github bastillion-io/Bastillion v5.0.0
5.0.0

3 hours ago

Highlights

  • Licensing model — Bastillion now runs unlicensed at up to 5 registered systems.
    Paid tiers (Starter/Team/Business) raise the cap; a .lic file is supplied via the
    LICENSE_KEY env var or licenseKey in BastillionConfig.properties. New
    LicenseUtil validates the license, enforces the system cap, and surfaces
    licensee/expiry info (with a 90-day pre-expiry warning) under Settings.
  • Self-contained jar — the app now runs as java -jar with an embedded Jetty
    server and HTTPS out of the box (new io.bastillion.Main), instead of requiring a
    separate servlet container distribution.
  • Upgraded to Java 21 and Jakarta EE 11, with dependency updates across the board.
  • Full Ed25519 (default) and Ed448 SSH key support.
  • v4 → v5 migration tool (tools/migrate) — a standalone export/import utility
    that moves users, systems, profiles, scripts, public keys, audit logs, and the
    Bastillion application SSH key/identity from a v4 H2 database into a fresh v5
    instance, re-encrypting secrets under the new instance's keystore. See
    tools/migrate/README.md for the full procedure.

Security

  • New SecurityHeadersFilter adds hardened response headers app-wide.
  • New CSRFFilter (part of the bundled MVC framework) protects state-changing
    requests.
  • Session cookies now set secure in addition to the existing http-only.
  • EncryptionUtil and KeyStoreUtil were reworked; AuthDB/password verification
    now supports the newer PBKDF2 hash format alongside the legacy single-round
    SHA-256 formats (including v4's own concatenation scheme), so users can migrate
    and log in with existing passwords unchanged.

Internal / build

  • The previously external io.bastillion:lmvc framework dependency is now merged
    directly into the codebase as loophole.mvc, so the whole app builds from one
    pom.xml.
  • Added unit test coverage: AppConfigTest, EncryptionUtilTest, LicenseUtilTest,
    and new tests for the loophole.mvc framework (dispatcher, base controller, CSRF
    and security filters).
  • CI (.github/workflows/github-build.yml) now runs the build/test on every push
    and pull request, in addition to the existing hourly schedule — previously it
    only ran on cron, so commits weren't verified until the next scheduled run.
  • README overhauled with an updated feature walkthrough, licensing section, and
    screenshots.

Upgrading from v4

Use tools/migrate to bring your data forward — see tools/migrate/README.md.
Password hashes migrate as-is; existing users can log in immediately without a
reset.

Don't miss a new Bastillion release

NewReleases is sending notifications on new releases.