cloudfoundry · duanemay · Dec 15, 2025
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -52,7 +52,7 @@ jobs:
       uses: actions/setup-java@v5
       with:
         distribution: 'liberica'
-        java-version: '21'
+        java-version: '25'
         cache: 'gradle'
       if: ${{ matrix.language == 'java' }}
 

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -16,7 +16,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: 'liberica'
-          java-version: '21'
+          java-version: '25'
           cache: 'gradle'
       - name: Login to Docker Hub
         uses: docker/login-action@v3

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        java: [ '21', '25' ]
+        java: [ '25' ]
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-java@v5

diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-java@v5
         with:
           distribution: 'liberica'
-          java-version: '21'
+          java-version: '25'
           cache: 'gradle'
       - name: Analyze with SonarCloud
         env:

diff --git a/build.gradle b/build.gradle
@@ -43,12 +43,11 @@ allprojects {
     }
 }
 
-
 subprojects {
     apply(plugin: "java")
     java {
-        sourceCompatibility = JavaVersion.VERSION_21
-        targetCompatibility = JavaVersion.VERSION_21
+        sourceCompatibility = JavaVersion.VERSION_25
+        targetCompatibility = JavaVersion.VERSION_25
     }
 
     configurations.configureEach {

diff --git a/metrics-data/src/main/java/org/cloudfoundry/identity/uaa/metrics/MetricsQueue.java b/metrics-data/src/main/java/org/cloudfoundry/identity/uaa/metrics/MetricsQueue.java
@@ -92,7 +92,7 @@ public RequestMetricSummary getTotals() {
         MutableDouble averageDatabaseQueryTime = new MutableDouble(0);
         MutableLong databaseIntolerableQueryCount = new MutableLong(0);
         MutableDouble averageDatabaseIntolerableQueryTime = new MutableDouble(0);
-        statistics.forEach((key, summary) -> {
+        statistics.forEach((_, summary) -> {
             averageTime.set(addAverages(count.get(),
                     averageTime.get(),
                     summary.getCount(),

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplate.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplate.java
@@ -139,7 +139,7 @@ protected <T> T doExecute(URI url, HttpMethod method, RequestCallback requestCal
         catch (AccessTokenRequiredException | OAuth2AccessDeniedException e) {
             rethrow = e;
         }
-        catch (InvalidTokenException e) {
+        catch (InvalidTokenException _) {
             // Don't reveal the token value in case it is logged
             rethrow = new OAuth2AccessDeniedException("Invalid token for client=" + getClientId());
         }
@@ -148,7 +148,7 @@ protected <T> T doExecute(URI url, HttpMethod method, RequestCallback requestCal
             try {
                 return super.doExecute(url, method, requestCallback, responseExtractor);
             }
-            catch (InvalidTokenException e) {
+            catch (InvalidTokenException _) {
                 // Don't reveal the token value in case it is logged
                 rethrow = new OAuth2AccessDeniedException("Invalid token for client=" + getClientId());
             }

diff --git a/...rg/cloudfoundry/identity/uaa/oauth/client/grant/AuthorizationCodeAccessTokenProvider.java b/...rg/cloudfoundry/identity/uaa/oauth/client/grant/AuthorizationCodeAccessTokenProvider.java
@@ -147,7 +147,7 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou
         try {
             return retrieveToken(request, resource, form, getHeadersForTokenRequest());
         }
-        catch (OAuth2AccessDeniedException e) {
+        catch (OAuth2AccessDeniedException _) {
             throw getRedirectForAuthorization((AuthorizationCodeResourceDetails) resource, request);
         }
     }

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/http/OAuth2ErrorHandler.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/http/OAuth2ErrorHandler.java
@@ -124,10 +124,7 @@ public int getRawStatusCode() throws IOException {
                         throw oauth2Exception;
                     }
                 }
-                catch (RestClientException e) {
-                    // ignore
-                }
-                catch (HttpMessageConversionException e) {
+                catch (RestClientException | HttpMessageConversionException _) {
                     // ignore
                 }
 
@@ -143,7 +140,7 @@ public int getRawStatusCode() throws IOException {
                 // then delegate to the custom handler
                 errorHandler.handleError(bufferedResponse);
             }
-            catch (InvalidTokenException ex) {
+            catch (InvalidTokenException _) {
                 // Special case: an invalid token can be renewed so tell the caller what to do
                 throw new AccessTokenRequiredException(resource);
             }

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/common/DefaultOAuth2AccessToken.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/common/DefaultOAuth2AccessToken.java
@@ -144,7 +144,7 @@ public static OAuth2AccessToken valueOf(Map<String, String> tokenParams) {
                 // Convert to string before parseLong, tokenParams is not always a Map<String, String> might contain Integer
                 expiration = Long.parseLong(String.valueOf(tokenParams.get(EXPIRES_IN)));
             }
-            catch (NumberFormatException e) {
+            catch (NumberFormatException _) {
                 // fall through...
             }
             token.setExpiration(new Date(System.currentTimeMillis() + (expiration * 1000L)));

diff --git a/...ava/org/cloudfoundry/identity/uaa/oauth/common/OAuth2AccessTokenJackson2Deserializer.java b/...ava/org/cloudfoundry/identity/uaa/oauth/common/OAuth2AccessTokenJackson2Deserializer.java
@@ -58,7 +58,7 @@ public OAuth2AccessToken deserialize(JsonParser jp, DeserializationContext ctxt)
             } else if (OAuth2AccessToken.EXPIRES_IN.equals(name)) {
                 try {
                     expiresIn = jp.getLongValue();
-                } catch (JsonParseException e) {
+                } catch (JsonParseException _) {
                     expiresIn = Long.valueOf(jp.getText());
                 }
             } else if (OAuth2AccessToken.SCOPE.equals(name)) {

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/OAuth2AccessTokenSupport.java b/model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/OAuth2AccessTokenSupport.java
@@ -239,7 +239,7 @@ public void handleError(ClientHttpResponse response) throws IOException {
                     try {
                         ex = ((HttpMessageConverter<OAuth2Exception>) converter).read(OAuth2Exception.class, response);
                     }
-                    catch (Exception e) {
+                    catch (Exception _) {
                         // ignore
                         continue;
                     }

diff --git a/.../src/main/java/org/cloudfoundry/identity/uaa/provider/SamlIdentityProviderDefinition.java b/.../src/main/java/org/cloudfoundry/identity/uaa/provider/SamlIdentityProviderDefinition.java
@@ -104,7 +104,7 @@ public static MetadataLocation getType(String urlOrXmlData) {
                 // Check if it is a valid URL
                 new URL(trimmedValue);
                 return MetadataLocation.URL;
-            } catch (MalformedURLException e) {
+            } catch (MalformedURLException _) {
                 //invalid URL
             }
         }
@@ -128,7 +128,7 @@ private static boolean validateXml(String xml) {
         try {
             DocumentBuilder builder = ObjectUtils.getDocumentBuilder();
             builder.parse(new InputSource(new StringReader(xml)));
-        } catch (ParserConfigurationException | SAXException | IOException e) {
+        } catch (ParserConfigurationException | SAXException | IOException _) {
             return false;
         }
 

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/util/UaaStringUtils.java b/model/src/main/java/org/cloudfoundry/identity/uaa/util/UaaStringUtils.java
@@ -243,7 +243,8 @@ public static String getHostIfArgIsURL(String arg) {
         try {
             URL uri = new URL(arg);
             return uri.getHost();
-        } catch (MalformedURLException ignored) {
+        } catch (MalformedURLException _) {
+            // ignore
         }
         return arg;
     }

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneConfiguration.java b/model/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneConfiguration.java
@@ -80,7 +80,7 @@ public void setIssuer(String issuer) {
         try {
             new URL(issuer);
             this.issuer = issuer;
-        } catch (MalformedURLException e) {
+        } catch (MalformedURLException _) {
             throw new IllegalArgumentException("Invalid issuer format. Must be valid URL.");
         }
     }

diff --git a/model/src/main/java/org/cloudfoundry/identity/uaa/zone/SamlConfig.java b/model/src/main/java/org/cloudfoundry/identity/uaa/zone/SamlConfig.java
@@ -56,9 +56,9 @@ public void setEntityID(String entityID) {
     @JsonProperty("certificate")
     public void setCertificate(String certificate) {
         if (hasText(certificate)) {
-            keys.computeIfAbsent(LEGACY_KEY_ID, k -> new SamlKey());
+            keys.computeIfAbsent(LEGACY_KEY_ID, _ -> new SamlKey());
         }
-        keys.computeIfPresent(LEGACY_KEY_ID, (k, v) -> {
+        keys.computeIfPresent(LEGACY_KEY_ID, (_, v) -> {
             v.setCertificate(certificate);
             return v;
         });
@@ -67,9 +67,9 @@ public void setCertificate(String certificate) {
     @JsonProperty("privateKey")
     public void setPrivateKey(String privateKey) {
         if (hasText(privateKey)) {
-            keys.computeIfAbsent(LEGACY_KEY_ID, k -> new SamlKey());
+            keys.computeIfAbsent(LEGACY_KEY_ID, _ -> new SamlKey());
         }
-        keys.computeIfPresent(LEGACY_KEY_ID, (k, v) -> {
+        keys.computeIfPresent(LEGACY_KEY_ID, (_, v) -> {
             v.setKey(privateKey);
             return v;
         });
@@ -78,9 +78,9 @@ public void setPrivateKey(String privateKey) {
     @JsonProperty("privateKeyPassword")
     public void setPrivateKeyPassword(String privateKeyPassword) {
         if (hasText(privateKeyPassword)) {
-            keys.computeIfAbsent(LEGACY_KEY_ID, k -> new SamlKey());
+            keys.computeIfAbsent(LEGACY_KEY_ID, _ -> new SamlKey());
         }
-        keys.computeIfPresent(LEGACY_KEY_ID, (k, v) -> {
+        keys.computeIfPresent(LEGACY_KEY_ID, (_, v) -> {
             v.setPassphrase(privateKeyPassword);
             return v;
         });

diff --git a/model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplateTests.java b/model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplateTests.java
@@ -161,7 +161,7 @@ void doubleEncodingOfAccessTokenValue() {
     @Test
     void noRetryAccessDeniedExceptionForNoExistingToken() {
         restTemplate.setAccessTokenProvider(new StubAccessTokenProvider());
-        restTemplate.setRequestFactory((uri, httpMethod) -> {
+        restTemplate.setRequestFactory((_, _) -> {
             throw new AccessTokenRequiredException(resource);
         });
         assertThatExceptionOfType(AccessTokenRequiredException.class).isThrownBy(() ->
@@ -300,7 +300,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails detail
             OAuth2AccessToken newToken = restTemplate.getAccessToken();
             assertThat(newToken).isNotNull();
             fail("Expected UserRedirectRequiredException");
-        } catch (UserRedirectRequiredException e) {
+        } catch (UserRedirectRequiredException _) {
             // planned
         }
         // context token should be reset as it is invalid at this point

diff --git a/...uaa/oauth/client/token/grant/AuthorizationCodeAccessTokenProviderWithConversionTests.java b/...uaa/oauth/client/token/grant/AuthorizationCodeAccessTokenProviderWithConversionTests.java
@@ -197,7 +197,7 @@ public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) {
     void getErrorFromForm() {
         final HttpHeaders responseHeaders = new HttpHeaders();
         responseHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
-        requestFactory = (uri, httpMethod) -> new StubClientHttpRequest(HttpStatus.BAD_REQUEST, responseHeaders,
+        requestFactory = (_, _) -> new StubClientHttpRequest(HttpStatus.BAD_REQUEST, responseHeaders,
                 "error=invalid_client&error_description=FOO");
         AccessTokenRequest request = new DefaultAccessTokenRequest();
         request.setAuthorizationCode("foo");

diff --git a/.../org/cloudfoundry/identity/uaa/oauth/common/OAuth2AccessTokenJackson2SerializerTests.java b/.../org/cloudfoundry/identity/uaa/oauth/common/OAuth2AccessTokenJackson2SerializerTests.java
@@ -58,7 +58,7 @@ void writeValueAsStringWithNullScope() {
             accessToken.getScope().clear();
             try {
                 accessToken.getScope().add(null);
-            } catch (NullPointerException e) {
+            } catch (NullPointerException _) {
                 // short circuit NPE from Java 7 (which is correct but only relevant for this test)
                 throw new JsonMappingException("Scopes cannot be null or empty. Got [null]");
             }

diff --git a/model/src/test/java/org/cloudfoundry/identity/uaa/scim/ScimUserTests.java b/model/src/test/java/org/cloudfoundry/identity/uaa/scim/ScimUserTests.java
@@ -556,7 +556,7 @@ void patchUserChangeUserName() {
         try {
             user.patch(patch);
             fail("username is a required field, can't nullify it.");
-        } catch (IllegalArgumentException ignored) {
+        } catch (IllegalArgumentException _) {
             // ignore
         }
         assertThat(user.getUserName()).isNotNull();

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/AccountsController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/AccountsController.java
@@ -86,7 +86,7 @@ public String sendActivationEmail(Model model, HttpServletResponse response,
         }
         try {
             accountCreationService.beginActivation(email.getEmail(), password, clientId, redirectUri);
-        } catch (UaaException e) {
+        } catch (UaaException _) {
             return handleUnprocessableEntity(model, response, "error_message_code", "username_exists");
         } catch (InvalidPasswordException e) {
             return handleUnprocessableEntity(model, response, "error_message", e.getMessagesAsOneString());
@@ -113,7 +113,7 @@ public String verifyUser(Model model,
         AccountCreationService.AccountCreationResponse accountCreation;
         try {
             accountCreation = accountCreationService.completeActivation(code);
-        } catch (HttpClientErrorException e) {
+        } catch (HttpClientErrorException _) {
             model.addAttribute("error_message_code", "code_expired");
             response.setStatus(HttpStatus.UNPROCESSABLE_ENTITY.value());
             return "accounts/link_prompt";

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/ChangeEmailController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/ChangeEmailController.java
@@ -93,14 +93,14 @@ public String verifyEmail(Model model, @RequestParam String code, RedirectAttrib
 
         try {
             response = changeEmailService.completeVerification(code);
-        } catch (UaaException e) {
+        } catch (UaaException _) {
             return handleExceptionConsideringAuthentication(model, httpServletResponse);
         }
 
         UaaUser user;
         try {
             user = uaaUserDatabase.retrieveUserById(response.get("userId"));
-        } catch (UsernameNotFoundException e) {
+        } catch (UsernameNotFoundException _) {
             return handleExceptionConsideringAuthentication(model, httpServletResponse);
         }
 

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/ChangePasswordController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/ChangePasswordController.java
@@ -61,7 +61,7 @@ public String changePassword(
             }
             securityContext.setAuthentication(authentication);
             return "redirect:profile";
-        } catch (BadCredentialsException e) {
+        } catch (BadCredentialsException _) {
             model.addAttribute("message_code", "unauthorized");
         } catch (InvalidPasswordException e) {
             model.addAttribute("message", e.getMessagesAsOneString());

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/EmailAccountCreationService.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/EmailAccountCreationService.java
@@ -80,7 +80,7 @@ public void beginActivation(String email, String password, String clientId, Stri
         try {
             ScimUser scimUser = createUser(email, password, OriginKeys.UAA);
             generateAndSendCode(email, clientId, subject, scimUser.getId(), redirectUri, identityZoneManager.getCurrentIdentityZone());
-        } catch (ScimResourceAlreadyExistsException e) {
+        } catch (ScimResourceAlreadyExistsException _) {
             List<ScimUser> users = scimUserProvisioning.retrieveByUsernameAndOriginAndZone(email, OriginKeys.UAA, identityZoneManager.getCurrentIdentityZoneId());
             if (!users.isEmpty()) {
                 if (users.getFirst().isVerified()) {

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/EmailChangeEmailService.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/EmailChangeEmailService.java
@@ -128,7 +128,8 @@ public Map<String, String> completeVerification(String code) {
                         clientDetails.getRegisteredRedirectUri();
                 String changeEmailRedirectUrl = (String) clientDetails.getAdditionalInformation().get(CHANGE_EMAIL_REDIRECT_URL);
                 redirectLocation = findMatchingRedirectUri(redirectUris, redirectUri, changeEmailRedirectUrl);
-            } catch (NoSuchClientException ignored) {
+            } catch (NoSuchClientException _) {
+                // ignore
             }
         }
 

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/PasswordResetEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/PasswordResetEndpoint.java
@@ -82,7 +82,7 @@ public ResponseEntity<PasswordResetResponse> resetPassword(@RequestBody String e
         } catch (ConflictException e) {
             response.setUserId(e.getUserId());
             return new ResponseEntity<>(response, CONFLICT);
-        } catch (NotFoundException e) {
+        } catch (NotFoundException _) {
             return new ResponseEntity<>(NOT_FOUND);
         }
     }
@@ -110,13 +110,13 @@ public ResponseEntity<LostPasswordChangeResponse> changePassword(@RequestBody Lo
                 response.setEmail(user.getPrimaryEmail());
                 response.setLoginCode(loginCode.getCode());
                 return new ResponseEntity<>(response, OK);
-            } catch (BadCredentialsException e) {
+            } catch (BadCredentialsException _) {
                 return new ResponseEntity<>(UNAUTHORIZED);
-            } catch (ScimResourceNotFoundException e) {
+            } catch (ScimResourceNotFoundException _) {
                 return new ResponseEntity<>(NOT_FOUND);
             } catch (InvalidPasswordException | InvalidCodeException e) {
                 throw e;
-            } catch (Exception e) {
+            } catch (Exception _) {
                 return new ResponseEntity<>(INTERNAL_SERVER_ERROR);
             }
         } else {

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/ProfileController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/ProfileController.java
@@ -149,7 +149,7 @@ private Map<String, List<DescribedApproval>> getCurrentApprovalsForUser(String u
         for (DescribedApproval approval : approvals) {
             List<DescribedApproval> clientApprovals = result.computeIfAbsent(
                     approval.getClientId(),
-                    k -> new ArrayList<>()
+                    _ -> new ArrayList<>()
             );
 
             String scope = approval.getScope();

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/ResetPasswordController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/ResetPasswordController.java
@@ -109,7 +109,7 @@ private void forgotPassword(String username, String clientId, String redirectUri
             email = e.getEmail();
             htmlContent = getResetUnavailableEmailHtml(email);
             userId = e.getUserId();
-        } catch (NotFoundException e) {
+        } catch (NotFoundException _) {
             logger.error("User with email address {} not found.", username);
         }
 
@@ -210,7 +210,7 @@ private ExpiringCode checkIfUserExists(ExpiringCode code) {
         String userId = data.get("user_id");
         try {
             userDatabase.retrieveUserById(userId);
-        } catch (UsernameNotFoundException e) {
+        } catch (UsernameNotFoundException _) {
             logger.debug("reset_password ExpiringCode[{}] user_id is invalid. Aborting.", code.getCode());
             return null;
         }

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.java b/server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.java
@@ -96,7 +96,7 @@ private ResetPasswordResponse changePasswordCodeAuthenticated(ExpiringCode expir
         PasswordChange change;
         try {
             change = JsonUtils.readValue(expiringCode.getData(), PasswordChange.class);
-        } catch (JsonUtils.JsonUtilException x) {
+        } catch (JsonUtils.JsonUtilException _) {
             throw new InvalidCodeException("invalid_code", "Sorry, your reset password link is no longer valid. Please request a new one", 422);
         }
         userId = change.getUserId();
@@ -131,7 +131,8 @@ private ResetPasswordResponse changePasswordCodeAuthenticated(ExpiringCode expir
                     if (matchingRedirectUri != null) {
                         redirectLocation = matchingRedirectUri;
                     }
-                } catch (NoSuchClientException nsce) {
+                } catch (NoSuchClientException _) {
+                    // ignore
                 }
             }
             return new ResetPasswordResponse(user, redirectLocation, clientId);

diff --git a/...c/main/java/org/cloudfoundry/identity/uaa/account/event/PasswordChangeEventPublisher.java b/...c/main/java/org/cloudfoundry/identity/uaa/account/event/PasswordChangeEventPublisher.java
@@ -76,7 +76,7 @@ UaaUser getUser(String userId) {
                         scimUser.getSalt(),
                         scimUser.getPasswordLastModified());
             }
-        } catch (ScimResourceNotFoundException e) {
+        } catch (ScimResourceNotFoundException _) {
             // ignore
         }
         return null;