git a/pom.xml b/pom.xml
@@ -38,25 +38,25 @@
 
     <inceptionYear>2021</inceptionYear>
 
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>3.5.4</version>
+    </parent>
+
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <java.version>17</java.version>
         <doxia-module-markdown.version>1.5</doxia-module-markdown.version>
         <jacoco.version>0.8.10</jacoco.version>
-        <dependency-check-maven.version>12.1.1</dependency-check-maven.version>
-        <ecs-logging-java.version>1.6.0</ecs-logging-java.version>
-        <logback.encoder.version>5.3</logback.encoder.version>
+        <dependency-check-maven.version>12.1.3</dependency-check-maven.version>
+        <logback-ecs-encoder.version>1.7.0</logback-ecs-encoder.version>
+        <logback.encoder.version>7.4</logback.encoder.version>
         <maven-project-info-reports-plugin.version>2.8</maven-project-info-reports-plugin.version>
         <maven-release-plugin.version>2.5.3</maven-release-plugin.version>
         <maven-site-plugin.version>3.8.2</maven-site-plugin.version>
     </properties>
 
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.7</version>
-    </parent>
-
     <build>
         <plugins>
             <plugin>

diff --git a/release/pom.xml b/release/pom.xml
@@ -31,7 +31,7 @@
     <properties>
         <!-- A list of all the previous versions in reverse order, separated by a comma separator -->
         <!-- The current version is automatically added in the release-notes-all overview. -->
-        <versions>2.3.5,2.3.4,2.3.3,2.3.2,2.3.1,2.3.0,2.2.1,2.2.0,2.1.1,2.1.0,2.0.6,2.0.5,2.0.4,2.0.3,2.0.2,2.0.1,1.0.0</versions>
+        <versions>2.3.6,2.3.5,2.3.4,2.3.3,2.3.2,2.3.1,2.3.0,2.2.1,2.2.0,2.1.1,2.1.0,2.0.6,2.0.5,2.0.4,2.0.3,2.0.2,2.0.1,1.0.0</versions>
     </properties>
 
     <dependencies>

diff --git a/release/src/main/resources/sample/config/application.properties b/release/src/main/resources/sample/config/application.properties
@@ -17,6 +17,9 @@
 # The port Tomcat will listen to
 server.port=8083
 
+# Security headers - set to false to drop security headers and enhance interoperability between domains
+security.headers.enabled=false
+
 # API settings
 # Url of the API which returns the SSO notification information by id.
 api.endpoint.url=

diff --git a/release/src/site/markdown/docs/2.3.6/release-notes.md b/release/src/site/markdown/docs/2.3.6/release-notes.md
@@ -0,0 +1,30 @@
+# OC SSO Notification Service - Release Notes
+
+| Field                     | Value                       |
+|:--------------------------|:----------------------------|
+| Application               | OC SSO Notification Service |
+| Version                   | 2.3.6                       |
+| Changes since version     | 2.3.5                       |
+| Release date              | 05-08-2025 (dd-mm-yyyy)     |
+| Delivery type             | Full release                |
+
+## Changes
+
+| #        | Description                             |
+|:---------|:----------------------------------------|
+| ENT-5230 | Build release OC SSO Notification 2.3.6 |
+
+
+## Configuration changes
+
+An additional parameter is added to control the setting of security headers.
+
+    # Security headers - set to false to drop security headers and enhance interoperability between domains
+    security.headers.enabled=false
+
+If set to true, the headers will be set and security will be enhanced. This may affect the interoperability of the 
+application between domains.
+
+## Known vulnerabilities
+
+At the time of release, this version of the application had no known vulnerabilities with a CVE of 7 or higher.