iromli (Contributor) commented Feb 3, 2026

Prepare


Description

Target issue

closes #13165

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Bug Fixes
    • Disabled legacy and weak cryptographic algorithms in Java configuration.
  • Chores
    • Updated Docker build configuration for plugin management.
    • Enhanced file permissions and security directory structure.
    • Added conditional Java security property configuration for plugin compatibility.

Signed-off-by: iromli <isman.firmansyah@gmail.com>
iromli self-assigned this Feb 3, 2026

coderabbitai bot (Contributor) commented Feb 3, 2026

Walkthrough

The changes exclude the shibboleth plugin from config-api installations, introduce a new security configuration directory structure, and add a Java security properties file that disables legacy and weak TLS/cryptographic algorithms. The admin-ui plugin conditionally triggers application of this configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Shibboleth Plugin Exclusion: docker-jans-config-api/Dockerfile, docker-jans-config-api/scripts/plugins.py | Removes shibboleth plugin from the downloaded plugins loop and marks it as excluded with a comment annotation. |
| Java Security Configuration: docker-jans-config-api/templates/jans-config-api/java.security, docker-jans-config-api/scripts/entrypoint.sh | Adds a new Java security properties file disabling weak TLS versions (SSLv3, TLSv1, TLSv1.1) and cryptographic algorithms. Entrypoint script conditionally applies this configuration when the admin-ui plugin is present. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main feature change: enabling TLSv1.3 in the java.security file, which aligns with the primary objective of the PR. |
| Description check | ✅ Passed | The PR description follows the template structure with required sections completed. Target issue #13165 is linked, static code analysis confirmed, and documentation impact confirmed as none. |
| Linked Issues check | ✅ Passed | The PR addresses the objective from #13165 by adding TLSv1.3 support through new java.security file with disabled weak algorithms and conditional Java options when admin-ui plugin is present. |
| Out of Scope Changes check | ✅ Passed | Changes to Dockerfile, entrypoint.sh, plugins.py, and java.security template are all directly related to enabling TLSv1.3 support and configuring Java security. No extraneous changes detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Comment @coderabbitai help to get the list of available commands and usage tips.
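
A check for the kind of override the walkthrough above describes, as an added example that is not part of this PR or the project's own code: it parses a java.security-style file and reports weak TLS versions missing from `jdk.tls.disabledAlgorithms`. The sample file content and the `MUST_ALLOW` set are assumptions constructed for illustration; a file that omits the property is reported as leaving all weak versions enabled, although the JDK's own defaults may still apply in that case.

```python
"""Audit a java.security override for weak TLS protocol settings (added example)."""

# Constructed sample, not the file from this PR. It deliberately omits TLSv1.1.
SAMPLE = """\
# constructed sample override
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, \\
    MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

MUST_DISABLE = {"SSLv3", "TLSv1", "TLSv1.1"}  # weak versions named in the walkthrough
MUST_ALLOW = {"TLSv1.2", "TLSv1.3"}           # assumption: modern versions stay usable


def parse_properties(text):
    """Parse Java properties syntax ('=' separator only): comments and
    backslash line continuations, which java.security files rely on."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending += line[:-1]          # join with the next physical line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def audit_tls(text):
    """Return (weak protocols still enabled, modern protocols wrongly disabled)."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    # The first token of each entry is the name ("DH keySize < 1024" -> "DH").
    # Names are compared exactly, which is the strict reading for an audit.
    names = {entry.split()[0] for entry in value.split(",") if entry.strip()}
    return MUST_DISABLE - names, MUST_ALLOW & names


if __name__ == "__main__":
    weak, blocked = audit_tls(SAMPLE)
    print("weak protocols still enabled:", sorted(weak))
    print("modern protocols disabled:", sorted(blocked))
```
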

mo-auto (Member) commented Feb 3, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


mo-auto added the comp-docker-jans-config-api, comp-jans-config-api and kind-feature labels Feb 3, 2026

iromli marked this pull request as ready for review February 3, 2026 17:54

iromli requested a review from moabu as a code owner February 3, 2026 17:54

Labels

  • comp-docker-jans-config-api
  • comp-jans-config-api (Component affected by issue or PR)
  • kind-feature (Issue or PR is a new feature request)

Development

Successfully merging this pull request may close these issues.

feat(cloud-native): enable TLSv1.3 in java.security file

3 participants