prepare release v1.5.3

test: run IT against Vault 1.20.3
add token_bound_cidrs field to AppRoleSecret model (#110 )
2025-09-09 11:47:52 +02:00 · 2025-09-09 11:39:32 +02:00 · 2025-09-08 10:25:39 +02:00 · 2025-09-05 09:46:48 +02:00 · 2025-09-02 13:27:29 +02:00 · 2025-08-30 09:53:46 +02:00
94 changed files with 2399 additions and 1805 deletions
--- a/.github/workflows/ci-it.yml
+++ b/.github/workflows/ci-it.yml
@@ -15,18 +15,18 @@ jobs:
    strategy:
      matrix:
        jdk: [ 11, 17, 21 ]
-        vault: [ '1.2.0', '1.18.2' ]
+        vault: [ '1.2.0', '1.20.3' ]
        include:
          - jdk: 21
-            vault: '1.18.2'
+            vault: '1.20.3'
            analysis: true
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ matrix.jdk }}
          distribution: 'temurin'
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,11 +21,11 @@ jobs:
            analysis: true
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
        with:
          java-version: ${{ matrix.jdk }}
          distribution: 'temurin'
--- a/.mvn/wrapper/maven-wrapper.properties
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -1,2 +1,2 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+distributionType=only-script
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,60 @@
 ## 1.5.3 (2025-09-09)
 ### Dependencies
 * Updated Jackson to 2.20.0 (#106)
 ### Improvements
 * Extract API paths into a utility class (#108)
 * Encode user-provided URL parts (#109)
 * Add `token_bound_cidrs` field to `AppRoleSecret` model (#110)
 ### Fix
 * Prevent potential off-by-1 error in internal `mapOf()` helper (#107)
 ## 1.5.2 (2025-07-16)
 ### Dependencies
 * Updated Jackson to 2.19.1 (#101)
 ### Fix
 * Use `Long` for numeric TTL fields (#103) (#104)
 ### Test
 * Tested against Vault 1.2 to 1.20 (#102)
 ## 1.5.1 (2025-06-02)
 ### Improvements
 * Use `lookup-self` for token check instead of `lookup` (#98) (#99)
 ### Dependencies
 * Updated Jackson to 2.19.0 (#97)
 ## 1.5.0 (2025-04-13)
 ### Deprecations
 * `read...Credentials()` methods for specific database mounts (#92)
 ### Features
 * Support Vault transit API (#89)
 * Support PEM certificate string from `VAULT_CACERT` environment variable (#93)
 ### Improvements
 * Replace deprecated `java.net.URL` usage with `java.net.URI` (#94)
 ### Fix
 * Fix initialization from environment without explicit port
 ### Dependencies
 * Updated Jackson to 2.18.3 (#90)
 ### Test
 * Tested against Vault 1.2 to 1.19
 ## 1.4.0 (2024-12-07)
 ### Removal
--- a/README.md
+++ b/README.md
@@ -28,10 +28,11 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
    * Delete secrets
    * Renew/revoke leases
    * Raw secret content or JSON decoding
    * SQL secret handling
    * KV v1 and v2 support
    * Database secret handling
 * Transit API support
 * Connector Factory with builder pattern
-* Tested against Vault 1.2 to 1.18
+* Tested against Vault 1.2 to 1.20
 ## Maven Artifact
@@ -39,7 +40,7 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
 <dependency>
    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>1.4.0</version>
+    <version>1.5.3</version>
 </dependency>
 ```
--- a/485
+++ b/485
@@ -19,314 +19,277 @@
 # ----------------------------------------------------------------------------
 # ----------------------------------------------------------------------------
-# Apache Maven Wrapper startup batch script, version 3.3.2
+# Apache Maven Wrapper startup batch script, version 3.3.3
 #
 # Required ENV vars:
 # ------------------
 #   JAVA_HOME - location of a JDK home dir
 #
 # Optional ENV vars
 # -----------------
-#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#   JAVA_HOME - location of a JDK home dir, required when download maven via java source
-#     e.g. to debug Maven itself, use
+#   MVNW_REPOURL - repo url base for downloading maven distribution
-#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
-#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+#   MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output
 # ----------------------------------------------------------------------------
-if [ -z "$MAVEN_SKIP_RC" ]; then
+set -euf
 [ "${MVNW_VERBOSE-}" != debug ] || set -x
-  if [ -f /usr/local/etc/mavenrc ]; then
+# OS specific support.
-    . /usr/local/etc/mavenrc
+native_path() { printf %s\\n "$1"; }
  fi
  if [ -f /etc/mavenrc ]; then
    . /etc/mavenrc
  fi
  if [ -f "$HOME/.mavenrc" ]; then
    . "$HOME/.mavenrc"
  fi
 fi
 # OS specific support.  $var _must_ be set to either true or false.
 cygwin=false
 darwin=false
 mingw=false
 case "$(uname)" in
-CYGWIN*) cygwin=true ;;
+CYGWIN* | MINGW*)
-MINGW*) mingw=true ;;
+  [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")"
-Darwin*)
+  native_path() { cygpath --path --windows "$1"; }
  darwin=true
  # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
  # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
  if [ -z "$JAVA_HOME" ]; then
    if [ -x "/usr/libexec/java_home" ]; then
      JAVA_HOME="$(/usr/libexec/java_home)"
      export JAVA_HOME
    else
      JAVA_HOME="/Library/Java/Home"
      export JAVA_HOME
    fi
  fi
  ;;
 esac
-if [ -z "$JAVA_HOME" ]; then
+# set JAVACMD and JAVACCMD
-  if [ -r /etc/gentoo-release ]; then
+set_java_home() {
-    JAVA_HOME=$(java-config --jre-home)
+  # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched
-  fi
+  if [ -n "${JAVA_HOME-}" ]; then
 fi
 # For Cygwin, ensure paths are in UNIX format before anything is touched
 if $cygwin; then
  [ -n "$JAVA_HOME" ] \
    && JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
  [ -n "$CLASSPATH" ] \
    && CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
 fi
 # For Mingw, ensure paths are in UNIX format before anything is touched
 if $mingw; then
  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] \
    && JAVA_HOME="$(
      cd "$JAVA_HOME" || (
        echo "cannot cd into $JAVA_HOME." >&2
        exit 1
      )
      pwd
    )"
 fi
 if [ -z "$JAVA_HOME" ]; then
  javaExecutable="$(which javac)"
  if [ -n "$javaExecutable" ] && ! [ "$(expr "$javaExecutable" : '\([^ ]*\)')" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
    readLink=$(which readlink)
    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
      if $darwin; then
        javaHome="$(dirname "$javaExecutable")"
        javaExecutable="$(cd "$javaHome" && pwd -P)/javac"
      else
        javaExecutable="$(readlink -f "$javaExecutable")"
      fi
      javaHome="$(dirname "$javaExecutable")"
      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
  fi
 fi
 if [ -z "$JAVACMD" ]; then
  if [ -n "$JAVA_HOME" ]; then
    if [ -x "$JAVA_HOME/jre/sh/java" ]; then
      # IBM's JDK on AIX uses strange locations for the executables
      JAVACMD="$JAVA_HOME/jre/sh/java"
      JAVACCMD="$JAVA_HOME/jre/sh/javac"
    else
      JAVACMD="$JAVA_HOME/bin/java"
      JAVACCMD="$JAVA_HOME/bin/javac"
      if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then
        echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2
        echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2
        return 1
      fi
    fi
  else
    JAVACMD="$(
-      \unset -f command 2>/dev/null
+      'set' +e
-      \command -v java
+      'unset' -f command 2>/dev/null
-    )"
+      'command' -v java
-  fi
+    )" || :
-fi
+    JAVACCMD="$(
      'set' +e
      'unset' -f command 2>/dev/null
      'command' -v javac
    )" || :
-if [ ! -x "$JAVACMD" ]; then
+    if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then
-  echo "Error: JAVA_HOME is not defined correctly." >&2
+      echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2
  echo "  We cannot execute $JAVACMD" >&2
  exit 1
 fi
 if [ -z "$JAVA_HOME" ]; then
  echo "Warning: JAVA_HOME environment variable is not set." >&2
 fi
 # traverses directory structure from process work directory to filesystem root
 # first directory with .mvn subdirectory is considered project base directory
 find_maven_basedir() {
  if [ -z "$1" ]; then
    echo "Path not specified to find_maven_basedir" >&2
      return 1
    fi
  fi
 }
-  basedir="$1"
+# hash string like Java String::hashCode
-  wdir="$1"
+hash_string() {
-  while [ "$wdir" != '/' ]; do
+  str="${1:-}" h=0
-    if [ -d "$wdir"/.mvn ]; then
+  while [ -n "$str" ]; do
-      basedir=$wdir
+    char="${str%"${str#?}"}"
-      break
+    h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296))
-    fi
+    str="${str#?}"
    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
    if [ -d "${wdir}" ]; then
      wdir=$(
        cd "$wdir/.." || exit 1
        pwd
      )
    fi
    # end of workaround
  done
-  printf '%s' "$(
+  printf %x\\n $h
    cd "$basedir" || exit 1
    pwd
  )"
 }
-# concatenates all lines of a file
+verbose() { :; }
-concat_lines() {
+[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; }
  if [ -f "$1" ]; then
    # Remove \r in case we run on Windows within Git Bash
    # and check out the repository with auto CRLF management
    # enabled. Otherwise, we may read lines that are delimited with
    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
    # splitting rules.
    tr -s '\r\n' ' ' <"$1"
  fi
 }
-log() {
+die() {
-  if [ "$MVNW_VERBOSE" = true ]; then
+  printf %s\\n "$1" >&2
    printf '%s\n' "$1"
  fi
 }
 BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
 if [ -z "$BASE_DIR" ]; then
  exit 1
-fi
+}
-MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+trim() {
-export MAVEN_PROJECTBASEDIR
+  # MWRAPPER-139:
-log "$MAVEN_PROJECTBASEDIR"
+  #   Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds.
  #   Needed for removing poorly interpreted newline sequences when running in more
  #   exotic environments such as mingw bash on Windows.
  printf "%s" "${1}" | tr -d '[:space:]'
 }
-##########################################################################################
+scriptDir="$(dirname "$0")"
-# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+scriptName="$(basename "$0")"
 # This allows using the maven wrapper in projects that prohibit checking in binary data.
 ##########################################################################################
 wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
 if [ -r "$wrapperJarPath" ]; then
  log "Found $wrapperJarPath"
 else
  log "Couldn't find $wrapperJarPath, downloading it ..."
-  if [ -n "$MVNW_REPOURL" ]; then
+# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties
    wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
  else
    wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
  fi
 while IFS="=" read -r key value; do
-    # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
+  case "${key-}" in
-    safeValue=$(echo "$value" | tr -d '\r')
+  distributionUrl) distributionUrl=$(trim "${value-}") ;;
-    case "$key" in wrapperUrl)
+  distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;;
-      wrapperUrl="$safeValue"
+  esac
-      break
+done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties"
 [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
 case "${distributionUrl##*/}" in
 maven-mvnd-*bin.*)
  MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/
  case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in
  *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;;
  :Darwin*x86_64) distributionPlatform=darwin-amd64 ;;
  :Darwin*arm64) distributionPlatform=darwin-aarch64 ;;
  :Linux*x86_64*) distributionPlatform=linux-amd64 ;;
  *)
    echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2
    distributionPlatform=linux-amd64
    ;;
  esac
-  done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+  distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip"
  log "Downloading from: $wrapperUrl"
  if $cygwin; then
    wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
  fi
  if command -v wget >/dev/null; then
    log "Found wget ... using wget"
    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
      wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
    else
      wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
    fi
  elif command -v curl >/dev/null; then
    log "Found curl ... using curl"
    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
      curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
    else
      curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
    fi
  else
    log "Falling back to using Java to download"
    javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
    javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
    # For Cygwin, switch paths to Windows format before running javac
    if $cygwin; then
      javaSource=$(cygpath --path --windows "$javaSource")
      javaClass=$(cygpath --path --windows "$javaClass")
    fi
    if [ -e "$javaSource" ]; then
      if [ ! -e "$javaClass" ]; then
        log " - Compiling MavenWrapperDownloader.java ..."
        ("$JAVA_HOME/bin/javac" "$javaSource")
      fi
      if [ -e "$javaClass" ]; then
        log " - Running MavenWrapperDownloader.java ..."
        ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
      fi
    fi
  fi
 fi
 ##########################################################################################
 # End of extension
 ##########################################################################################
 # If specified, validate the SHA-256 sum of the Maven wrapper jar file
 wrapperSha256Sum=""
 while IFS="=" read -r key value; do
  case "$key" in wrapperSha256Sum)
    wrapperSha256Sum=$value
    break
  ;;
 maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;;
 *) MVN_CMD="mvn${scriptName#mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;;
 esac
-done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+
-if [ -n "$wrapperSha256Sum" ]; then
+# apply MVNW_REPOURL and calculate MAVEN_HOME
-  wrapperSha256Result=false
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
-  if command -v sha256sum >/dev/null; then
+[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}"
-    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then
+distributionUrlName="${distributionUrl##*/}"
-      wrapperSha256Result=true
+distributionUrlNameMain="${distributionUrlName%.*}"
 distributionUrlNameMain="${distributionUrlNameMain%-bin}"
 MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}"
 MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")"
 exec_maven() {
  unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || :
  exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD"
 }
 if [ -d "$MAVEN_HOME" ]; then
  verbose "found existing MAVEN_HOME at $MAVEN_HOME"
  exec_maven "$@"
 fi
 case "${distributionUrl-}" in
 *?-bin.zip | *?maven-mvnd-?*-?*.zip) ;;
 *) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;;
 esac
 # prepare tmp dir
 if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then
  clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; }
  trap clean HUP INT TERM EXIT
 else
  die "cannot create temp dir"
 fi
 mkdir -p -- "${MAVEN_HOME%/*}"
 # Download and Install Apache Maven
 verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
 verbose "Downloading from: $distributionUrl"
 verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
 # select .zip or .tar.gz
 if ! command -v unzip >/dev/null; then
  distributionUrl="${distributionUrl%.zip}.tar.gz"
  distributionUrlName="${distributionUrl##*/}"
 fi
 # verbose opt
 __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR=''
 [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v
 # normalize http auth
 case "${MVNW_PASSWORD:+has-password}" in
 '') MVNW_USERNAME='' MVNW_PASSWORD='' ;;
 has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;;
 esac
 if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then
  verbose "Found wget ... using wget"
  wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl"
 elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then
  verbose "Found curl ... using curl"
  curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl"
 elif set_java_home; then
  verbose "Falling back to use Java to download"
  javaSource="$TMP_DOWNLOAD_DIR/Downloader.java"
  targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName"
  cat >"$javaSource" <<-END
 	public class Downloader extends java.net.Authenticator
 	{
 	  protected java.net.PasswordAuthentication getPasswordAuthentication()
 	  {
 	    return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() );
 	  }
 	  public static void main( String[] args ) throws Exception
 	  {
 	    setDefault( new Downloader() );
 	    java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() );
 	  }
 	}
 	END
  # For Cygwin/MinGW, switch paths to Windows format before running javac and java
  verbose " - Compiling Downloader.java ..."
  "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java"
  verbose " - Running Downloader.java ..."
  "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")"
 fi
 # If specified, validate the SHA-256 sum of the Maven distribution zip file
 if [ -n "${distributionSha256Sum-}" ]; then
  distributionSha256Result=false
  if [ "$MVN_CMD" = mvnd.sh ]; then
    echo "Checksum validation is not supported for maven-mvnd." >&2
    echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
    exit 1
  elif command -v sha256sum >/dev/null; then
    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then
      distributionSha256Result=true
    fi
  elif command -v shasum >/dev/null; then
-    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c >/dev/null 2>&1; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then
-      wrapperSha256Result=true
+      distributionSha256Result=true
    fi
  else
    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2
-    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties." >&2
+    echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
    exit 1
  fi
-  if [ $wrapperSha256Result = false ]; then
+  if [ $distributionSha256Result = false ]; then
-    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2
-    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2
    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
    exit 1
  fi
 fi
-MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+# unzip and move
-
+if command -v unzip >/dev/null; then
-# For Cygwin, switch paths to Windows format before running java
+  unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip"
-if $cygwin; then
+else
-  [ -n "$JAVA_HOME" ] \
+  tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar"
    && JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
  [ -n "$CLASSPATH" ] \
    && CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
  [ -n "$MAVEN_PROJECTBASEDIR" ] \
    && MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
 fi
-# Provide a "standardized" way to retrieve the CLI args that will
+# Find the actual extracted directory name (handles snapshots where filename != directory name)
-# work with both Windows and non-Windows executions.
+actualDistributionDir=""
 MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
 export MAVEN_CMD_LINE_ARGS
-WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+# First try the expected directory name (for regular distributions)
 if [ -d "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" ]; then
  if [ -f "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/bin/$MVN_CMD" ]; then
    actualDistributionDir="$distributionUrlNameMain"
  fi
 fi
-# shellcheck disable=SC2086 # safe args
+# If not found, search for any directory with the Maven executable (for snapshots)
-exec "$JAVACMD" \
+if [ -z "$actualDistributionDir" ]; then
-  $MAVEN_OPTS \
+  # enable globbing to iterate over items
-  $MAVEN_DEBUG_OPTS \
+  set +f
-  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  for dir in "$TMP_DOWNLOAD_DIR"/*; do
-  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+    if [ -d "$dir" ]; then
-  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
+      if [ -f "$dir/bin/$MVN_CMD" ]; then
        actualDistributionDir="$(basename "$dir")"
        break
      fi
    fi
  done
  set -f
 fi
 if [ -z "$actualDistributionDir" ]; then
  verbose "Contents of $TMP_DOWNLOAD_DIR:"
  verbose "$(ls -la "$TMP_DOWNLOAD_DIR")"
  die "Could not find Maven distribution directory in extracted archive"
 fi
 verbose "Found extracted Maven distribution directory: $actualDistributionDir"
 printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$actualDistributionDir/mvnw.url"
 mv -- "$TMP_DOWNLOAD_DIR/$actualDistributionDir" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME"
 clean || :
 exec_maven "$@"
--- a/mvnw.cmd
+++ b/mvnw.cmd
@@ -1,3 +1,4 @@
 <# : batch portion
@REM ----------------------------------------------------------------------------
@REM Licensed to the Apache Software Foundation (ASF) under one
@REM or more contributor license agreements.  See the NOTICE file
@@ -18,189 +19,171 @@
@REM ----------------------------------------------------------------------------
@REM ----------------------------------------------------------------------------
-@REM Apache Maven Wrapper startup batch script, version 3.3.2
+@REM Apache Maven Wrapper startup batch script, version 3.3.3
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
-@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM   MVNW_REPOURL - repo url base for downloading maven distribution
-@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
-@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM   MVNW_VERBOSE - true: enable verbose log; others: silence the output
@REM     e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM ----------------------------------------------------------------------------
-@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0)
-@echo off
+@SET __MVNW_CMD__=
-@REM set title of command window
+@SET __MVNW_ERROR__=
-title %0
+@SET __MVNW_PSMODULEP_SAVE=%PSModulePath%
-@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@SET PSModulePath=
-@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @(
-
+  IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B)
@REM set %HOME% to equivalent of $HOME
 if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
@REM Execute a user defined script before this one
 if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
 if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
 if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
 :skipRcPre
@setlocal
 set ERROR_CODE=0
@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal
@REM ==== START VALIDATION ====
 if not "%JAVA_HOME%" == "" goto OkJHome
 echo. >&2
 echo Error: JAVA_HOME not found in your environment. >&2
 echo Please set the JAVA_HOME variable in your environment to match the >&2
 echo location of your Java installation. >&2
 echo. >&2
 goto error
 :OkJHome
 if exist "%JAVA_HOME%\bin\java.exe" goto init
 echo. >&2
 echo Error: JAVA_HOME is set to an invalid directory. >&2
 echo JAVA_HOME = "%JAVA_HOME%" >&2
 echo Please set the JAVA_HOME variable in your environment to match the >&2
 echo location of your Java installation. >&2
 echo. >&2
 goto error
@REM ==== END VALIDATION ====
 :init
@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.
 set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
 IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
 set EXEC_DIR=%CD%
 set WDIR=%EXEC_DIR%
 :findBaseDir
 IF EXIST "%WDIR%"\.mvn goto baseDirFound
 cd ..
 IF "%WDIR%"=="%CD%" goto baseDirNotFound
 set WDIR=%CD%
 goto findBaseDir
 :baseDirFound
 set MAVEN_PROJECTBASEDIR=%WDIR%
 cd "%EXEC_DIR%"
 goto endDetectBaseDir
 :baseDirNotFound
 set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
 cd "%EXEC_DIR%"
 :endDetectBaseDir
 IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
@setlocal EnableExtensions EnableDelayedExpansion
 for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
 :endReadAdditionalConfig
 SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
 set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
 set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
 FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
 )
@SET PSModulePath=%__MVNW_PSMODULEP_SAVE%
@SET __MVNW_PSMODULEP_SAVE=
@SET __MVNW_ARG0_NAME__=
@SET MVNW_USERNAME=
@SET MVNW_PASSWORD=
@IF NOT "%__MVNW_CMD__%"=="" ("%__MVNW_CMD__%" %*)
@echo Cannot start maven from wrapper >&2 && exit /b 1
@GOTO :EOF
 : end batch / begin powershell #>
-@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+$ErrorActionPreference = "Stop"
-@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if ($env:MVNW_VERBOSE -eq "true") {
-if exist %WRAPPER_JAR% (
+  $VerbosePreference = "Continue"
-    if "%MVNW_VERBOSE%" == "true" (
+}
        echo Found %WRAPPER_JAR%
    )
 ) else (
    if not "%MVNW_REPOURL%" == "" (
        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
    )
    if "%MVNW_VERBOSE%" == "true" (
        echo Couldn't find %WRAPPER_JAR%, downloading it ...
        echo Downloading from: %WRAPPER_URL%
    )
-    powershell -Command "&{"^
+# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties
-		"$webclient = new-object System.Net.WebClient;"^
+$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl
-		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+if (!$distributionUrl) {
-		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+  Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
-		"}"^
+}
 		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
 		"}"
    if "%MVNW_VERBOSE%" == "true" (
        echo Finished downloading %WRAPPER_JAR%
    )
 )
@REM End of extension
-@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) {
-SET WRAPPER_SHA_256_SUM=""
+  "maven-mvnd-*" {
-FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    $USE_MVND = $true
-    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+    $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip"
-)
+    $MVN_CMD = "mvnd.cmd"
-IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    break
-    powershell -Command "&{"^
+  }
-       "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^
+  default {
-       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+    $USE_MVND = $false
-       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+    $MVN_CMD = $script -replace '^mvnw','mvn'
-       "  Write-Error 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+    break
-       "  Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+  }
-       "  Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+}
       "  exit 1;"^
       "}"^
       "}"
    if ERRORLEVEL 1 goto error
 )
-@REM Provide a "standardized" way to retrieve the CLI args that will
+# apply MVNW_REPOURL and calculate MAVEN_HOME
-@REM work with both Windows and non-Windows executions.
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
-set MAVEN_CMD_LINE_ARGS=%*
+if ($env:MVNW_REPOURL) {
  $MVNW_REPO_PATTERN = if ($USE_MVND -eq $False) { "/org/apache/maven/" } else { "/maven/mvnd/" }
  $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace "^.*$MVNW_REPO_PATTERN",'')"
 }
 $distributionUrlName = $distributionUrl -replace '^.*/',''
 $distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$',''
-%MAVEN_JAVA_EXE% ^
+$MAVEN_M2_PATH = "$HOME/.m2"
-  %JVM_CONFIG_MAVEN_PROPS% ^
+if ($env:MAVEN_USER_HOME) {
-  %MAVEN_OPTS% ^
+  $MAVEN_M2_PATH = "$env:MAVEN_USER_HOME"
-  %MAVEN_DEBUG_OPTS% ^
+}
  -classpath %WRAPPER_JAR% ^
  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
 if ERRORLEVEL 1 goto error
 goto end
-:error
+if (-not (Test-Path -Path $MAVEN_M2_PATH)) {
-set ERROR_CODE=1
+    New-Item -Path $MAVEN_M2_PATH -ItemType Directory | Out-Null
 }
-:end
+$MAVEN_WRAPPER_DISTS = $null
-@endlocal & set ERROR_CODE=%ERROR_CODE%
+if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) {
  $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists"
 } else {
  $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists"
 }
-if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
+$MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain"
-@REM check for post script, once with legacy .bat ending and once with .cmd ending
+$MAVEN_HOME_NAME = ([System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join ''
-if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
+$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME"
 if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
 :skipRcPost
-@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if (Test-Path -Path "$MAVEN_HOME" -PathType Container) {
-if "%MAVEN_BATCH_PAUSE%"=="on" pause
+  Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME"
  Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"
  exit $?
 }
-if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
+if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) {
  Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl"
 }
-cmd /C exit /B %ERROR_CODE%
+# prepare tmp dir
 $TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile
 $TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir"
 $TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null
 trap {
  if ($TMP_DOWNLOAD_DIR.Exists) {
    try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
    catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
  }
 }
 New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null
 # Download and Install Apache Maven
 Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
 Write-Verbose "Downloading from: $distributionUrl"
 Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
 $webclient = New-Object System.Net.WebClient
 if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) {
  $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD)
 }
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null
 # If specified, validate the SHA-256 sum of the Maven distribution zip file
 $distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum
 if ($distributionSha256Sum) {
  if ($USE_MVND) {
    Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties."
  }
  Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash
  if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) {
    Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property."
  }
 }
 # unzip and move
 Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null
 # Find the actual extracted directory name (handles snapshots where filename != directory name)
 $actualDistributionDir = ""
 # First try the expected directory name (for regular distributions)
 $expectedPath = Join-Path "$TMP_DOWNLOAD_DIR" "$distributionUrlNameMain"
 $expectedMvnPath = Join-Path "$expectedPath" "bin/$MVN_CMD"
 if ((Test-Path -Path $expectedPath -PathType Container) -and (Test-Path -Path $expectedMvnPath -PathType Leaf)) {
  $actualDistributionDir = $distributionUrlNameMain
 }
 # If not found, search for any directory with the Maven executable (for snapshots)
 if (!$actualDistributionDir) {
  Get-ChildItem -Path "$TMP_DOWNLOAD_DIR" -Directory | ForEach-Object {
    $testPath = Join-Path $_.FullName "bin/$MVN_CMD"
    if (Test-Path -Path $testPath -PathType Leaf) {
      $actualDistributionDir = $_.Name
    }
  }
 }
 if (!$actualDistributionDir) {
  Write-Error "Could not find Maven distribution directory in extracted archive"
 }
 Write-Verbose "Found extracted Maven distribution directory: $actualDistributionDir"
 Rename-Item -Path "$TMP_DOWNLOAD_DIR/$actualDistributionDir" -NewName $MAVEN_HOME_NAME | Out-Null
 try {
  Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null
 } catch {
  if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) {
    Write-Error "fail to move MAVEN_HOME"
  }
 } finally {
  try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
  catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
 }
 Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"
--- a/pom.xml
+++ b/pom.xml
@@ -1,10 +1,9 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>de.stklcode.jvault</groupId>
    <artifactId>jvault-connector</artifactId>
-    <version>1.4.0</version>
+    <version>1.5.3</version>
    <packaging>jar</packaging>
@@ -33,6 +32,7 @@
        <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
        <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
        <url>https://github.com/stklcode/jvaultconnector</url>
        <tag>v1.5.3</tag>
    </scm>
    <issueManagement>
@@ -42,31 +42,32 @@
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <argLine></argLine>
+        <project.build.outputTimestamp>2025-09-09T09:45:59Z</project.build.outputTimestamp>
        <argLine />
    </properties>
    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
-             <version>2.18.2</version>
+            <version>2.20.0</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.datatype</groupId>
            <artifactId>jackson-datatype-jsr310</artifactId>
-            <version>2.18.2</version>
+            <version>2.20.0</version>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter</artifactId>
-            <version>5.11.3</version>
+            <version>5.13.3</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
-            <version>5.14.2</version>
+            <version>5.19.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
@@ -78,25 +79,25 @@
        <dependency>
            <groupId>org.wiremock</groupId>
            <artifactId>wiremock</artifactId>
-            <version>3.10.0</version>
+            <version>3.13.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
-            <version>2.18.0</version>
+            <version>2.20.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>nl.jqno.equalsverifier</groupId>
            <artifactId>equalsverifier</artifactId>
-            <version>3.17.5</version>
+            <version>3.19.4</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.awaitility</groupId>
            <artifactId>awaitility</artifactId>
-            <version>4.2.2</version>
+            <version>4.3.0</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
@@ -107,7 +108,7 @@
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.13.0</version>
+                    <version>3.14.0</version>
                    <configuration>
                        <release>11</release>
                    </configuration>
@@ -115,28 +116,29 @@
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.4.0</version>
+                    <version>3.5.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-deploy-plugin</artifactId>
-                    <version>3.1.3</version>
+                    <version>3.1.4</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-failsafe-plugin</artifactId>
-                    <version>3.5.2</version>
+                    <version>3.5.3</version>
                    <configuration>
                        <argLine>
                            @{argLine}
-                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
+                            --add-opens
                            de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
                        </argLine>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-install-plugin</artifactId>
-                    <version>3.1.3</version>
+                    <version>3.1.4</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
@@ -156,18 +158,11 @@
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
-                    <version>3.5.2</version>
+                    <version>3.5.3</version>
                    <configuration>
                        <argLine>
                            @{argLine}
                            --add-opens java.base/java.util=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.exception=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.model.response.embedded=ALL-UNNAMED
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.databind
                            --add-opens de.stklcode.jvault.connector/de.stklcode.jvault.connector.test=com.fasterxml.jackson.datatype.jsr310
                        </argLine>
                    </configuration>
                </plugin>
@@ -179,15 +174,41 @@
                <plugin>
                    <groupId>org.jacoco</groupId>
                    <artifactId>jacoco-maven-plugin</artifactId>
-                    <version>0.8.12</version>
+                    <version>0.8.13</version>
                </plugin>
                <plugin>
                    <groupId>org.sonarsource.scanner.maven</groupId>
                    <artifactId>sonar-maven-plugin</artifactId>
-                    <version>5.0.0.4389</version>
+                    <version>5.2.0.4988</version>
                </plugin>
            </plugins>
        </pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>3.6.1</version>
                <executions>
                    <execution>
                        <id>enforce-versions</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <configuration>
                            <rules>
                                <requireMavenVersion>
                                    <version>[3.6.3,)</version>
                                </requireMavenVersion>
                                <requireJavaVersion>
                                    <version>[11,)</version>
                                </requireJavaVersion>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <profiles>
@@ -224,7 +245,7 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>3.11.1</version>
+                        <version>3.11.3</version>
                        <configuration>
                            <source>11</source>
                        </configuration>
@@ -271,7 +292,7 @@
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>3.2.7</version>
+                        <version>3.2.8</version>
                        <executions>
                            <execution>
                                <id>sign-artifacts</id>
@@ -342,7 +363,7 @@
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
-                        <version>11.1.1</version>
+                        <version>12.1.3</version>
                        <configuration>
                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                            <nvdDatafeedUrl>${env.NVD_DATAFEED_URL}</nvdDatafeedUrl>
@@ -366,7 +387,7 @@
                    <plugin>
                        <groupId>org.sonatype.central</groupId>
                        <artifactId>central-publishing-maven-plugin</artifactId>
-                        <version>0.6.0</version>
+                        <version>0.8.0</version>
                        <extensions>true</extensions>
                        <configuration>
                            <publishingServerId>central</publishingServerId>
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -31,6 +31,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import static de.stklcode.jvault.connector.internal.RequestHelper.encode;
 import static de.stklcode.jvault.connector.internal.VaultApiPath.*;
 import static java.util.Collections.emptyMap;
 import static java.util.Collections.singletonMap;
@@ -41,33 +43,6 @@ import static java.util.Collections.singletonMap;
 * @since 0.1
 */
 public class HTTPVaultConnector implements VaultConnector {
    private static final String PATH_SYS = "sys";
    private static final String PATH_SYS_AUTH = PATH_SYS + "/auth";
    private static final String PATH_RENEW = PATH_SYS + "/leases/renew";
    private static final String PATH_REVOKE = PATH_SYS + "/leases/revoke/";
    private static final String PATH_HEALTH = PATH_SYS + "/health";
    private static final String PATH_SEAL = PATH_SYS + "/seal";
    private static final String PATH_SEAL_STATUS = PATH_SYS + "/seal-status";
    private static final String PATH_UNSEAL = PATH_SYS + "/unseal";
    private static final String PATH_AUTH = "auth";
    private static final String PATH_AUTH_TOKEN = PATH_AUTH + "/token";
    private static final String PATH_LOOKUP = "/lookup";
    private static final String PATH_CREATE = "/create";
    private static final String PATH_ROLES = "/roles";
    private static final String PATH_CREATE_ORPHAN = "/create-orphan";
    private static final String PATH_AUTH_USERPASS = PATH_AUTH + "/userpass/login/";
    private static final String PATH_AUTH_APPROLE = PATH_AUTH + "/approle";
    private static final String PATH_AUTH_APPROLE_ROLE = PATH_AUTH_APPROLE + "/role/%s%s";
    private static final String PATH_DATA = "/data/";
    private static final String PATH_METADATA = "/metadata/";
    private static final String PATH_LOGIN = "/login";
    private static final String PATH_DELETE = "/delete/";
    private static final String PATH_UNDELETE = "/undelete/";
    private static final String PATH_DESTROY = "/destroy/";
    private final RequestHelper request;
    private boolean authorized = false;     // Authorization status.
@@ -134,12 +109,12 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final SealResponse sealStatus() throws VaultConnectorException {
-        return request.get(PATH_SEAL_STATUS, emptyMap(), token, SealResponse.class);
+        return request.get(SYS_SEAL_STATUS, emptyMap(), token, SealResponse.class);
    }
    @Override
    public final void seal() throws VaultConnectorException {
-        request.put(PATH_SEAL, emptyMap(), token);
+        request.put(SYS_SEAL, emptyMap(), token);
    }
    @Override
@@ -149,14 +124,14 @@ public class HTTPVaultConnector implements VaultConnector {
            "reset", reset
        );
-        return request.put(PATH_UNSEAL, param, token, SealResponse.class);
+        return request.put(SYS_UNSEAL, param, token, SealResponse.class);
    }
    @Override
    public HealthResponse getHealth() throws VaultConnectorException {
        return request.get(
-                PATH_HEALTH,
+            SYS_HEALTH,
            // Force status code to be 200, so we don't need to modify the request sequence.
            Map.of(
                "standbycode", "200",   // Default: 429.
@@ -176,7 +151,7 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final List<AuthBackend> getAuthBackends() throws VaultConnectorException {
        /* Issue request and parse response */
-        AuthMethodsResponse amr = request.get(PATH_SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);
+        AuthMethodsResponse amr = request.get(SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);
        return amr.getSupportedMethods().values().stream().map(AuthMethod::getType).collect(Collectors.toList());
    }
@@ -186,7 +161,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* set token */
        this.token = token;
        this.tokenTTL = 0;
-        TokenResponse res = request.post(PATH_AUTH_TOKEN + PATH_LOOKUP, emptyMap(), token, TokenResponse.class);
+        TokenResponse res = request.get(AUTH_TOKEN + TOKEN_LOOKUP_SELF, emptyMap(), token, TokenResponse.class);
        authorized = true;
        return res;
@@ -196,7 +171,7 @@ public class HTTPVaultConnector implements VaultConnector {
    public final AuthResponse authUserPass(final String username, final String password)
        throws VaultConnectorException {
        final Map<String, String> payload = singletonMap("password", password);
-        return queryAuth(PATH_AUTH_USERPASS + username, payload);
+        return queryAuth(AUTH_USERPASS_LOGIN + encode(username), payload);
    }
    @Override
@@ -205,7 +180,7 @@ public class HTTPVaultConnector implements VaultConnector {
            "role_id", roleID,
            "secret_id", secretID
        );
-        return queryAuth(PATH_AUTH_APPROLE + PATH_LOGIN, payload);
+        return queryAuth(AUTH_APPROLE + "login", payload);
    }
    /**
@@ -233,7 +208,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, role.getName(), ""), role, token);
+        request.postWithoutResponse(AUTH_APPROLE_ROLE + encode(role.getName()), role, token);
        /* Set custom ID if provided */
        return !(role.getId() != null && !role.getId().isEmpty()) || setAppRoleID(role.getName(), role.getId());
@@ -244,7 +219,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Request HTTP response and parse Secret */
        return request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""),
+            AUTH_APPROLE_ROLE + encode(roleName),
            emptyMap(),
            token,
            AppRoleResponse.class
@@ -256,7 +231,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Issue request and expect code 204 with empty response */
-        request.deleteWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""), token);
+        request.deleteWithoutResponse(AUTH_APPROLE_ROLE + encode(roleName), token);
        return true;
    }
@@ -266,7 +241,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Issue request, parse response and extract Role ID */
        return request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/role-id",
            emptyMap(),
            token,
            RawDataResponse.class
@@ -279,7 +254,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/role-id",
            singletonMap("role_id", roleID),
            token
        );
@@ -294,14 +269,14 @@ public class HTTPVaultConnector implements VaultConnector {
        if (secret.getId() != null && !secret.getId().isEmpty()) {
            return request.post(
-                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/custom-secret-id"),
+                AUTH_APPROLE_ROLE + encode(roleName) + "/custom-secret-id",
                secret,
                token,
                AppRoleSecretResponse.class
            );
        } else {
            return request.post(
-                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id"),
+                AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id",
                secret, token,
                AppRoleSecretResponse.class
            );
@@ -315,7 +290,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Issue request and parse secret response */
        return request.post(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/lookup"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id/lookup",
            new AppRoleSecret(secretID),
            token,
            AppRoleSecretResponse.class
@@ -329,7 +304,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Issue request and expect code 204 with empty response */
        request.postWithoutResponse(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/destroy"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id/destroy",
            new AppRoleSecret(secretID),
            token);
@@ -341,7 +316,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        SecretListResponse secrets = request.get(
-                PATH_AUTH_APPROLE + "/role?list=true",
+            AUTH_APPROLE + "role?list=true",
            emptyMap(),
            token,
            SecretListResponse.class
@@ -355,7 +330,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        SecretListResponse secrets = request.get(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id?list=true"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id?list=true",
            emptyMap(),
            token,
            SecretListResponse.class
@@ -378,7 +353,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Request HTTP response and parse secret metadata */
        Map<String, String> args = mapOfStrings("version", version);
-        return request.get(mount + PATH_DATA + key, args, token, MetaSecretResponse.class);
+        return request.get(mount + SECRET_DATA + key, args, token, MetaSecretResponse.class);
    }
    @Override
@@ -387,7 +362,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Request HTTP response and parse secret metadata */
-        return request.get(mount + PATH_METADATA + key, emptyMap(), token, MetadataResponse.class);
+        return request.get(mount + SECRET_METADATA + key, emptyMap(), token, MetadataResponse.class);
    }
    @Override
@@ -402,7 +377,7 @@ public class HTTPVaultConnector implements VaultConnector {
            "cas_required", casRequired
        );
-        write(mount + PATH_METADATA + key, payload);
+        write(mount + SECRET_METADATA + key, payload);
    }
    @Override
@@ -421,7 +396,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Issue request and parse metadata response */
        return request.post(
-                mount + PATH_DATA + key,
+            mount + SECRET_DATA + key,
            Map.of(
                "data", data,
                "options", options
@@ -474,30 +449,30 @@ public class HTTPVaultConnector implements VaultConnector {
    @Override
    public final void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException {
-        delete(mount + PATH_DATA + key);
+        delete(mount + SECRET_DATA + key);
    }
    @Override
    public final void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException {
-        delete(mount + PATH_METADATA + key);
+        delete(mount + SECRET_METADATA + key);
    }
    @Override
    public final void deleteSecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_DELETE, key, versions);
+        handleSecretVersions(mount, SECRET_DELETE, key, versions);
    }
    @Override
    public final void undeleteSecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_UNDELETE, key, versions);
+        handleSecretVersions(mount, SECRET_UNDELETE, key, versions);
    }
    @Override
    public final void destroySecretVersions(final String mount, final String key, final int... versions)
        throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_DESTROY, key, versions);
+        handleSecretVersions(mount, SECRET_DESTROY, key, versions);
    }
    /**
@@ -528,7 +503,7 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        /* Issue request and expect code 204 with empty response */
-        request.putWithoutResponse(PATH_REVOKE + leaseID, emptyMap(), token);
+        request.putWithoutResponse(SYS_LEASES_REVOKE + encode(leaseID), emptyMap(), token);
    }
    @Override
@@ -541,17 +516,17 @@ public class HTTPVaultConnector implements VaultConnector {
        );
        /* Issue request and parse secret response */
-        return request.put(PATH_RENEW, payload, token, SecretResponse.class);
+        return request.put(SYS_LEASES_RENEW, payload, token, SecretResponse.class);
    }
    @Override
    public final AuthResponse createToken(final Token token) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE);
    }
    @Override
    public final AuthResponse createToken(final Token token, final boolean orphan) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE_ORPHAN);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE_ORPHAN);
    }
    @Override
@@ -559,7 +534,7 @@ public class HTTPVaultConnector implements VaultConnector {
        if (role == null || role.isEmpty()) {
            throw new InvalidRequestException("No role name specified.");
        }
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE + "/" + role);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE + "/" + encode(role));
    }
    @Override
@@ -594,7 +569,7 @@ public class HTTPVaultConnector implements VaultConnector {
        /* Request HTTP response and parse Secret */
        return request.get(
-                PATH_AUTH_TOKEN + PATH_LOOKUP,
+            AUTH_TOKEN + TOKEN_LOOKUP,
            singletonMap("token", token),
            token,
            TokenResponse.class
@@ -612,7 +587,7 @@ public class HTTPVaultConnector implements VaultConnector {
        }
        // Issue request and expect code 204 with empty response.
-        request.postWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, role, token);
+        request.postWithoutResponse(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), role, token);
        return true;
    }
@@ -622,14 +597,14 @@ public class HTTPVaultConnector implements VaultConnector {
        requireAuth();
        // Request HTTP response and parse response.
-        return request.get(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
+        return request.get(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), emptyMap(), token, TokenRoleResponse.class);
    }
    @Override
    public List<String> listTokenRoles() throws VaultConnectorException {
        requireAuth();
-        return list(PATH_AUTH_TOKEN + PATH_ROLES);
+        return list(AUTH_TOKEN + TOKEN_ROLES);
    }
    @Override
@@ -641,11 +616,52 @@ public class HTTPVaultConnector implements VaultConnector {
        }
        // Issue request and expect code 204 with empty response.
-        request.deleteWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, token);
+        request.deleteWithoutResponse(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), token);
        return true;
    }
    @Override
    public final TransitResponse transitEncrypt(final String keyName, final String plaintext)
        throws VaultConnectorException {
        requireAuth();
        Map<String, Object> payload = mapOf(
            "plaintext", plaintext
        );
        return request.post(TRANSIT_ENCRYPT + encode(keyName), payload, token, TransitResponse.class);
    }
    @Override
    public final TransitResponse transitDecrypt(final String keyName, final String ciphertext)
        throws VaultConnectorException {
        requireAuth();
        Map<String, Object> payload = mapOf(
            "ciphertext", ciphertext
        );
        return request.post(TRANSIT_DECRYPT + encode(keyName), payload, token, TransitResponse.class);
    }
    @Override
    public final TransitResponse transitHash(final String algorithm, final String input, final String format)
        throws VaultConnectorException {
        if (format != null && !"hex".equals(format) && !"base64".equals(format)) {
            throw new IllegalArgumentException("Unsupported format " + format);
        }
        requireAuth();
        Map<String, Object> payload = mapOf(
            "input", input,
            "format", format
        );
        return request.post(TRANSIT_HASH + encode(algorithm), payload, token, TransitResponse.class);
    }
    /**
     * Check for required authorization.
     *
@@ -685,7 +701,7 @@ public class HTTPVaultConnector implements VaultConnector {
     */
    private static Map<String, Object> mapOf(Object... keyValues) {
        Map<String, Object> map = new HashMap<>(keyValues.length / 2, 1);
-        for (int i = 0; i < keyValues.length; i = i + 2) {
+        for (int i = 0; i < keyValues.length - 1; i = i + 2) {
            Object key = keyValues[i];
            Object val = keyValues[i + 1];
            if (key instanceof String && val != null) {
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilder.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,18 +20,17 @@ import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.TlsException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Objects;
 /**
 * Vault Connector Builder implementation for HTTP Vault connectors.
@@ -96,10 +95,14 @@ public final class HTTPVaultConnectorBuilder {
     * @since 1.0
     */
    public HTTPVaultConnectorBuilder withBaseURL(final URI baseURL) {
-        return withTLS(!("http".equalsIgnoreCase(Objects.requireNonNullElse(baseURL.getScheme(), ""))))
+        String path = baseURL.getPath();
        if (path == null || path.isBlank()) {
            path = DEFAULT_PREFIX;
        }
        return withTLS(!("http".equalsIgnoreCase(baseURL.getScheme())))
            .withHost(baseURL.getHost())
            .withPort(baseURL.getPort())
-                .withPrefix(baseURL.getPath());
+            .withPrefix(path);
    }
    /**
@@ -301,13 +304,10 @@ public final class HTTPVaultConnectorBuilder {
     */
    public HTTPVaultConnectorBuilder fromEnv() throws VaultConnectorException {
        /* Parse URL from environment variable */
-        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).trim().isEmpty()) {
+        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).isBlank()) {
            try {
-                var url = new URL(System.getenv(ENV_VAULT_ADDR));
+                withBaseURL(System.getenv(ENV_VAULT_ADDR));
-                this.host = url.getHost();
+            } catch (URISyntaxException e) {
                this.port = url.getPort();
                this.tls = url.getProtocol().equals("https");
            } catch (MalformedURLException e) {
                throw new ConnectionException("URL provided in environment variable malformed", e);
            }
        }
@@ -315,7 +315,7 @@ public final class HTTPVaultConnectorBuilder {
        /* Read number of retries */
        if (System.getenv(ENV_VAULT_MAX_RETRIES) != null) {
            try {
-                numberOfRetries = Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES));
+                withNumberOfRetries(Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES)));
            } catch (NumberFormatException ignored) {
                /* Ignore malformed values. */
            }
@@ -325,8 +325,12 @@ public final class HTTPVaultConnectorBuilder {
        token = System.getenv(ENV_VAULT_TOKEN);
        /* Parse certificate, if set */
-        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).trim().isEmpty()) {
+        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).isBlank()) {
-            return withTrustedCA(Paths.get(System.getenv(ENV_VAULT_CACERT)));
+            X509Certificate cert = certificateFromString(System.getenv(ENV_VAULT_CACERT));
            if (cert == null) {
                cert = certificateFromFile(Paths.get(System.getenv(ENV_VAULT_CACERT)));
            }
            return withTrustedCA(cert);
        }
        return this;
    }
@@ -398,6 +402,28 @@ public final class HTTPVaultConnectorBuilder {
        return con;
    }
    /**
     * Read given certificate file to X.509 certificate.
     *
     * @param cert Certificate string (optionally PEM)
     * @return X.509 Certificate object if parseable, else {@code null}
     * @throws TlsException on error
     * @since 1.5.0
     */
    private X509Certificate certificateFromString(final String cert) throws TlsException {
        // Check if PEM header is present in given string
        if (cert.contains("-BEGIN ") && cert.contains("-END")) {
            try (var is = new ByteArrayInputStream(cert.getBytes(StandardCharsets.UTF_8))) {
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
            } catch (IOException | CertificateException e) {
                throw new TlsException("Unable to read certificate.", e);
            }
        }
        // Not am PEM string, skip
        return null;
    }
    /**
     * Read given certificate file to X.509 certificate.
     *
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,10 +21,7 @@ import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
 import java.io.Serializable;
-import java.util.ArrayList;
+import java.util.*;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 /**
 * Vault Connector interface.
@@ -674,6 +671,82 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    boolean deleteTokenRole(final String name) throws VaultConnectorException;
    /**
     * Encrypt plaintext via transit engine from Vault.
     *
     * @param keyName   Transit key name
     * @param plaintext Text to encrypt (Base64 encoded)
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitEncrypt(final String keyName, final String plaintext) throws VaultConnectorException;
    /**
     * Encrypt plaintext via transit engine from Vault.
     *
     * @param keyName   Transit key name
     * @param plaintext Binary data to encrypt
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitEncrypt(final String keyName, final byte[] plaintext)
        throws VaultConnectorException {
        return transitEncrypt(keyName, Base64.getEncoder().encodeToString(plaintext));
    }
    /**
     * Decrypt ciphertext via transit engine from Vault.
     *
     * @param keyName    Transit key name
     * @param ciphertext Text to decrypt
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitDecrypt(final String keyName, final String ciphertext) throws VaultConnectorException;
    /**
     * Hash data in hex format via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitHash(final String algorithm, final String input) throws VaultConnectorException {
        return transitHash(algorithm, input, "hex");
    }
    /**
     * Hash data via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash (Base64 encoded)
     * @param format    Specifies the output encoding (hex/base64)
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    TransitResponse transitHash(final String algorithm, final String input, final String format)
        throws VaultConnectorException;
    /**
     * Hash data via transit engine from Vault.
     *
     * @param algorithm Specifies the hash algorithm to use
     * @param input     Data to hash
     * @return Transit response
     * @throws VaultConnectorException on error
     * @since 1.5.0
     */
    default TransitResponse transitHash(final String algorithm, final byte[] input, final String format)
        throws VaultConnectorException {
        return transitHash(algorithm, Base64.getEncoder().encodeToString(input), format);
    }
    /**
     * Read credentials for MySQL backend at default mount point.
     *
@@ -681,7 +754,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MySQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMySqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mysql");
    }
@@ -693,7 +768,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your PostgreSQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readPostgreSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "postgresql");
    }
@@ -705,28 +782,32 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MSSQL mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMsSqlCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mssql");
    }
    /**
-     * Read credentials for MSSQL backend at default mount point.
+     * Read credentials for MongoDB backend at default mount point.
     *
     * @param role the role name
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
     * @deprecated use {@link #readDbCredentials(String, String)} your MongoDB mountpoint
     */
    @Deprecated(since = "1.5.0", forRemoval = true)
    default CredentialsResponse readMongoDbCredentials(final String role) throws VaultConnectorException {
        return readDbCredentials(role, "mongodb");
    }
    /**
-     * Read credentials for SQL backends.
+     * Read credentials for database backends.
     *
     * @param role  the role name
-     * @param mount mount point of the SQL backend
+     * @param mount mount point of the database backend
     * @return the credentials response
     * @throws VaultConnectorException on error
     * @since 0.5.0
--- a/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/TlsException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/exception/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/internal/Error.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/Error.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java
@@ -2,8 +2,8 @@ package de.stklcode.jvault.connector.internal;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.*;
 import de.stklcode.jvault.connector.model.response.ErrorResponse;
@@ -25,6 +25,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.CompletionException;
 import java.util.stream.Collectors;
@@ -44,7 +45,7 @@ public final class RequestHelper implements Serializable {
    private final int retries;                      // Number of retries on 5xx errors.
    private final String tlsVersion;                // TLS version (#22).
    private final X509Certificate trustedCaCert;    // Trusted CA certificate.
-    private final ObjectMapper jsonMapper;
+    private final JsonMapper jsonMapper;
    /**
     * Constructor of the request helper.
@@ -65,10 +66,11 @@ public final class RequestHelper implements Serializable {
        this.timeout = timeout;
        this.tlsVersion = tlsVersion;
        this.trustedCaCert = trustedCaCert;
-        this.jsonMapper = new ObjectMapper()
+        this.jsonMapper = JsonMapper.builder()
-                .registerModule(new JavaTimeModule())
+            .addModule(new JavaTimeModule())
            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
-                .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
            .build();
    }
    /**
@@ -262,9 +264,9 @@ public final class RequestHelper implements Serializable {
        if (!payload.isEmpty()) {
            uriBuilder.append("?").append(
-                    payload.entrySet().stream().map(par ->
+                payload.entrySet().stream()
-                            URLEncoder.encode(par.getKey(), UTF_8) + "=" + URLEncoder.encode(par.getValue(), UTF_8)
+                    .map(par -> encode(par.getKey()) + "=" + encode(par.getValue()))
-                    ).collect(Collectors.joining("&"))
+                    .collect(Collectors.joining("&"))
            );
        }
@@ -306,6 +308,17 @@ public final class RequestHelper implements Serializable {
        }
    }
    /**
     * Encode URL part.
     *
     * @param part Path part to URL-encode and insert into the template
     * @return Encoded URL part
     * @since 1.5.3
     */
    public static String encode(final String part) {
        return URLEncoder.encode(Objects.requireNonNullElse(part, ""), UTF_8);
    }
    /**
     * Execute prepared HTTP request and return result.
     *
--- a/src/main/java/de/stklcode/jvault/connector/internal/VaultApiPath.java
+++ b/src/main/java/de/stklcode/jvault/connector/internal/VaultApiPath.java
@@ -0,0 +1,71 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.internal;
 /**
 * Vault API path constants.
 *
 * @author Stefan Kalscheuer
 * @since 1.5.3
 */
 public final class VaultApiPath {
    // Base paths
    private static final String SYS = "sys";
    private static final String AUTH = "auth";
    private static final String TRANSIT = "transit";
    // System paths
    public static final String SYS_AUTH = SYS + "/auth";
    public static final String SYS_LEASES_RENEW = SYS + "/leases/renew";
    public static final String SYS_LEASES_REVOKE = SYS + "/leases/revoke/";
    public static final String SYS_HEALTH = SYS + "/health";
    public static final String SYS_SEAL = SYS + "/seal";
    public static final String SYS_SEAL_STATUS = SYS + "/seal-status";
    public static final String SYS_UNSEAL = SYS + "/unseal";
    // Auth paths
    public static final String AUTH_TOKEN = AUTH + "/token";
    public static final String AUTH_USERPASS_LOGIN = AUTH + "/userpass/login/";
    public static final String AUTH_APPROLE = AUTH + "/approle/";
    public static final String AUTH_APPROLE_ROLE = AUTH_APPROLE + "role/";
    // Token operations
    public static final String TOKEN_LOOKUP = "/lookup";
    public static final String TOKEN_LOOKUP_SELF = "/lookup-self";
    public static final String TOKEN_CREATE = "/create";
    public static final String TOKEN_CREATE_ORPHAN = "/create-orphan";
    public static final String TOKEN_ROLES = "/roles";
    // Secret engine paths
    public static final String SECRET_DATA = "/data/";
    public static final String SECRET_METADATA = "/metadata/";
    public static final String SECRET_DELETE = "/delete/";
    public static final String SECRET_UNDELETE = "/undelete/";
    public static final String SECRET_DESTROY = "/destroy/";
    // Transit engine paths
    public static final String TRANSIT_ENCRYPT = TRANSIT + "/encrypt/";
    public static final String TRANSIT_DECRYPT = TRANSIT + "/decrypt/";
    public static final String TRANSIT_HASH = TRANSIT + "/hash/";
    /**
     * Private constructor to prevent instantiation.
     */
    private VaultApiPath() {
        // Utility class
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -32,7 +32,7 @@ import java.util.Objects;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRole implements Serializable {
-    private static final long serialVersionUID = 693228837510483448L;
+    private static final long serialVersionUID = 1546673231280751679L;
    @JsonProperty("role_name")
    private String name;
@@ -53,7 +53,7 @@ public final class AppRole implements Serializable {
    @JsonProperty("secret_id_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer secretIdTtl;
+    private Long secretIdTtl;
    @JsonProperty("local_secret_ids")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -61,11 +61,11 @@ public final class AppRole implements Serializable {
    @JsonProperty("token_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer tokenTtl;
+    private Long tokenTtl;
    @JsonProperty("token_max_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer tokenMaxTtl;
+    private Long tokenMaxTtl;
    private List<String> tokenPolicies;
@@ -75,7 +75,7 @@ public final class AppRole implements Serializable {
    @JsonProperty("token_explicit_max_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer tokenExplicitMaxTtl;
+    private Long tokenExplicitMaxTtl;
    @JsonProperty("token_no_default_policy")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -255,7 +255,7 @@ public final class AppRole implements Serializable {
    /**
     * @return maximum TTL in seconds for secrets
     */
-    public Integer getSecretIdTtl() {
+    public Long getSecretIdTtl() {
        return secretIdTtl;
    }
@@ -271,14 +271,14 @@ public final class AppRole implements Serializable {
    /**
     * @return token TTL in seconds
     */
-    public Integer getTokenTtl() {
+    public Long getTokenTtl() {
        return tokenTtl;
    }
    /**
     * @return maximum token TTL in seconds, including renewals
     */
-    public Integer getTokenMaxTtl() {
+    public Long getTokenMaxTtl() {
        return tokenMaxTtl;
    }
@@ -286,7 +286,7 @@ public final class AppRole implements Serializable {
     * @return explicit maximum token TTL in seconds, including renewals
     * @since 0.9
     */
-    public Integer getTokenExplicitMaxTtl() {
+    public Long getTokenExplicitMaxTtl() {
        return tokenExplicitMaxTtl;
    }
@@ -370,12 +370,12 @@ public final class AppRole implements Serializable {
        private List<String> secretIdBoundCidrs;
        private List<String> tokenPolicies;
        private Integer secretIdNumUses;
-        private Integer secretIdTtl;
+        private Long secretIdTtl;
        private Boolean localSecretIds;
-        private Integer tokenTtl;
+        private Long tokenTtl;
-        private Integer tokenMaxTtl;
+        private Long tokenMaxTtl;
        private List<String> tokenBoundCidrs;
-        private Integer tokenExplicitMaxTtl;
+        private Long tokenExplicitMaxTtl;
        private Boolean tokenNoDefaultPolicy;
        private Integer tokenNumUses;
        private Integer tokenPeriod;
@@ -520,7 +520,7 @@ public final class AppRole implements Serializable {
         * @param secretIdTtl the TTL
         * @return self
         */
-        public Builder withSecretIdTtl(final Integer secretIdTtl) {
+        public Builder withSecretIdTtl(final Long secretIdTtl) {
            this.secretIdTtl = secretIdTtl;
            return this;
        }
@@ -544,7 +544,7 @@ public final class AppRole implements Serializable {
         * @param tokenTtl the TTL
         * @return self
         */
-        public Builder withTokenTtl(final Integer tokenTtl) {
+        public Builder withTokenTtl(final Long tokenTtl) {
            this.tokenTtl = tokenTtl;
            return this;
        }
@@ -555,7 +555,7 @@ public final class AppRole implements Serializable {
         * @param tokenMaxTtl the TTL
         * @return self
         */
-        public Builder withTokenMaxTtl(final Integer tokenMaxTtl) {
+        public Builder withTokenMaxTtl(final Long tokenMaxTtl) {
            this.tokenMaxTtl = tokenMaxTtl;
            return this;
        }
@@ -596,7 +596,7 @@ public final class AppRole implements Serializable {
         * @param tokenExplicitMaxTtl the TTL
         * @return self
         */
-        public Builder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
+        public Builder withTokenExplicitMaxTtl(final Long tokenExplicitMaxTtl) {
            this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
            return this;
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -32,7 +32,7 @@ import java.util.Objects;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleSecret implements Serializable {
-    private static final long serialVersionUID = -3401074170145792641L;
+    private static final long serialVersionUID = 3079272087137299819L;
    @JsonProperty("secret_id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -47,6 +47,8 @@ public final class AppRoleSecret implements Serializable {
    private List<String> cidrList;
    private List<String> tokenBoundCidrs;
    @JsonProperty(value = "creation_time", access = JsonProperty.Access.WRITE_ONLY)
    private String creationTime;
@@ -137,6 +139,36 @@ public final class AppRoleSecret implements Serializable {
        return String.join(",", cidrList);
    }
    /**
     * @return list of bound CIDR subnets of associated tokens
     * @since 1.5.3
     */
    public List<String> getTokenBoundCidrs() {
        return tokenBoundCidrs;
    }
    /**
     * @param boundCidrList list of subnets in CIDR notation to bind role to
     * @since 1.5.3
     */
    @JsonSetter("token_bound_cidrs")
    public void setTokenBoundCidrs(final List<String> boundCidrList) {
        this.tokenBoundCidrs = boundCidrList;
    }
    /**
     * @return list of subnets in CIDR notation as comma-separated {@link String}
     * @since 1.5.3
     */
    @JsonGetter("token_bound_cidrs")
    @JsonInclude(JsonInclude.Include.NON_EMPTY)
    public String getTokenBoundCidrsString() {
        if (tokenBoundCidrs == null || tokenBoundCidrs.isEmpty()) {
            return "";
        }
        return String.join(",", tokenBoundCidrs);
    }
    /**
     * @return Creation time
     */
@@ -184,6 +216,7 @@ public final class AppRoleSecret implements Serializable {
            Objects.equals(accessor, that.accessor) &&
            Objects.equals(metadata, that.metadata) &&
            Objects.equals(cidrList, that.cidrList) &&
            Objects.equals(tokenBoundCidrs, that.tokenBoundCidrs) &&
            Objects.equals(creationTime, that.creationTime) &&
            Objects.equals(expirationTime, that.expirationTime) &&
            Objects.equals(lastUpdatedTime, that.lastUpdatedTime) &&
@@ -193,7 +226,7 @@ public final class AppRoleSecret implements Serializable {
    @Override
    public int hashCode() {
-        return Objects.hash(id, accessor, metadata, cidrList, creationTime, expirationTime, lastUpdatedTime, numUses,
+        return Objects.hash(id, accessor, metadata, cidrList, tokenBoundCidrs, creationTime, expirationTime,
-                ttl);
+            lastUpdatedTime, numUses, ttl);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/Token.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/Token.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -32,7 +32,7 @@ import java.util.*;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class Token implements Serializable {
-    private static final long serialVersionUID = 5208508683665365287L;
+    private static final long serialVersionUID = 7003016071684507115L;
    @JsonProperty("id")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -56,11 +56,11 @@ public final class Token implements Serializable {
    @JsonProperty("ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer ttl;
+    private Long ttl;
    @JsonProperty("explicit_max_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer explicitMaxTtl;
+    private Long explicitMaxTtl;
    @JsonProperty("num_uses")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -162,7 +162,7 @@ public final class Token implements Serializable {
    /**
     * @return Time-to-live in seconds
     */
-    public Integer getTtl() {
+    public Long getTtl() {
        return ttl;
    }
@@ -170,7 +170,7 @@ public final class Token implements Serializable {
     * @return Explicit maximum time-to-live in seconds
     * @since 0.9
     */
-    public Integer getExplicitMaxTtl() {
+    public Long getExplicitMaxTtl() {
        return explicitMaxTtl;
    }
@@ -282,8 +282,8 @@ public final class Token implements Serializable {
        private String displayName;
        private Boolean noParent;
        private Boolean noDefaultPolicy;
-        private Integer ttl;
+        private Long ttl;
-        private Integer explicitMaxTtl;
+        private Long explicitMaxTtl;
        private Integer numUses;
        private List<String> policies;
        private Map<String, String> meta;
@@ -331,7 +331,7 @@ public final class Token implements Serializable {
         * @param ttl the ttl
         * @return self
         */
-        public Builder withTtl(final Integer ttl) {
+        public Builder withTtl(final Long ttl) {
            this.ttl = ttl;
            return this;
        }
@@ -342,7 +342,7 @@ public final class Token implements Serializable {
         * @param explicitMaxTtl the explicit max. TTL
         * @return self
         */
-        public Builder withExplicitMaxTtl(final Integer explicitMaxTtl) {
+        public Builder withExplicitMaxTtl(final Long explicitMaxTtl) {
            this.explicitMaxTtl = explicitMaxTtl;
            return this;
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -34,7 +34,7 @@ import java.util.Objects;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenRole implements Serializable {
-    private static final long serialVersionUID = -3505215215838576321L;
+    private static final long serialVersionUID = -4856948364869438439L;
    @JsonProperty("name")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -78,7 +78,7 @@ public final class TokenRole implements Serializable {
    @JsonProperty("token_explicit_max_ttl")
    @JsonInclude(JsonInclude.Include.NON_NULL)
-    private Integer tokenExplicitMaxTtl;
+    private Long tokenExplicitMaxTtl;
    @JsonProperty("token_no_default_policy")
    @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -204,7 +204,7 @@ public final class TokenRole implements Serializable {
    /**
     * @return Token explicit maximum TTL
     */
-    public Integer getTokenExplicitMaxTtl() {
+    public Long getTokenExplicitMaxTtl() {
        return tokenExplicitMaxTtl;
    }
@@ -285,7 +285,7 @@ public final class TokenRole implements Serializable {
        private String pathSuffix;
        private List<String> allowedEntityAliases;
        private List<String> tokenBoundCidrs;
-        private Integer tokenExplicitMaxTtl;
+        private Long tokenExplicitMaxTtl;
        private Boolean tokenNoDefaultPolicy;
        private Integer tokenNumUses;
        private Integer tokenPeriod;
@@ -537,7 +537,7 @@ public final class TokenRole implements Serializable {
         * @param tokenExplicitMaxTtl explicit maximum TTL
         * @return self
         */
-        public Builder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) {
+        public Builder withTokenExplicitMaxTtl(final Long tokenExplicitMaxTtl) {
            this.tokenExplicitMaxTtl = tokenExplicitMaxTtl;
            return this;
        }
--- a/src/main/java/de/stklcode/jvault/connector/model/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetaSecretResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/PlainSecretResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,8 +18,8 @@ package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
@@ -85,10 +85,11 @@ public abstract class SecretResponse extends VaultDataResponse {
            } else if (type.isInstance(rawValue)) {
                return type.cast(rawValue);
            } else {
-                var om = new ObjectMapper()
+                var om = JsonMapper.builder()
-                        .registerModule(new JavaTimeModule())
+                    .addModule(new JavaTimeModule())
                    .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
-                        .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+                    .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
                    .build();
                if (rawValue instanceof String) {
                    return om.readValue((String) rawValue, type);
--- a/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
@@ -0,0 +1,92 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonSetter;
 import java.util.Map;
 import java.util.Objects;
 /**
 * Response entity for transit operations.
 *
 * @author Stefan Kalscheuer
 * @since 1.5.0
 */
 public class TransitResponse extends VaultDataResponse {
    private static final long serialVersionUID = 6873804240772242771L;
    private String ciphertext;
    private String plaintext;
    private String sum;
    @JsonSetter("data")
    private void setData(Map<String, String> data) {
        ciphertext = data.get("ciphertext");
        plaintext = data.get("plaintext");
        sum = data.get("sum");
    }
    /**
     * Get ciphertext.
     * Populated after encryption.
     *
     * @return Ciphertext
     */
    public String getCiphertext() {
        return ciphertext;
    }
    /**
     * Get plaintext.
     * Base64 encoded, populated after decryption.
     *
     * @return Plaintext
     */
    public String getPlaintext() {
        return plaintext;
    }
    /**
     * Get hash sum.
     * Hex or Base64 string. Populated after hashing.
     *
     * @return Hash sum
     */
    public String getSum() {
        return sum;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
            return false;
        }
        TransitResponse that = (TransitResponse) o;
        return Objects.equals(ciphertext, that.ciphertext) &&
            Objects.equals(plaintext, that.plaintext) &&
            Objects.equals(sum, that.sum);
    }
    @Override
    public int hashCode() {
        return Objects.hash(super.hashCode(), ciphertext, plaintext, sum);
    }
 }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -115,6 +115,7 @@ public abstract class VaultDataResponse implements VaultResponse {
    public final String getMountType() {
        return mountType;
    }
    @Override
    public boolean equals(Object o) {
        if (this == o) {
--- a/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaConstraintAny.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaMethodId.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MfaRequirement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/MountConfig.java
@@ -15,13 +15,13 @@ import java.util.Objects;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public class MountConfig implements Serializable {
-    private static final long serialVersionUID = -8653909672663717792L;
+    private static final long serialVersionUID = 7241631159224756605L;
    @JsonProperty("default_lease_ttl")
-    private Integer defaultLeaseTtl;
+    private Long defaultLeaseTtl;
    @JsonProperty("max_lease_ttl")
-    private Integer maxLeaseTtl;
+    private Long maxLeaseTtl;
    @JsonProperty("force_no_cache")
    private Boolean forceNoCache;
@@ -56,14 +56,14 @@ public class MountConfig implements Serializable {
    /**
     * @return Default lease TTL
     */
-    public Integer getDefaultLeaseTtl() {
+    public Long getDefaultLeaseTtl() {
        return defaultLeaseTtl;
    }
    /**
     * @return Maximum lease TTL
     */
-    public Integer getMaxLeaseTtl() {
+    public Long getMaxLeaseTtl() {
        return maxLeaseTtl;
    }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -34,7 +34,7 @@ import java.util.Objects;
 */
@JsonIgnoreProperties(ignoreUnknown = true)
 public final class TokenData implements Serializable {
-    private static final long serialVersionUID = -5749716740973138916L;
+    private static final long serialVersionUID = -4168046151053509784L;
    @JsonProperty("accessor")
    private String accessor;
@@ -43,7 +43,7 @@ public final class TokenData implements Serializable {
    private Integer creationTime;
    @JsonProperty("creation_ttl")
-    private Integer creationTtl;
+    private Long creationTtl;
    @JsonProperty("display_name")
    private String name;
@@ -55,7 +55,7 @@ public final class TokenData implements Serializable {
    private ZonedDateTime expireTime;
    @JsonProperty("explicit_max_ttl")
-    private Integer explicitMaxTtl;
+    private Long explicitMaxTtl;
    @JsonProperty("id")
    private String id;
@@ -82,7 +82,7 @@ public final class TokenData implements Serializable {
    private boolean renewable;
    @JsonProperty("ttl")
-    private Integer ttl;
+    private Long ttl;
    @JsonProperty("type")
    private String type;
@@ -104,7 +104,7 @@ public final class TokenData implements Serializable {
    /**
     * @return Creation TTL (in seconds)
     */
-    public Integer getCreationTtl() {
+    public Long getCreationTtl() {
        return creationTtl;
    }
@@ -135,7 +135,7 @@ public final class TokenData implements Serializable {
     * @return Explicit maximum TTL
     * @since 0.9
     */
-    public Integer getExplicitMaxTtl() {
+    public Long getExplicitMaxTtl() {
        return explicitMaxTtl;
    }
@@ -202,7 +202,7 @@ public final class TokenData implements Serializable {
    /**
     * @return Token TTL (in seconds)
     */
-    public Integer getTtl() {
+    public Long getTtl() {
        return ttl;
    }
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/WrapInfo.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/de/stklcode/jvault/connector/package-info.java
+++ b/src/main/java/de/stklcode/jvault/connector/package-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorBuilderTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,7 +25,10 @@ import org.junit.jupiter.api.io.TempDir;
 import java.io.File;
 import java.lang.reflect.Field;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.Paths;
 import java.util.concurrent.atomic.AtomicReference;
 import static com.github.stefanbirkner.systemlambda.SystemLambda.withEnvironmentVariable;
 import static org.junit.jupiter.api.Assertions.*;
@@ -38,6 +41,8 @@ import static org.junit.jupiter.api.Assertions.*;
 */
 class HTTPVaultConnectorBuilderTest {
    private static final String VAULT_ADDR = "https://localhost:8201";
    private static final String VAULT_ADDR_2 = "http://localhost";
    private static final String VAULT_ADDR_3 = "https://localhost/vault/";
    private static final Integer VAULT_MAX_RETRIES = 13;
    private static final String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
@@ -112,6 +117,22 @@ class HTTPVaultConnectorBuilderTest {
            return null;
        });
        withVaultEnv(VAULT_ADDR_2, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                () -> HTTPVaultConnector.builder().fromEnv(),
                "Factory creation from minimal environment failed"
            );
            assertEquals(VAULT_ADDR_2 + "/v1/", getRequestHelperPrivate(builder.build(), "baseURL"), "URL without port not set correctly");
            return null;
        });
        withVaultEnv(VAULT_ADDR_3, null, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                () -> HTTPVaultConnector.builder().fromEnv(),
                "Factory creation from minimal environment failed"
            );
            assertEquals(VAULT_ADDR_3, getRequestHelperPrivate(builder.build(), "baseURL"), "URL with custom path not set correctly");
            return null;
        });
        // Provide address and number of retries.
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
@@ -128,19 +149,6 @@ class HTTPVaultConnectorBuilderTest {
            return null;
        });
        // Provide CA certificate.
        String vaultCacert = tempDir.toString() + "/doesnotexist";
        withVaultEnv(VAULT_ADDR, vaultCacert, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            TlsException e = assertThrows(
                    TlsException.class,
                    () -> HTTPVaultConnector.builder().fromEnv(),
                    "Creation with unknown cert path failed"
            );
            assertEquals(vaultCacert, assertInstanceOf(NoSuchFileException.class, e.getCause()).getFile());
            return null;
        });
        // Automatic authentication.
        withVaultEnv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
@@ -164,6 +172,59 @@ class HTTPVaultConnectorBuilderTest {
        });
    }
    /**
     * Test CA certificate handling from environment variables
     */
    @Test
    void testCertificateFromEnv() throws Exception {
        // From direct PEM content
        String pem = Files.readString(Paths.get(getClass().getResource("/tls/ca.pem").toURI()));
        AtomicReference<Object> certFromPem = new AtomicReference<>();
        withVaultEnv(VAULT_ADDR, pem, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                () -> HTTPVaultConnector.builder().fromEnv(),
                "Builder with PEM certificate from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            certFromPem.set(getRequestHelperPrivate(connector, "trustedCaCert"));
            assertNotNull(certFromPem.get(), "Trusted CA cert from PEM not set");
            return null;
        });
        // From file path
        String file = Paths.get(getClass().getResource("/tls/ca.pem").toURI()).toString();
        AtomicReference<Object> certFromFile = new AtomicReference<>();
        withVaultEnv(VAULT_ADDR, file, null, null).execute(() -> {
            HTTPVaultConnectorBuilder builder = assertDoesNotThrow(
                () -> HTTPVaultConnector.builder().fromEnv(),
                "Builder with certificate path from environment failed"
            );
            HTTPVaultConnector connector = builder.build();
            certFromFile.set(getRequestHelperPrivate(connector, "trustedCaCert"));
            assertNotNull(certFromFile.get(), "Trusted CA cert from file not set");
            return null;
        });
        assertEquals(certFromPem.get(), certFromFile.get(), "Certificates from PEM and file should be equal");
        // Non-existing path CA certificate path
        String doesNotExist = tempDir.toString() + "/doesnotexist";
        withVaultEnv(VAULT_ADDR, doesNotExist, VAULT_MAX_RETRIES.toString(), null).execute(() -> {
            TlsException e = assertThrows(
                TlsException.class,
                () -> HTTPVaultConnector.builder().fromEnv(),
                "Creation with unknown cert path failed"
            );
            assertEquals(doesNotExist, assertInstanceOf(NoSuchFileException.class, e.getCause()).getFile());
            return null;
        });
    }
    private SystemLambda.WithEnvironmentVariables withVaultEnv(String vaultAddr, String vaultCacert, String vaultMaxRetries, String vaultToken) {
        return withEnvironmentVariable("VAULT_ADDR", vaultAddr)
            .and("VAULT_CACERT", vaultCacert)
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -52,7 +52,7 @@ import static org.junit.jupiter.api.Assumptions.assumeTrue;
 * @since 0.1
 */
 class HTTPVaultConnectorIT {
-    private static String VAULT_VERSION = "1.18.2";  // The vault version this test is supposed to run against.
+    private static String VAULT_VERSION = "1.20.3";  // The vault version this test is supposed to run against.
    private static final String KEY1 = "E38bkCm0VhUvpdCKGQpcohhD9XmcHJ/2hreOSY019Lho";
    private static final String KEY2 = "O5OHwDleY3IiPdgw61cgHlhsrEm6tVJkrxhF6QAnILd1";
    private static final String KEY3 = "mw7Bm3nbt/UWa/juDjjL2EPQ04kiJ0saC5JEXwJvXYsB";
@@ -862,7 +862,7 @@ class HTTPVaultConnectorIT {
                .withDefaultPolicy()
                .withMeta("test", "success")
                .withMeta("key", "value")
-                    .withTtl(1234)
+                .withTtl(1234L)
                .build();
            InvalidResponseException e = assertThrows(
                InvalidResponseException.class,
@@ -989,6 +989,75 @@ class HTTPVaultConnectorIT {
        }
    }
    @Nested
    @DisplayName("Transit Tests")
    class TransitTests {
        @Test
        @DisplayName("Transit encryption")
        void transitEncryptTest() {
            assertDoesNotThrow(() -> connector.authToken(TOKEN_ROOT));
            assumeTrue(connector.isAuthorized());
            TransitResponse transitResponse = assertDoesNotThrow(
                () -> connector.transitEncrypt("my-key", "dGVzdCBtZQ=="),
                "Failed to encrypt via transit"
            );
            assertNotNull(transitResponse.getCiphertext());
            assertTrue(transitResponse.getCiphertext().startsWith("vault:v1:"));
            transitResponse = assertDoesNotThrow(
                () -> connector.transitEncrypt("my-key", "test me".getBytes(UTF_8)),
                "Failed to encrypt binary data via transit"
            );
            assertNotNull(transitResponse.getCiphertext());
            assertTrue(transitResponse.getCiphertext().startsWith("vault:v1:"));
        }
        @Test
        @DisplayName("Transit decryption")
        void transitDecryptTest() {
            assertDoesNotThrow(() -> connector.authToken(TOKEN_ROOT));
            assumeTrue(connector.isAuthorized());
            TransitResponse transitResponse = assertDoesNotThrow(
                () -> connector.transitDecrypt("my-key", "vault:v1:1mhLVkBAR2nrFtIkJF/qg57DWfRj0FWgR6tvkGO8XOnL6sw="),
                "Failed to decrypt via transit"
            );
            assertEquals("dGVzdCBtZQ==", transitResponse.getPlaintext());
        }
        @Test
        @DisplayName("Transit hash")
        void transitHashText() {
            assertDoesNotThrow(() -> connector.authToken(TOKEN_ROOT));
            assumeTrue(connector.isAuthorized());
            TransitResponse transitResponse = assertDoesNotThrow(
                () -> connector.transitHash("sha2-512", "dGVzdCBtZQ=="),
                "Failed to hash via transit"
            );
            assertEquals("7677af0ee4effaa9f35e9b1e82d182f79516ab8321786baa23002de7c06851059492dd37d5fc3791f17d81d4b58198d24a6fd8bbd62c42c1c30b371da500f193", transitResponse.getSum());
            TransitResponse transitResponseBase64 = assertDoesNotThrow(
                () -> connector.transitHash("sha2-256", "dGVzdCBtZQ==", "base64"),
                "Failed to hash via transit with base64 output"
            );
            assertEquals("5DfYkW7cvGLkfy36cXhqmZcygEy9HpnFNB4WWXKOl1M=", transitResponseBase64.getSum());
            transitResponseBase64 = assertDoesNotThrow(
                () -> connector.transitHash("sha2-256", "test me".getBytes(UTF_8), "base64"),
                "Failed to hash binary data via transit"
            );
            assertEquals("5DfYkW7cvGLkfy36cXhqmZcygEy9HpnFNB4WWXKOl1M=", transitResponseBase64.getSum());
        }
    }
    @Nested
    @DisplayName("Misc Tests")
    class MiscTests {
@@ -1153,7 +1222,7 @@ class HTTPVaultConnectorIT {
        // Write configuration file.
        File configFile = new File(dir, "vault.conf");
        try {
-            Files.write(configFile.toPath(), config.toString().getBytes(UTF_8));
+            Files.writeString(configFile.toPath(), config.toString(), UTF_8);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to generate config file", e);
        }
@@ -1213,10 +1282,8 @@ class HTTPVaultConnectorIT {
            return socket.getLocalPort();
        } catch (IOException e) {
-            e.printStackTrace();
+            throw new IllegalStateException("Unable to find a free TCP port", e);
        }
        throw new IllegalStateException("Unable to find a free TCP port");
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,13 +17,13 @@
 package de.stklcode.jvault.connector;
 import com.github.tomakehurst.wiremock.client.WireMock;
-import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
+import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo;
 import com.github.tomakehurst.wiremock.junit5.WireMockTest;
 import de.stklcode.jvault.connector.exception.ConnectionException;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.exception.PermissionDeniedException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junit.jupiter.api.function.Executable;
 import java.io.IOException;
@@ -36,9 +36,7 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
 import static org.junit.jupiter.api.Assertions.*;
 /**
@@ -48,18 +46,15 @@ import static org.junit.jupiter.api.Assertions.*;
 * @author Stefan Kalscheuer
 * @since 0.7.0
 */
@WireMockTest
 class HTTPVaultConnectorTest {
    @RegisterExtension
    static WireMockExtension wireMock = WireMockExtension.newInstance()
            .options(wireMockConfig().dynamicPort())
            .build();
    /**
     * Test exceptions thrown during request.
     */
    @Test
-    void requestExceptionTest() throws IOException, URISyntaxException {
+    void requestExceptionTest(WireMockRuntimeInfo wireMock) throws IOException, URISyntaxException {
-        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.url("/")).withTimeout(250).build();
+        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.getHttpBaseUrl()).withTimeout(250).build();
        // Test invalid response code.
        final int responseCode = 400;
@@ -94,9 +89,9 @@ class HTTPVaultConnectorTest {
        assertInstanceOf(IOException.class, e.getCause(), "Unexpected cause");
        // Now simulate a failing request that succeeds on second try.
-        connector = HTTPVaultConnector.builder(wireMock.url("/")).withNumberOfRetries(1).withTimeout(250).build();
+        connector = HTTPVaultConnector.builder(wireMock.getHttpBaseUrl()).withNumberOfRetries(1).withTimeout(250).build();
-        wireMock.stubFor(
+        stubFor(
            WireMock.any(anyUrl())
                .willReturn(aResponse().withStatus(500))
                .willReturn(aResponse().withStatus(500))
@@ -193,8 +188,8 @@ class HTTPVaultConnectorTest {
     * Test behavior on unparsable responses.
     */
    @Test
-    void parseExceptionTest() throws URISyntaxException {
+    void parseExceptionTest(WireMockRuntimeInfo wireMock) throws URISyntaxException {
-        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.url("/")).withTimeout(250).build();
+        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.getHttpBaseUrl()).withTimeout(250).build();
        // Mock authorization.
        setPrivate(connector, "authorized", true);
        // Mock response.
@@ -227,8 +222,8 @@ class HTTPVaultConnectorTest {
     * Test requests that expect an empty response with code 204, but receive a 200 body.
     */
    @Test
-    void nonEmpty204ResponseTest() throws URISyntaxException {
+    void nonEmpty204ResponseTest(WireMockRuntimeInfo wireMock) throws URISyntaxException {
-        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.url("/")).withTimeout(250).build();
+        HTTPVaultConnector connector = HTTPVaultConnector.builder(wireMock.getHttpBaseUrl()).withTimeout(250).build();
        // Mock authorization.
        setPrivate(connector, "authorized", true);
        // Mock response.
@@ -310,7 +305,7 @@ class HTTPVaultConnectorTest {
    }
    private void mockHttpResponse(int status, String body, String contentType) {
-        wireMock.stubFor(
+        stubFor(
            WireMock.any(anyUrl()).willReturn(
                aResponse().withStatus(status).withBody(body).withHeader("Content-Type", contentType)
            )
--- a/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AbstractModelTest.java
@@ -3,6 +3,7 @@ package de.stklcode.jvault.connector.model;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import nl.jqno.equalsverifier.EqualsVerifier;
 import org.junit.jupiter.api.Test;
@@ -29,10 +30,11 @@ public abstract class AbstractModelTest<T> {
     */
    protected AbstractModelTest(Class<T> modelClass) {
        this.modelClass = modelClass;
-        this.objectMapper = new ObjectMapper()
+        this.objectMapper = JsonMapper.builder()
-                .registerModule(new JavaTimeModule())
+            .addModule(new JavaTimeModule())
            .enable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
-                .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE);
+            .disable(DeserializationFeature.ADJUST_DATES_TO_CONTEXT_TIME_ZONE)
            .build();
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -39,6 +39,7 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        "number", 1337
    );
    private static final List<String> TEST_CIDR = List.of("203.0.113.0/24", "198.51.100.0/24");
    private static final List<String> TEST_TOKEN_CIDR = List.of("192.0.2.0/24", "198.51.100.0/24");
    AppRoleSecretTest() {
        super(AppRoleSecret.class);
@@ -61,6 +62,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        assertNull(secret.getMetadata());
        assertNull(secret.getCidrList());
        assertEquals("", secret.getCidrListString());
        assertNull(secret.getTokenBoundCidrs());
        assertEquals("", secret.getTokenBoundCidrsString());
        assertNull(secret.getCreationTime());
        assertNull(secret.getExpirationTime());
        assertNull(secret.getLastUpdatedTime());
@@ -74,6 +77,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        assertNull(secret.getMetadata());
        assertNull(secret.getCidrList());
        assertEquals("", secret.getCidrListString());
        assertNull(secret.getTokenBoundCidrs());
        assertEquals("", secret.getTokenBoundCidrsString());
        assertNull(secret.getCreationTime());
        assertNull(secret.getExpirationTime());
        assertNull(secret.getLastUpdatedTime());
@@ -87,6 +92,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        assertEquals(TEST_META, secret.getMetadata());
        assertEquals(TEST_CIDR, secret.getCidrList());
        assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
        assertNull(secret.getTokenBoundCidrs());
        assertEquals("", secret.getTokenBoundCidrsString());
        assertNull(secret.getCreationTime());
        assertNull(secret.getExpirationTime());
        assertNull(secret.getLastUpdatedTime());
@@ -108,6 +115,15 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        secret.setCidrList(null);
        assertNull(secret.getCidrList());
        assertEquals("", secret.getCidrListString());
        assertNull(secret.getTokenBoundCidrs());
        assertEquals("", secret.getTokenBoundCidrsString());
        secret.setTokenBoundCidrs(TEST_TOKEN_CIDR);
        assertEquals(TEST_TOKEN_CIDR, secret.getTokenBoundCidrs());
        assertEquals(String.join(",", TEST_TOKEN_CIDR), secret.getTokenBoundCidrsString());
        secret.setTokenBoundCidrs(null);
        assertNull(secret.getTokenBoundCidrs());
        assertEquals("", secret.getTokenBoundCidrsString());
    }
    /**
@@ -159,7 +175,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
        // Those fields should be deserialized from JSON though.
        String secretJson4 = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
-                "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
+            "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"cidr_list\":[\"192.0.2.0/24\",\"198.51.100.0/24\"]," +
            "\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
            "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
            "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
        secret2 = assertDoesNotThrow(() -> objectMapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
@@ -181,6 +198,7 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
    private static String commaSeparatedToList(String json) {
        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":[$1]")
            .replaceAll("\"token_bound_cidrs\":\"([^\"]*)\"", "\"token_bound_cidrs\":[$1]")
            .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -42,11 +42,11 @@ class AppRoleTest extends AbstractModelTest<AppRole> {
    private static final String POLICY = "policy";
    private static final String POLICY_2 = "policy2";
    private static final Integer SECRET_ID_NUM_USES = 10;
-    private static final Integer SECRET_ID_TTL = 7200;
+    private static final Long SECRET_ID_TTL = 7200L;
    private static final Boolean LOCAL_SECRET_IDS = false;
-    private static final Integer TOKEN_TTL = 4800;
+    private static final Long TOKEN_TTL = 4800L;
-    private static final Integer TOKEN_MAX_TTL = 9600;
+    private static final Long TOKEN_MAX_TTL = 9600L;
-    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400;
+    private static final Long TOKEN_EXPLICIT_MAX_TTL = 14400L;
    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
    private static final Integer TOKEN_NUM_USES = 42;
    private static final Integer TOKEN_PERIOD = 1234;
--- a/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -59,7 +59,7 @@ class TokenRoleTest extends AbstractModelTest<TokenRole> {
    private static final String TOKEN_BOUND_CIDR_2 = "198.51.100.0/24";
    private static final String TOKEN_BOUND_CIDR_3 = "203.0.113.0/24";
    private static final List<String> TOKEN_BOUND_CIDRS = Arrays.asList(TOKEN_BOUND_CIDR_2, TOKEN_BOUND_CIDR_1);
-    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 1234;
+    private static final Long TOKEN_EXPLICIT_MAX_TTL = 1234L;
    private static final Boolean TOKEN_NO_DEFAULT_POLICY = false;
    private static final Integer TOKEN_NUM_USES = 5;
    private static final Integer TOKEN_PERIOD = 2345;
@@ -173,7 +173,7 @@ class TokenRoleTest extends AbstractModelTest<TokenRole> {
        assertNull(role.getTokenType());
        // Empty builder should be equal to no-arg construction.
-        assertEquals(role, new TokenRole());
+        assertEquals(new TokenRole(), role);
        // Optional fields should be ignored, so JSON string should be empty.
        assertEquals("{}", objectMapper.writeValueAsString(role));
--- a/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/TokenTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -35,8 +35,8 @@ class TokenTest extends AbstractModelTest<Token> {
    private static final String DISPLAY_NAME = "display-name";
    private static final Boolean NO_PARENT = false;
    private static final Boolean NO_DEFAULT_POLICY = false;
-    private static final Integer TTL = 123;
+    private static final Long TTL = 123L;
-    private static final Integer EXPLICIT_MAX_TTL = 456;
+    private static final Long EXPLICIT_MAX_TTL = 456L;
    private static final Integer NUM_USES = 4;
    private static final List<String> POLICIES = new ArrayList<>();
    private static final String POLICY = "policy";
@@ -105,7 +105,7 @@ class TokenTest extends AbstractModelTest<Token> {
        assertEquals("{}", objectMapper.writeValueAsString(token));
        // Empty builder should be equal to no-arg construction.
-        assertEquals(token, new Token());
+        assertEquals(new Token(), token);
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AppRole;
 import org.junit.jupiter.api.Test;
@@ -32,9 +31,9 @@ import static org.junit.jupiter.api.Assertions.*;
 * @since 0.6.2
 */
 class AppRoleResponseTest extends AbstractModelTest<AppRoleResponse> {
-    private static final Integer ROLE_TOKEN_TTL = 1200;
+    private static final Long ROLE_TOKEN_TTL = 1200L;
-    private static final Integer ROLE_TOKEN_MAX_TTL = 1800;
+    private static final Long ROLE_TOKEN_MAX_TTL = 1800L;
-    private static final Integer ROLE_SECRET_TTL = 600;
+    private static final Long ROLE_SECRET_TTL = 600L;
    private static final Integer ROLE_SECRET_NUM_USES = 40;
    private static final String ROLE_POLICY = "default";
    private static final Integer ROLE_PERIOD = 0;
@@ -67,12 +66,10 @@ class AppRoleResponseTest extends AbstractModelTest<AppRoleResponse> {
    @Override
    protected AppRoleResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, AppRoleResponse.class);
+            () -> objectMapper.readValue(RES_JSON, AppRoleResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
@@ -45,9 +44,9 @@ class AuthMethodsResponseTest extends AbstractModelTest<AuthMethodsResponse> {
    private static final String TK_UUID = "32ea9681-6bd6-6cec-eec3-d11260ba9741";
    private static final String TK_ACCESSOR = "auth_token_ac0dd95a";
    private static final String TK_DESCR = "token based credentials";
-    private static final Integer TK_LEASE_TTL = 0;
+    private static final Long TK_LEASE_TTL = 0L;
    private static final Boolean TK_FORCE_NO_CACHE = false;
-    private static final Integer TK_MAX_LEASE_TTL = 0;
+    private static final Long TK_MAX_LEASE_TTL = 0L;
    private static final String TK_TOKEN_TYPE = "default-service";
    private static final String TK_RUNNING_PLUGIN_VERSION = "v1.15.3+builtin.vault";
@@ -90,12 +89,10 @@ class AuthMethodsResponseTest extends AbstractModelTest<AuthMethodsResponse> {
    @Override
    protected AuthMethodsResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, AuthMethodsResponse.class);
+            () -> objectMapper.readValue(RES_JSON, AuthMethodsResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.AuthData;
 import de.stklcode.jvault.connector.model.response.embedded.MfaConstraintAny;
@@ -101,12 +100,10 @@ class AuthResponseTest extends AbstractModelTest<AuthResponse> {
    @Override
    protected AuthResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, AuthResponse.class);
+            () -> objectMapper.readValue(RES_JSON, AuthResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    @Test
--- a/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -49,12 +48,10 @@ class CredentialsResponseTest extends AbstractModelTest<CredentialsResponse> {
    @Override
    protected CredentialsResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(JSON, CredentialsResponse.class);
+            () -> objectMapper.readValue(JSON, CredentialsResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/ErrorResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -42,12 +41,10 @@ class ErrorResponseTest extends AbstractModelTest<ErrorResponse> {
    @Override
    protected ErrorResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(JSON, ErrorResponse.class);
+            () -> objectMapper.readValue(JSON, ErrorResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -67,12 +66,10 @@ class HealthResponseTest extends AbstractModelTest<HealthResponse> {
    @Override
    protected HealthResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, HealthResponse.class);
+            () -> objectMapper.readValue(RES_JSON, HealthResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/HelpResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -38,12 +37,10 @@ class HelpResponseTest extends AbstractModelTest<HelpResponse> {
    @Override
    protected HelpResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(JSON, HelpResponse.class);
+            () -> objectMapper.readValue(JSON, HelpResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetaSecretResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -95,12 +94,10 @@ class MetaSecretResponseTest extends AbstractModelTest<MetaSecretResponse> {
    @Override
    protected MetaSecretResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class);
+            () -> objectMapper.readValue(SECRET_JSON_V2, MetaSecretResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/MetadataResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/MetadataResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -80,12 +79,10 @@ class MetadataResponseTest extends AbstractModelTest<MetadataResponse> {
    @Override
    protected MetadataResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(META_JSON, MetadataResponse.class);
+            () -> objectMapper.readValue(META_JSON, MetadataResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/PlainSecretResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/PlainSecretResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -60,12 +59,10 @@ class PlainSecretResponseTest extends AbstractModelTest<PlainSecretResponse> {
    @Override
    protected PlainSecretResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(SECRET_JSON, PlainSecretResponse.class);
+            () -> objectMapper.readValue(SECRET_JSON, PlainSecretResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SealResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SealResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -83,12 +82,10 @@ class SealResponseTest extends AbstractModelTest<SealResponse> {
    @Override
    protected SealResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_UNSEALED, SealResponse.class);
+            () -> objectMapper.readValue(RES_UNSEALED, SealResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SecretListResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SecretListResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,13 +16,13 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
 import java.util.List;
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 /**
 * JUnit Test for {@link SecretListResponse} model.
@@ -52,12 +52,10 @@ class SecretListResponseTest extends AbstractModelTest<SecretListResponse> {
    @Override
    protected SecretListResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(JSON, SecretListResponse.class);
+            () -> objectMapper.readValue(JSON, SecretListResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/SecretVersionResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/SecretVersionResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -48,12 +47,10 @@ class SecretVersionResponseTest extends AbstractModelTest<SecretVersionResponse>
    @Override
    protected SecretVersionResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(META_JSON, SecretVersionResponse.class);
+            () -> objectMapper.readValue(META_JSON, SecretVersionResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/TokenResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/TokenResponseTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 package de.stklcode.jvault.connector.model.response;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import de.stklcode.jvault.connector.model.response.embedded.TokenData;
 import org.junit.jupiter.api.Test;
@@ -35,8 +34,8 @@ import static org.junit.jupiter.api.Assertions.*;
 */
 class TokenResponseTest extends AbstractModelTest<TokenResponse> {
    private static final Integer TOKEN_CREATION_TIME = 1457533232;
-    private static final Integer TOKEN_TTL = 2764800;
+    private static final Long TOKEN_TTL = 2764800L;
-    private static final Integer TOKEN_EXPLICIT_MAX_TTL = 0;
+    private static final Long TOKEN_EXPLICIT_MAX_TTL = 0L;
    private static final String TOKEN_DISPLAY_NAME = "token";
    private static final String TOKEN_META_KEY = "foo";
    private static final String TOKEN_META_VALUE = "bar";
@@ -47,7 +46,7 @@ class TokenResponseTest extends AbstractModelTest<TokenResponse> {
    private static final String TOKEN_POLICY_1 = "default";
    private static final String TOKEN_POLICY_2 = "web";
    private static final Boolean RES_RENEWABLE = false;
-    private static final Integer RES_TTL = 2591976;
+    private static final Long RES_TTL = 2591976L;
    private static final Integer RES_LEASE_DURATION = 0;
    private static final String TOKEN_ACCESSOR = "VKvzT2fKHFsZFUus9LyoXCvu";
    private static final String TOKEN_ENTITY_ID = "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9";
@@ -96,12 +95,10 @@ class TokenResponseTest extends AbstractModelTest<TokenResponse> {
    @Override
    protected TokenResponse createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, TokenResponse.class);
+            () -> objectMapper.readValue(RES_JSON, TokenResponse.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/model/response/TransitResponseTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/TransitResponseTest.java
@@ -0,0 +1,134 @@
 /*
 * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package de.stklcode.jvault.connector.model.response;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
 /**
 * JUnit Test for {@link TransitResponse} model.
 *
 * @author Stefan Kalscheuer
 * @since 1.5.0
 */
 class TransitResponseTest extends AbstractModelTest<TransitResponse> {
    private static final String CIPHERTEXT = "vault:v1:XjsPWPjqPrBi1N2Ms2s1QM798YyFWnO4TR4lsFA=";
    private static final String PLAINTEXT = "dGhlIHF1aWNrIGJyb3duIGZveAo=";
    private static final String SUM = "dGhlIHF1aWNrIGJyb3duIGZveAo=";
    TransitResponseTest() {
        super(TransitResponse.class);
    }
    @Override
    protected TransitResponse createFull() {
        return assertDoesNotThrow(
            () -> objectMapper.readValue(
                json(
                    "\"ciphertext\": \"" + CIPHERTEXT + "\", " +
                        "\"plaintext\": \"" + PLAINTEXT + "\", " +
                        "\"sum\": \"" + SUM + "\""
                ),
                TransitResponse.class
            ),
            "Creation of full model failed"
        );
    }
    @Test
    void encryptionTest() {
        TransitResponse res = assertDoesNotThrow(
            () -> objectMapper.readValue(
                json("\"ciphertext\": \"" + CIPHERTEXT + "\""),
                TransitResponse.class
            ),
            "TransitResponse deserialization failed"
        );
        assertNotNull(res, "Parsed response is NULL");
        assertEquals("987c6daf-b0e2-4142-a970-1e61fdb249d7", res.getRequestId(), "Incorrect request id");
        assertEquals("", res.getLeaseId(), "Unexpected lease id");
        assertFalse(res.isRenewable(), "Unexpected renewable flag");
        assertEquals(0, res.getLeaseDuration(), "Unexpected lease duration");
        assertEquals(CIPHERTEXT, res.getCiphertext(), "Incorrect ciphertext");
        assertNull(res.getPlaintext(), "Unexpected plaintext");
        assertNull(res.getSum(), "Unexpected sum");
        assertNull(res.getWrapInfo(), "Unexpected wrap info");
        assertNull(res.getWarnings(), "Unexpected warnings");
        assertNull(res.getAuth(), "Unexpected auth");
    }
    @Test
    void decryptionTest() {
        TransitResponse res = assertDoesNotThrow(
            () -> objectMapper.readValue(
                json("\"plaintext\": \"" + PLAINTEXT + "\""),
                TransitResponse.class
            ),
            "TransitResponse deserialization failed"
        );
        assertNotNull(res, "Parsed response is NULL");
        assertEquals("987c6daf-b0e2-4142-a970-1e61fdb249d7", res.getRequestId(), "Incorrect request id");
        assertEquals("", res.getLeaseId(), "Unexpected lease id");
        assertFalse(res.isRenewable(), "Unexpected renewable flag");
        assertEquals(0, res.getLeaseDuration(), "Unexpected lease duration");
        assertNull(res.getCiphertext(), "Unexpected ciphertext");
        assertEquals(PLAINTEXT, res.getPlaintext(), "Incorrect plaintext");
        assertNull(res.getSum(), "Unexpected sum");
        assertNull(res.getWrapInfo(), "Unexpected wrap info");
        assertNull(res.getWarnings(), "Unexpected warnings");
        assertNull(res.getAuth(), "Unexpected auth");
    }
    @Test
    void hashTest() {
        TransitResponse res = assertDoesNotThrow(
            () -> objectMapper.readValue(
                json("\"sum\": \"" + SUM + "\""),
                TransitResponse.class
            ),
            "TransitResponse deserialization failed"
        );
        assertNotNull(res, "Parsed response is NULL");
        assertEquals("987c6daf-b0e2-4142-a970-1e61fdb249d7", res.getRequestId(), "Incorrect request id");
        assertEquals("", res.getLeaseId(), "Unexpected lease id");
        assertFalse(res.isRenewable(), "Unexpected renewable flag");
        assertEquals(0, res.getLeaseDuration(), "Unexpected lease duration");
        assertNull(res.getCiphertext(), "Unexpected ciphertext");
        assertNull(res.getPlaintext(), "Unexpected plaintext");
        assertEquals(SUM, res.getSum(), "Incorrect sum");
        assertNull(res.getWrapInfo(), "Unexpected wrap info");
        assertNull(res.getWarnings(), "Unexpected warnings");
        assertNull(res.getAuth(), "Unexpected auth");
    }
    private static String json(String data) {
        return "{\n" +
            "  \"request_id\" : \"987c6daf-b0e2-4142-a970-1e61fdb249d7\",\n" +
            "  \"lease_id\" : \"\",\n" +
            "  \"renewable\" : false,\n" +
            "  \"lease_duration\" : 0,\n" +
            "  \"data\" : {\n" +
            "    " + data + "\n" +
            "  },\n" +
            "  \"wrap_info\" : null,\n" +
            "  \"warnings\" : null,\n" +
            "  \"auth\" : null\n" +
            "}";
    }
 }
--- a/src/test/java/de/stklcode/jvault/connector/model/response/embedded/MountConfigTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/model/response/embedded/MountConfigTest.java
@@ -1,6 +1,5 @@
 package de.stklcode.jvault.connector.model.response.embedded;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import de.stklcode.jvault.connector.model.AbstractModelTest;
 import org.junit.jupiter.api.Test;
@@ -14,8 +13,8 @@ import static org.junit.jupiter.api.Assertions.*;
 * @author Stefan Kalscheuer
 */
 class MountConfigTest extends AbstractModelTest<MountConfig> {
-    private static final Integer DEFAULT_LEASE_TTL = 1800;
+    private static final Long DEFAULT_LEASE_TTL = 1800L;
-    private static final Integer MAX_LEASE_TTL = 3600;
+    private static final Long MAX_LEASE_TTL = 3600L;
    private static final Boolean FORCE_NO_CACHE = false;
    private static final String TOKEN_TYPE = "default-service";
    private static final String AUDIT_NON_HMAC_REQ_KEYS_1 = "req1";
@@ -62,12 +61,10 @@ class MountConfigTest extends AbstractModelTest<MountConfig> {
    @Override
    protected MountConfig createFull() {
-        try {
+        return assertDoesNotThrow(
-            return objectMapper.readValue(RES_JSON, MountConfig.class);
+            () -> objectMapper.readValue(RES_JSON, MountConfig.class),
-        } catch (JsonProcessingException e) {
+            "Creation of full model instance failed"
-            fail("Creation of full model instance failed", e);
+        );
            return null;
        }
    }
    /**
--- a/src/test/java/de/stklcode/jvault/connector/test/Credentials.java
+++ b/src/test/java/de/stklcode/jvault/connector/test/Credentials.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/test/java/de/stklcode/jvault/connector/test/VaultConfiguration.java
+++ b/src/test/java/de/stklcode/jvault/connector/test/VaultConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 Stefan Kalscheuer
+ * Copyright 2016-2025 Stefan Kalscheuer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/src/test/resources/data_dir/core/_mounts
+++ b/src/test/resources/data_dir/core/_mounts
@@ -1 +1 @@
-{"Value":"AAAAAQIOTEuNxtf2ZfGu6k9+65GFonDBiaetJnyLYFk1qfWPrE/VqUunbxuTv/QyK4pgC/q14sqypdxPe4Ygp/5mxzzuY6JXB0VKiDMXe9R5BltTG7++rLmKH/j+G7nEh71LER1/qVktU6x8dmDmTbpTgl5xzAB5DIXLMMKjjWda/7qJ3ivNI0pEOQ3JyT27SkqjqM49Dp1JIgKnjIEVQORqKcsSP+aqIncMjIo2iGXOGlDYAesp5tZ4hln3VCwXaIlrU8z6Mmntgcg7NeK/O2WTl86K644dbJUh6frGFDujrjOh/Pgp9n9u0BI3E9K9GD1Z1S1wEb1MCqzT/e9oHG7I7D8ku8PH11wGWGH6BmYlESYUG/KRVqu0XOQEfroLHZQiLE00yHBdStW/UJ9y5pmGpu1aiQ88Q8fpjF5xmRey99b4c6KUIpHjw5Af0XA9ZKsEJUyjS/dbMKPM6PBOW21LYefXH5b0poXMWgLW6LJV0zLuVMyVZJqANbzCVtheDPSsEjkHHwR/CLa2zs2Z6wJF3j1GDZxUFf4nbnuXQzz3M3kVPPtS6htlb0d8RN0/dkOrqUue+c4UjnXhiacXyVUnQQzUVu0sGak4vrQi0020aBzMXM2ZG7rNgvw+wcYFS4txO90kwJL6aOMXT2BeJiQ3wjjHb7M74/sSd0ffRTUlJSODSDotO7Q7Dfcnc1FLrIhXPRFPavTjFoL5HRy77xuGG7U7jTMoGra+rK54v0sxqKbS5WZi1hADQmAVIO8bPb+jA1qoejRFygW6sLgAdmEFQQJOhCV/BoKP3A=="}
+{"Value":"AAAAAQJ7mykBIbHX5k81qdXEpvlLgRF1ZSlODETcB1JBZ7nj0Muskpvvl3jofN5XH1Td8ibJlrR0o5o/OUjZAz9t0Da+ZzCy4ga9G2SmgWkUAravTqfPO/ZxWh2hqTso2WPBXRM3/IeR0SAv/zh7m7JILxjKybJmnl9U6fkjPID/us0AscckZ9kgJ4g8jwaTzPfRp5U8jMebHYbABXZ65PeUOvNiDVcOvQDWPJrMxICz12xbeJ8mKs5MHpcNkLtPoRCQSpsh0YYTwkuF7NvpIciqIJ4/Yb7wYO+vp9AATbiIs3sSFBWxXEl0OAg/SAmOvaR27Y7/NHN//mg81jkMOHv62/Fxf11I8t1d63oyWFQhP0xR9eoq5hGNQ/30I2m1prhZtLRC2ieKASBDMxTzyNS5G5bsVXvhCsxn8tiC0Ma+ySOfxMQzBRfbx8rtoGmLFP+l/d6VMOPGFxmYqzLS5HvvpCryscCqLn7A8i6TMSrZiF7ZevyfEBpThqhJiYHzUxf07O5IAe6JBSGuNV9gLE+uJXaiYLedJwSfjRKwdQyzer730dU1IegW3KYTb/5hSW4eaETKkjc/alC536WlvAv+5FyckDBc3aVC+hHB7lKZG5YANkOUS3m5I8epemOmuKQ5pnXLOdDkQ14DyNCC79NwLltkp0d6sTNstQ44XAbs0HlLjs4EFwg5Hps9qHeXgTOXeAvwUerJgM20nKszlB+Oy+JzZm0xOK5xoJwy+z0/U3PtJ+7pwAipesIa2QEzqMt3EneuPuwEcv3bPUcowukq542sCEK0CuZjLqTUU9nNqiZan5f5pWuL0hYw4NFIkNfQyRlqgKpMaplDk/2fBqaV98yn0DWceEMWRY4NXpEMS+ysPDIeamX99auWqakb95AZ7tySpkRAkZYtq1nY5Nu0w7NyJrJZ1lhBHs2ZjW0tpXn2CL0MhMVArg=="}
--- a/src/test/resources/data_dir/logical/c49ee9eb-94d9-928c-c958-95d092130c30/archive/_my-key
+++ b/src/test/resources/data_dir/logical/c49ee9eb-94d9-928c-c958-95d092130c30/archive/_my-key
@@ -0,0 +1 @@
 {"Value":"AAAAAQIwsBgPcs7Hxl7UnB8OkTq9+5HERx4Fzn8jAzR8uIhoQZfpNG/15m2LEEsDJw1o+lxc6u+h7XcOB1QRqrKz8k7CFR15A+qsxD0UclHZdnk+MmMwXL9SSvYugp7XPiXmpG/uTZVf1QtigXQuehEEJeFfJVI7aFACu2AHEGVt+5b6yDQEgTUruo0seazRXuVU+J6NFCDU3ZvkR8e0al6OcMail59KamzjSCYiqDF4TeUuOQ6Zyr7zIG7gSaas1sog2JIlvrh+wkHW6I+OyD9SJSTinGEGRXl0tq15qoBJ4srfXdWODmKtExEupArbiDR5PyvSI3KlIHKIFduslJZKkJwiV3dBscdva4Rqb98FffMVYuM4G4s+VpvDDX+WVsqWF1ssoHRAFWCNAJGsenVDTxblzAF/4rGkJ7LC9yjLGsBtMOCkCZAKDQ3C9VFu+LGhbMRA5p2RKxNKWGem4Cyp5AqMmx62UzDAgMLGgm89A0g9s1/3FnCoLPdVmlWc6cg4QahN30qJCInJeAmH7T9NwIjv6/QxyJxyDVtdMtcfnMNxx15Q29lbyWTcbaI1iabHpc16iS/gwAPQeBTSbcvc4OxqwC5PDFThFq6bwZXaekYz4ghC13j9Ht79GVKH9cPZb5M="}
--- a/src/test/resources/data_dir/logical/c49ee9eb-94d9-928c-c958-95d092130c30/policy/_my-key
+++ b/src/test/resources/data_dir/logical/c49ee9eb-94d9-928c-c958-95d092130c30/policy/_my-key
@@ -0,0 +1 @@
 {"Value":"AAAAAQKfotDJ0SihB+f5i4PxZ6lq1kxtH4QMprGI7Hj8HimEwXsW0Gbj/1B7YM4DQt4t5JFD4gKwFVOwlJDyusaJj92ar0QLSreCWyJTKUadqZplMFyB/bAdK42QdH+ZS8Z9KHUNchbRpNhnvOFIahoDG8dZ+nbCIXblJONCaey4/ri3H+GQbk/jfre1VByh7zVIN0ISew5PzZRCTkbO1CvcQZhrRGoUGiPmLywKVbHEMsvimVuZY5py6OfL+70QmElBmN9O45bTgX9XPbfSmyQIcGrElO1foi0WwZLPsb/fZcAIgrhC768jOnzeimChoX4zc0DPxuyV1YPvsD1yAlsnsFuJW6CP7TGkszbJU+rwDpg0TgqKtvFr1Lgkxyfcxg0h++1BSiEgoJU7b2IgIWP7reJVjc1tbAsoR1tOBCSAAhvqWZVpn2oht5rfe9aN370bV3Jcu17hFWyhB+VhzbCCPRcofPXX3f2U2dcQ0X7bU4nMiq1v6NQP6u/D5GAPj4Jc0519tPW4KQrd9SNqR20ct6OvqxjMFWV4GZXVcsL4+3xup87Yib6EDb0+hhe6XEpC6isYgD3D5OTTOWphHlsglGkGFi9lUc+h8zNPM4FHwha6uVTLmaqaLGbLziwT9WXF1ATacwtNW0t3kZlFUBvMwSwWzoPqO1+jxs+id4ie/VI6ZTOeowi4ceK2eWJ1/t9MB/gjvadpgE+FYt5QG6dFav4ujQN5Ne/yY78PGF5tp0CT4koox0rMUuxyD1xOIXkm0NBpJm1y9/J06yqLpMKqS40/jGcSQaycRngXDb+6H9rj7mheiO4qxcFGqViqECCUjDG3PnLP/fy9py5kFq7mf0pq7L0Jq/lLWC+iKJF9UaZmCaz8DwlQ9zC03XOFqABPNe8gMFlb8zU09VKBbY+g5gukOonjcBeoFOTRqQxuaWwwwB2lj8XnZScOyIcVJGkH"}
`@@ -1,2 +1,2 @@`
	`distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip`	`distributionType=only-script`
	`wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar`	`distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip`
`@@ -1 +1 @@`
	{"Value":"AAAAAQIOTEuNxtf2ZfGu6k9+65GFonDBiaetJnyLYFk1qfWPrE/VqUunbxuTv/QyK4pgC/q14sqypdxPe4Ygp/5mxzzuY6JXB0VKiDMXe9R5BltTG7++rLmKH/j+G7nEh71LER1/qVktU6x8dmDmTbpTgl5xzAB5DIXLMMKjjWda/7qJ3ivNI0pEOQ3JyT27SkqjqM49Dp1JIgKnjIEVQORqKcsSP+aqIncMjIo2iGXOGlDYAesp5tZ4hln3VCwXaIlrU8z6Mmntgcg7NeK/O2WTl86K644dbJUh6frGFDujrjOh/Pgp9n9u0BI3E9K9GD1Z1S1wEb1MCqzT/e9oHG7I7D8ku8PH11wGWGH6BmYlESYUG/KRVqu0XOQEfroLHZQiLE00yHBdStW/UJ9y5pmGpu1aiQ88Q8fpjF5xmRey99b4c6KUIpHjw5Af0XA9ZKsEJUyjS/dbMKPM6PBOW21LYefXH5b0poXMWgLW6LJV0zLuVMyVZJqANbzCVtheDPSsEjkHHwR/CLa2zs2Z6wJF3j1GDZxUFf4nbnuXQzz3M3kVPPtS6htlb0d8RN0/dkOrqUue+c4UjnXhiacXyVUnQQzUVu0sGak4vrQi0020aBzMXM2ZG7rNgvw+wcYFS4txO90kwJL6aOMXT2BeJiQ3wjjHb7M74/sSd0ffRTUlJSODSDotO7Q7Dfcnc1FLrIhXPRFPavTjFoL5HRy77xuGG7U7jTMoGra+rK54v0sxqKbS5WZi1hADQmAVIO8bPb+jA1qoejRFygW6sLgAdmEFQQJOhCV/BoKP3A=="}	{"Value":"AAAAAQJ7mykBIbHX5k81qdXEpvlLgRF1ZSlODETcB1JBZ7nj0Muskpvvl3jofN5XH1Td8ibJlrR0o5o/OUjZAz9t0Da+ZzCy4ga9G2SmgWkUAravTqfPO/ZxWh2hqTso2WPBXRM3/IeR0SAv/zh7m7JILxjKybJmnl9U6fkjPID/us0AscckZ9kgJ4g8jwaTzPfRp5U8jMebHYbABXZ65PeUOvNiDVcOvQDWPJrMxICz12xbeJ8mKs5MHpcNkLtPoRCQSpsh0YYTwkuF7NvpIciqIJ4/Yb7wYO+vp9AATbiIs3sSFBWxXEl0OAg/SAmOvaR27Y7/NHN//mg81jkMOHv62/Fxf11I8t1d63oyWFQhP0xR9eoq5hGNQ/30I2m1prhZtLRC2ieKASBDMxTzyNS5G5bsVXvhCsxn8tiC0Ma+ySOfxMQzBRfbx8rtoGmLFP+l/d6VMOPGFxmYqzLS5HvvpCryscCqLn7A8i6TMSrZiF7ZevyfEBpThqhJiYHzUxf07O5IAe6JBSGuNV9gLE+uJXaiYLedJwSfjRKwdQyzer730dU1IegW3KYTb/5hSW4eaETKkjc/alC536WlvAv+5FyckDBc3aVC+hHB7lKZG5YANkOUS3m5I8epemOmuKQ5pnXLOdDkQ14DyNCC79NwLltkp0d6sTNstQ44XAbs0HlLjs4EFwg5Hps9qHeXgTOXeAvwUerJgM20nKszlB+Oy+JzZm0xOK5xoJwy+z0/U3PtJ+7pwAipesIa2QEzqMt3EneuPuwEcv3bPUcowukq542sCEK0CuZjLqTUU9nNqiZan5f5pWuL0hYw4NFIkNfQyRlqgKpMaplDk/2fBqaV98yn0DWceEMWRY4NXpEMS+ysPDIeamX99auWqakb95AZ7tySpkRAkZYtq1nY5Nu0w7NyJrJZ1lhBHs2ZjW0tpXn2CL0MhMVArg=="}
		`@@ -0,0 +1 @@`
							{"Value":"AAAAAQIwsBgPcs7Hxl7UnB8OkTq9+5HERx4Fzn8jAzR8uIhoQZfpNG/15m2LEEsDJw1o+lxc6u+h7XcOB1QRqrKz8k7CFR15A+qsxD0UclHZdnk+MmMwXL9SSvYugp7XPiXmpG/uTZVf1QtigXQuehEEJeFfJVI7aFACu2AHEGVt+5b6yDQEgTUruo0seazRXuVU+J6NFCDU3ZvkR8e0al6OcMail59KamzjSCYiqDF4TeUuOQ6Zyr7zIG7gSaas1sog2JIlvrh+wkHW6I+OyD9SJSTinGEGRXl0tq15qoBJ4srfXdWODmKtExEupArbiDR5PyvSI3KlIHKIFduslJZKkJwiV3dBscdva4Rqb98FffMVYuM4G4s+VpvDDX+WVsqWF1ssoHRAFWCNAJGsenVDTxblzAF/4rGkJ7LC9yjLGsBtMOCkCZAKDQ3C9VFu+LGhbMRA5p2RKxNKWGem4Cyp5AqMmx62UzDAgMLGgm89A0g9s1/3FnCoLPdVmlWc6cg4QahN30qJCInJeAmH7T9NwIjv6/QxyJxyDVtdMtcfnMNxx15Q29lbyWTcbaI1iabHpc16iS/gwAPQeBTSbcvc4OxqwC5PDFThFq6bwZXaekYz4ghC13j9Ht79GVKH9cPZb5M="}
		`@@ -0,0 +1 @@`
							{"Value":"AAAAAQKfotDJ0SihB+f5i4PxZ6lq1kxtH4QMprGI7Hj8HimEwXsW0Gbj/1B7YM4DQt4t5JFD4gKwFVOwlJDyusaJj92ar0QLSreCWyJTKUadqZplMFyB/bAdK42QdH+ZS8Z9KHUNchbRpNhnvOFIahoDG8dZ+nbCIXblJONCaey4/ri3H+GQbk/jfre1VByh7zVIN0ISew5PzZRCTkbO1CvcQZhrRGoUGiPmLywKVbHEMsvimVuZY5py6OfL+70QmElBmN9O45bTgX9XPbfSmyQIcGrElO1foi0WwZLPsb/fZcAIgrhC768jOnzeimChoX4zc0DPxuyV1YPvsD1yAlsnsFuJW6CP7TGkszbJU+rwDpg0TgqKtvFr1Lgkxyfcxg0h++1BSiEgoJU7b2IgIWP7reJVjc1tbAsoR1tOBCSAAhvqWZVpn2oht5rfe9aN370bV3Jcu17hFWyhB+VhzbCCPRcofPXX3f2U2dcQ0X7bU4nMiq1v6NQP6u/D5GAPj4Jc0519tPW4KQrd9SNqR20ct6OvqxjMFWV4GZXVcsL4+3xup87Yib6EDb0+hhe6XEpC6isYgD3D5OTTOWphHlsglGkGFi9lUc+h8zNPM4FHwha6uVTLmaqaLGbLziwT9WXF1ATacwtNW0t3kZlFUBvMwSwWzoPqO1+jxs+id4ie/VI6ZTOeowi4ceK2eWJ1/t9MB/gjvadpgE+FYt5QG6dFav4ujQN5Ne/yY78PGF5tp0CT4koox0rMUuxyD1xOIXkm0NBpJm1y9/J06yqLpMKqS40/jGcSQaycRngXDb+6H9rj7mheiO4qxcFGqViqECCUjDG3PnLP/fy9py5kFq7mf0pq7L0Jq/lLWC+iKJF9UaZmCaz8DwlQ9zC03XOFqABPNe8gMFlb8zU09VKBbY+g5gukOonjcBeoFOTRqQxuaWwwwB2lj8XnZScOyIcVJGkH"}