Add WebAuthn4J 0.29.0.wso2v1 #1318

Open
madurangasiriwardena wants to merge 1 commit into wso2:master from madurangasiriwardena:passkey

Conversation

@madurangasiriwardena (Member) commented Feb 20, 2026

Summary by CodeRabbit

  • Chores
    • Added WebAuthn4J v0.29.0.wso2v1 bundle with core authentication, metadata, and serialization dependencies configured.

@coderabbitai bot commented Feb 20, 2026

Walkthrough

This change adds a new Maven POM file for building a WebAuthn4J orbit bundle with OSGi support, defining project coordinates, dependencies (webauthn4j-core, webauthn4j-metadata, Jackson libraries), and maven-bundle-plugin configuration for package exports.

Changes

Cohort / File(s) | Summary
WebAuthn4J OSGi Bundle Configuration: webauthn4j/0.29.0.wso2v1/pom.xml | New Maven POM file defining OSGi bundle build configuration with dependencies, distribution management, and maven-bundle-plugin setup for exporting webauthn4j and Jackson packages.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A bundle so neat, with packages wrapped tight,
OSGi exports shining, everything right!
WebAuthn4J's journey, from core to the clouds,
Maven builds proudly, wearing its shrouds! 📦✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The pull request description is empty and does not follow the required template structure. Critical sections like Purpose, Goals, Approach, Release notes, and others are entirely missing. | Add a complete pull request description following the repository template, at minimum including Purpose, Goals, Approach, and Release notes sections to provide context for reviewers.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title 'Add WebAuthn4J 0.29.0.wso2v1' clearly and directly describes the main change: adding a new Maven POM file for WebAuthn4J orbit bundle with the specified version.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@webauthn4j/0.29.0.wso2v1/pom.xml`:
- Around line 28-52: The POM dependencies (artifactId values webauthn4j-core,
webauthn4j-metadata, jackson-databind, jackson-dataformat-cbor, jackson-core)
must be marked optional to prevent transitive leakage into consumers; for each
<dependency> block that references those artifactIds add an
<optional>true</optional> element directly under the dependency so the orbit
bundle does not expose raw upstream JARs to downstream classpaths.
- Around line 80-85: The pom currently exports Jackson packages (Export-Package
entries like com.fasterxml.jackson.databind.*, com.fasterxml.jackson.core.*,
com.fasterxml.jackson.dataformat.cbor.*) which should instead be imported and
embedded; change the OSGi headers so Jackson packages are listed under
Import-Package (not Export-Package), add com.fasterxml.jackson.annotation.* to
the Import-Package list, and add an <Embed-Dependency> section to the pom to
bundle the Jackson artifacts (jackson-databind, jackson-core,
jackson-annotations, jackson-dataformat-cbor) following the pattern used by
yubico-webauthn/swagger-parser; update/remove the Export-Package Jackson entries
so only the bundle’s own packages (e.g. com.webauthn4j.*) remain exported.

Comment on lines +28 to +52
<dependency>
<groupId>com.webauthn4j</groupId>
<artifactId>webauthn4j-core</artifactId>
<version>${webauthn4j.version}</version>
</dependency>
<dependency>
<groupId>com.webauthn4j</groupId>
<artifactId>webauthn4j-metadata</artifactId>
<version>${webauthn4j.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-cbor</artifactId>
<version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>${jackson.version}</version>
</dependency>
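Review bot: jackson-annotations is missing from this dependency list even though jackson-databind and jackson-core are declared and the bundle's Export-Package instruction further down exports com.fasterxml.jackson.databind.*, whose public types reference com.fasterxml.jackson.annotation. Declare jackson-annotations next to the other Jackson artifacts (with the same ${jackson.version}) or make sure the package is supplied through Import-Package; left unlisted it can only be satisfied at runtime by whatever bundle happens to be present in the container.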

⚠️ Potential issue | 🟠 Major

All dependencies must be marked <optional>true</optional>

Without <optional>, every consumer of this orbit bundle will transitively receive the five upstream JARs alongside the bundle itself. In an OSGi runtime this produces duplicate packages from two different classloaders (the orbit bundle exporting the packages and the raw JARs on the classpath), causing split-package or wiring-ambiguity failures.

🛠️ Proposed fix – mark all dependencies optional
     <dependencies>
         <dependency>
             <groupId>com.webauthn4j</groupId>
             <artifactId>webauthn4j-core</artifactId>
             <version>${webauthn4j.version}</version>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>com.webauthn4j</groupId>
             <artifactId>webauthn4j-metadata</artifactId>
             <version>${webauthn4j.version}</version>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
             <version>${jackson.version}</version>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-cbor</artifactId>
             <version>${jackson.version}</version>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
             <version>${jackson.version}</version>
+            <optional>true</optional>
         </dependency>
     </dependencies>

Based on learnings: orbit bundles where dependencies are not marked optional cause transitive dependency leakage, which is the established WSO2 orbit pattern concern.


Comment on lines +80 to +85
<Export-Package>
com.webauthn4j.*;version="${project.version}",
com.fasterxml.jackson.databind.*;version="${jackson.version}",
com.fasterxml.jackson.core.*;version="${jackson.version}",
com.fasterxml.jackson.dataformat.cbor.*;version="${jackson.version}"
</Export-Package>
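Review bot: exporting the three Jackson package trees at version="${jackson.version}" turns this webauthn4j bundle into a Jackson provider for the whole container, so every consumer the OSGi resolver wires to these exports is pinned to the Jackson copy packaged here; a security fix in jackson-databind then means rebuilding and re-releasing this bundle instead of upgrading the Jackson bundle, and a second provider of com.fasterxml.jackson.databind in the runtime makes the wiring ambiguous. Keep Export-Package to com.webauthn4j.*;version="${project.version}" and list the Jackson packages under Import-Package with a version range instead.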

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Scripts executed against repository wso2/orbit (length of output in parentheses):

1. find . -path "*/webauthn4j/0.29.0.wso2v1/pom.xml" -type f (88)

2. # List Jackson-related directories to see what Jackson bundles exist
   fd -i "jackson" --max-depth 2 --type d | head -20 (232)

3. # Search for existing Jackson orbit bundles in the repo
   rg "org.wso2.orbit.*jackson" --type xml | head -20 (2224)

4. cat -n ./webauthn4j/0.29.0.wso2v1/pom.xml (5007)

5. # Find Jackson orbit bundles that match the Jackson version being used
   # First, let's check what version of Jackson is in webauthn4j pom
   rg "jackson.version|jackson-databind|jackson-core" ./webauthn4j/0.29.0.wso2v1/pom.xml (632)

6. # Check if there's a Jackson 2.18 orbit bundle
   fd -type d "jackson.*2.18" | head -20 (224)

7. # Check all Jackson orbit bundle versions available
   find ./jackson-* -maxdepth 1 -type d -name "*2.*" | sort (1200)

8. # Check what version of Jackson is imported in related WSO2 products
   rg "jackson.version" --type xml | grep -v "orbit.*pom.xml" | head -20 (2931)

9. # Check the exact dependency configurations in webauthn4j pom
   cat -n ./webauthn4j/0.29.0.wso2v1/pom.xml | sed -n '27,53p' (1299)

10. # Check if any of the jackson versions 2.18 exist in orbit
    find ./jackson-* -type d | grep "2.18" (36)

11. # Let's look at a similar bundle (yubico-webauthn) to see how they handle Jackson
    cat ./yubico-webauthn/2.4.0.wso2v1/pom.xml | grep -A 50 "Export-Package\|Import-Package" | head -60 (2745)

12. # Let's check if jackson-annotations is a transitive dependency of jackson-databind
    cat ./jackson-databind/2.14.1.wso2v1/pom.xml | grep -A 20 "<dependencies>" | head -30 (837)

13. # Check if there are any references to Jackson 2.18 orbit bundles in products or elsewhere
    rg "jackson.*2.18" --type xml (223)

14. # Verify what the maven-bundle-plugin does when Embed-Dependency is missing
    # Check if there are any bundles without Embed-Dependency but with Jackson exports
    rg -A 3 "Embed-Dependency" ./webauthn4j/ ./jackson-*/ 2>/dev/null | head -30 (36)

15. # Verify if jackson-annotations is a transitive dep of jackson-databind at 2.18 by checking closest available version
    cat ./jackson-databind/2.14.1.wso2v1/pom.xml | grep -A 30 "<dependencies>" (1140)

16. # Check what swagger-parser does with Jackson 2.18.3
    cat ./swagger-parser/2.1.25.wso2v1/pom.xml | grep -A 50 "<Export-Package\|<Import-Package" (3994)



Move Jackson to Import-Package; don't export packages that should be embedded or re-exported from other bundles

Jackson packages should be imported, not exported from this bundle. Exporting them creates unnecessary coupling and diverges from the established pattern in other WSO2 orbit bundles like yubico-webauthn and swagger-parser, both of which import Jackson and use <Embed-Dependency> to manage their bundled classes.

Additionally, com.fasterxml.jackson.annotation.* (a direct dependency of jackson-databind classes) is currently missing from both Export-Package and Import-Package, leaving it to fall through to DynamicImport-Package: *.

The Jackson dependencies should be configured to import rather than export, and <Embed-Dependency> should be added to control what gets packed into the bundle. Consider the pattern used by similar bundles:

🛠️ Suggested approach – import Jackson instead of exporting it
             <Export-Package>
                 com.webauthn4j.*;version="${project.version}"
             </Export-Package>
             <Private-Package>
             </Private-Package>
             <Import-Package>
+                com.fasterxml.jackson.databind.*;version="[2.18,3)",
+                com.fasterxml.jackson.annotation.*;version="[2.18,3)",
+                com.fasterxml.jackson.core.*;version="[2.18,3)",
+                com.fasterxml.jackson.dataformat.cbor.*;version="[2.18,3)",
+                org.slf4j.*;version="[1.7,3)",
             </Import-Package>
+            <Embed-Dependency>*;scope=compile|runtime;inline=false;</Embed-Dependency>
+            <Embed-Transitive>true</Embed-Transitive>
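The two review comments above (dependencies not marked optional, and Jackson exported rather than imported) are checks that can be run mechanically before a bundle POM is merged. The script below is an added example for this page and is not code from wso2/orbit or from CodeRabbit: it parses a Maven POM, and reports every dependency that lacks `<optional>true</optional>`, every Export-Package clause outside the bundle's own namespace (assumed here to be `com.webauthn4j`), every Import-Package clause without a version range, and the case where jackson-databind is referenced but `com.fasterxml.jackson.annotation` is listed nowhere. The embedded `SAMPLE_POM` is constructed to have the same shape as the PR's file with both problems present; its coordinates are illustrative and are not the PR's.

```python
"""Lint an orbit-style bundle pom.xml for the packaging mistakes raised in this
review: upstream dependencies not marked <optional>, third-party packages under
Export-Package, and Import-Package clauses without a version range.
Added example, not code from wso2/orbit or from CodeRabbit."""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample, not the PR's file: a trimmed POM with the same shape as the
# one under review and both problems present (one dependency left non-optional,
# Jackson exported, one import without a range).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>webauthn4j</artifactId>
  <packaging>bundle</packaging>
  <dependencies>
    <dependency>
      <groupId>com.webauthn4j</groupId>
      <artifactId>webauthn4j-core</artifactId>
      <version>${webauthn4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
  <build><plugins><plugin>
    <artifactId>maven-bundle-plugin</artifactId>
    <configuration><instructions>
      <Export-Package>
        com.webauthn4j.*;version="${project.version}",
        com.fasterxml.jackson.databind.*;version="${jackson.version}"
      </Export-Package>
      <Import-Package>
        com.fasterxml.jackson.core.*,
        org.slf4j.*;version="[1.7,3)"
      </Import-Package>
      <DynamicImport-Package>*</DynamicImport-Package>
    </instructions></configuration>
  </plugin></plugins></build>
</project>"""

# Commas separate header clauses, but a comma inside a quoted range such as
# "[2.18,3)" must not split; the lookahead requires an even number of quotes ahead.
_CLAUSE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def _text(elem, path):
    node = elem.find(path, NS) if elem is not None else None
    return (node.text or "").strip() if node is not None else ""


def split_header(value):
    """Return the clauses of an OSGi header instruction, whitespace stripped."""
    return [c.strip() for c in _CLAUSE_SPLIT.split(value) if c.strip()]


def lint_pom(pom_xml, own_prefixes=("com.webauthn4j",)):
    """Return the list of findings; an empty list means the POM passes."""
    root = ET.fromstring(pom_xml)
    findings = []

    # 1. Every upstream dependency must be optional, or consumers of the bundle
    #    pull the raw JARs onto their classpath next to the bundle itself.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if _text(dep, "m:optional").lower() != "true":
            findings.append(f"dependency {_text(dep, 'm:artifactId')} is not <optional>true</optional>")

    instr = root.find(".//m:instructions", NS)
    exports = split_header(_text(instr, "m:Export-Package"))
    imports = split_header(_text(instr, "m:Import-Package"))

    # 2. Only the bundle's own packages may be exported; anything else belongs to
    #    the bundle that owns it and should be imported from there.
    for clause in exports:
        pkg = clause.split(";", 1)[0]
        if not pkg.startswith(own_prefixes):
            findings.append(f"Export-Package exports third-party package {pkg}")

    # 3. Imports need a version range, otherwise the resolver may wire the bundle
    #    to whichever provider is present, including an older one.
    for clause in imports:
        pkg, _, attrs = clause.partition(";")
        if not re.search(r'version="[\[(]', attrs):
            findings.append(f"Import-Package {pkg} has no version range")

    # 4. Anything using jackson-databind also needs com.fasterxml.jackson.annotation;
    #    if it is listed nowhere it falls through to DynamicImport-Package at runtime.
    mentioned = [c.split(";", 1)[0] for c in exports + imports]
    uses_databind = any(p.startswith("com.fasterxml.jackson.databind") for p in mentioned)
    has_annotation = any(p.startswith("com.fasterxml.jackson.annotation") for p in mentioned)
    if uses_databind and not has_annotation:
        findings.append("com.fasterxml.jackson.annotation.* is neither imported nor exported")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    for finding in lint_pom(source):
        print(finding)
```

Run it with the path of a bundle POM as the only argument, or with no argument to lint the embedded sample. It reads the POM, not the built MANIFEST.MF, so it sees the maven-bundle-plugin instructions as written; wildcard clauses such as `com.webauthn4j.*` are checked by prefix only, which is enough to catch a third-party package tree placed under Export-Package.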
