*   bump tomcat version to mitigate cve as explain here (spring-framework-rce-mitigation-alternative)[https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative]

*   bump tomcat version to mitigate cve as explain here (spring-framework-rce-mitigation-alternative)[https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative]

Bump tomcat version to  8.5.76 and 9.0.58 to fix cve
[CVE-2022-23181](https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9)

Relates to [RUNTIME-880](https://bonitasoft.atlassian.net/browse/RUNTIME-880)

Bump tomcat version to  8.5.76 and 9.0.58 to fix cve
[CVE-2022-23181](https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9)

Relates to [RUNTIME-880](https://bonitasoft.atlassian.net/browse/RUNTIME-880)

This was set to false because engin code never let a stop using a connection without releasing it. However, extensions like custom page might do that (even if it's not recommended to use bonita datasource to do sql queries)

Remove deprecated `removeAbandoned` property.

Closes [RUNTIME-918](https://bonitasoft.atlassian.net/browse/RUNTIME-918)
Closes [RUNTIME-862](https://bonitasoft.atlassian.net/browse/RUNTIME-862)

* bump tomcat version to  9.0.58 to fix cve
[CVE-2022-23181](https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9)

Our internal repository was mirroring restlet repository, it's not the case anymore.

Fix it by adding restlet repo to the pom

also update tomcat 9 version

Covers [RUNTIME-818](https://bonitasoft.atlassian.net/browse/RUNTIME-818)

bump tomcat version to 9.0.56 to fix cve [CVE-2021-42340](https://security.netapp.com/advisory/ntap-20211104-0001/)

cherry pick commit 872fd7d and 5aeb603 PRs #430 and #431  to enable formatMsgNoLookups to mitigate impact CVE-2021-44228 with custom client's code

* fix(datasource): make proposed changes to datasource
* specify removeAbandoned="false"

Relates to [RUNTIME-495](https://bonitasoft.atlassian.net/browse/RUNTIME-495)

revert adding of wrong add of `LOGGING_MANAGER`

*  Enable `formatMsgNoLookups` to mitigate [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) with custom client's code

That period was poluting logs in case of a xa resource that is not
recoverable.
This can happen when a arjuna is commiting an XA transaction but the
connection fails at that time. In that case Arjuna does not know what to
do with the XA transaction and tries to recover it each time (it is in
HEURISTIC_HAZARD state). This happens even if there is a single
resource. In that case, it requires an human action to remove the
resource form the transaction log.

Set that period to 2 hours by default to reduce the impact on logs while
keeping the issue visible.

Relates to [RUNTIME-45](https://bonitasoft.atlassian.net/browse/RUNTIME-45)
Relates to [RUNTIME-625](https://bonitasoft.atlassian.net/browse/RUNTIME-625)

Backported from #415 commit b74c3a583886dc838e1d78a10c428f36b0166107

Previously, when attempting to recover a XAConnection, no new connection was initialized. The recovery failed, and was retried indefinitely.

We now check if there is an active connection, attempt to close it properly and then create a new one.

Closes [RUNTIME-45](https://bonitasoft.atlassian.net/browse/RUNTIME-45)

Backported from #411 commit 2136f42b134275cf6ef60a80b7679ec451278ddd

That period was poluting logs in case of a xa resource that is not
recoverable.
This can happen when a arjuna is commiting an XA transaction but the
connection fails at that time. In that case Arjuna does not know what to
do with the XA transaction and tries to recover it each time (it is in
HEURISTIC_HAZARD state). This happens even if there is a single
resource. In that case, it requires an human action to remove the
resource form the transaction log.

Set that period to 2 hours by default to reduce the impact on logs while
keeping the issue visible.

Relates to [RUNTIME-45](https://bonitasoft.atlassian.net/browse/RUNTIME-45)
Relates to [RUNTIME-625](https://bonitasoft.atlassian.net/browse/RUNTIME-625)

default web.xml added with 60min session-timeout.
The change was needed to match with bonita config:
#bonita.tenant.session.duration=3600000

The timeout is set while building the bundle zip

Closes [RUNTIME-117](https://bonitasoft.atlassian.net/browse/RUNTIME-117)

Previously, when attempting to recover a XAConnection, no new connection was initialized. The recovery failed, and was retried indefinitely.

We now check if there is an active connection, attempt to close it properly and then create a new one.

Closes [RUNTIME-45](https://bonitasoft.atlassian.net/browse/RUNTIME-45)

* remove jattach (removed in 7.13)
* unzip bonita.war and remove them after unzip. (required for setting permission)

Co-authored-by: Baptiste Mesta <baptiste.mesta@bonitasoft.com>

* there is no conflict with commons-collections
* commons-logging and commons-codec seem to be uses in a different version in bundle-test only but bundle-test depends on bonita-client only and those are server dependencies

Allow to specify the user with docker run parameter `--user`.

Doing this will change the user with which the container is run.
If the user given is not root, we do not try to change some of the folders ownership using `chown` or `chmod`.
To allow this behavior, at docker build, we open access rights of few folders to 777 (all users can do anything) and then restrict them if we are root at startup. This is a common strategy to support that. See:
https://github.com/docker-library/postgres/pull/253


This comes with some limitation: mounted folder need to have correct access rights configured when running with this option

Closes [RUNTIME-547](https://bonitasoft.atlassian.net/browse/RUNTIME-547)
Relates to [PF-6998](https://bonitasoft.atlassian.net/browse/PF-6998)

move all ENV and ARG as low as possible to restore cache-ability

on Maven Central, by removing the parent pom

Closes [RUNTIME-540](https://bonitasoft.atlassian.net/browse/RUNTIME-540)