From 6e94ec3476a279c0a130186209c50a2991ba4c84 Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Mon, 20 Nov 2023 16:16:33 -0500
Subject: [PATCH 1/7] [JBEAP-26097] CVE-2023-6236: Compare the provider-url for
 a cached account against the provider-url required for a request to determine
 if a cached token can be used

---
 .../java/org/wildfly/security/http/oidc/Oidc.java  | 14 ++++++++++++++
 .../security/http/oidc/OidcCookieTokenStore.java   |  4 ++--
 .../security/http/oidc/OidcSessionTokenStore.java  |  5 ++---
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
index 496749c97a1..319d91920aa 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
@@ -333,4 +333,18 @@ public static void logToken(String name, String token) {
         }
     }
 
+    protected static boolean checkCachedAccountMatchesRequest(OidcAccount account, OidcClientConfiguration deployment) {
+        if (deployment.getRealm() != null
+                && ! deployment.getRealm().equals(account.getOidcSecurityContext().getRealm())) {
+            log.debug("Account in session belongs to a different realm than for this request.");
+            return false;
+        }
+        if (deployment.getProviderUrl() != null
+                && ! deployment.getProviderUrl().equals(account.getOidcSecurityContext().getOidcClientConfiguration().getProviderUrl())) {
+            log.debug("Account in session belongs to a different provider than for this request.");
+            return false;
+        }
+        return true;
+    }
+
 }
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
index 3039192f0a7..f24fe9008f8 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
@@ -20,6 +20,7 @@
 
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
 import static org.wildfly.security.http.oidc.Oidc.OIDC_STATE_COOKIE;
+import static org.wildfly.security.http.oidc.Oidc.checkCachedAccountMatchesRequest;
 
 import java.net.URISyntaxException;
 import java.util.List;
@@ -72,8 +73,7 @@ public boolean isCached(RequestAuthenticator authenticator) {
             return false;
         }
         OidcAccount account = new OidcAccount(principal);
-        if (deployment.getRealm() != null && ! deployment.getRealm().equals(account.getOidcSecurityContext().getRealm())) {
-            log.debug("Account in session belongs to a different realm than for this request.");
+        if (! checkCachedAccountMatchesRequest(account, deployment)) {
             return false;
         }
 
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSessionTokenStore.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSessionTokenStore.java
index c2e6838f7a7..cb6206177cd 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSessionTokenStore.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSessionTokenStore.java
@@ -19,6 +19,7 @@
 package org.wildfly.security.http.oidc;
 
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
+import static org.wildfly.security.http.oidc.Oidc.checkCachedAccountMatchesRequest;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -88,9 +89,7 @@ public boolean isCached(RequestAuthenticator authenticator) {
         }
 
         OidcClientConfiguration deployment = httpFacade.getOidcClientConfiguration();
-
-        if (deployment.getRealm() != null && ! deployment.getRealm().equals(account.getOidcSecurityContext().getRealm())) {
-            log.debug("Account in session belongs to a different realm than for this request.");
+        if (! checkCachedAccountMatchesRequest(account, deployment)) {
             return false;
         }
 

From 9e44f50d62243ed68ee2f46c24c8b39d12795722 Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Tue, 21 Nov 2023 11:52:28 -0500
Subject: [PATCH 2/7] [JBEAP-26097] CVE-2023-6236: Add tests for multi-tenancy
 to ensure that a valid token from one tenant cannot be used to access another
 tenant

---
 .../http/oidc/KeycloakConfiguration.java      |  71 +++-
 .../http/oidc/MultiTenantResolver.java        |  67 ++++
 .../security/http/oidc/OidcBaseTest.java      |  78 ++++-
 .../wildfly/security/http/oidc/OidcTest.java  | 305 +++++++++++++++++-
 .../http/impl/AbstractBaseHttpTest.java       |  25 +-
 5 files changed, 523 insertions(+), 23 deletions(-)
 create mode 100644 http/oidc/src/test/java/org/wildfly/security/http/oidc/MultiTenantResolver.java

diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/KeycloakConfiguration.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/KeycloakConfiguration.java
index 5dfa052ed28..9a663136b28 100644
--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/KeycloakConfiguration.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/KeycloakConfiguration.java
@@ -18,6 +18,9 @@
 
 package org.wildfly.security.http.oidc;
 
+import static org.wildfly.security.http.oidc.OidcBaseTest.TENANT1_REALM;
+import static org.wildfly.security.http.oidc.OidcBaseTest.TENANT2_REALM;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -48,6 +51,16 @@ public class KeycloakConfiguration {
     private static final String BOB_PASSWORD = "bob123+";
     public static final String ALLOWED_ORIGIN = "http://somehost";
 
+    // the users below are for multi-tenancy tests specifically
+    public static final String TENANT1_USER = "tenant1_user";
+    public static final String TENANT1_PASSWORD = "tenant1_password";
+    public static final String TENANT2_USER = "tenant2_user";
+    public static final String TENANT2_PASSWORD = "tenant2_password";
+    public static final String CHARLIE = "charlie";
+    public static final String CHARLIE_PASSWORD =" charlie123+";
+    public static final String DAN = "dan";
+    public static final String DAN_PASSWORD =" dan123+";
+
     /**
      * Configure RealmRepresentation as follows:
      * <ul>
@@ -64,6 +77,12 @@ public static RealmRepresentation getRealmRepresentation(final String realmName,
         return createRealm(realmName, clientId, clientSecret, clientHostName, clientPort, clientApp);
     }
 
+    public static RealmRepresentation getRealmRepresentation(final String realmName, String clientId, String clientSecret,
+                                                             String clientHostName, int clientPort, String clientApp, int accessTokenLifespan,
+                                                             int ssoSessionMaxLifespan, boolean multiTenancyApp) {
+        return createRealm(realmName, clientId, clientSecret, clientHostName, clientPort, clientApp, accessTokenLifespan, ssoSessionMaxLifespan, multiTenancyApp);
+    }
+
     public static RealmRepresentation getRealmRepresentation(final String realmName, String clientId, String clientSecret,
                                                              String clientHostName, int clientPort, String clientApp,
                                                              boolean directAccessGrantEnabled, String bearerOnlyClientId,
@@ -106,18 +125,30 @@ private static RealmRepresentation createRealm(String name, String clientId, Str
         return createRealm(name, clientId, clientSecret, clientHostName, clientPort, clientApp, false, null, null);
     }
 
+    private static RealmRepresentation createRealm(String name, String clientId, String clientSecret,
+                                                   String clientHostName, int clientPort, String clientApp, int accessTokenLifeSpan, int ssoSessionMaxLifespan,
+                                                   boolean multiTenancyApp) {
+        return createRealm(name, clientId, clientSecret, clientHostName, clientPort, clientApp, false, null, null, accessTokenLifeSpan, ssoSessionMaxLifespan, multiTenancyApp);
+    }
+
     private static RealmRepresentation createRealm(String name, String clientId, String clientSecret,
                                                    String clientHostName, int clientPort, String clientApp,
                                                    boolean directAccessGrantEnabled, String bearerOnlyClientId,
                                                    String corsClientId) {
-        RealmRepresentation realm = new RealmRepresentation();
+        return createRealm(name, clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, bearerOnlyClientId, corsClientId, 3, 3, false);
+    }
 
+    private static RealmRepresentation createRealm(String name, String clientId, String clientSecret,
+                                                   String clientHostName, int clientPort, String clientApp,
+                                                   boolean directAccessGrantEnabled, String bearerOnlyClientId,
+                                                   String corsClientId, int accessTokenLifespan, int ssoSessionMaxLifespan, boolean multiTenancyApp) {
+        RealmRepresentation realm = new RealmRepresentation();
         realm.setRealm(name);
         realm.setEnabled(true);
         realm.setUsers(new ArrayList<>());
         realm.setClients(new ArrayList<>());
-        realm.setAccessTokenLifespan(3);
-        realm.setSsoSessionMaxLifespan(3);
+        realm.setAccessTokenLifespan(accessTokenLifespan);
+        realm.setSsoSessionMaxLifespan(ssoSessionMaxLifespan);
 
         RolesRepresentation roles = new RolesRepresentation();
         List<RoleRepresentation> realmRoles = new ArrayList<>();
@@ -128,33 +159,53 @@ private static RealmRepresentation createRealm(String name, String clientId, Str
         realm.getRoles().getRealm().add(new RoleRepresentation("user", null, false));
         realm.getRoles().getRealm().add(new RoleRepresentation("admin", null, false));
 
-        realm.getClients().add(createWebAppClient(clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled));
+        realm.getClients().add(createWebAppClient(clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, multiTenancyApp));
 
         if (bearerOnlyClientId != null) {
             realm.getClients().add(createBearerOnlyClient(bearerOnlyClientId));
         }
 
         if (corsClientId != null) {
-            realm.getClients().add(createWebAppClient(corsClientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, ALLOWED_ORIGIN));
+            realm.getClients().add(createWebAppClient(corsClientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, ALLOWED_ORIGIN, multiTenancyApp));
         }
 
-        realm.getUsers().add(createUser(ALICE, ALICE_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
-        realm.getUsers().add(createUser(BOB, BOB_PASSWORD, Arrays.asList(USER_ROLE)));
+        if (name.equals(TENANT1_REALM)) {
+            realm.getUsers().add(createUser(TENANT1_USER, TENANT1_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+            realm.getUsers().add(createUser(CHARLIE, CHARLIE_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+            realm.getUsers().add(createUser(DAN, DAN_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+        } else if (name.equals(TENANT2_REALM)) {
+            realm.getUsers().add(createUser(TENANT2_USER, TENANT2_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+            realm.getUsers().add(createUser(CHARLIE, CHARLIE_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+            realm.getUsers().add(createUser(DAN, DAN_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+        } else {
+            realm.getUsers().add(createUser(ALICE, ALICE_PASSWORD, Arrays.asList(USER_ROLE, ADMIN_ROLE)));
+            realm.getUsers().add(createUser(BOB, BOB_PASSWORD, Arrays.asList(USER_ROLE)));
+        }
         return realm;
     }
 
-    private static ClientRepresentation createWebAppClient(String clientId, String clientSecret, String clientHostName, int clientPort, String clientApp, boolean directAccessGrantEnabled) {
-        return createWebAppClient(clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, null);
+    private static ClientRepresentation createWebAppClient(String clientId, String clientSecret, String clientHostName, int clientPort, String clientApp,
+                                                           boolean directAccessGrantEnabled, boolean multiTenancyApp) {
+        return createWebAppClient(clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, null, multiTenancyApp);
     }
 
     private static ClientRepresentation createWebAppClient(String clientId, String clientSecret, String clientHostName, int clientPort,
                                                            String clientApp, boolean directAccessGrantEnabled, String allowedOrigin) {
+        return createWebAppClient(clientId, clientSecret, clientHostName, clientPort, clientApp, directAccessGrantEnabled, allowedOrigin, false);
+    }
+
+    private static ClientRepresentation createWebAppClient(String clientId, String clientSecret, String clientHostName, int clientPort,
+                                                           String clientApp, boolean directAccessGrantEnabled, String allowedOrigin, boolean multiTenancyApp) {
         ClientRepresentation client = new ClientRepresentation();
         client.setClientId(clientId);
         client.setPublicClient(false);
         client.setSecret(clientSecret);
         //client.setRedirectUris(Arrays.asList("*"));
-        client.setRedirectUris(Arrays.asList("http://" + clientHostName + ":" + clientPort + "/" + clientApp));
+        if (multiTenancyApp) {
+            client.setRedirectUris(Arrays.asList("http://" + clientHostName + ":" + clientPort + "/" + clientApp + "/*"));
+        } else {
+            client.setRedirectUris(Arrays.asList("http://" + clientHostName + ":" + clientPort + "/" + clientApp));
+        }
         client.setEnabled(true);
         client.setDirectAccessGrantsEnabled(directAccessGrantEnabled);
         if (allowedOrigin != null) {
diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/MultiTenantResolver.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/MultiTenantResolver.java
new file mode 100644
index 00000000000..e8fad971837
--- /dev/null
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/MultiTenantResolver.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2024 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wildfly.security.http.oidc;
+
+import static org.wildfly.security.http.oidc.OidcBaseTest.CLIENT_APP;
+
+import java.io.InputStream;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * Multi-tenant resolver.
+ *
+ * @author <a href="mailto:fjuma@redhat.com">Farah Juma</a>
+ */
+public class MultiTenantResolver implements OidcClientConfigurationResolver {
+    private final boolean useAuthServerUrl;
+
+    public MultiTenantResolver(boolean useAuthServerUrl) {
+        this.useAuthServerUrl = useAuthServerUrl;
+    }
+
+    private final Map<String, OidcClientConfiguration> cache = new ConcurrentHashMap<>();
+
+    @Override
+    public OidcClientConfiguration resolve(OidcHttpFacade.Request request) {
+        String path = request.getURI();
+        int multitenantIndex = path.indexOf(CLIENT_APP + "/");
+        if (multitenantIndex == -1) {
+            throw new IllegalStateException("Cannot resolve the configuration to use from the request");
+        }
+
+        String tenant = path.substring(multitenantIndex).split("/")[1];
+        if (tenant.contains("?")) {
+            tenant = tenant.split("\\?")[0];
+        }
+
+        OidcClientConfiguration clientConfiguration = cache.get(tenant);
+        if (clientConfiguration == null) {
+            // not found in the simple cache, try to load it instead
+            InputStream is = useAuthServerUrl ? OidcTest.getTenantConfigWithAuthServerUrl(tenant) : OidcTest.getTenantConfigWithProviderUrl(tenant);
+            if (is == null) {
+                throw new IllegalStateException("Cannot find tenant configuration");
+            }
+            clientConfiguration = OidcClientConfigurationBuilder.build(is);
+            cache.put(tenant, clientConfiguration);
+        }
+        return clientConfiguration;
+    }
+
+}
+
diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java
index b1fb8ea2d2e..cee8c1b11eb 100644
--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcBaseTest.java
@@ -19,16 +19,20 @@
 package org.wildfly.security.http.oidc;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import java.io.IOException;
 import java.net.URI;
 import java.util.List;
+import java.util.Map;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.sasl.AuthorizeCallback;
 
+import org.apache.http.HttpStatus;
 import org.junit.AfterClass;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.testcontainers.DockerClientFactory;
@@ -68,6 +72,8 @@ public class OidcBaseTest extends AbstractBaseHttpTest {
     public static final String CLIENT_SECRET = "secret";
     public static KeycloakContainer KEYCLOAK_CONTAINER;
     public static final String TEST_REALM = "WildFly";
+    public static final String TENANT1_REALM = "tenant1";
+    public static final String TENANT2_REALM = "tenant2";
     public static final String KEYCLOAK_USERNAME = "username";
     public static final String KEYCLOAK_PASSWORD = "password";
     public static final String KEYCLOAK_LOGIN = "login";
@@ -76,6 +82,8 @@ public class OidcBaseTest extends AbstractBaseHttpTest {
     public static final String CLIENT_PAGE_TEXT = "Welcome page!";
     public static final String CLIENT_HOST_NAME = "localhost";
     public static MockWebServer client; // to simulate the application being secured
+    public static final String TENANT1_ENDPOINT = "tenant1";
+    public static final String TENANT2_ENDPOINT = "tenant2";
 
     protected HttpServerAuthenticationMechanismFactory oidcFactory;
 
@@ -163,7 +171,71 @@ public MockResponse dispatch(RecordedRequest recordedRequest) throws Interrupted
         };
     }
 
-    protected WebClient getWebClient() {
+    protected static Dispatcher createAppResponse(HttpServerAuthenticationMechanism mechanism, int expectedStatusCode, String expectedLocation, String clientPageText,
+                                                  Map<String, Object> sessionScopeAttachments) {
+        return new Dispatcher() {
+            @Override
+            public MockResponse dispatch(RecordedRequest recordedRequest) throws InterruptedException {
+                String path = recordedRequest.getPath();
+                if (path.contains("/" + CLIENT_APP) && path.contains("&code=")) {
+                    try {
+                        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[0],
+                                new URI(recordedRequest.getRequestUrl().toString()), recordedRequest.getHeader("Cookie"));
+                        mechanism.evaluateRequest(request);
+                        TestingHttpServerResponse response = request.getResponse();
+                        assertEquals(expectedStatusCode, response.getStatusCode());
+                        assertEquals(expectedLocation, response.getLocation());
+                        for (String key : request.getSessionScopeAttachments().keySet()) {
+                            sessionScopeAttachments.put(key, request.getSessionScopeAttachments().get(key));
+                        }
+                        return new MockResponse().setBody(clientPageText);
+                    } catch (Exception e) {
+                        throw new RuntimeException(e);
+                    }
+                }
+                return new MockResponse()
+                        .setBody("");
+            }
+        };
+    }
+
+    protected static Dispatcher createAppResponse(HttpServerAuthenticationMechanism mechanism, String clientPageText,
+                                                  Map<String, Object> sessionScopeAttachments, String tenant, boolean sameTenant) {
+        return new Dispatcher() {
+            @Override
+            public MockResponse dispatch(RecordedRequest recordedRequest) throws InterruptedException {
+                String path = recordedRequest.getPath();
+                if (path.contains("/" + CLIENT_APP + "/" + tenant)) {
+                    try {
+                        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[0],
+                                new URI(recordedRequest.getRequestUrl().toString()), sessionScopeAttachments);
+                        mechanism.evaluateRequest(request);
+                        TestingHttpServerResponse response = request.getResponse();
+                        if (sameTenant) {
+                            // should be able to access the same tenant without logging in again
+                            assertEquals(Status.COMPLETE, request.getResult());
+                            return new MockResponse().setBody(clientPageText);
+                        } else {
+                            // should be redirected to Keycloak to access the other tenant
+                            assertEquals(Status.NO_AUTH, request.getResult());
+                            assertEquals(HttpStatus.SC_MOVED_TEMPORARILY, response.getStatusCode());
+                            assertTrue(response.getLocation().contains(KEYCLOAK_CONTAINER.getAuthServerUrl()));
+                            HtmlPage keycloakLoginPage = getWebClient().getPage(response.getLocation());
+                            HtmlForm loginForm = keycloakLoginPage.getForms().get(0);
+                            assertNotNull(loginForm.getInputByName(KEYCLOAK_USERNAME));
+                            assertNotNull(loginForm.getInputByName(KEYCLOAK_PASSWORD));
+                        }
+                    } catch (Exception e) {
+                        throw new RuntimeException(e);
+                    }
+                }
+                return new MockResponse()
+                        .setBody("");
+            }
+        };
+    }
+
+    static WebClient getWebClient() {
         WebClient webClient = new WebClient();
         webClient.setCssErrorHandler(new SilentCssErrorHandler());
         webClient.setJavaScriptErrorListener(new SilentJavaScriptErrorListener());
@@ -174,6 +246,10 @@ protected static String getClientUrl() {
         return "http://" + CLIENT_HOST_NAME + ":" + CLIENT_PORT + "/" + CLIENT_APP;
     }
 
+    protected static String getClientUrlForTenant(String tenant) {
+        return "http://" + CLIENT_HOST_NAME + ":" + CLIENT_PORT + "/" + CLIENT_APP + "/" + tenant;
+    }
+
     protected HtmlInput loginToKeycloak(String username, String password, URI requestUri, String location, List<HttpServerCookie> cookies) throws IOException {
         WebClient webClient = getWebClient();
         if (cookies != null) {
diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java
index 84132472d1c..7b211c9e38e 100644
--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java
@@ -19,8 +19,17 @@
 package org.wildfly.security.http.oidc;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assume.assumeTrue;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.CHARLIE;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.CHARLIE_PASSWORD;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.DAN;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.DAN_PASSWORD;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.TENANT1_PASSWORD;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.TENANT1_USER;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.TENANT2_PASSWORD;
+import static org.wildfly.security.http.oidc.KeycloakConfiguration.TENANT2_USER;
 import static org.wildfly.security.http.oidc.Oidc.OIDC_NAME;
 
 import java.io.ByteArrayInputStream;
@@ -37,6 +46,7 @@
 import org.wildfly.security.http.HttpServerAuthenticationMechanism;
 
 import com.gargoylesoftware.htmlunit.TextPage;
+import com.gargoylesoftware.htmlunit.WebClient;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 
 import io.restassured.RestAssured;
@@ -50,12 +60,18 @@
  */
 public class OidcTest extends OidcBaseTest {
 
+    // setting a high number for the token lifespan so we can test that a valid token from tenant1 can't be used for tenant2
+    private static final int ACCESS_TOKEN_LIFESPAN = 120;
+    private static final int SESSION_MAX_LIFESPAN = 120;
+
     @BeforeClass
     public static void startTestContainers() throws Exception {
         assumeTrue("Docker isn't available, OIDC tests will be skipped", isDockerAvailable());
         KEYCLOAK_CONTAINER = new KeycloakContainer();
         KEYCLOAK_CONTAINER.start();
         sendRealmCreationRequest(KeycloakConfiguration.getRealmRepresentation(TEST_REALM, CLIENT_ID, CLIENT_SECRET, CLIENT_HOST_NAME, CLIENT_PORT, CLIENT_APP));
+        sendRealmCreationRequest(KeycloakConfiguration.getRealmRepresentation(TENANT1_REALM, CLIENT_ID, CLIENT_SECRET, CLIENT_HOST_NAME, CLIENT_PORT, CLIENT_APP, ACCESS_TOKEN_LIFESPAN, SESSION_MAX_LIFESPAN, true));
+        sendRealmCreationRequest(KeycloakConfiguration.getRealmRepresentation(TENANT2_REALM, CLIENT_ID, CLIENT_SECRET, CLIENT_HOST_NAME, CLIENT_PORT, CLIENT_APP, ACCESS_TOKEN_LIFESPAN, SESSION_MAX_LIFESPAN, true));
         client = new MockWebServer();
         client.start(CLIENT_PORT);
     }
@@ -68,6 +84,16 @@ public static void generalCleanup() throws Exception {
                     .auth().oauth2(KeycloakConfiguration.getAdminAccessToken(KEYCLOAK_CONTAINER.getAuthServerUrl()))
                     .when()
                     .delete(KEYCLOAK_CONTAINER.getAuthServerUrl() + "/admin/realms/" + TEST_REALM).then().statusCode(204);
+            RestAssured
+                    .given()
+                    .auth().oauth2(KeycloakConfiguration.getAdminAccessToken(KEYCLOAK_CONTAINER.getAuthServerUrl()))
+                    .when()
+                    .delete(KEYCLOAK_CONTAINER.getAuthServerUrl() + "/admin/realms/" + TENANT1_REALM).then().statusCode(204);
+            RestAssured
+                    .given()
+                    .auth().oauth2(KeycloakConfiguration.getAdminAccessToken(KEYCLOAK_CONTAINER.getAuthServerUrl()))
+                    .when()
+                    .delete(KEYCLOAK_CONTAINER.getAuthServerUrl() + "/admin/realms/" + TENANT2_REALM).then().statusCode(204);
             KEYCLOAK_CONTAINER.stop();
         }
         if (client != null) {
@@ -106,13 +132,13 @@ public void testWrongPassword() throws Exception {
 
     @Test
     public void testWrongAuthServerUrl() throws Exception {
-        performAuthentication(getOidcConfigurationInputStream(CLIENT_SECRET, "http://fakeauthserver/auth"), KeycloakConfiguration.ALICE,
+        loginToAppMultiTenancy(getOidcConfigurationInputStream(CLIENT_SECRET, "http://fakeauthserver/auth"), KeycloakConfiguration.ALICE,
                 KeycloakConfiguration.ALICE_PASSWORD, false, -1, null, null);
     }
 
     @Test
     public void testWrongClientSecret() throws Exception {
-        performAuthentication(getOidcConfigurationInputStream("WRONG_CLIENT_SECRET"), KeycloakConfiguration.ALICE,
+        loginToAppMultiTenancy(getOidcConfigurationInputStream("WRONG_CLIENT_SECRET"), KeycloakConfiguration.ALICE,
                 KeycloakConfiguration.ALICE_PASSWORD, true, HttpStatus.SC_FORBIDDEN, null,"Forbidden");
     }
 
@@ -123,19 +149,19 @@ public void testMissingRequiredConfigurationOption() {
 
     @Test
     public void testSucessfulAuthenticationWithAuthServerUrl() throws Exception {
-        performAuthentication(getOidcConfigurationInputStream(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStream(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
     @Test
     public void testSucessfulAuthenticationWithProviderUrl() throws Exception {
-        performAuthentication(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStreamWithProviderUrl(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
     @Test
     public void testSucessfulAuthenticationWithProviderUrlTrailingSlash() throws Exception {
-        performAuthentication(getOidcConfigurationInputStreamWithProviderUrlTrailingSlash(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStreamWithProviderUrlTrailingSlash(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
@@ -145,25 +171,200 @@ public void testSucessfulAuthenticationWithEnvironmentVariableExpression() throw
         String providerUrlEnv = System.getenv("OIDC_PROVIDER_URL_ENV");
         assertEquals(oidcProviderUrl, providerUrlEnv);
 
-        performAuthentication(getOidcConfigurationInputStreamWithEnvironmentVariableExpression(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStreamWithEnvironmentVariableExpression(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
     @Test
     public void testSucessfulAuthenticationWithSystemPropertyExpression() throws Exception {
-        performAuthentication(getOidcConfigurationInputStreamWithSystemPropertyExpression(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStreamWithSystemPropertyExpression(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
     @Test
     public void testTokenSignatureAlgorithm() throws Exception {
         // keycloak uses RS256
-        performAuthentication(getOidcConfigurationInputStreamWithTokenSignatureAlgorithm(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+        loginToAppMultiTenancy(getOidcConfigurationInputStreamWithTokenSignatureAlgorithm(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
-    private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak,
-                                       int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception {
+    /*****************************************************************************************************************************************
+     * Tests for multi-tenancy.
+     *
+     * The tests below involve two tenants:
+     * Tenant1: http://localhost:5002/clientApp/tenant1
+     * Tenant2: http://localhost:5002/clientApp/tenant2
+     *
+     * Tenant1 is secured using the tenant1 Keycloak Realm which contains the following users:
+     * tenant1_user
+     * charlie
+     * dan
+     *
+     * Tenant2 is secured using the tenant2 Keycloak Realm which contains the following users:
+     * tenant2_user
+     * charlie
+     * dan
+     *
+     * The first set of tests will make use of Keycloak-specific OIDC configuration.
+     * The second set of tests will make use of a provider-url in the OIDC configuration.
+     *****************************************************************************************************************************************/
+
+    /**********************************************************
+     * 1. Tests using Keycloak-specific OIDC configuration
+     **********************************************************/
+
+    /**
+     * Test that logging into each tenant with a non-existing user fails.
+     */
+    @Test
+    public void testNonExistingUserWithAuthServerUrl() throws Exception {
+        testNonExistingUserWithAuthServerUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT1_ENDPOINT);
+        testNonExistingUserWithAuthServerUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT2_ENDPOINT);
+        testNonExistingUserWithAuthServerUrl(KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD, TENANT1_ENDPOINT);
+    }
+
+    /**
+     * Test successfully logging into /tenant1 with the tenant1_user and successfully logging into /tenant2 with the tenant2_user.
+     */
+    @Test
+    public void testSuccessfulAuthenticationWithAuthServerUrl() throws Exception {
+        performTenantRequestWithAuthServerUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, null);
+        performTenantRequestWithAuthServerUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, null);
+    }
+
+    /**
+     * Test successfully logging into /tenant1 with the tenant1_user and then attempt to access /tenant1 again.
+     * We should be able to access /tenant1 again without needing to log in again.
+     *
+     * Then test successfully logging into /tenant2 with the tenant2_user and then attempt to access /tenant2 again.
+     * We should be able to access /tenant2 again without needing to log in again.
+     */
+    @Test
+    public void testLoggedInUserWithAuthServerUrl() throws Exception {
+        performTenantRequestWithAuthServerUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, TENANT1_ENDPOINT);
+        performTenantRequestWithAuthServerUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, TENANT2_ENDPOINT);
+    }
+
+    /**
+     * Test logging into /tenant1 with the tenant1_user and then attempt to access /tenant2.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for
+     * /tenant2.
+     *
+     * Then test logging into /tenant2 with the tenant2_user and then attempt to access /tenant1.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for
+     * /tenant1.
+     */
+    @Test
+    public void testUnauthorizedAccessWithAuthServerUrl() throws Exception {
+        performTenantRequestWithAuthServerUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, TENANT2_ENDPOINT);
+        performTenantRequestWithAuthServerUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, TENANT1_ENDPOINT);
+    }
+
+    /**
+     * Test logging into /tenant1 with a username that exists in both tenant realms and then attempt to access /tenant2.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for /tenant2.
+     *
+     * Test logging into /tenant2 with a username that exists in both tenant realms and then attempt to access /tenant1.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for /tenant1.
+     */
+    @Test
+    public void testUnauthorizedAccessWithAuthServerUrlValidUser() throws Exception {
+        performTenantRequestWithAuthServerUrl(CHARLIE, CHARLIE_PASSWORD, TENANT1_ENDPOINT, TENANT2_ENDPOINT);
+        performTenantRequestWithAuthServerUrl(DAN, DAN_PASSWORD, TENANT2_ENDPOINT, TENANT1_ENDPOINT);
+    }
+
+    /**********************************************************
+     * 2. Tests using a provider-url in the OIDC configuration
+     **********************************************************/
+
+    /**
+     * Test that logging into each tenant with a non-existing user fails.
+     */
+    @Test
+    public void testNonExistingUserWithProviderUrl() throws Exception {
+        testNonExistingUserWithProviderUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT1_ENDPOINT);
+        testNonExistingUserWithProviderUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT2_ENDPOINT);
+        testNonExistingUserWithProviderUrl(KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD, TENANT1_ENDPOINT);
+    }
+
+    /**
+     * Test successfully logging into /tenant1 with the tenant1_user and successfully logging into /tenant2 with the tenant2_user.
+     */
+    @Test
+    public void testSuccessfulAuthenticationWithProviderUrl() throws Exception {
+        performTenantRequestWithProviderUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, null);
+        performTenantRequestWithProviderUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, null);
+    }
+
+    /**
+     * Test successfully logging into /tenant1 with the tenant1_user and then attempt to access /tenant1 again.
+     * We should be able to access /tenant1 again without needing to log in again.
+     *
+     * Then test successfully logging into /tenant2 with the tenant2_user and then attempt to access /tenant2 again.
+     * We should be able to access /tenant2 again without needing to log in again.
+     */
+    @Test
+    public void testLoggedInUserWithProviderUrl() throws Exception {
+        performTenantRequestWithProviderUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, TENANT1_ENDPOINT);
+        performTenantRequestWithProviderUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, TENANT2_ENDPOINT);
+    }
+
+    /**
+     * Test logging into /tenant1 with the tenant1_user and then attempt to access /tenant2.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for
+     * /tenant2.
+     *
+     * Then test logging into /tenant2 with the tenant2_user and then attempt to access /tenant1.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for
+     * /tenant1.
+     */
+    @Test
+    public void testUnauthorizedAccessWithProviderUrl() throws Exception {
+        performTenantRequestWithProviderUrl(TENANT1_USER, TENANT1_PASSWORD, TENANT1_ENDPOINT, TENANT2_ENDPOINT);
+        performTenantRequestWithProviderUrl(TENANT2_USER, TENANT2_PASSWORD, TENANT2_ENDPOINT, TENANT1_ENDPOINT);
+    }
+
+    /**
+     * Test logging into /tenant1 with a username that exists in both tenant realms and then attempt to access /tenant2.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for /tenant2.
+     *
+     * Test logging into /tenant2 with a username that exists in both tenant realms and then attempt to access /tenant1.
+     * We should be redirected to Keycloak to log in since the user's cached token isn't valid for /tenant1.
+     */
+    @Test
+    public void testUnauthorizedAccessWithProviderUrlValidUser() throws Exception {
+        performTenantRequestWithProviderUrl(CHARLIE, CHARLIE_PASSWORD, TENANT1_ENDPOINT, TENANT2_ENDPOINT);
+        performTenantRequestWithProviderUrl(DAN, DAN_PASSWORD, TENANT2_ENDPOINT, TENANT1_ENDPOINT);
+    }
+
+    private void testNonExistingUserWithAuthServerUrl(String username, String password, String tenant) throws Exception {
+        testNonExistingUser(username, password, tenant, true);
+    }
+
+    private void testNonExistingUserWithProviderUrl(String username, String password, String tenant) throws Exception {
+        testNonExistingUser(username, password, tenant, false);
+    }
+
+    private void testNonExistingUser(String username, String password, String tenant, boolean useAuthServerUrl) throws Exception {
+        Map<String, Object> props = new HashMap<>();
+        MultiTenantResolver multiTenantResolver = new MultiTenantResolver(useAuthServerUrl);
+        OidcClientContext oidcClientContext = new OidcClientContext(multiTenantResolver);
+        oidcFactory = new OidcMechanismFactory(oidcClientContext);
+        HttpServerAuthenticationMechanism mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, getCallbackHandler());
+
+        URI requestUri = new URI(getClientUrlForTenant(tenant));
+        TestingHttpServerRequest request = new TestingHttpServerRequest(null, requestUri);
+        mechanism.evaluateRequest(request);
+        TestingHttpServerResponse response = request.getResponse();
+        assertEquals(HttpStatus.SC_MOVED_TEMPORARILY, response.getStatusCode());
+        assertEquals(Status.NO_AUTH, request.getResult());
+
+        HtmlPage page = loginToKeycloak(username, password, requestUri, response.getLocation(), response.getCookies()).click();
+        assertTrue(page.getBody().asText().contains("Invalid username or password"));
+    }
+
+    private void loginToAppMultiTenancy(InputStream oidcConfig, String username, String password, boolean loginToKeycloak,
+                                        int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception {
         try {
             Map<String, Object> props = new HashMap<>();
             OidcClientConfiguration oidcClientConfiguration = OidcClientConfigurationBuilder.build(oidcConfig);
@@ -191,6 +392,59 @@ private void performAuthentication(InputStream oidcConfig, String username, Stri
         }
     }
 
+    private void performTenantRequestWithAuthServerUrl(String username, String password, String tenant, String otherTenant) throws Exception {
+        performTenantRequest(username, password, tenant, otherTenant, true);
+    }
+
+    private void performTenantRequestWithProviderUrl(String username, String password, String tenant, String otherTenant) throws Exception {
+        performTenantRequest(username, password, tenant, otherTenant, false);
+    }
+
+    private void performTenantRequest(String username, String password, String tenant, String otherTenant, boolean useAuthServerUrl) throws Exception {
+        try {
+            Map<String, Object> props = new HashMap<>();
+            Map<String, Object> sessionScopeAttachments = new HashMap<>();
+            String clientPageText = getClientPageTestForTenant(tenant);
+            String expectedLocation = getClientUrlForTenant(tenant);
+
+            // the resolver will be used to obtain the OIDC configuration
+            MultiTenantResolver multiTenantResolver = new MultiTenantResolver(useAuthServerUrl);
+            OidcClientContext oidcClientContext = new OidcClientContext(multiTenantResolver);
+
+            oidcFactory = new OidcMechanismFactory(oidcClientContext);
+            HttpServerAuthenticationMechanism mechanism = oidcFactory.createAuthenticationMechanism(OIDC_NAME, props, getCallbackHandler());
+
+            // attempt to access the specified tenant, we should be redirected to Keycloak to login
+            URI requestUri = new URI(getClientUrlForTenant(tenant));
+            TestingHttpServerRequest request = new TestingHttpServerRequest(null, requestUri);
+            mechanism.evaluateRequest(request);
+            TestingHttpServerResponse response = request.getResponse();
+            assertEquals(HttpStatus.SC_MOVED_TEMPORARILY, response.getStatusCode());
+            assertEquals(Status.NO_AUTH, request.getResult());
+
+            // log into Keycloak, we should then be redirected back to the tenant upon successful authentication
+            client.setDispatcher(createAppResponse(mechanism, HttpStatus.SC_MOVED_TEMPORARILY, expectedLocation, clientPageText, sessionScopeAttachments));
+            TextPage page = loginToKeycloak(username, password, requestUri, response.getLocation(),
+                    response.getCookies()).click();
+            assertTrue(page.getContent().contains(clientPageText));
+
+            if (otherTenant != null) {
+                // attempt to access the other tenant
+                client.setDispatcher(createAppResponse(mechanism, clientPageText, sessionScopeAttachments, otherTenant, tenant.equals(otherTenant)));
+                WebClient webClient = getWebClient();
+                page = webClient.getPage(getClientUrlForTenant(otherTenant));
+                if (otherTenant.equals(tenant)) {
+                    // accessing the same tenant as above, already logged in
+                    assertTrue(page.getContent().contains(clientPageText));
+                } else {
+                    assertFalse(page.getContent().contains(clientPageText));
+                }
+            }
+        } finally {
+            client.setDispatcher(new QueueDispatcher());
+        }
+    }
+
     private InputStream getOidcConfigurationInputStream() {
         return getOidcConfigurationInputStream(CLIENT_SECRET);
     }
@@ -290,4 +544,35 @@ private InputStream getOidcConfigurationInputStreamWithTokenSignatureAlgorithm()
                 "}";
         return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));
     }
+
+    static InputStream getTenantConfigWithAuthServerUrl(String tenant) {
+        String oidcConfig = "{\n" +
+                "    \"realm\" : \"" + tenant + "\",\n" +
+                "    \"resource\" : \"" + CLIENT_ID + "\",\n" +
+                "    \"public-client\" : \"false\",\n" +
+                "    \"auth-server-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "\",\n" +
+                "    \"ssl-required\" : \"EXTERNAL\",\n" +
+                "    \"credentials\" : {\n" +
+                "        \"secret\" : \"" + CLIENT_SECRET + "\"\n" +
+                "    }\n" +
+                "}";
+        return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));
+    }
+
+    static InputStream getTenantConfigWithProviderUrl(String tenant) {
+        String oidcConfig = "{\n" +
+                "    \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + tenant + "\",\n" +
+                "    \"client-id\" : \"" + CLIENT_ID + "\",\n" +
+                "    \"public-client\" : \"false\",\n" +
+                "    \"ssl-required\" : \"EXTERNAL\",\n" +
+                "    \"credentials\" : {\n" +
+                "        \"secret\" : \"" + CLIENT_SECRET + "\"\n" +
+                "    }\n" +
+                "}";
+        return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));
+    }
+
+    private static final String getClientPageTestForTenant(String tenant) {
+        return tenant.equals(TENANT1_ENDPOINT) ? TENANT1_ENDPOINT : TENANT2_ENDPOINT + ":" + CLIENT_PAGE_TEXT;
+    }
 }
diff --git a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
index 52c7bde6181..5ffc16fa88b 100644
--- a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
@@ -137,6 +137,7 @@ protected static class TestingHttpServerRequest implements HttpServerRequest {
         private List<HttpServerCookie> cookies;
         private String requestMethod = "GET";
         private Map<String, List<String>> requestHeaders = new HashMap<>();
+        private Map<String, Object> sessionScopeAttachments = new HashMap<>();
 
         public TestingHttpServerRequest(String[] authorization) {
             if (authorization != null) {
@@ -155,6 +156,16 @@ public TestingHttpServerRequest(String[] authorization, URI requestURI) {
             this.cookies = new ArrayList<>();
         }
 
+        public TestingHttpServerRequest(String[] authorization, URI requestURI, Map<String, Object> sessionScopeAttachments) {
+            if (authorization != null) {
+                requestHeaders.put(AUTHORIZATION, Arrays.asList(authorization));
+            }
+            this.remoteUser = null;
+            this.requestURI = requestURI;
+            this.cookies = new ArrayList<>();
+            this.sessionScopeAttachments = sessionScopeAttachments;
+        }
+
         public TestingHttpServerRequest(String[] authorization, URI requestURI, List<HttpServerCookie> cookies) {
             if (authorization != null) {
                 requestHeaders.put(AUTHORIZATION, Arrays.asList(authorization));
@@ -356,12 +367,18 @@ public boolean supportsInvalidation() {
 
                 @Override
                 public void setAttachment(String key, Object value) {
-                    // no-op
+                    if (scope.equals(Scope.SESSION)) {
+                        sessionScopeAttachments.put(key, value);
+                    }
                 }
 
                 @Override
                 public Object getAttachment(String key) {
-                    return null;
+                    if (scope.equals(Scope.SESSION)) {
+                        return sessionScopeAttachments.get(key);
+                    } else {
+                        return null;
+                    }
                 }
 
             };
@@ -383,6 +400,10 @@ public void setRemoteUser (String remoteUser) {
         public String getRemoteUser() {
             return remoteUser;
         }
+
+        public Map<String, Object> getSessionScopeAttachments() {
+            return sessionScopeAttachments;
+        }
     }
 
     protected static class TestingHttpServerResponse implements HttpServerResponse {

From d9c0e1fae3dbd10cf8dcad53abd5c9872e17eb9c Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Tue, 13 Feb 2024 15:42:11 -0500
Subject: [PATCH 3/7] [JBEAP-26556] CVE-2024-1233 Validate the jku header
 parameter during token validation to make sure it exactly matches a value
 from a configured list of allowed values

---
 .../realm/token/_private/ElytronMessages.java |   4 +
 .../realm/token/validator/JwkManager.java     |   5 +-
 .../realm/token/validator/JwtValidator.java   |  26 +++-
 .../realm/token/JwtSecurityRealmTest.java     | 115 ++++++++++++++++++
 4 files changed, 148 insertions(+), 2 deletions(-)

diff --git a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/_private/ElytronMessages.java b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/_private/ElytronMessages.java
index 3d23a845fe4..229776e39a1 100644
--- a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/_private/ElytronMessages.java
+++ b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/_private/ElytronMessages.java
@@ -98,5 +98,9 @@ public interface ElytronMessages extends BasicLogger {
     @LogMessage(level = WARN)
     @Message(id = 1181, value = "Not sending new request to jwks url \"%s\". Last request time was %d.")
     void avoidingFetchJwks(URL url, long timestamp);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1182, value = "Allowed jku values haven't been configured for the JWT validator. Token validation will fail if the token contains a 'jku' header parameter.")
+    void allowedJkuValuesNotConfigured();
 }
 
diff --git a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwkManager.java b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwkManager.java
index cf4a8a80ef7..71b889c0659 100644
--- a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwkManager.java
+++ b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwkManager.java
@@ -41,6 +41,7 @@
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Set;
 
 import static org.wildfly.security.auth.realm.token._private.ElytronMessages.log;
 
@@ -54,6 +55,7 @@ class JwkManager {
     private final Map<URL, CacheEntry> keys = new LinkedHashMap<>();
     private final SSLContext sslContext;
     private final HostnameVerifier hostnameVerifier;
+    private final Set<String> allowedJkuValues;
 
     private final long updateTimeout;
     private final int minTimeBetweenRequests;
@@ -61,13 +63,14 @@ class JwkManager {
     private final int connectionTimeout;
     private final int readTimeout;
 
-    JwkManager(SSLContext sslContext, HostnameVerifier hostnameVerifier, long updateTimeout, int connectionTimeout, int readTimeout, int minTimeBetweenRequests) {
+    JwkManager(SSLContext sslContext, HostnameVerifier hostnameVerifier, long updateTimeout, int connectionTimeout, int readTimeout, int minTimeBetweenRequests, Set<String> allowedJkuValues) {
         this.sslContext = sslContext;
         this.hostnameVerifier = hostnameVerifier;
         this.updateTimeout = updateTimeout;
         this.connectionTimeout = connectionTimeout;
         this.readTimeout = readTimeout;
         this.minTimeBetweenRequests = minTimeBetweenRequests;
+        this.allowedJkuValues = allowedJkuValues;
     }
 
     /**
diff --git a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
index adcea12fb47..d6cde8c6bb7 100644
--- a/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
+++ b/auth/realm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
@@ -77,6 +77,7 @@ public static Builder builder() {
 
     private final Set<String> issuers;
     private final Set<String> audiences;
+    private final Set<String> allowedJkuValues;
     private final JwkManager jwkManager;
     private final Map<String, PublicKey> namedKeys;
 
@@ -85,12 +86,14 @@ public static Builder builder() {
     JwtValidator(Builder configuration) {
         this.issuers = checkNotNullParam("issuers", configuration.issuers);
         this.audiences = checkNotNullParam("audience", configuration.audience);
+        this.allowedJkuValues = checkNotNullParam("allowedJkuValues", configuration.allowedJkuValues);
         this.defaultPublicKey = configuration.publicKey;
         this.namedKeys = configuration.namedKeys;
         if (configuration.sslContext != null) {
             this.jwkManager = new JwkManager(configuration.sslContext,
                                             configuration.hostnameVerifier != null ? configuration.hostnameVerifier : HttpsURLConnection.getDefaultHostnameVerifier(),
-                                            configuration.updateTimeout, configuration.connectionTimeout, configuration.readTimeout, configuration.minTimeBetweenRequests);
+                                            configuration.updateTimeout, configuration.connectionTimeout, configuration.readTimeout, configuration.minTimeBetweenRequests,
+                                            configuration.allowedJkuValues);
         }
         else {
             log.tokenRealmJwtNoSSLIgnoringJku();
@@ -106,6 +109,9 @@ public static Builder builder() {
         if (audiences.isEmpty()) {
             log.tokenRealmJwtWarnNoAudienceIgnoringAudienceCheck();
         }
+        if (allowedJkuValues.isEmpty()) {
+            log.allowedJkuValuesNotConfigured();
+        }
 
     }
 
@@ -311,6 +317,10 @@ private PublicKey resolvePublicKey(JsonObject headers) {
                 log.debugf("Cannot validate token with jku [%s]. SSL is not configured and jku claim is not supported.", jku);
                 return null;
             }
+            if (! allowedJkuValues.contains(jku.getString())) {
+                log.debug("Cannot validate token, jku value is not allowed");
+                return null;
+            }
             try {
                 return jwkManager.getPublicKey(kid.getString(), new URL(jku.getString()));
             } catch (MalformedURLException e) {
@@ -340,6 +350,7 @@ public static class Builder {
 
         private Set<String> issuers = new LinkedHashSet<>();
         private Set<String> audience = new LinkedHashSet<>();
+        private Set<String> allowedJkuValues = new LinkedHashSet<>();
         private PublicKey publicKey;
         private Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
         private HostnameVerifier hostnameVerifier;
@@ -495,6 +506,19 @@ public Builder setJkuMinTimeBetweenRequests(int minTimeBetweenRequests) {
             return this;
         }
 
+        /**
+         * One or more string values representing the jku values that are supported by this configuration.
+         * During JWT validation, if the jku header parameter is present in a token, it must exactly match
+         * one of the strings defined here or token validation will fail.
+         *
+         * @param allowedJkuValues the allowed values for the jku header parameter
+         * @return this instance
+         */
+        public Builder setAllowedJkuValues(String... allowedJkuValues) {
+            this.allowedJkuValues.addAll(asList(allowedJkuValues));
+            return this;
+        }
+
         /**
          * Returns a {@link JwtValidator} instance based on all the configuration provided with this builder.
          *
diff --git a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java b/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
index 25abd2a9b06..4827738fabc 100644
--- a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
@@ -245,6 +245,7 @@ public void testChangedKeys() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .setJkuTimeout(0) //refresh jwks every time
                         .setJkuMinTimeBetweenRequests(0)
                         .useSslContext(sslContext)
@@ -276,6 +277,7 @@ public void testNewRotationKeys() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .setJkuTimeout(60000L) // 60s of cache
                         .setJkuMinTimeBetweenRequests(0) // no time betweeen requests
                         .useSslContext(sslContext)
@@ -309,6 +311,7 @@ public void testNewRotationKeysTimeBetweenRequests() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .setJkuTimeout(60000L) // 60s of cache
                         .setJkuMinTimeBetweenRequests(10000) // 10s between calls
                         .useSslContext(sslContext)
@@ -352,6 +355,7 @@ public void testMultipleTokenTypes() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .publicKeys(namedKeys)
                         .publicKey(keyPair3.getPublic())
                         .useSslContext(sslContext)
@@ -382,6 +386,7 @@ public void testUnsecuredJkuEndpoint() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50832")
                         .useSslContext(sslContext)
                         .useSslHostnameVerifier((a,b) -> true).build())
                 .build();
@@ -429,6 +434,7 @@ public void testStoppedJkuEndpoint() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .setJkuTimeout(0) //Keys will be downloaded on every request
                         .setJkuMinTimeBetweenRequests(0)
                         .useSslContext(sslContext)
@@ -457,6 +463,7 @@ public void testJkuMultipleKeys() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .useSslContext(sslContext)
                         .useSslHostnameVerifier((a,b) -> true).build())
                 .build();
@@ -477,6 +484,7 @@ public void testInvalidJku() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:80")
                         .useSslContext(sslContext).useSslHostnameVerifier((a,b) -> true).build())
                 .build();
 
@@ -496,6 +504,7 @@ public void testInvalidKid() throws Exception {
                 .validator(JwtValidator.builder()
                         .issuer("elytron-oauth2-realm")
                         .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50831")
                         .useSslContext(sslContext)
                         .useSslHostnameVerifier((a,b) -> true).build())
                 .build();
@@ -722,6 +731,112 @@ public void testAltPrincipaNamesSubFallback() throws Exception {
         assertEquals("elytron@jboss.org", realmIdentity.getRealmIdentityPrincipal().getName());
     }
 
+    @Test
+    public void testTokenWithJkuValueAllowed() throws Exception {
+        BearerTokenEvidence evidence = new BearerTokenEvidence(
+                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
+
+        X509TrustManager tm = getTrustManager();
+        SSLContext sslContext = new SSLContextBuilder()
+                .setTrustManager(tm)
+                .setClientMode(true)
+                .setSessionTimeout(10)
+                .build()
+                .create();
+
+        TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
+                .principalClaimName("sub")
+                .validator(JwtValidator.builder()
+                        .issuer("elytron-oauth2-realm")
+                        .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50832", "https://localhost:50831")
+                        .useSslContext(sslContext)
+                        .useSslHostnameVerifier((a,b) -> true).build())
+                .build();
+
+        // token validation should succeed
+        assertIdentityExist(securityRealm, evidence);
+    }
+
+    @Test
+    public void testTokenWithJkuValueNotAllowed() throws Exception {
+        BearerTokenEvidence evidence = new BearerTokenEvidence(
+                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50834")));
+
+        X509TrustManager tm = getTrustManager();
+        SSLContext sslContext = new SSLContextBuilder()
+                .setTrustManager(tm)
+                .setClientMode(true)
+                .setSessionTimeout(10)
+                .build()
+                .create();
+
+        TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
+                .principalClaimName("sub")
+                .validator(JwtValidator.builder()
+                        .issuer("elytron-oauth2-realm")
+                        .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50832", "https://localhost:50831")
+                        .useSslContext(sslContext)
+                        .useSslHostnameVerifier((a,b) -> true).build())
+                .build();
+
+        // token validation should fail
+        assertIdentityNotExist(securityRealm, evidence);
+    }
+
+    @Test
+    public void testAllowedJkuValuesNotConfigured() throws Exception {
+        BearerTokenEvidence evidence = new BearerTokenEvidence(
+                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
+
+        X509TrustManager tm = getTrustManager();
+        SSLContext sslContext = new SSLContextBuilder()
+                .setTrustManager(tm)
+                .setClientMode(true)
+                .setSessionTimeout(10)
+                .build()
+                .create();
+
+        TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
+                .principalClaimName("sub")
+                .validator(JwtValidator.builder()
+                        .issuer("elytron-oauth2-realm")
+                        .audience("my-app-valid")
+                        .useSslContext(sslContext)
+                        .useSslHostnameVerifier((a,b) -> true).build())
+                .build();
+
+        // token validation should fail
+        assertIdentityNotExist(securityRealm, evidence);
+    }
+
+    @Test
+    public void testTokenWithoutJkuValue() throws Exception {
+        BearerTokenEvidence evidence1 = new BearerTokenEvidence(
+                createJwt(keyPair1, 60, -1, "1", null));
+        BearerTokenEvidence evidence2 = new BearerTokenEvidence(
+                createJwt(keyPair2, 60, -1, "2", null));
+
+        Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
+        namedKeys.put("1", keyPair1.getPublic());
+        namedKeys.put("2", keyPair2.getPublic());
+
+        TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
+                .principalClaimName("sub")
+                .validator(JwtValidator.builder()
+                        .issuer("elytron-oauth2-realm")
+                        .audience("my-app-valid")
+                        .setAllowedJkuValues("https://localhost:50832", "https://localhost:50831")
+                        .publicKeys(namedKeys)
+                        .build())
+                .build();
+
+        // token validation should succeed
+        assertIdentityExist(securityRealm, evidence1);
+        assertIdentityExist(securityRealm, evidence2);
+    }
+
     private void assertIdentityNotExist(SecurityRealm realm, Evidence evidence) throws RealmUnavailableException {
         RealmIdentity identity = realm.getRealmIdentity(evidence);
         assertNotNull(identity);

From cc6158af3c64fa8d4ec32a5c47c02007879f0275 Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Mon, 11 Mar 2024 11:23:38 -0400
Subject: [PATCH 4/7] [JBEAP-26556] Move some methods from JwtSecurityRealmTest
 into a new utility class

---
 .../realm/token/JwtSecurityRealmTest.java     | 177 +++---------------
 tests/common/pom.xml                          |  26 +++
 .../realm/token/test/util/JwtTestUtil.java    | 149 +++++++++++++++
 .../realm/token/test/util}/RsaJwk.java        |   2 +-
 4 files changed, 201 insertions(+), 153 deletions(-)
 create mode 100644 tests/common/src/test/java/org/wildfly/security/realm/token/test/util/JwtTestUtil.java
 rename tests/{base/src/test/java/org/wildfly/security/auth/realm/token => common/src/test/java/org/wildfly/security/realm/token/test/util}/RsaJwk.java (96%)

diff --git a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java b/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
index 4827738fabc..250e0f4e272 100644
--- a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.java
@@ -18,38 +18,25 @@
 
 package org.wildfly.security.auth.realm.token;
 
-import com.nimbusds.jose.JOSEObjectType;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.JWSSigner;
 import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.PlainHeader;
 import com.nimbusds.jose.PlainObject;
-import com.nimbusds.jose.crypto.RSASSASigner;
 
 import jakarta.json.Json;
-import jakarta.json.JsonArrayBuilder;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonObjectBuilder;
-import jakarta.json.JsonValue;
 
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.math.BigInteger;
 import java.net.URI;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
-import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
-import java.util.Base64;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import javax.net.ssl.HttpsURLConnection;
@@ -83,6 +70,7 @@
 import org.wildfly.security.evidence.BearerTokenEvidence;
 import org.wildfly.security.evidence.Evidence;
 import org.wildfly.security.pem.Pem;
+import org.wildfly.security.realm.token.test.util.RsaJwk;
 import org.wildfly.security.ssl.SSLContextBuilder;
 import org.wildfly.security.x500.cert.SelfSignedX509CertificateAndSigningKey;
 
@@ -90,6 +78,11 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.wildfly.security.realm.token.test.util.JwtTestUtil.createClaims;
+import static org.wildfly.security.realm.token.test.util.JwtTestUtil.createJwt;
+import static org.wildfly.security.realm.token.test.util.JwtTestUtil.createRsaJwk;
+import static org.wildfly.security.realm.token.test.util.JwtTestUtil.createTokenDispatcher;
+import static org.wildfly.security.realm.token.test.util.JwtTestUtil.jwksToJson;
 
 /**
  * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -117,50 +110,18 @@ public class JwtSecurityRealmTest {
 
     private static String jwksResponse;
 
-    // rfc7518 dictates the use of Base64urlUInt for "n" and "e" and it explicitly mentions that the
-    // minimum number of octets should be used and the 0 leading sign byte should not be included
-    private static byte[] toBase64urlUInt(final BigInteger bigInt) {
-        byte[] bytes = bigInt.toByteArray();
-        int i = 0;
-        while (i < bytes.length && bytes[i] == 0) {
-            i++;
-        }
-        if (i > 0 && i < bytes.length) {
-            return Arrays.copyOfRange(bytes, i, bytes.length);
-        } else {
-            return bytes;
-        }
-    }
-
     @BeforeClass
     public static void setup() throws GeneralSecurityException, IOException {
         System.setProperty("wildfly.config.url", JwtSecurityRealmTest.class.getResource("wildfly-jwt-test-config.xml").toExternalForm());
 
         keyPair1 = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-        keyPair2 = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-        keyPair3 = KeyPairGenerator.getInstance("RSA").generateKeyPair();
-
-        RSAPublicKey pk1 = (RSAPublicKey) keyPair1.getPublic();
-        RSAPublicKey pk2 = (RSAPublicKey) keyPair2.getPublic();
-        RSAPublicKey pk3 = (RSAPublicKey) keyPair3.getPublic();
-
-        jwk1.setAlg("RS256");
-        jwk1.setKid("1");
-        jwk1.setKty("RSA");
-        jwk1.setE(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk1.getPublicExponent())));
-        jwk1.setN(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk1.getModulus())));
+        jwk1 = createRsaJwk(keyPair1, "1");
 
-        jwk2.setAlg("RS256");
-        jwk2.setKid("2");
-        jwk2.setKty("RSA");
-        jwk2.setE(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk2.getPublicExponent())));
-        jwk2.setN(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk2.getModulus())));
+        keyPair2 = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+        jwk2 = createRsaJwk(keyPair2, "2");
 
-        jwk3.setAlg("RS256");
-        jwk3.setKid("3");
-        jwk3.setKty("RSA");
-        jwk3.setE(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk3.getPublicExponent())));
-        jwk3.setN(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk3.getModulus())));
+        keyPair3 = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+        jwk3 = createRsaJwk(keyPair3, "3");
 
         JsonObject jwks = jwksToJson(jwk1, jwk2);
 
@@ -734,15 +695,9 @@ public void testAltPrincipaNamesSubFallback() throws Exception {
     @Test
     public void testTokenWithJkuValueAllowed() throws Exception {
         BearerTokenEvidence evidence = new BearerTokenEvidence(
-                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
+                createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
 
-        X509TrustManager tm = getTrustManager();
-        SSLContext sslContext = new SSLContextBuilder()
-                .setTrustManager(tm)
-                .setClientMode(true)
-                .setSessionTimeout(10)
-                .build()
-                .create();
+        SSLContext sslContext = getSSLContext();
 
         TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
                 .principalClaimName("sub")
@@ -761,15 +716,9 @@ public void testTokenWithJkuValueAllowed() throws Exception {
     @Test
     public void testTokenWithJkuValueNotAllowed() throws Exception {
         BearerTokenEvidence evidence = new BearerTokenEvidence(
-                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50834")));
+                createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50834")));
 
-        X509TrustManager tm = getTrustManager();
-        SSLContext sslContext = new SSLContextBuilder()
-                .setTrustManager(tm)
-                .setClientMode(true)
-                .setSessionTimeout(10)
-                .build()
-                .create();
+        SSLContext sslContext = getSSLContext();
 
         TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
                 .principalClaimName("sub")
@@ -788,15 +737,9 @@ public void testTokenWithJkuValueNotAllowed() throws Exception {
     @Test
     public void testAllowedJkuValuesNotConfigured() throws Exception {
         BearerTokenEvidence evidence = new BearerTokenEvidence(
-                JwtTestUtil.createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
+                createJwt(keyPair1, 60, -1, "1", new URI("https://localhost:50831")));
 
-        X509TrustManager tm = getTrustManager();
-        SSLContext sslContext = new SSLContextBuilder()
-                .setTrustManager(tm)
-                .setClientMode(true)
-                .setSessionTimeout(10)
-                .build()
-                .create();
+        SSLContext sslContext = getSSLContext();
 
         TokenSecurityRealm securityRealm = TokenSecurityRealm.builder()
                 .principalClaimName("sub")
@@ -849,64 +792,6 @@ private void assertIdentityExist(SecurityRealm realm, Evidence evidence) throws
         assertTrue(identity.exists());
     }
 
-    private String createJwt(KeyPair keyPair, int expirationOffset, int notBeforeOffset) throws Exception {
-        return createJwt(keyPair, expirationOffset, notBeforeOffset, null, null);
-    }
-
-    private String createJwt(KeyPair keyPair, int expirationOffset) throws Exception {
-        return createJwt(keyPair, expirationOffset, -1);
-    }
-
-    private String createJwt(KeyPair keyPair, int expirationOffset, int notBeforeOffset, String kid, URI jku) throws Exception {
-        PrivateKey privateKey = keyPair.getPrivate();
-        JWSSigner signer = new RSASSASigner(privateKey);
-        JsonObjectBuilder claimsBuilder = createClaims(expirationOffset, notBeforeOffset);
-
-        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256)
-                .type(new JOSEObjectType("jwt"));
-
-        if (jku != null) {
-            headerBuilder.jwkURL(jku);
-        }
-        if (kid != null) {
-            headerBuilder.keyID(kid);
-        }
-
-        JWSObject jwsObject = new JWSObject(headerBuilder.build(), new Payload(claimsBuilder.build().toString()));
-
-        jwsObject.sign(signer);
-
-        return jwsObject.serialize();
-    }
-
-    private String createJwt(KeyPair keyPair) throws Exception {
-        return createJwt(keyPair, 60);
-    }
-
-    private JsonObjectBuilder createClaims(int expirationOffset, int notBeforeOffset) {
-        return createClaims(expirationOffset, notBeforeOffset, null);
-    }
-    private JsonObjectBuilder createClaims(int expirationOffset, int notBeforeOffset, JsonObject additionalClaims) {
-        JsonObjectBuilder claimsBuilder = Json.createObjectBuilder()
-                .add("active", true)
-                .add("sub", "elytron@jboss.org")
-                .add("iss", "elytron-oauth2-realm")
-                .add("aud", Json.createArrayBuilder().add("my-app-valid").add("third-app-valid").add("another-app-valid").build())
-                .add("exp", (System.currentTimeMillis() / 1000) + expirationOffset);
-
-        if (additionalClaims != null) {
-            for(String name : additionalClaims.keySet()) {
-                JsonValue value = additionalClaims.get(name);
-                claimsBuilder.add(name, value);
-            }
-        }
-        if (notBeforeOffset > 0) {
-            claimsBuilder.add("nbf", (System.currentTimeMillis() / 1000) + notBeforeOffset);
-        }
-
-        return claimsBuilder;
-    }
-
     private X509TrustManager getTrustManager() throws Exception {
         KeyStore trustStore = KeyStore.getInstance("JKS");
         trustStore.load(new FileInputStream(trustStoreFile), PASSWORD);
@@ -923,18 +808,14 @@ private X509TrustManager getTrustManager() throws Exception {
         return tm;
     }
 
-    private static JsonObject jwksToJson(RsaJwk... jwks) {
-        JsonArrayBuilder jab = Json.createArrayBuilder();
-        for (int i = 0; i < jwks.length; i++){
-            JsonObjectBuilder jwk = Json.createObjectBuilder()
-                    .add("kty", jwks[i].getKty())
-                    .add("alg", jwks[i].getAlg())
-                    .add("kid", jwks[i].getKid())
-                    .add("n", jwks[i].getN())
-                    .add("e", jwks[i].getE());
-            jab.add(jwk);
-        }
-        return Json.createObjectBuilder().add("keys", jab).build();
+    private SSLContext getSSLContext() throws Exception {
+        X509TrustManager trustManager = getTrustManager();
+        return new SSLContextBuilder()
+                .setTrustManager(trustManager)
+                .setClientMode(true)
+                .setSessionTimeout(10)
+                .build()
+                .create();
     }
 
     private static Dispatcher createOneTimeDispatcher(String response) {
@@ -952,12 +833,4 @@ public MockResponse dispatch(RecordedRequest recordedRequest) {
         };
     }
 
-    private static Dispatcher createTokenDispatcher(String response) {
-        return new Dispatcher() {
-            @Override
-            public MockResponse dispatch(RecordedRequest recordedRequest) {
-                return new MockResponse().setBody(response);
-            }
-        };
-    }
 }
diff --git a/tests/common/pom.xml b/tests/common/pom.xml
index 3e5f0bfbac6..d557749604c 100644
--- a/tests/common/pom.xml
+++ b/tests/common/pom.xml
@@ -47,6 +47,22 @@
     </build>
 
     <dependencies>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>net.minidev</groupId>
+                    <artifactId>json-smart</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-client</artifactId>
@@ -57,11 +73,21 @@
             <artifactId>junit</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.glassfish</groupId>
+            <artifactId>jakarta.json</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/tests/common/src/test/java/org/wildfly/security/realm/token/test/util/JwtTestUtil.java b/tests/common/src/test/java/org/wildfly/security/realm/token/test/util/JwtTestUtil.java
new file mode 100644
index 00000000000..67781984931
--- /dev/null
+++ b/tests/common/src/test/java/org/wildfly/security/realm/token/test/util/JwtTestUtil.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright The WildFly Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.wildfly.security.realm.token.test.util;
+
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.crypto.RSASSASigner;
+
+import jakarta.json.Json;
+import jakarta.json.JsonArrayBuilder;
+import jakarta.json.JsonObject;
+import jakarta.json.JsonObjectBuilder;
+import jakarta.json.JsonValue;
+
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
+import java.util.Base64;
+
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.RecordedRequest;
+
+/**
+ * A utility class containing common methods for working with token realms.
+ *
+ * @author <a href="mailto:fjuma@redhat.com">Farah Juma</a>
+ */
+public final class JwtTestUtil {
+
+    public static JsonObject jwksToJson(RsaJwk... jwks) {
+        JsonArrayBuilder jab = Json.createArrayBuilder();
+        for (int i = 0; i < jwks.length; i++){
+            JsonObjectBuilder jwk = Json.createObjectBuilder()
+                    .add("kty", jwks[i].getKty())
+                    .add("alg", jwks[i].getAlg())
+                    .add("kid", jwks[i].getKid())
+                    .add("n", jwks[i].getN())
+                    .add("e", jwks[i].getE());
+            jab.add(jwk);
+        }
+        return Json.createObjectBuilder().add("keys", jab).build();
+    }
+
+    public static String createJwt(KeyPair keyPair, int expirationOffset, int notBeforeOffset) throws Exception {
+        return createJwt(keyPair, expirationOffset, notBeforeOffset, null, null);
+    }
+
+    public static String createJwt(KeyPair keyPair, int expirationOffset) throws Exception {
+        return createJwt(keyPair, expirationOffset, -1);
+    }
+
+    public static String createJwt(KeyPair keyPair, int expirationOffset, int notBeforeOffset, String kid, URI jku) throws Exception {
+        PrivateKey privateKey = keyPair.getPrivate();
+        JWSSigner signer = new RSASSASigner(privateKey);
+        JsonObjectBuilder claimsBuilder = createClaims(expirationOffset, notBeforeOffset);
+
+        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256)
+                .type(new JOSEObjectType("jwt"));
+
+        if (jku != null) {
+            headerBuilder.jwkURL(jku);
+        }
+        if (kid != null) {
+            headerBuilder.keyID(kid);
+        }
+
+        JWSObject jwsObject = new JWSObject(headerBuilder.build(), new Payload(claimsBuilder.build().toString()));
+
+        jwsObject.sign(signer);
+
+        return jwsObject.serialize();
+    }
+
+    public static String createJwt(KeyPair keyPair) throws Exception {
+        return createJwt(keyPair, 60);
+    }
+
+    public static JsonObjectBuilder createClaims(int expirationOffset, int notBeforeOffset) {
+        return createClaims(expirationOffset, notBeforeOffset, null);
+    }
+    public static JsonObjectBuilder createClaims(int expirationOffset, int notBeforeOffset, JsonObject additionalClaims) {
+        JsonObjectBuilder claimsBuilder = Json.createObjectBuilder()
+                .add("active", true)
+                .add("sub", "elytron@jboss.org")
+                .add("iss", "elytron-oauth2-realm")
+                .add("aud", Json.createArrayBuilder().add("my-app-valid").add("third-app-valid").add("another-app-valid").build())
+                .add("exp", (System.currentTimeMillis() / 1000) + expirationOffset);
+
+        if (additionalClaims != null) {
+            for(String name : additionalClaims.keySet()) {
+                JsonValue value = additionalClaims.get(name);
+                claimsBuilder.add(name, value);
+            }
+        }
+        if (notBeforeOffset > 0) {
+            claimsBuilder.add("nbf", (System.currentTimeMillis() / 1000) + notBeforeOffset);
+        }
+
+        return claimsBuilder;
+    }
+
+    public static RsaJwk createRsaJwk(KeyPair keyPair, String kid) {
+        RSAPublicKey pk = (RSAPublicKey) keyPair.getPublic();
+        RsaJwk jwk = new RsaJwk();
+
+        jwk.setAlg("RS256");
+        jwk.setKid(kid);
+        jwk.setKty("RSA");
+        jwk.setE(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk.getPublicExponent())));
+        jwk.setN(Base64.getUrlEncoder().withoutPadding().encodeToString(toBase64urlUInt(pk.getModulus())));
+
+        return jwk;
+    }
+
+    public static Dispatcher createTokenDispatcher(String response) {
+        return new Dispatcher() {
+            @Override
+            public MockResponse dispatch(RecordedRequest recordedRequest) {
+                return new MockResponse().setBody(response);
+            }
+        };
+    }
+
+    // rfc7518 dictates the use of Base64urlUInt for "n" and "e" and it explicitly mentions that the
+    // minimum number of octets should be used and the 0 leading sign byte should not be included
+    private static byte[] toBase64urlUInt(final BigInteger bigInt) {
+        byte[] bytes = bigInt.toByteArray();
+        int i = 0;
+        while (i < bytes.length && bytes[i] == 0) {
+            i++;
+        }
+        if (i > 0 && i < bytes.length) {
+            return Arrays.copyOfRange(bytes, i, bytes.length);
+        } else {
+            return bytes;
+        }
+    }
+
+}
diff --git a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/RsaJwk.java b/tests/common/src/test/java/org/wildfly/security/realm/token/test/util/RsaJwk.java
similarity index 96%
rename from tests/base/src/test/java/org/wildfly/security/auth/realm/token/RsaJwk.java
rename to tests/common/src/test/java/org/wildfly/security/realm/token/test/util/RsaJwk.java
index 4047eb29c2e..f7a7a69f948 100644
--- a/tests/base/src/test/java/org/wildfly/security/auth/realm/token/RsaJwk.java
+++ b/tests/common/src/test/java/org/wildfly/security/realm/token/test/util/RsaJwk.java
@@ -15,7 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.wildfly.security.auth.realm.token;
+package org.wildfly.security.realm.token.test.util;
 
 public class RsaJwk {
     private String kty;

From a6d344e257a3227ede8435b16ef775b2a00e57b3 Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Fri, 15 Mar 2024 16:30:59 -0400
Subject: [PATCH 5/7] [ELY-2734] Perform API check against 2.2.4.Final

---
 wildfly-elytron/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wildfly-elytron/pom.xml b/wildfly-elytron/pom.xml
index e30bf306c0f..ba2f517ea19 100644
--- a/wildfly-elytron/pom.xml
+++ b/wildfly-elytron/pom.xml
@@ -553,7 +553,7 @@
                                 <dependency>
                                     <groupId>org.wildfly.security</groupId>
                                     <artifactId>wildfly-elytron</artifactId>
-                                    <version>2.2.3.Final</version> <!-- When updating to next release, clear all exclusions. -->
+                                    <version>2.2.4.Final</version> <!-- When updating to next release, clear all exclusions. -->
                                     <type>jar</type>
                                 </dependency>
                             </oldVersion>

From bb95f550a7feb044aab027ad86c6f23878920d66 Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Fri, 15 Mar 2024 16:32:12 -0400
Subject: [PATCH 6/7] [JBEAP-25377] Release WildFly Elytron 2.2.4.SP01

---
 asn1/pom.xml                         | 2 +-
 audit/pom.xml                        | 2 +-
 auth/base/pom.xml                    | 2 +-
 auth/client/pom.xml                  | 2 +-
 auth/realm/base/pom.xml              | 2 +-
 auth/realm/jdbc/pom.xml              | 2 +-
 auth/realm/ldap/pom.xml              | 2 +-
 auth/realm/token/pom.xml             | 2 +-
 auth/server/base/pom.xml             | 2 +-
 auth/server/deprecated/pom.xml       | 2 +-
 auth/server/http/pom.xml             | 2 +-
 auth/server/sasl/pom.xml             | 2 +-
 auth/util/pom.xml                    | 2 +-
 base/pom.xml                         | 2 +-
 credential/base/pom.xml              | 2 +-
 credential/source/deprecated/pom.xml | 2 +-
 credential/source/impl/pom.xml       | 2 +-
 credential/store/pom.xml             | 2 +-
 digest/pom.xml                       | 2 +-
 encryption/pom.xml                   | 2 +-
 http/base/pom.xml                    | 2 +-
 http/basic/pom.xml                   | 2 +-
 http/bearer/pom.xml                  | 2 +-
 http/cert/pom.xml                    | 2 +-
 http/deprecated/pom.xml              | 2 +-
 http/digest/pom.xml                  | 2 +-
 http/external/pom.xml                | 2 +-
 http/form/pom.xml                    | 2 +-
 http/oidc/pom.xml                    | 2 +-
 http/spnego/pom.xml                  | 2 +-
 http/sso/pom.xml                     | 2 +-
 http/stateful-basic/pom.xml          | 2 +-
 http/util/pom.xml                    | 2 +-
 jose/jwk/pom.xml                     | 2 +-
 jose/util/pom.xml                    | 2 +-
 json-util/pom.xml                    | 2 +-
 keystore/pom.xml                     | 2 +-
 manager/action/pom.xml               | 2 +-
 manager/base/pom.xml                 | 2 +-
 mechanism/base/pom.xml               | 2 +-
 mechanism/digest/pom.xml             | 2 +-
 mechanism/gssapi/pom.xml             | 2 +-
 mechanism/http/pom.xml               | 2 +-
 mechanism/oauth2/pom.xml             | 2 +-
 mechanism/scram/pom.xml              | 2 +-
 password/impl/pom.xml                | 2 +-
 permission/pom.xml                   | 2 +-
 pom.xml                              | 2 +-
 provider/util/pom.xml                | 2 +-
 sasl/anonymous/pom.xml               | 2 +-
 sasl/auth/util/pom.xml               | 2 +-
 sasl/base/pom.xml                    | 2 +-
 sasl/deprecated/pom.xml              | 2 +-
 sasl/digest/pom.xml                  | 2 +-
 sasl/entity/pom.xml                  | 2 +-
 sasl/external/pom.xml                | 2 +-
 sasl/gs2/pom.xml                     | 2 +-
 sasl/gssapi/pom.xml                  | 2 +-
 sasl/localuser/pom.xml               | 2 +-
 sasl/oauth2/pom.xml                  | 2 +-
 sasl/otp/pom.xml                     | 2 +-
 sasl/plain/pom.xml                   | 2 +-
 sasl/scram/pom.xml                   | 2 +-
 ssh/util/pom.xml                     | 2 +-
 ssl/pom.xml                          | 2 +-
 tests/base/pom.xml                   | 2 +-
 tests/common/pom.xml                 | 2 +-
 tool/pom.xml                         | 2 +-
 util/pom.xml                         | 2 +-
 wildfly-elytron/pom.xml              | 2 +-
 x500/base/pom.xml                    | 2 +-
 x500/cert/acme/pom.xml               | 2 +-
 x500/cert/base/pom.xml               | 2 +-
 x500/cert/util/pom.xml               | 2 +-
 x500/deprecated/pom.xml              | 2 +-
 x500/principal/pom.xml               | 2 +-
 76 files changed, 76 insertions(+), 76 deletions(-)

diff --git a/asn1/pom.xml b/asn1/pom.xml
index bcfa5e0ec3a..3a2e2f6817c 100644
--- a/asn1/pom.xml
+++ b/asn1/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/audit/pom.xml b/audit/pom.xml
index 319f7e154c3..b5c6511860f 100644
--- a/audit/pom.xml
+++ b/audit/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/auth/base/pom.xml b/auth/base/pom.xml
index 22b720caa89..0f660d76735 100644
--- a/auth/base/pom.xml
+++ b/auth/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/client/pom.xml b/auth/client/pom.xml
index d52990d4c35..1bb285048f5 100644
--- a/auth/client/pom.xml
+++ b/auth/client/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/base/pom.xml b/auth/realm/base/pom.xml
index 62908b8bd8e..0c64e8cb2c8 100644
--- a/auth/realm/base/pom.xml
+++ b/auth/realm/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/jdbc/pom.xml b/auth/realm/jdbc/pom.xml
index e9b71edc73a..a0c65119ea1 100644
--- a/auth/realm/jdbc/pom.xml
+++ b/auth/realm/jdbc/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/ldap/pom.xml b/auth/realm/ldap/pom.xml
index 0ec8a4062fb..51830615020 100644
--- a/auth/realm/ldap/pom.xml
+++ b/auth/realm/ldap/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/token/pom.xml b/auth/realm/token/pom.xml
index 8007d5790f6..4e5cc4ed320 100644
--- a/auth/realm/token/pom.xml
+++ b/auth/realm/token/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/base/pom.xml b/auth/server/base/pom.xml
index 143aba541f1..cfcf65de230 100644
--- a/auth/server/base/pom.xml
+++ b/auth/server/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/deprecated/pom.xml b/auth/server/deprecated/pom.xml
index bd1787a0902..a4576bc7726 100644
--- a/auth/server/deprecated/pom.xml
+++ b/auth/server/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/http/pom.xml b/auth/server/http/pom.xml
index 9264a8c3de4..da73dfed3d4 100644
--- a/auth/server/http/pom.xml
+++ b/auth/server/http/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/sasl/pom.xml b/auth/server/sasl/pom.xml
index 7536d60b582..665f9836401 100644
--- a/auth/server/sasl/pom.xml
+++ b/auth/server/sasl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/util/pom.xml b/auth/util/pom.xml
index fb0471fdd1f..f2151132ee9 100644
--- a/auth/util/pom.xml
+++ b/auth/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/base/pom.xml b/base/pom.xml
index c9da39dd45b..727fdd35265 100644
--- a/base/pom.xml
+++ b/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/credential/base/pom.xml b/credential/base/pom.xml
index 227c4555c1a..03463f43f53 100644
--- a/credential/base/pom.xml
+++ b/credential/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/source/deprecated/pom.xml b/credential/source/deprecated/pom.xml
index c789dc869a0..264a36dc921 100644
--- a/credential/source/deprecated/pom.xml
+++ b/credential/source/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/source/impl/pom.xml b/credential/source/impl/pom.xml
index 9b0b9ca8f6f..5632a36102e 100644
--- a/credential/source/impl/pom.xml
+++ b/credential/source/impl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/store/pom.xml b/credential/store/pom.xml
index 8fa18b44791..36dc5a75096 100644
--- a/credential/store/pom.xml
+++ b/credential/store/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/digest/pom.xml b/digest/pom.xml
index eacfdebbcca..2f9fb718061 100644
--- a/digest/pom.xml
+++ b/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/encryption/pom.xml b/encryption/pom.xml
index 57ea366f9a3..eb67a01f4f4 100644
--- a/encryption/pom.xml
+++ b/encryption/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/http/base/pom.xml b/http/base/pom.xml
index 1171d27b616..c31775d1607 100644
--- a/http/base/pom.xml
+++ b/http/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/basic/pom.xml b/http/basic/pom.xml
index 9d0ca01a8da..f8c18d7a293 100644
--- a/http/basic/pom.xml
+++ b/http/basic/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/bearer/pom.xml b/http/bearer/pom.xml
index ae9c683e056..32120e6e70e 100644
--- a/http/bearer/pom.xml
+++ b/http/bearer/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/cert/pom.xml b/http/cert/pom.xml
index 6dfbe7c1f34..b3e1cd2ec5c 100644
--- a/http/cert/pom.xml
+++ b/http/cert/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/deprecated/pom.xml b/http/deprecated/pom.xml
index 089544c3a8c..adda91689bf 100644
--- a/http/deprecated/pom.xml
+++ b/http/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/digest/pom.xml b/http/digest/pom.xml
index 742745c9bad..5da77129bd1 100644
--- a/http/digest/pom.xml
+++ b/http/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/external/pom.xml b/http/external/pom.xml
index 58206b6b3a1..756acdfdd8d 100644
--- a/http/external/pom.xml
+++ b/http/external/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/form/pom.xml b/http/form/pom.xml
index 84b16caaf09..d159b40602c 100644
--- a/http/form/pom.xml
+++ b/http/form/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/oidc/pom.xml b/http/oidc/pom.xml
index 74e907ec7f7..0857afdbe62 100644
--- a/http/oidc/pom.xml
+++ b/http/oidc/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/spnego/pom.xml b/http/spnego/pom.xml
index 9218db88873..b946bf0008b 100644
--- a/http/spnego/pom.xml
+++ b/http/spnego/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/sso/pom.xml b/http/sso/pom.xml
index 8a13fcdca9a..efcbeac616f 100644
--- a/http/sso/pom.xml
+++ b/http/sso/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/stateful-basic/pom.xml b/http/stateful-basic/pom.xml
index 237ca9b1bd8..0c8a368659f 100644
--- a/http/stateful-basic/pom.xml
+++ b/http/stateful-basic/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/util/pom.xml b/http/util/pom.xml
index 03b9fc6a99d..597436923e9 100644
--- a/http/util/pom.xml
+++ b/http/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/jose/jwk/pom.xml b/jose/jwk/pom.xml
index f517fe80d55..52a3a5f3402 100644
--- a/jose/jwk/pom.xml
+++ b/jose/jwk/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/jose/util/pom.xml b/jose/util/pom.xml
index 5ac5d2659b6..74e630c9535 100644
--- a/jose/util/pom.xml
+++ b/jose/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/json-util/pom.xml b/json-util/pom.xml
index 864d0ef1836..b9563f88211 100644
--- a/json-util/pom.xml
+++ b/json-util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/keystore/pom.xml b/keystore/pom.xml
index 9afeb1fe37e..3cfd1e5d22c 100644
--- a/keystore/pom.xml
+++ b/keystore/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/manager/action/pom.xml b/manager/action/pom.xml
index 1e1d444c665..9617941ed11 100644
--- a/manager/action/pom.xml
+++ b/manager/action/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/manager/base/pom.xml b/manager/base/pom.xml
index 6ab0f2adeae..e955f530b78 100644
--- a/manager/base/pom.xml
+++ b/manager/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/base/pom.xml b/mechanism/base/pom.xml
index 4a77cb5122f..56e45ab0337 100644
--- a/mechanism/base/pom.xml
+++ b/mechanism/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/digest/pom.xml b/mechanism/digest/pom.xml
index 162ccd7d9a9..9182825c06e 100644
--- a/mechanism/digest/pom.xml
+++ b/mechanism/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/gssapi/pom.xml b/mechanism/gssapi/pom.xml
index 0800d7b5107..be33f6a839e 100644
--- a/mechanism/gssapi/pom.xml
+++ b/mechanism/gssapi/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/http/pom.xml b/mechanism/http/pom.xml
index 1409519ea2f..21a805cd367 100644
--- a/mechanism/http/pom.xml
+++ b/mechanism/http/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/oauth2/pom.xml b/mechanism/oauth2/pom.xml
index a25e242fcc5..7e4f60b3ef7 100644
--- a/mechanism/oauth2/pom.xml
+++ b/mechanism/oauth2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/scram/pom.xml b/mechanism/scram/pom.xml
index 4bf5288c25b..b85b8e18596 100644
--- a/mechanism/scram/pom.xml
+++ b/mechanism/scram/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/password/impl/pom.xml b/password/impl/pom.xml
index be6f684862c..6699fe3bcea 100644
--- a/password/impl/pom.xml
+++ b/password/impl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/permission/pom.xml b/permission/pom.xml
index 2e3434b67ec..7d13e688534 100644
--- a/permission/pom.xml
+++ b/permission/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/pom.xml b/pom.xml
index 2ad80672066..84a93768e47 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 
     <groupId>org.wildfly.security</groupId>
     <artifactId>wildfly-elytron-parent</artifactId>
-    <version>2.2.5.CR1-SNAPSHOT</version>
+    <version>2.2.4.SP01</version>
     <packaging>pom</packaging>
 
     <name>WildFly Elytron Parent</name>
diff --git a/provider/util/pom.xml b/provider/util/pom.xml
index 357c4bca885..1becf76f4f0 100644
--- a/provider/util/pom.xml
+++ b/provider/util/pom.xml
@@ -23,7 +23,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/anonymous/pom.xml b/sasl/anonymous/pom.xml
index bc4fe9e710b..3b18f7eb4a6 100644
--- a/sasl/anonymous/pom.xml
+++ b/sasl/anonymous/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/auth/util/pom.xml b/sasl/auth/util/pom.xml
index b4deed80549..3c11cfa49e2 100644
--- a/sasl/auth/util/pom.xml
+++ b/sasl/auth/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>        
     </parent>
 
diff --git a/sasl/base/pom.xml b/sasl/base/pom.xml
index 9e0de1ade91..2b89ec24e65 100644
--- a/sasl/base/pom.xml
+++ b/sasl/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/deprecated/pom.xml b/sasl/deprecated/pom.xml
index ec9d80b0479..fbb366d1501 100644
--- a/sasl/deprecated/pom.xml
+++ b/sasl/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/digest/pom.xml b/sasl/digest/pom.xml
index e8f92c55e65..24922d02865 100644
--- a/sasl/digest/pom.xml
+++ b/sasl/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/entity/pom.xml b/sasl/entity/pom.xml
index 3e951e4f4da..f32f6bc0c4f 100644
--- a/sasl/entity/pom.xml
+++ b/sasl/entity/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/external/pom.xml b/sasl/external/pom.xml
index 5472a9103d6..af779806175 100644
--- a/sasl/external/pom.xml
+++ b/sasl/external/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/gs2/pom.xml b/sasl/gs2/pom.xml
index 6abd2506fc1..c44d117bd38 100644
--- a/sasl/gs2/pom.xml
+++ b/sasl/gs2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/gssapi/pom.xml b/sasl/gssapi/pom.xml
index 1c79432d878..f1057328c04 100644
--- a/sasl/gssapi/pom.xml
+++ b/sasl/gssapi/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/localuser/pom.xml b/sasl/localuser/pom.xml
index 558c7a56816..6e53f9deeea 100644
--- a/sasl/localuser/pom.xml
+++ b/sasl/localuser/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/oauth2/pom.xml b/sasl/oauth2/pom.xml
index 7a527a07d59..e0779bcc94e 100644
--- a/sasl/oauth2/pom.xml
+++ b/sasl/oauth2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/otp/pom.xml b/sasl/otp/pom.xml
index 9137f83f5ae..b7119a925d7 100644
--- a/sasl/otp/pom.xml
+++ b/sasl/otp/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/plain/pom.xml b/sasl/plain/pom.xml
index 14b55112b01..75e2ebd9c9b 100644
--- a/sasl/plain/pom.xml
+++ b/sasl/plain/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/scram/pom.xml b/sasl/scram/pom.xml
index 653081253ed..4f7efb0fa48 100644
--- a/sasl/scram/pom.xml
+++ b/sasl/scram/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/ssh/util/pom.xml b/ssh/util/pom.xml
index 99ddd05dcac..49d14d9654d 100644
--- a/ssh/util/pom.xml
+++ b/ssh/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/ssl/pom.xml b/ssl/pom.xml
index 231f9075280..767f8ef6d32 100644
--- a/ssl/pom.xml
+++ b/ssl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/tests/base/pom.xml b/tests/base/pom.xml
index 9f7dd257f5c..b97f2c13792 100644
--- a/tests/base/pom.xml
+++ b/tests/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/tests/common/pom.xml b/tests/common/pom.xml
index 76f8df6df0a..b960b4472cc 100644
--- a/tests/common/pom.xml
+++ b/tests/common/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <artifactId>wildfly-elytron-parent</artifactId>
         <groupId>org.wildfly.security</groupId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/tool/pom.xml b/tool/pom.xml
index 748ba25c969..2152eb17d01 100644
--- a/tool/pom.xml
+++ b/tool/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/util/pom.xml b/util/pom.xml
index 0eec5dbcd5e..1833c36381e 100644
--- a/util/pom.xml
+++ b/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/wildfly-elytron/pom.xml b/wildfly-elytron/pom.xml
index ba2f517ea19..c86fab35e2c 100644
--- a/wildfly-elytron/pom.xml
+++ b/wildfly-elytron/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/x500/base/pom.xml b/x500/base/pom.xml
index b5515475763..80c8f183662 100644
--- a/x500/base/pom.xml
+++ b/x500/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>        
     </parent>
 
diff --git a/x500/cert/acme/pom.xml b/x500/cert/acme/pom.xml
index 3108c07eacd..6083a17cdc4 100644
--- a/x500/cert/acme/pom.xml
+++ b/x500/cert/acme/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/cert/base/pom.xml b/x500/cert/base/pom.xml
index d037c6293bf..0e6de955e13 100644
--- a/x500/cert/base/pom.xml
+++ b/x500/cert/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/cert/util/pom.xml b/x500/cert/util/pom.xml
index 0653e426aef..ffa626df514 100644
--- a/x500/cert/util/pom.xml
+++ b/x500/cert/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/deprecated/pom.xml b/x500/deprecated/pom.xml
index e9958e305ef..5f819442424 100644
--- a/x500/deprecated/pom.xml
+++ b/x500/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/principal/pom.xml b/x500/principal/pom.xml
index abe9c96e968..8ae194c80dd 100644
--- a/x500/principal/pom.xml
+++ b/x500/principal/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.5.CR1-SNAPSHOT</version>
+        <version>2.2.4.SP01</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

From bfab97913c41aa444ef9621cb7e7dc80819ce8dd Mon Sep 17 00:00:00 2001
From: Farah Juma <fjuma@redhat.com>
Date: Fri, 15 Mar 2024 16:33:05 -0400
Subject: [PATCH 7/7] Next is 2.2.5

---
 asn1/pom.xml                         | 2 +-
 audit/pom.xml                        | 2 +-
 auth/base/pom.xml                    | 2 +-
 auth/client/pom.xml                  | 2 +-
 auth/realm/base/pom.xml              | 2 +-
 auth/realm/jdbc/pom.xml              | 2 +-
 auth/realm/ldap/pom.xml              | 2 +-
 auth/realm/token/pom.xml             | 2 +-
 auth/server/base/pom.xml             | 2 +-
 auth/server/deprecated/pom.xml       | 2 +-
 auth/server/http/pom.xml             | 2 +-
 auth/server/sasl/pom.xml             | 2 +-
 auth/util/pom.xml                    | 2 +-
 base/pom.xml                         | 2 +-
 credential/base/pom.xml              | 2 +-
 credential/source/deprecated/pom.xml | 2 +-
 credential/source/impl/pom.xml       | 2 +-
 credential/store/pom.xml             | 2 +-
 digest/pom.xml                       | 2 +-
 encryption/pom.xml                   | 2 +-
 http/base/pom.xml                    | 2 +-
 http/basic/pom.xml                   | 2 +-
 http/bearer/pom.xml                  | 2 +-
 http/cert/pom.xml                    | 2 +-
 http/deprecated/pom.xml              | 2 +-
 http/digest/pom.xml                  | 2 +-
 http/external/pom.xml                | 2 +-
 http/form/pom.xml                    | 2 +-
 http/oidc/pom.xml                    | 2 +-
 http/spnego/pom.xml                  | 2 +-
 http/sso/pom.xml                     | 2 +-
 http/stateful-basic/pom.xml          | 2 +-
 http/util/pom.xml                    | 2 +-
 jose/jwk/pom.xml                     | 2 +-
 jose/util/pom.xml                    | 2 +-
 json-util/pom.xml                    | 2 +-
 keystore/pom.xml                     | 2 +-
 manager/action/pom.xml               | 2 +-
 manager/base/pom.xml                 | 2 +-
 mechanism/base/pom.xml               | 2 +-
 mechanism/digest/pom.xml             | 2 +-
 mechanism/gssapi/pom.xml             | 2 +-
 mechanism/http/pom.xml               | 2 +-
 mechanism/oauth2/pom.xml             | 2 +-
 mechanism/scram/pom.xml              | 2 +-
 password/impl/pom.xml                | 2 +-
 permission/pom.xml                   | 2 +-
 pom.xml                              | 2 +-
 provider/util/pom.xml                | 2 +-
 sasl/anonymous/pom.xml               | 2 +-
 sasl/auth/util/pom.xml               | 2 +-
 sasl/base/pom.xml                    | 2 +-
 sasl/deprecated/pom.xml              | 2 +-
 sasl/digest/pom.xml                  | 2 +-
 sasl/entity/pom.xml                  | 2 +-
 sasl/external/pom.xml                | 2 +-
 sasl/gs2/pom.xml                     | 2 +-
 sasl/gssapi/pom.xml                  | 2 +-
 sasl/localuser/pom.xml               | 2 +-
 sasl/oauth2/pom.xml                  | 2 +-
 sasl/otp/pom.xml                     | 2 +-
 sasl/plain/pom.xml                   | 2 +-
 sasl/scram/pom.xml                   | 2 +-
 ssh/util/pom.xml                     | 2 +-
 ssl/pom.xml                          | 2 +-
 tests/base/pom.xml                   | 2 +-
 tests/common/pom.xml                 | 2 +-
 tool/pom.xml                         | 2 +-
 util/pom.xml                         | 2 +-
 wildfly-elytron/pom.xml              | 2 +-
 x500/base/pom.xml                    | 2 +-
 x500/cert/acme/pom.xml               | 2 +-
 x500/cert/base/pom.xml               | 2 +-
 x500/cert/util/pom.xml               | 2 +-
 x500/deprecated/pom.xml              | 2 +-
 x500/principal/pom.xml               | 2 +-
 76 files changed, 76 insertions(+), 76 deletions(-)

diff --git a/asn1/pom.xml b/asn1/pom.xml
index 3a2e2f6817c..bcfa5e0ec3a 100644
--- a/asn1/pom.xml
+++ b/asn1/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/audit/pom.xml b/audit/pom.xml
index b5c6511860f..319f7e154c3 100644
--- a/audit/pom.xml
+++ b/audit/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/auth/base/pom.xml b/auth/base/pom.xml
index 0f660d76735..22b720caa89 100644
--- a/auth/base/pom.xml
+++ b/auth/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/client/pom.xml b/auth/client/pom.xml
index 1bb285048f5..d52990d4c35 100644
--- a/auth/client/pom.xml
+++ b/auth/client/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/base/pom.xml b/auth/realm/base/pom.xml
index 0c64e8cb2c8..62908b8bd8e 100644
--- a/auth/realm/base/pom.xml
+++ b/auth/realm/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/jdbc/pom.xml b/auth/realm/jdbc/pom.xml
index a0c65119ea1..e9b71edc73a 100644
--- a/auth/realm/jdbc/pom.xml
+++ b/auth/realm/jdbc/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/ldap/pom.xml b/auth/realm/ldap/pom.xml
index 51830615020..0ec8a4062fb 100644
--- a/auth/realm/ldap/pom.xml
+++ b/auth/realm/ldap/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/realm/token/pom.xml b/auth/realm/token/pom.xml
index 4e5cc4ed320..8007d5790f6 100644
--- a/auth/realm/token/pom.xml
+++ b/auth/realm/token/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/base/pom.xml b/auth/server/base/pom.xml
index cfcf65de230..143aba541f1 100644
--- a/auth/server/base/pom.xml
+++ b/auth/server/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/deprecated/pom.xml b/auth/server/deprecated/pom.xml
index a4576bc7726..bd1787a0902 100644
--- a/auth/server/deprecated/pom.xml
+++ b/auth/server/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/http/pom.xml b/auth/server/http/pom.xml
index da73dfed3d4..9264a8c3de4 100644
--- a/auth/server/http/pom.xml
+++ b/auth/server/http/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/server/sasl/pom.xml b/auth/server/sasl/pom.xml
index 665f9836401..7536d60b582 100644
--- a/auth/server/sasl/pom.xml
+++ b/auth/server/sasl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/auth/util/pom.xml b/auth/util/pom.xml
index f2151132ee9..fb0471fdd1f 100644
--- a/auth/util/pom.xml
+++ b/auth/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/base/pom.xml b/base/pom.xml
index 727fdd35265..c9da39dd45b 100644
--- a/base/pom.xml
+++ b/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/credential/base/pom.xml b/credential/base/pom.xml
index 03463f43f53..227c4555c1a 100644
--- a/credential/base/pom.xml
+++ b/credential/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/source/deprecated/pom.xml b/credential/source/deprecated/pom.xml
index 264a36dc921..c789dc869a0 100644
--- a/credential/source/deprecated/pom.xml
+++ b/credential/source/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/source/impl/pom.xml b/credential/source/impl/pom.xml
index 5632a36102e..9b0b9ca8f6f 100644
--- a/credential/source/impl/pom.xml
+++ b/credential/source/impl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/credential/store/pom.xml b/credential/store/pom.xml
index 36dc5a75096..8fa18b44791 100644
--- a/credential/store/pom.xml
+++ b/credential/store/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/digest/pom.xml b/digest/pom.xml
index 2f9fb718061..eacfdebbcca 100644
--- a/digest/pom.xml
+++ b/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/encryption/pom.xml b/encryption/pom.xml
index eb67a01f4f4..57ea366f9a3 100644
--- a/encryption/pom.xml
+++ b/encryption/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/http/base/pom.xml b/http/base/pom.xml
index c31775d1607..1171d27b616 100644
--- a/http/base/pom.xml
+++ b/http/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/basic/pom.xml b/http/basic/pom.xml
index f8c18d7a293..9d0ca01a8da 100644
--- a/http/basic/pom.xml
+++ b/http/basic/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/bearer/pom.xml b/http/bearer/pom.xml
index 32120e6e70e..ae9c683e056 100644
--- a/http/bearer/pom.xml
+++ b/http/bearer/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/cert/pom.xml b/http/cert/pom.xml
index b3e1cd2ec5c..6dfbe7c1f34 100644
--- a/http/cert/pom.xml
+++ b/http/cert/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/deprecated/pom.xml b/http/deprecated/pom.xml
index adda91689bf..089544c3a8c 100644
--- a/http/deprecated/pom.xml
+++ b/http/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/digest/pom.xml b/http/digest/pom.xml
index 5da77129bd1..742745c9bad 100644
--- a/http/digest/pom.xml
+++ b/http/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/external/pom.xml b/http/external/pom.xml
index 756acdfdd8d..58206b6b3a1 100644
--- a/http/external/pom.xml
+++ b/http/external/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/form/pom.xml b/http/form/pom.xml
index d159b40602c..84b16caaf09 100644
--- a/http/form/pom.xml
+++ b/http/form/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/oidc/pom.xml b/http/oidc/pom.xml
index 0857afdbe62..74e907ec7f7 100644
--- a/http/oidc/pom.xml
+++ b/http/oidc/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/spnego/pom.xml b/http/spnego/pom.xml
index b946bf0008b..9218db88873 100644
--- a/http/spnego/pom.xml
+++ b/http/spnego/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/sso/pom.xml b/http/sso/pom.xml
index efcbeac616f..8a13fcdca9a 100644
--- a/http/sso/pom.xml
+++ b/http/sso/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/stateful-basic/pom.xml b/http/stateful-basic/pom.xml
index 0c8a368659f..237ca9b1bd8 100644
--- a/http/stateful-basic/pom.xml
+++ b/http/stateful-basic/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/http/util/pom.xml b/http/util/pom.xml
index 597436923e9..03b9fc6a99d 100644
--- a/http/util/pom.xml
+++ b/http/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/jose/jwk/pom.xml b/jose/jwk/pom.xml
index 52a3a5f3402..f517fe80d55 100644
--- a/jose/jwk/pom.xml
+++ b/jose/jwk/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/jose/util/pom.xml b/jose/util/pom.xml
index 74e630c9535..5ac5d2659b6 100644
--- a/jose/util/pom.xml
+++ b/jose/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/json-util/pom.xml b/json-util/pom.xml
index b9563f88211..864d0ef1836 100644
--- a/json-util/pom.xml
+++ b/json-util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/keystore/pom.xml b/keystore/pom.xml
index 3cfd1e5d22c..9afeb1fe37e 100644
--- a/keystore/pom.xml
+++ b/keystore/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/manager/action/pom.xml b/manager/action/pom.xml
index 9617941ed11..1e1d444c665 100644
--- a/manager/action/pom.xml
+++ b/manager/action/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/manager/base/pom.xml b/manager/base/pom.xml
index e955f530b78..6ab0f2adeae 100644
--- a/manager/base/pom.xml
+++ b/manager/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/base/pom.xml b/mechanism/base/pom.xml
index 56e45ab0337..4a77cb5122f 100644
--- a/mechanism/base/pom.xml
+++ b/mechanism/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/digest/pom.xml b/mechanism/digest/pom.xml
index 9182825c06e..162ccd7d9a9 100644
--- a/mechanism/digest/pom.xml
+++ b/mechanism/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/gssapi/pom.xml b/mechanism/gssapi/pom.xml
index be33f6a839e..0800d7b5107 100644
--- a/mechanism/gssapi/pom.xml
+++ b/mechanism/gssapi/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/http/pom.xml b/mechanism/http/pom.xml
index 21a805cd367..1409519ea2f 100644
--- a/mechanism/http/pom.xml
+++ b/mechanism/http/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/oauth2/pom.xml b/mechanism/oauth2/pom.xml
index 7e4f60b3ef7..a25e242fcc5 100644
--- a/mechanism/oauth2/pom.xml
+++ b/mechanism/oauth2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/mechanism/scram/pom.xml b/mechanism/scram/pom.xml
index b85b8e18596..4bf5288c25b 100644
--- a/mechanism/scram/pom.xml
+++ b/mechanism/scram/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/password/impl/pom.xml b/password/impl/pom.xml
index 6699fe3bcea..be6f684862c 100644
--- a/password/impl/pom.xml
+++ b/password/impl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/permission/pom.xml b/permission/pom.xml
index 7d13e688534..2e3434b67ec 100644
--- a/permission/pom.xml
+++ b/permission/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/pom.xml b/pom.xml
index 84a93768e47..2ad80672066 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 
     <groupId>org.wildfly.security</groupId>
     <artifactId>wildfly-elytron-parent</artifactId>
-    <version>2.2.4.SP01</version>
+    <version>2.2.5.CR1-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <name>WildFly Elytron Parent</name>
diff --git a/provider/util/pom.xml b/provider/util/pom.xml
index 1becf76f4f0..357c4bca885 100644
--- a/provider/util/pom.xml
+++ b/provider/util/pom.xml
@@ -23,7 +23,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/anonymous/pom.xml b/sasl/anonymous/pom.xml
index 3b18f7eb4a6..bc4fe9e710b 100644
--- a/sasl/anonymous/pom.xml
+++ b/sasl/anonymous/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/auth/util/pom.xml b/sasl/auth/util/pom.xml
index 3c11cfa49e2..b4deed80549 100644
--- a/sasl/auth/util/pom.xml
+++ b/sasl/auth/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>        
     </parent>
 
diff --git a/sasl/base/pom.xml b/sasl/base/pom.xml
index 2b89ec24e65..9e0de1ade91 100644
--- a/sasl/base/pom.xml
+++ b/sasl/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/deprecated/pom.xml b/sasl/deprecated/pom.xml
index fbb366d1501..ec9d80b0479 100644
--- a/sasl/deprecated/pom.xml
+++ b/sasl/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/digest/pom.xml b/sasl/digest/pom.xml
index 24922d02865..e8f92c55e65 100644
--- a/sasl/digest/pom.xml
+++ b/sasl/digest/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/entity/pom.xml b/sasl/entity/pom.xml
index f32f6bc0c4f..3e951e4f4da 100644
--- a/sasl/entity/pom.xml
+++ b/sasl/entity/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/external/pom.xml b/sasl/external/pom.xml
index af779806175..5472a9103d6 100644
--- a/sasl/external/pom.xml
+++ b/sasl/external/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/gs2/pom.xml b/sasl/gs2/pom.xml
index c44d117bd38..6abd2506fc1 100644
--- a/sasl/gs2/pom.xml
+++ b/sasl/gs2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/gssapi/pom.xml b/sasl/gssapi/pom.xml
index f1057328c04..1c79432d878 100644
--- a/sasl/gssapi/pom.xml
+++ b/sasl/gssapi/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/localuser/pom.xml b/sasl/localuser/pom.xml
index 6e53f9deeea..558c7a56816 100644
--- a/sasl/localuser/pom.xml
+++ b/sasl/localuser/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/oauth2/pom.xml b/sasl/oauth2/pom.xml
index e0779bcc94e..7a527a07d59 100644
--- a/sasl/oauth2/pom.xml
+++ b/sasl/oauth2/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/otp/pom.xml b/sasl/otp/pom.xml
index b7119a925d7..9137f83f5ae 100644
--- a/sasl/otp/pom.xml
+++ b/sasl/otp/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/plain/pom.xml b/sasl/plain/pom.xml
index 75e2ebd9c9b..14b55112b01 100644
--- a/sasl/plain/pom.xml
+++ b/sasl/plain/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/sasl/scram/pom.xml b/sasl/scram/pom.xml
index 4f7efb0fa48..653081253ed 100644
--- a/sasl/scram/pom.xml
+++ b/sasl/scram/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/ssh/util/pom.xml b/ssh/util/pom.xml
index 49d14d9654d..99ddd05dcac 100644
--- a/ssh/util/pom.xml
+++ b/ssh/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/ssl/pom.xml b/ssl/pom.xml
index 767f8ef6d32..231f9075280 100644
--- a/ssl/pom.xml
+++ b/ssl/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/tests/base/pom.xml b/tests/base/pom.xml
index b97f2c13792..9f7dd257f5c 100644
--- a/tests/base/pom.xml
+++ b/tests/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/tests/common/pom.xml b/tests/common/pom.xml
index b960b4472cc..76f8df6df0a 100644
--- a/tests/common/pom.xml
+++ b/tests/common/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <artifactId>wildfly-elytron-parent</artifactId>
         <groupId>org.wildfly.security</groupId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/tool/pom.xml b/tool/pom.xml
index 2152eb17d01..748ba25c969 100644
--- a/tool/pom.xml
+++ b/tool/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/util/pom.xml b/util/pom.xml
index 1833c36381e..0eec5dbcd5e 100644
--- a/util/pom.xml
+++ b/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/wildfly-elytron/pom.xml b/wildfly-elytron/pom.xml
index c86fab35e2c..ba2f517ea19 100644
--- a/wildfly-elytron/pom.xml
+++ b/wildfly-elytron/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
diff --git a/x500/base/pom.xml b/x500/base/pom.xml
index 80c8f183662..b5515475763 100644
--- a/x500/base/pom.xml
+++ b/x500/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>        
     </parent>
 
diff --git a/x500/cert/acme/pom.xml b/x500/cert/acme/pom.xml
index 6083a17cdc4..3108c07eacd 100644
--- a/x500/cert/acme/pom.xml
+++ b/x500/cert/acme/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/cert/base/pom.xml b/x500/cert/base/pom.xml
index 0e6de955e13..d037c6293bf 100644
--- a/x500/cert/base/pom.xml
+++ b/x500/cert/base/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/cert/util/pom.xml b/x500/cert/util/pom.xml
index ffa626df514..0653e426aef 100644
--- a/x500/cert/util/pom.xml
+++ b/x500/cert/util/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/deprecated/pom.xml b/x500/deprecated/pom.xml
index 5f819442424..e9958e305ef 100644
--- a/x500/deprecated/pom.xml
+++ b/x500/deprecated/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
diff --git a/x500/principal/pom.xml b/x500/principal/pom.xml
index 8ae194c80dd..abe9c96e968 100644
--- a/x500/principal/pom.xml
+++ b/x500/principal/pom.xml
@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
-        <version>2.2.4.SP01</version>
+        <version>2.2.5.CR1-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>