Feature/support for jakarta

.github/workflows/cd.yaml

@@ -44,11 +44,11 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
-      - name: Set up JDK 8
+      - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          java-version: '8'
-          distribution: 'adopt'
+          java-version: '17'
+          distribution: 'temurin'
 
       - name: Import GPG key
         run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import --passphrase "$GPG_PASSPHRASE"
@@ -61,7 +61,7 @@ jobs:
         run: gpg --list-secret-keys --keyid-format LONG
 
       - name: Deploy a new version
-        run: mvn clean deploy -P build-extras,sign --settings deploy/mvnsettings.xml
+        run: mvn clean deploy -P build-extras,sign --settings deploy/mvnsettings.xml -pl perimeterx-sdk,perimeterx-sdk-jakarta -am
         env:
           GPG_KEY_NAME: ${{ vars.GPG_KEY_NAME }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.github/workflows/ci.yml

@@ -10,6 +10,19 @@ jobs:
         uses: actions/setup-java@v3
         with:
           java-version: '8'
-          distribution: 'adopt'
-      - name: Build and run unit tests
-        run: mvn test -f pom.xml
+          distribution: 'temurin'
+      - name: Build and run unit tests (SDK module only)
+        run: mvn test -f pom.xml -pl perimeterx-sdk -am
+
+  build-jakarta:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Build Jakarta module
+        run: mvn clean install -pl perimeterx-sdk-jakarta -am -DskipTests=true

.github/workflows/ci_e2e.yaml

@@ -23,11 +23,19 @@ jobs:
 
 
   CI:
-    name: "E2E tests"
+    name: E2E tests (${{ matrix.variant }})
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - variant: javax
+            dockerfile: Dockerfile
+          - variant: jakarta
+            dockerfile: Dockerfile.jakarta
     env:
       MOCK_COLLECTOR_IMAGE_TAG: 2.0.6
       SAMPLE_SITE_IMAGE_TAG: 1.0.0
-      ENFORCER_SPEC_TESTS_IMAGE_TAG: 1.23.4
+      ENFORCER_SPEC_TESTS_IMAGE_TAG: 1.23.5
 
     runs-on: ubuntu-latest
     timeout-minutes: 60
@@ -47,7 +55,7 @@ jobs:
 
       - name: Build Enforcer Docker image
         run: |
-          docker build . -t localhost:5001/java-enforcer-sample-site:$SAMPLE_SITE_IMAGE_TAG && \
+          docker build -f ${{ matrix.dockerfile }} . -t localhost:5001/java-enforcer-sample-site:$SAMPLE_SITE_IMAGE_TAG
           docker push localhost:5001/java-enforcer-sample-site:$SAMPLE_SITE_IMAGE_TAG
 
       - uses: azure/setup-helm@v4

.github/workflows/ci_verify_version.yaml

@@ -25,16 +25,19 @@ jobs:
         run: |
           echo "project=$( mvn help:evaluate -Dexpression=project.version -q -DforceStdout )" >> "$GITHUB_OUTPUT" && \
           echo "px_metadata=$( cat px_metadata.json | jq -r '.version' )" >> "$GITHUB_OUTPUT" && \
-          echo "demo_app_dependency=$( mvn help:evaluate -Dexpression=com.perimeterx.version -q -DforceStdout -f web/pom.xml)" >> "$GITHUB_OUTPUT"
+          echo "demo_app_dependency=$( mvn help:evaluate -Dexpression=com.perimeterx.version -q -DforceStdout -f web/pom.xml)" >> "$GITHUB_OUTPUT" && \
+          echo "demo_jakarta_dependency=$( mvn help:evaluate -Dexpression=com.perimeterx.version -q -DforceStdout -f web-jakarta/pom.xml)" >> "$GITHUB_OUTPUT"
 
       - name: Verify same version
         run: |
           [ $PROJECT_VERSION = $PX_METADATA_VERSION ] && \
-          [ $PROJECT_VERSION = $DEMO_APP_DEPENDENCY_VERSION ]
+          [ $PROJECT_VERSION = $DEMO_APP_DEPENDENCY_VERSION ] && \
+          [ $PROJECT_VERSION = $DEMO_JAKARTA_DEPENDENCY_VERSION ]
         env:
           PROJECT_VERSION: ${{ steps.new-version.outputs.project }}
           PX_METADATA_VERSION: ${{ steps.new-version.outputs.px_metadata }}
           DEMO_APP_DEPENDENCY_VERSION: ${{ steps.new-version.outputs.demo_app_dependency }}
+          DEMO_JAKARTA_DEPENDENCY_VERSION: ${{ steps.new-version.outputs.demo_jakarta_dependency }}
 
       - name: Verify version increment
         run: ./ci_files/verify-version-inc.sh $BASE_VERSION $NEW_VERSION

.github/workflows/fuzzer.yaml

@@ -26,7 +26,7 @@ jobs:
     name: "Fuzzing Test"
     env:
       MOCK_COLLECTOR_IMAGE_TAG: 2.0.6
-      FUZZER_TAG: 1.1.0
+      FUZZER_TAG: 1.1.1
       SAMPLE_SITE_IMAGE_TAG: 1.0.0
       ENFORCER_TAG: ${{ needs.extract_version.outputs.version }}
 

.gitignore

@@ -11,4 +11,5 @@ examples/examples.iml
 .classpath
 .project
 .factorypath
-.smarttomcat
+.smarttomcat
+.tools/

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Change Log
-## [v6.16.0](https://github.com/PerimeterX/perimeterx-java-sdk/compare/6.16.0...HEAD) (2025-11-12)
+## [XX.XX.XX](https://github.com/PerimeterX/perimeterx-java-sdk/compare/xx.xx.xx...HEAD) (xxxx-xx-xx)
+- Fixed first party captcha reverse proxy to use `startsWith` instead of `contains` when matching the captcha prefix
+- Fixed first party captcha reverse proxy to correctly return `true` (handled) after rendering the default response when first party is disabled
+
+## [v6.16.0](https://github.com/PerimeterX/perimeterx-java-sdk/compare/xx.xx.xx...HEAD) (2025-11-12)
+- Fixed first party captcha reverse proxy handling
 - Added support for data enrichment header feature (`px_data_enrichment_header_name` configuration)
 - Added support for AD user identifiers feature
 - Added `px_secured_pxhd_enabled` configuration option to enable secure flag on `pxhd` cookie

Dockerfile

@@ -1,29 +1,36 @@
 FROM maven:3.8.6-openjdk-11-slim as builder
 WORKDIR /app
 
-# Building the SDK.
+# Build javax SDK only (demo app uses javax / Tomcat 9).
 COPY pom.xml .
-COPY src/main/resources src/main/resources
-RUN mvn verify clean -f pom.xml
-COPY src ./src
-RUN mvn clean install -DskipTests=true
-
-# Building the Demo app.
-COPY web/pom.xml web/pom.xml
-RUN mvn verify clean -f web/pom.xml
+COPY perimeterx-sdk/pom.xml perimeterx-sdk/pom.xml
+COPY perimeterx-sdk-jakarta/pom.xml perimeterx-sdk-jakarta/pom.xml
+COPY perimeterx-sdk/src perimeterx-sdk/src
+RUN mvn clean install -pl perimeterx-sdk -am -DskipTests=true -q
+
+# Build the demo WAR (depends on perimeterx-sdk in local repo).
 COPY web ./web
-RUN mvn clean install war:war -DskipTests=true -f web/pom.xml
+RUN mvn clean install war:war -DskipTests=true -f web/pom.xml -q
 
 FROM tomcat:9.0.68
 
-COPY --from=builder /app/web/target/web-1.0.0 /usr/local/tomcat/webapps/ROOT
+COPY --from=builder /app/web/target/ROOT /usr/local/tomcat/webapps/ROOT
+
+## Remove the template config from the classpath so Utils.getEnforcerConfig() falls back to the
+## filesystem path below, where Kubernetes mounts the real enforcer config at runtime.
+RUN rm -f /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/enforcer_config.json
 
 ## Enforcer configuration json file is located at:
 ## /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources/enforcer_config.json
 COPY web/src/main/resources/ /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources
 
+## relaxedQueryChars allows fuzz/special characters (`, {, }, |, ^, \, [, ]) in query strings
+## that Tomcat rejects by default per RFC 7230 strict mode.
+RUN sed -i 's@protocol="HTTP/1.1"@protocol="HTTP/1.1" relaxedQueryChars="`{}|^\\[]"@' \
+    /usr/local/tomcat/conf/server.xml
+
 EXPOSE 8080
 
 ENV CATALINA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
 
-CMD ["catalina.sh", "run"]
+CMD ["catalina.sh", "run"]

Dockerfile.jakarta

@@ -0,0 +1,34 @@
+FROM maven:3.9.6-eclipse-temurin-17 AS builder
+WORKDIR /app
+
+# Build Jakarta SDK + demo WAR (Tomcat 10 / Servlet 5).
+COPY pom.xml .
+COPY perimeterx-sdk/pom.xml perimeterx-sdk/pom.xml
+COPY perimeterx-sdk-jakarta/pom.xml perimeterx-sdk-jakarta/pom.xml
+COPY perimeterx-sdk/src perimeterx-sdk/src
+RUN mvn clean install -pl perimeterx-sdk-jakarta -am -DskipTests=true -q
+
+COPY web-jakarta ./web-jakarta
+RUN mvn clean install war:war -DskipTests=true -f web-jakarta/pom.xml -q
+
+FROM tomcat:10.1-jre17-temurin
+
+COPY --from=builder /app/web-jakarta/target/ROOT /usr/local/tomcat/webapps/ROOT
+
+## Remove the template config from the classpath so Utils.getEnforcerConfig() falls back to the
+## filesystem path below, where Kubernetes mounts the real enforcer config at runtime.
+RUN rm -f /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/enforcer_config.json
+
+## Enforcer configuration json file is located at:
+## /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources/enforcer_config.json
+COPY web-jakarta/src/main/resources/ /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources
+
+## Tomcat 10.1 introduced the encodedSolidusHandling connector attribute which defaults to
+## path as-is so getRequestURL() returns the literal encoded form expected by the enforcer.
+## "reject" (returning 400 for any path containing %2F).
+RUN sed -i 's|protocol="HTTP/1.1"|protocol="HTTP/1.1" encodedSolidusHandling="passthrough"|' \
+    /usr/local/tomcat/conf/server.xml
+
+EXPOSE 8080
+
+CMD ["catalina.sh", "run"]