feat: AC OIDC IdP issues tokens, allowing customization of username parameters other than the sub parameter from the userinfo API; when logging into AC OIDC IdP, the code_verifier value of cookies cannot be retrieved, displaying "Login time too long, exceeding 5 minutes, please log in again"; if the user does not have dashboard permissions, the keeper status card will not be displayed; the webhook has been changed to an AI Proxy; the maximum capacity of the adaptive cache has been increased from 1MB to 10MB.

Author: mini-lee-tpi

build.gradle

@@ -22,7 +22,7 @@ licenseReport {
 
 allprojects {
 	group = 'tpi.dgrv4'
-	version = 'release-v4.7.3'
+	version = 'release-rc-v4.7.10.0-14-g81f406576'
 	apply plugin:  'io.spring.dependency-management'
 
 	repositories {
@@ -59,22 +59,32 @@ subprojects {
     }
 
 	dependencies {
-		implementation files("${rootDir}/libsext/dgrv4_CodecUtil-v4.7.3.5-lib.jar")
-		implementation files("${rootDir}/libsext/dgrv4_HttpUtil-v4.7.3.5-lib.jar")
+		implementation files("${rootDir}/libsext/dgrv4_CodecUtil-v4.7.10.0-14-g81f406576-lib.jar")
+		implementation files("${rootDir}/libsext/dgrv4_HttpUtil-v4.7.10.0-14-g81f406576-lib.jar")
 
 		implementation ('org.springframework.boot:spring-boot-starter-data-jpa'){
 			//CVE-2025-41249
 			exclude group:'org.springframework', module:'spring-core'
-			//CVE-2025-11226
+			//CVE-2026-1225
 			exclude group:'ch.qos.logback', module:'logback-core'
+			//CVE-2026-1225
+			exclude group:'ch.qos.logback', module:'logback-classic'
 		}
 
 		// Correct the above exclusions, CVE-2025-41249
 		implementation 'org.springframework:spring-core:6.2.11'
-		// Correct the above exclusions, CVE-2025-11226
-		implementation 'ch.qos.logback:logback-core:1.5.19'
+		// Correct the above exclusions, CVE-2026-1225
+		implementation 'ch.qos.logback:logback-core:1.5.25'
+		// Correct the above exclusions, CVE-2026-1225
+		implementation 'ch.qos.logback:logback-classic:1.5.25'
 
-		implementation 'org.springframework.boot:spring-boot-starter-web'
+		implementation ('org.springframework.boot:spring-boot-starter-web'){
+			//CVE-2025-66614, CVE-2026-24733
+			exclude group:'org.apache.tomcat.embed', module:'tomcat-embed-core'
+		}
+		
+		// Correct the above exclusions, CVE-2025-66614, CVE-2026-24733
+		implementation 'org.apache.tomcat.embed:tomcat-embed-core:10.1.49'
 
 		implementation 'org.jboss.xnio:xnio-nio:3.8.16.Final'
 		implementation 'jakarta.servlet:jakarta.servlet-api:6.1.0'

dgrv4_Common_lib/.settings/org.eclipse.buildship.core.prefs

@@ -1,2 +1,2 @@
-connection.project.dir=..
+connection.project.dir=../dgrv4_Gateway_serv
 eclipse.preferences.version=1

dgrv4_Common_lib/bin/.gitignore

@@ -8,15 +8,11 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.Map;
 import java.util.Optional;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 
-import jakarta.servlet.http.HttpServletResponse;
 import tpi.dgrv4.common.keeper.ITPILogger;
 
 public class CheckmarxCommUtils {
@@ -132,131 +128,7 @@ public static boolean sanitizeForCheckmarxMatches(String resourceUrl, String pat
 	public static void sanitizeForCheckmarx(MultipartFile file, Path savedFilePath) throws IllegalStateException, IOException {
 		file.transferTo(savedFilePath.toFile());
 	}
-	
-	public static String sanitizeForCheckmarx(Map<String, String> maskInfo, String mbody) {
-		if (maskInfo != null) {
-
-			String bodyMaskPolicy = maskInfo.get("bodyMaskPolicy");
-			String bodyMaskPolicySymbol = maskInfo.get("bodyMaskPolicySymbol");
-			String bodyMaskKeyword = maskInfo.get("bodyMaskKeyword");
-			if (StringUtils.hasLength(bodyMaskKeyword)) {
-				String[] bodyMaskKeywordArr = bodyMaskKeyword.split(",");
-				int bodyMaskPolicyNum = Integer.parseInt(maskInfo.get("bodyMaskPolicyNum"));
-				if (mbody.length() > (bodyMaskPolicyNum * 2)) {
-
-					if ("1".equals(bodyMaskPolicy)) {
-						for (String key : bodyMaskKeywordArr) {
-							int startIndex = 0;
-							//checkmarx, Unchecked Input for Loop Condition
-							while (mbody.indexOf(key, startIndex) >= 0) {
-								int matchIndex = mbody.indexOf(key, startIndex);
-
-								int startindex = matchIndex - bodyMaskPolicyNum;
-								if (startindex < 0) {
-									startindex = 0;
-								}
-								int endindex = matchIndex + key.length() + bodyMaskPolicyNum;
-								if (endindex > mbody.length() - 1) {
-									endindex = mbody.length();
-								}
-
-								mbody = mbody.substring(0, startindex) + bodyMaskPolicySymbol
-										+ mbody.substring(matchIndex, matchIndex + key.length()) + bodyMaskPolicySymbol
-										+ mbody.substring(endindex);
-
-								startIndex = matchIndex + key.length() + 1;
-							}
-						}
-						return mbody;
-					}
-					if ("2".equals(bodyMaskPolicy)) {
-						for (String key : bodyMaskKeywordArr) {
-							int startIndex = 0;
-							//checkmarx, Unchecked Input for Loop Condition
-							while (mbody.indexOf(key, startIndex) >= 0) {
-								int matchIndex = mbody.indexOf(key, startIndex);
-
-								int startindex = matchIndex - bodyMaskPolicyNum;
-								if (startindex < 0) {
-									startindex = 0;
-								}
-
-								mbody = mbody.substring(0, startindex) + bodyMaskPolicySymbol
-										+ mbody.substring(matchIndex);
-
-								startIndex = matchIndex + key.length() + 1;
-							}
-						}
-						return mbody;
-
-					}
-					if ("3".equals(bodyMaskPolicy)) {
-						for (String key : bodyMaskKeywordArr) {
-							int startIndex = 0;
-							//checkmarx, Unchecked Input for Loop Condition
-							while (mbody.indexOf(key, startIndex) >= 0) {
-								int matchIndex = mbody.indexOf(key, startIndex);
-
-								int endindex = matchIndex + key.length() + bodyMaskPolicyNum;
-								if (endindex > mbody.length() - 1) {
-									endindex = mbody.length();
-								}
-								mbody = mbody.substring(0, matchIndex + key.length()) + bodyMaskPolicySymbol
-										+ mbody.substring(endindex);
-
-								startIndex = matchIndex + key.length() + 1;
-							}
-						}
-						return mbody;
-					}
-					if ("4".equals(bodyMaskPolicy)) {
-						String regex = "(?<jsonField>\\\"(" + bodyMaskKeyword
-								+ ")\\\"\\s*?:)\\s*?(?<jsonvalue>(true|false|\\d+|\\\"\\{.*?\\}\\\")|\\\".*?\\\"|\\[.*?\\])|(?<xmlField><(?<fieldname>"
-								+ bodyMaskKeyword + ")>)\\s*?(?<xmlvalue>.*?)\\s*?(?<xmlEnd><\\/\\k<fieldname>>)";
-
-						Pattern pattern = Pattern.compile(regex, Pattern.MULTILINE);
 
-						Matcher matcher = pattern.matcher(mbody);// 不接受 null
-
-						// 遍歷所有匹配的字段，進行替換
-						StringBuffer result = new StringBuffer();
-						//checkmarx, Unchecked Input for Loop Condition
-						while (matcher.find()) {
-							String field = matcher.group("jsonField");
-
-							if (!StringUtils.hasLength(field)) {
-								field = matcher.group("xmlField");
-							}
-							String fieldValue = matcher.group("jsonvalue");
-
-							if (!StringUtils.hasLength(fieldValue))
-								fieldValue = matcher.group("xmlvalue");
-
-							if (StringUtils.hasLength(fieldValue)) {
-								String maskedField = maskField(fieldValue, bodyMaskPolicyNum, bodyMaskPolicySymbol);
-								String xmlEnd = StringUtils.hasLength(matcher.group("xmlEnd")) ? matcher.group("xmlEnd")
-										: new String();
-
-								matcher.appendReplacement(result, (field + maskedField + xmlEnd));
-							}
-						}
-						matcher.appendTail(result);
-						mbody = result.toString();
-					}
-				}
-			}
-		}
-		return mbody;
-	}
-
-	private static String maskField(String fieldValue, int bodyMaskPolicyNum, String bodyMaskPolicySymbol) {
-
-		if (fieldValue.length() > bodyMaskPolicyNum) {
-			return fieldValue.substring(0, bodyMaskPolicyNum) + bodyMaskPolicySymbol + fieldValue.charAt(fieldValue.length() - 1);
-		}
-		return fieldValue;
-	}
-	
 	public static void sanitizeForCheckmarxConn(String targetHostName, int targetPort, int connectTimeout) throws IOException {
 		try (Socket socket = new Socket()) {
             socket.connect(new InetSocketAddress(targetHostName, targetPort), connectTimeout);

dgrv4_Common_lib/src/main/java/tpi/dgrv4/common/utils/CheckmarxCommUtils.java

@@ -0,0 +1,23 @@
+package tpi.dgrv4.common.utils;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+public class ClientIpUtil {
+    public static String getClientIp(HttpServletRequest request) {
+        if (request == null) {
+            return null;
+        }
+        String xff = request.getHeader("X-Forwarded-For");
+
+        if (xff == null || xff.isEmpty() || "unknown".equalsIgnoreCase(xff)) {
+            return request.getRemoteAddr();
+        }
+
+        // 處理多重代理，只取第一個非 unknown 的 IP
+        String[] ips = xff.split(",");
+        String clientIp = ips[0].trim();
+
+        return clientIp;
+    }
+
+}

dgrv4_Common_lib/src/main/java/tpi/dgrv4/common/utils/ClientIpUtil.java

@@ -354,10 +354,10 @@ public List<TsmpFuncVo> insertTsmpFunc(LicenseEditionTypeVo licenseEdition, bool
 			createTsmpFunc("AI0005","User AI Prompt Template","User AI Prompt Template","userAiPromptTemplateSetting","","en-US","manager",DateTimeUtil.now());
 			createTsmpFunc("AI0005","使用者 AI 提示詞樣板設定","使用者預設 AI 提示詞樣板設定","userAiPromptTemplateSetting","","zh-TW","manager",DateTimeUtil.now());
 
-			createTsmpFunc("LB0011","Webhook","Webhook","Real time event notification mechanism","","en-US","manager",DateTimeUtil.now());
-			createTsmpFunc("LB0011","Webhook","Webhook","即時事件通知推送機制","","zh-TW","manager",DateTimeUtil.now());
-			createTsmpFunc("LB0012","Webhook Logs","Webhook Logs","Real time event notification logs","","en-US","manager",DateTimeUtil.now());
-			createTsmpFunc("LB0012","Webhook Logs","Webhook Logs","即時事件通知推送紀錄","","zh-TW","manager",DateTimeUtil.now());
+			createTsmpFunc("LB0011","AI Proxy","AI Proxy","Real time event notification mechanism","","en-US","manager",DateTimeUtil.now());
+			createTsmpFunc("LB0011","AI Proxy","AI Proxy","即時事件通知推送機制","","zh-TW","manager",DateTimeUtil.now());
+			createTsmpFunc("LB0012","AI Proxy Logs","AI Proxy Logs","Real time event notification logs","","en-US","manager",DateTimeUtil.now());
+			createTsmpFunc("LB0012","AI Proxy Logs","AI Proxy Logs","即時事件通知推送紀錄","","zh-TW","manager",DateTimeUtil.now());
 
 			createTsmpFunc("AC0322","API List Export","API List Export","apiListExport","","en-US","manager",DateTimeUtil.now());
 			createTsmpFunc("AC0322","API列表匯出","API List Export","apiListExport","","zh-TW","manager",DateTimeUtil.now());

dgrv4_Common_lib/src/main/java/tpi/dgrv4/common/utils/autoInitSQL/Initializer/TsmpFuncTableInitializer.java

@@ -72,10 +72,8 @@ public List<TsmpSettingVo> insertTsmpSetting() {
 			createTsmpSetting("LDAP_DN","uid={{0}},dc=tstpi,dc=com","ldap login user DN");
 			createTsmpSetting("LDAP_TIMEOUT","3000","Connection timeout for ldap login, in milliseconds(ms)");
 			createTsmpSetting("LDAP_CHECK_ACCT_ENABLE","false","LDAP check account function enablement - true/false");
-
 			createTsmpSetting("TSMP_AC_CLIENT_ID","YWRtaW5Db25zb2xl","Login AC account (do not modify)");
 			createTsmpSetting("TSMP_AC_CLIENT_PW","dHNtcDEyMw==","AC login password (do not modify)");
-
 			createTsmpSetting("TSMP_FAIL_THRESHOLD","6","Allowed \"User password\" fail THRESHOLD");
 			createTsmpSetting("SSO_PKCE","true","PKCE Level AuthCode verification enablement - true/false");
 			createTsmpSetting("SSO_DOUBLE_CHECK","true","Enablement of Double-check verification - true/false");
@@ -126,12 +124,12 @@ public List<TsmpSettingVo> insertTsmpSetting() {
 			createTsmpSetting((id = "ES_URL"), (value = "https://es.example.com:19200/"), (memo = "The URL of ES, there must be a / line at the end, multiple groups are separated by commas (,), EX: https://es.example.com:19200/, https://es.example.com:29200/"));
 			createTsmpSetting((id = "ES_ID_PWD"), (value = "ENC(cGxlYXNlIHNldCB5b3VyIGVzIGlkIGFuZCBwYXNzd29yZCwgU2V0dGluZyBpcyBFU19JRF9QV0Q=)"), (memo = "ES's ID:PWD is combined and encrypted with Base64; you can press the button\"ENC\" to encrypt with ENC. If you want to set for multiple URLs - Separated by commas before ENC encryption, EX:ENC(id1:pwd1,id2:pwd2)"));
 			createTsmpSetting((id = "ES_TEST_TIMEOUT"), (value = "3000"), (memo = "ES connection timeout setting for testing"));
-			createTsmpSetting((id = "ES_MBODY_MASK_FLAG"), (value = "false"), (memo = "Mask all mbody, true is masking, false is not masking"));
+			createTsmpSetting((id = "ES_MBODY_MASK_FLAG"), (value = "false"), (memo = "ES log and log, mask all mbody, true is masking, false is not masking"));
 			createTsmpSetting((id = "ES_IGNORE_API"), (value = ""), (memo = "Ignore the assigned API transation recording in the ES, API list can be list and separated by commas (,), and the value is moduleName/apiId"));
-			createTsmpSetting((id = "ES_MBODY_MASK_API"), (value = ""), (memo = "Do mbody mask for the API of tsmpc, API list can be separated by commas (,), and the value is moduleName/apiId"));
+			//createTsmpSetting((id = "ES_MBODY_MASK_API"), (value = ""), (memo = "Do mbody mask for the API of tsmpc, API list can be separated by commas (,), and the value is moduleName/apiId"));
 			createTsmpSetting((id = "ES_TOKEN_MASK_FLAG"), (value = "true"), (memo = "Mask token, true is masking, false is not masking"));
-			createTsmpSetting((id = "ES_MAX_SIZE_MBODY_MASK"), (value = "0"), (memo = "Auto mbody mask when the length exceeding the mbody content value byte, the unit is byte, and the value below 10 (inclusive) will not be masked"));
-			createTsmpSetting((id = "ES_DGRC_MBODY_MASK_URI"), (value = ""), (memo = "Make an mbody mask on the URI of dgrc (value contains /dgrc), URL lists are separate by commas, Value format / dgrc/aa/bb/cc"));
+			createTsmpSetting((id = "ES_MAX_SIZE_MBODY_MASK"), (value = "0"), (memo = "ES log and log, auto mbody mask when the length exceeding the mbody content value byte, the unit is byte, and the value below 10 (inclusive) will not be masked"));
+			//createTsmpSetting((id = "ES_DGRC_MBODY_MASK_URI"), (value = ""), (memo = "Make an mbody mask on the URI of dgrc (value contains /dgrc), URL lists are separate by commas, Value format / dgrc/aa/bb/cc"));
 			createTsmpSetting((id = "ES_DGRC_IGNORE_URI"), (value = ""), (memo = "ES does not record URIs for dgrc(Value contains /dgrc), URL lists are separate by commas (,),Value is /dgrc/aa/bb/cc"));
 			createTsmpSetting((id = "ES_LOG_DISABLE"), (value = "true"), (memo = "Whether to prohibit the recording of ES LOG, true means yes, false means no"));
 			createTsmpSetting((id = "DGR_PATHS_COMPATIBILITY"), (value = "2"), (memo = "URL Path compatibility, 0: tsmpc only, 1 : dgrc only, 2 : tsmpc dgrc Compatible"));
@@ -199,6 +197,7 @@ public List<TsmpSettingVo> insertTsmpSetting() {
 	        //對外公開的Port
 	        createTsmpSetting((id = "DGR_PUBLIC_PORT"), (value = "18080"), (memo = "Public port, ex: 80"));
 
+
 //	      -- 20230421, v4 GTW IdP 的設定, Mini Lee
 			// 前端 GTW IdP errMsg 顯示訊息的URL
 	        createTsmpSetting((id = "GTW_IDP_MSG_URL"), (value = "https://localhost:8080/dgrv4/ac4/gtwidp/errMsg"), (memo = "URL of frontend GTW IdP error message display message"));
@@ -340,7 +339,22 @@ public List<TsmpSettingVo> insertTsmpSetting() {
   			// -- 2025/12/01, Mini Lee, AC_IDP 登入時, username 是否做 base64 編碼 (true/false)(default: false)
   			createTsmpSetting((id = "AC_IDP_USERNAME_B64_ENCODE"), (value = "false"), (memo = "When logging into AC_IDP, does the username use base64 encoding (true/false) (default: false)"));
 
-		} catch (Exception e) {
+           // --2025/12/15, Session Cookie token, Tom
+            createTsmpSetting((id = "DGR_SESSION_COOKIE_TOKEN_ENABLE"),(value = "false"),(memo="Specifies whether the session cookie token is enabled. The default value is false (true/false)."));
+            
+            // -- 2025/12/22, Zoe Lee 對外公開的 scheme
+            createTsmpSetting("DGR_PUBLIC_SCHEME", "https", "Public scheme ex: http https");
+            
+            // --2026/1/13, Global masking preserves characters, Tom
+            createTsmpSetting((id = "ES_MBODY_MASK_RESERVED_CHAR"),(value = "5"),(memo="ES log and log, global mask reserved characters, minimum value is 5."));
+
+            // -- 2026/01/15 , Zoe Lee kibana cookie bypass path
+            createTsmpSetting("KIBANA_COOKIE_BYPASS_PATHS", "/api/monitoring/", "A list of Kibana's internal API paths that should bypass the one-minute cookie expiration check. Used for background polling APIs.");
+
+            // -- 2026/01/15, token的設定, Mini Lee, 核發 client_credentials token 是否使用 cache? (true/false) (預設為false)
+            createTsmpSetting("DGR_TOKEN_CLIENT_CREDENTIALS_CACHE_ENABLE", "false", "Does the client_credentials token use a cache? (true/false) (default: false)");
+            
+        } catch (Exception e) {
 			StackTraceUtil.logStackTrace(e);
 			throw e;
 		}

dgrv4_Common_lib/src/main/java/tpi/dgrv4/common/utils/autoInitSQL/Initializer/TsmpSettingTableInitializer.java

@@ -1,2 +1,2 @@
-connection.project.dir=..
+connection.project.dir=../dgrv4_Gateway_serv
 eclipse.preferences.version=1

dgrv4_Entity_lib/.settings/org.eclipse.buildship.core.prefs

@@ -56,6 +56,9 @@ public class DpUser implements Serializable, DgrSequenced {
 	@Column(name = "dp_user_name")
 	private String dpUserName;
 
+	@Column(name = "status")
+	private String status;
+	
 	public Long getDpUserId() {
 		return dpUserId;
 	}
@@ -152,13 +155,21 @@ public void setDpUserName(String dpUserName) {
 		this.dpUserName = dpUserName;
 	}
 
+	public String getStatus() {
+		return status;
+	}
+
+	public void setStatus(String status) {
+		this.status = status;
+	}
+
 	@Override
 	public String toString() {
-		return "DpUser [dpUserId=" + dpUserId + ", userAlias=" + userAlias
-				+ ", idTokenJwtstr=" + idTokenJwtstr + ", userIdentity=" + userIdentity + ", createDateTime="
-				+ createDateTime + ", createUser=" + createUser + ", updateDateTime=" + updateDateTime + ", updateUser="
-				+ updateUser + ", version=" + version + ", keywordSearch=" + keywordSearch + ", iss=" + iss
-				+ ", dpUserName=" + dpUserName + "]";
+		return "DpUser [dpUserId=" + dpUserId + ", userAlias=" + userAlias + ", idTokenJwtstr=" + idTokenJwtstr
+				+ ", userIdentity=" + userIdentity + ", createDateTime=" + createDateTime + ", createUser=" + createUser
+				+ ", updateDateTime=" + updateDateTime + ", updateUser=" + updateUser + ", version=" + version
+				+ ", keywordSearch=" + keywordSearch + ", iss=" + iss + ", dpUserName=" + dpUserName + ", status="
+				+ status + "]";
 	}
 
 	@Override

dgrv4_Entity_lib/src/main/java/tpi/dgrv4/entity/entity/DpUser.java

@@ -162,7 +162,7 @@ public List<TsmpGroupApiTopN> findReferApiBindDpApp(String apiKey, String module
 
 		sb.append(
 				" SELECT new tpi.dgrv4.entity.entity.TsmpGroupApiTopN(tga.moduleName, tga.apiKey, COUNT(DISTINCT da.dpApplicationId)) ");
-		sb.append(" FROM TsmpGroupApi tga, TsmpClientGroup tcg, TsmpClient tc, DpApp da , TsmpApi ta");
+		sb.append(" FROM TsmpGroupApi tga, TsmpClientGroup tcg, TsmpClient tc, DpApp da");
 		sb.append(" WHERE 3 = 3 ");
 
 		if (StringUtils.hasText(apiKey) && StringUtils.hasText(moduleNmae)) {