prepare for next development iteration

In various methods we use user-provided values like role names or lease
ids as parts of the API request path.

Apply URL encoding to these paths that are not expected to contain any
path separators or query args.

.github/workflows/ci-it.yml

@@ -15,18 +15,18 @@ jobs:
     strategy:
       matrix:
         jdk: [ 11, 17, 21 ]
-        vault: [ '1.2.0', '1.20.0' ]
+        vault: [ '1.2.0', '1.20.3' ]
         include:
           - jdk: 21
-            vault: '1.20.0'
+            vault: '1.20.3'
             analysis: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: ${{ matrix.jdk }}
           distribution: 'temurin'

.github/workflows/ci.yml

@@ -21,11 +21,11 @@ jobs:
             analysis: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: ${{ matrix.jdk }}
           distribution: 'temurin'

.mvn/wrapper/maven-wrapper.properties

@@ -1,2 +1,2 @@
+distributionType=only-script
 distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar

CHANGELOG.md

@@ -1,3 +1,17 @@
+## 1.5.3 (2025-09-09)
+
+### Dependencies
+* Updated Jackson to 2.20.0 (#106)
+
+### Improvements
+* Extract API paths into a utility class (#108)
+* Encode user-provided URL parts (#109)
+* Add `token_bound_cidrs` field to `AppRoleSecret` model (#110)
+
+### Fix
+* Prevent potential off-by-1 error in internal `mapOf()` helper (#107)
+
+
 ## 1.5.2 (2025-07-16)
 
 ### Dependencies

README.md

@@ -40,7 +40,7 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
 <dependency>
     <groupId>de.stklcode.jvault</groupId>
     <artifactId>jvault-connector</artifactId>
-    <version>1.5.2</version>
+    <version>1.5.3</version>
 </dependency>
 ```
 

mvnw

@@ -19,314 +19,277 @@
 # ----------------------------------------------------------------------------
 
 # ----------------------------------------------------------------------------
-# Apache Maven Wrapper startup batch script, version 3.3.2
+# Apache Maven Wrapper startup batch script, version 3.3.3
-#
-# Required ENV vars:
-# ------------------
-#   JAVA_HOME - location of a JDK home dir
 #
 # Optional ENV vars
 # -----------------
-#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#   JAVA_HOME - location of a JDK home dir, required when download maven via java source
-#     e.g. to debug Maven itself, use
+#   MVNW_REPOURL - repo url base for downloading maven distribution
-#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
-#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+#   MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output
 # ----------------------------------------------------------------------------
 
-if [ -z "$MAVEN_SKIP_RC" ]; then
+set -euf
+[ "${MVNW_VERBOSE-}" != debug ] || set -x
 
-  if [ -f /usr/local/etc/mavenrc ]; then
+# OS specific support.
-    . /usr/local/etc/mavenrc
+native_path() { printf %s\\n "$1"; }
-  fi
-
-  if [ -f /etc/mavenrc ]; then
-    . /etc/mavenrc
-  fi
-
-  if [ -f "$HOME/.mavenrc" ]; then
-    . "$HOME/.mavenrc"
-  fi
-
-fi
-
-# OS specific support.  $var _must_ be set to either true or false.
-cygwin=false
-darwin=false
-mingw=false
 case "$(uname)" in
-CYGWIN*) cygwin=true ;;
+CYGWIN* | MINGW*)
-MINGW*) mingw=true ;;
+  [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")"
-Darwin*)
+  native_path() { cygpath --path --windows "$1"; }
-  darwin=true
-  # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
-  # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
-  if [ -z "$JAVA_HOME" ]; then
-    if [ -x "/usr/libexec/java_home" ]; then
-      JAVA_HOME="$(/usr/libexec/java_home)"
-      export JAVA_HOME
-    else
-      JAVA_HOME="/Library/Java/Home"
-      export JAVA_HOME
-    fi
-  fi
   ;;
 esac
 
-if [ -z "$JAVA_HOME" ]; then
+# set JAVACMD and JAVACCMD
-  if [ -r /etc/gentoo-release ]; then
+set_java_home() {
-    JAVA_HOME=$(java-config --jre-home)
+  # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched
-  fi
+  if [ -n "${JAVA_HOME-}" ]; then
-fi
-
-# For Cygwin, ensure paths are in UNIX format before anything is touched
-if $cygwin; then
-  [ -n "$JAVA_HOME" ] \
-    && JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
-  [ -n "$CLASSPATH" ] \
-    && CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
-fi
-
-# For Mingw, ensure paths are in UNIX format before anything is touched
-if $mingw; then
-  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] \
-    && JAVA_HOME="$(
-      cd "$JAVA_HOME" || (
-        echo "cannot cd into $JAVA_HOME." >&2
-        exit 1
-      )
-      pwd
-    )"
-fi
-
-if [ -z "$JAVA_HOME" ]; then
-  javaExecutable="$(which javac)"
-  if [ -n "$javaExecutable" ] && ! [ "$(expr "$javaExecutable" : '\([^ ]*\)')" = "no" ]; then
-    # readlink(1) is not available as standard on Solaris 10.
-    readLink=$(which readlink)
-    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
-      if $darwin; then
-        javaHome="$(dirname "$javaExecutable")"
-        javaExecutable="$(cd "$javaHome" && pwd -P)/javac"
-      else
-        javaExecutable="$(readlink -f "$javaExecutable")"
-      fi
-      javaHome="$(dirname "$javaExecutable")"
-      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
-      JAVA_HOME="$javaHome"
-      export JAVA_HOME
-    fi
-  fi
-fi
-
-if [ -z "$JAVACMD" ]; then
-  if [ -n "$JAVA_HOME" ]; then
     if [ -x "$JAVA_HOME/jre/sh/java" ]; then
       # IBM's JDK on AIX uses strange locations for the executables
       JAVACMD="$JAVA_HOME/jre/sh/java"
+      JAVACCMD="$JAVA_HOME/jre/sh/javac"
     else
       JAVACMD="$JAVA_HOME/bin/java"
+      JAVACCMD="$JAVA_HOME/bin/javac"
+
+      if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then
+        echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2
+        echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2
+        return 1
+      fi
     fi
   else
     JAVACMD="$(
-      \unset -f command 2>/dev/null
+      'set' +e
-      \command -v java
+      'unset' -f command 2>/dev/null
-    )"
+      'command' -v java
-  fi
+    )" || :
-fi
+    JAVACCMD="$(
+      'set' +e
+      'unset' -f command 2>/dev/null
+      'command' -v javac
+    )" || :
 
-if [ ! -x "$JAVACMD" ]; then
+    if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then
-  echo "Error: JAVA_HOME is not defined correctly." >&2
+      echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2
-  echo "  We cannot execute $JAVACMD" >&2
+      return 1
-  exit 1
-fi
-
-if [ -z "$JAVA_HOME" ]; then
-  echo "Warning: JAVA_HOME environment variable is not set." >&2
-fi
-
-# traverses directory structure from process work directory to filesystem root
-# first directory with .mvn subdirectory is considered project base directory
-find_maven_basedir() {
-  if [ -z "$1" ]; then
-    echo "Path not specified to find_maven_basedir" >&2
-    return 1
-  fi
-
-  basedir="$1"
-  wdir="$1"
-  while [ "$wdir" != '/' ]; do
-    if [ -d "$wdir"/.mvn ]; then
-      basedir=$wdir
-      break
     fi
-    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+  fi
-    if [ -d "${wdir}" ]; then
+}
-      wdir=$(
+
-        cd "$wdir/.." || exit 1
+# hash string like Java String::hashCode
-        pwd
+hash_string() {
-      )
+  str="${1:-}" h=0
-    fi
+  while [ -n "$str" ]; do
-    # end of workaround
+    char="${str%"${str#?}"}"
+    h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296))
+    str="${str#?}"
   done
-  printf '%s' "$(
+  printf %x\\n $h
-    cd "$basedir" || exit 1
-    pwd
-  )"
 }
 
-# concatenates all lines of a file
+verbose() { :; }
-concat_lines() {
+[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; }
-  if [ -f "$1" ]; then
-    # Remove \r in case we run on Windows within Git Bash
-    # and check out the repository with auto CRLF management
-    # enabled. Otherwise, we may read lines that are delimited with
-    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
-    # splitting rules.
-    tr -s '\r\n' ' ' <"$1"
-  fi
-}
 
-log() {
+die() {
-  if [ "$MVNW_VERBOSE" = true ]; then
+  printf %s\\n "$1" >&2
-    printf '%s\n' "$1"
-  fi
-}
-
-BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
-if [ -z "$BASE_DIR" ]; then
   exit 1
-fi
+}
 
-MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+trim() {
-export MAVEN_PROJECTBASEDIR
+  # MWRAPPER-139:
-log "$MAVEN_PROJECTBASEDIR"
+  #   Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds.
+  #   Needed for removing poorly interpreted newline sequences when running in more
+  #   exotic environments such as mingw bash on Windows.
+  printf "%s" "${1}" | tr -d '[:space:]'
+}
 
-##########################################################################################
+scriptDir="$(dirname "$0")"
-# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+scriptName="$(basename "$0")"
-# This allows using the maven wrapper in projects that prohibit checking in binary data.
-##########################################################################################
-wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
-if [ -r "$wrapperJarPath" ]; then
-  log "Found $wrapperJarPath"
-else
-  log "Couldn't find $wrapperJarPath, downloading it ..."
 
-  if [ -n "$MVNW_REPOURL" ]; then
+# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties
-    wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
-  else
-    wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
-  fi
-  while IFS="=" read -r key value; do
-    # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
-    safeValue=$(echo "$value" | tr -d '\r')
-    case "$key" in wrapperUrl)
-      wrapperUrl="$safeValue"
-      break
-      ;;
-    esac
-  done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
-  log "Downloading from: $wrapperUrl"
-
-  if $cygwin; then
-    wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
-  fi
-
-  if command -v wget >/dev/null; then
-    log "Found wget ... using wget"
-    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
-    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-      wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
-    else
-      wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
-    fi
-  elif command -v curl >/dev/null; then
-    log "Found curl ... using curl"
-    [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
-    if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-      curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
-    else
-      curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
-    fi
-  else
-    log "Falling back to using Java to download"
-    javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
-    javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
-    # For Cygwin, switch paths to Windows format before running javac
-    if $cygwin; then
-      javaSource=$(cygpath --path --windows "$javaSource")
-      javaClass=$(cygpath --path --windows "$javaClass")
-    fi
-    if [ -e "$javaSource" ]; then
-      if [ ! -e "$javaClass" ]; then
-        log " - Compiling MavenWrapperDownloader.java ..."
-        ("$JAVA_HOME/bin/javac" "$javaSource")
-      fi
-      if [ -e "$javaClass" ]; then
-        log " - Running MavenWrapperDownloader.java ..."
-        ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
-      fi
-    fi
-  fi
-fi
-##########################################################################################
-# End of extension
-##########################################################################################
-
-# If specified, validate the SHA-256 sum of the Maven wrapper jar file
-wrapperSha256Sum=""
 while IFS="=" read -r key value; do
-  case "$key" in wrapperSha256Sum)
+  case "${key-}" in
-    wrapperSha256Sum=$value
+  distributionUrl) distributionUrl=$(trim "${value-}") ;;
-    break
+  distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;;
+  esac
+done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties"
+[ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
+
+case "${distributionUrl##*/}" in
+maven-mvnd-*bin.*)
+  MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/
+  case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in
+  *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;;
+  :Darwin*x86_64) distributionPlatform=darwin-amd64 ;;
+  :Darwin*arm64) distributionPlatform=darwin-aarch64 ;;
+  :Linux*x86_64*) distributionPlatform=linux-amd64 ;;
+  *)
+    echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2
+    distributionPlatform=linux-amd64
     ;;
   esac
-done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+  distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip"
-if [ -n "$wrapperSha256Sum" ]; then
+  ;;
-  wrapperSha256Result=false
+maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;;
-  if command -v sha256sum >/dev/null; then
+*) MVN_CMD="mvn${scriptName#mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;;
-    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then
+esac
-      wrapperSha256Result=true
+
+# apply MVNW_REPOURL and calculate MAVEN_HOME
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
+[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}"
+distributionUrlName="${distributionUrl##*/}"
+distributionUrlNameMain="${distributionUrlName%.*}"
+distributionUrlNameMain="${distributionUrlNameMain%-bin}"
+MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}"
+MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")"
+
+exec_maven() {
+  unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || :
+  exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD"
+}
+
+if [ -d "$MAVEN_HOME" ]; then
+  verbose "found existing MAVEN_HOME at $MAVEN_HOME"
+  exec_maven "$@"
+fi
+
+case "${distributionUrl-}" in
+*?-bin.zip | *?maven-mvnd-?*-?*.zip) ;;
+*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;;
+esac
+
+# prepare tmp dir
+if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then
+  clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; }
+  trap clean HUP INT TERM EXIT
+else
+  die "cannot create temp dir"
+fi
+
+mkdir -p -- "${MAVEN_HOME%/*}"
+
+# Download and Install Apache Maven
+verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+verbose "Downloading from: $distributionUrl"
+verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
+# select .zip or .tar.gz
+if ! command -v unzip >/dev/null; then
+  distributionUrl="${distributionUrl%.zip}.tar.gz"
+  distributionUrlName="${distributionUrl##*/}"
+fi
+
+# verbose opt
+__MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR=''
+[ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v
+
+# normalize http auth
+case "${MVNW_PASSWORD:+has-password}" in
+'') MVNW_USERNAME='' MVNW_PASSWORD='' ;;
+has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;;
+esac
+
+if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then
+  verbose "Found wget ... using wget"
+  wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl"
+elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then
+  verbose "Found curl ... using curl"
+  curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl"
+elif set_java_home; then
+  verbose "Falling back to use Java to download"
+  javaSource="$TMP_DOWNLOAD_DIR/Downloader.java"
+  targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName"
+  cat >"$javaSource" <<-END
+	public class Downloader extends java.net.Authenticator
+	{
+	  protected java.net.PasswordAuthentication getPasswordAuthentication()
+	  {
+	    return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() );
+	  }
+	  public static void main( String[] args ) throws Exception
+	  {
+	    setDefault( new Downloader() );
+	    java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() );
+	  }
+	}
+	END
+  # For Cygwin/MinGW, switch paths to Windows format before running javac and java
+  verbose " - Compiling Downloader.java ..."
+  "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java"
+  verbose " - Running Downloader.java ..."
+  "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")"
+fi
+
+# If specified, validate the SHA-256 sum of the Maven distribution zip file
+if [ -n "${distributionSha256Sum-}" ]; then
+  distributionSha256Result=false
+  if [ "$MVN_CMD" = mvnd.sh ]; then
+    echo "Checksum validation is not supported for maven-mvnd." >&2
+    echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  elif command -v sha256sum >/dev/null; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then
+      distributionSha256Result=true
     fi
   elif command -v shasum >/dev/null; then
-    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c >/dev/null 2>&1; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then
-      wrapperSha256Result=true
+      distributionSha256Result=true
     fi
   else
     echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2
-    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties." >&2
+    echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
     exit 1
   fi
-  if [ $wrapperSha256Result = false ]; then
+  if [ $distributionSha256Result = false ]; then
-    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2
-    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2
-    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
     exit 1
   fi
 fi
 
-MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+# unzip and move
-
+if command -v unzip >/dev/null; then
-# For Cygwin, switch paths to Windows format before running java
+  unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip"
-if $cygwin; then
+else
-  [ -n "$JAVA_HOME" ] \
+  tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar"
-    && JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
-  [ -n "$CLASSPATH" ] \
-    && CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
-  [ -n "$MAVEN_PROJECTBASEDIR" ] \
-    && MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
 fi
 
-# Provide a "standardized" way to retrieve the CLI args that will
+# Find the actual extracted directory name (handles snapshots where filename != directory name)
-# work with both Windows and non-Windows executions.
+actualDistributionDir=""
-MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
-export MAVEN_CMD_LINE_ARGS
 
-WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+# First try the expected directory name (for regular distributions)
+if [ -d "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" ]; then
+  if [ -f "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/bin/$MVN_CMD" ]; then
+    actualDistributionDir="$distributionUrlNameMain"
+  fi
+fi
 
-# shellcheck disable=SC2086 # safe args
+# If not found, search for any directory with the Maven executable (for snapshots)
-exec "$JAVACMD" \
+if [ -z "$actualDistributionDir" ]; then
-  $MAVEN_OPTS \
+  # enable globbing to iterate over items
-  $MAVEN_DEBUG_OPTS \
+  set +f
-  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  for dir in "$TMP_DOWNLOAD_DIR"/*; do
-  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+    if [ -d "$dir" ]; then
-  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
+      if [ -f "$dir/bin/$MVN_CMD" ]; then
+        actualDistributionDir="$(basename "$dir")"
+        break
+      fi
+    fi
+  done
+  set -f
+fi
+
+if [ -z "$actualDistributionDir" ]; then
+  verbose "Contents of $TMP_DOWNLOAD_DIR:"
+  verbose "$(ls -la "$TMP_DOWNLOAD_DIR")"
+  die "Could not find Maven distribution directory in extracted archive"
+fi
+
+verbose "Found extracted Maven distribution directory: $actualDistributionDir"
+printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$actualDistributionDir/mvnw.url"
+mv -- "$TMP_DOWNLOAD_DIR/$actualDistributionDir" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME"
+
+clean || :
+exec_maven "$@"

mvnw.cmd

@@ -1,3 +1,4 @@
+<# : batch portion
 @REM ----------------------------------------------------------------------------
 @REM Licensed to the Apache Software Foundation (ASF) under one
 @REM or more contributor license agreements.  See the NOTICE file
@@ -18,189 +19,171 @@
 @REM ----------------------------------------------------------------------------
 
 @REM ----------------------------------------------------------------------------
-@REM Apache Maven Wrapper startup batch script, version 3.3.2
+@REM Apache Maven Wrapper startup batch script, version 3.3.3
-@REM
-@REM Required ENV vars:
-@REM JAVA_HOME - location of a JDK home dir
 @REM
 @REM Optional ENV vars
-@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM   MVNW_REPOURL - repo url base for downloading maven distribution
-@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
-@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM   MVNW_VERBOSE - true: enable verbose log; others: silence the output
-@REM     e.g. to debug Maven itself, use
-@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
-@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
 @REM ----------------------------------------------------------------------------
 
-@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0)
-@echo off
+@SET __MVNW_CMD__=
-@REM set title of command window
+@SET __MVNW_ERROR__=
-title %0
+@SET __MVNW_PSMODULEP_SAVE=%PSModulePath%
-@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@SET PSModulePath=
-@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @(
-
+  IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B)
-@REM set %HOME% to equivalent of $HOME
-if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
-
-@REM Execute a user defined script before this one
-if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
-@REM check for pre script, once with legacy .bat ending and once with .cmd ending
-if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
-if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
-:skipRcPre
-
-@setlocal
-
-set ERROR_CODE=0
-
-@REM To isolate internal variables from possible post scripts, we use another setlocal
-@setlocal
-
-@REM ==== START VALIDATION ====
-if not "%JAVA_HOME%" == "" goto OkJHome
-
-echo. >&2
-echo Error: JAVA_HOME not found in your environment. >&2
-echo Please set the JAVA_HOME variable in your environment to match the >&2
-echo location of your Java installation. >&2
-echo. >&2
-goto error
-
-:OkJHome
-if exist "%JAVA_HOME%\bin\java.exe" goto init
-
-echo. >&2
-echo Error: JAVA_HOME is set to an invalid directory. >&2
-echo JAVA_HOME = "%JAVA_HOME%" >&2
-echo Please set the JAVA_HOME variable in your environment to match the >&2
-echo location of your Java installation. >&2
-echo. >&2
-goto error
-
-@REM ==== END VALIDATION ====
-
-:init
-
-@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
-@REM Fallback to current working directory if not found.
-
-set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
-IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
-
-set EXEC_DIR=%CD%
-set WDIR=%EXEC_DIR%
-:findBaseDir
-IF EXIST "%WDIR%"\.mvn goto baseDirFound
-cd ..
-IF "%WDIR%"=="%CD%" goto baseDirNotFound
-set WDIR=%CD%
-goto findBaseDir
-
-:baseDirFound
-set MAVEN_PROJECTBASEDIR=%WDIR%
-cd "%EXEC_DIR%"
-goto endDetectBaseDir
-
-:baseDirNotFound
-set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
-cd "%EXEC_DIR%"
-
-:endDetectBaseDir
-
-IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
-
-@setlocal EnableExtensions EnableDelayedExpansion
-for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
-@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
-
-:endReadAdditionalConfig
-
-SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
-set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
-set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
-
-set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
-
-FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
-    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
 )
+@SET PSModulePath=%__MVNW_PSMODULEP_SAVE%
+@SET __MVNW_PSMODULEP_SAVE=
+@SET __MVNW_ARG0_NAME__=
+@SET MVNW_USERNAME=
+@SET MVNW_PASSWORD=
+@IF NOT "%__MVNW_CMD__%"=="" ("%__MVNW_CMD__%" %*)
+@echo Cannot start maven from wrapper >&2 && exit /b 1
+@GOTO :EOF
+: end batch / begin powershell #>
 
-@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+$ErrorActionPreference = "Stop"
-@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if ($env:MVNW_VERBOSE -eq "true") {
-if exist %WRAPPER_JAR% (
+  $VerbosePreference = "Continue"
-    if "%MVNW_VERBOSE%" == "true" (
+}
-        echo Found %WRAPPER_JAR%
-    )
-) else (
-    if not "%MVNW_REPOURL%" == "" (
-        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
-    )
-    if "%MVNW_VERBOSE%" == "true" (
-        echo Couldn't find %WRAPPER_JAR%, downloading it ...
-        echo Downloading from: %WRAPPER_URL%
-    )
 
-    powershell -Command "&{"^
+# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties
-		"$webclient = new-object System.Net.WebClient;"^
+$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl
-		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+if (!$distributionUrl) {
-		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+  Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
-		"}"^
+}
-		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
-		"}"
-    if "%MVNW_VERBOSE%" == "true" (
-        echo Finished downloading %WRAPPER_JAR%
-    )
-)
-@REM End of extension
 
-@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) {
-SET WRAPPER_SHA_256_SUM=""
+  "maven-mvnd-*" {
-FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    $USE_MVND = $true
-    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+    $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip"
-)
+    $MVN_CMD = "mvnd.cmd"
-IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    break
-    powershell -Command "&{"^
+  }
-       "Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash;"^
+  default {
-       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+    $USE_MVND = $false
-       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+    $MVN_CMD = $script -replace '^mvnw','mvn'
-       "  Write-Error 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+    break
-       "  Write-Error 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+  }
-       "  Write-Error 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+}
-       "  exit 1;"^
-       "}"^
-       "}"
-    if ERRORLEVEL 1 goto error
-)
 
-@REM Provide a "standardized" way to retrieve the CLI args that will
+# apply MVNW_REPOURL and calculate MAVEN_HOME
-@REM work with both Windows and non-Windows executions.
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
-set MAVEN_CMD_LINE_ARGS=%*
+if ($env:MVNW_REPOURL) {
+  $MVNW_REPO_PATTERN = if ($USE_MVND -eq $False) { "/org/apache/maven/" } else { "/maven/mvnd/" }
+  $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace "^.*$MVNW_REPO_PATTERN",'')"
+}
+$distributionUrlName = $distributionUrl -replace '^.*/',''
+$distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$',''
 
-%MAVEN_JAVA_EXE% ^
+$MAVEN_M2_PATH = "$HOME/.m2"
-  %JVM_CONFIG_MAVEN_PROPS% ^
+if ($env:MAVEN_USER_HOME) {
-  %MAVEN_OPTS% ^
+  $MAVEN_M2_PATH = "$env:MAVEN_USER_HOME"
-  %MAVEN_DEBUG_OPTS% ^
+}
-  -classpath %WRAPPER_JAR% ^
-  "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
-  %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
-if ERRORLEVEL 1 goto error
-goto end
 
-:error
+if (-not (Test-Path -Path $MAVEN_M2_PATH)) {
-set ERROR_CODE=1
+    New-Item -Path $MAVEN_M2_PATH -ItemType Directory | Out-Null
+}
 
-:end
+$MAVEN_WRAPPER_DISTS = $null
-@endlocal & set ERROR_CODE=%ERROR_CODE%
+if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) {
+  $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists"
+} else {
+  $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists"
+}
 
-if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
+$MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain"
-@REM check for post script, once with legacy .bat ending and once with .cmd ending
+$MAVEN_HOME_NAME = ([System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join ''
-if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
+$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME"
-if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
-:skipRcPost
 
-@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if (Test-Path -Path "$MAVEN_HOME" -PathType Container) {
-if "%MAVEN_BATCH_PAUSE%"=="on" pause
+  Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME"
+  Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"
+  exit $?
+}
 
-if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
+if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) {
+  Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl"
+}
 
-cmd /C exit /B %ERROR_CODE%
+# prepare tmp dir
+$TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile
+$TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir"
+$TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null
+trap {
+  if ($TMP_DOWNLOAD_DIR.Exists) {
+    try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
+    catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
+  }
+}
+
+New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null
+
+# Download and Install Apache Maven
+Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+Write-Verbose "Downloading from: $distributionUrl"
+Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
+$webclient = New-Object System.Net.WebClient
+if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) {
+  $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD)
+}
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null
+
+# If specified, validate the SHA-256 sum of the Maven distribution zip file
+$distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum
+if ($distributionSha256Sum) {
+  if ($USE_MVND) {
+    Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties."
+  }
+  Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash
+  if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) {
+    Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property."
+  }
+}
+
+# unzip and move
+Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null
+
+# Find the actual extracted directory name (handles snapshots where filename != directory name)
+$actualDistributionDir = ""
+
+# First try the expected directory name (for regular distributions)
+$expectedPath = Join-Path "$TMP_DOWNLOAD_DIR" "$distributionUrlNameMain"
+$expectedMvnPath = Join-Path "$expectedPath" "bin/$MVN_CMD"
+if ((Test-Path -Path $expectedPath -PathType Container) -and (Test-Path -Path $expectedMvnPath -PathType Leaf)) {
+  $actualDistributionDir = $distributionUrlNameMain
+}
+
+# If not found, search for any directory with the Maven executable (for snapshots)
+if (!$actualDistributionDir) {
+  Get-ChildItem -Path "$TMP_DOWNLOAD_DIR" -Directory | ForEach-Object {
+    $testPath = Join-Path $_.FullName "bin/$MVN_CMD"
+    if (Test-Path -Path $testPath -PathType Leaf) {
+      $actualDistributionDir = $_.Name
+    }
+  }
+}
+
+if (!$actualDistributionDir) {
+  Write-Error "Could not find Maven distribution directory in extracted archive"
+}
+
+Write-Verbose "Found extracted Maven distribution directory: $actualDistributionDir"
+Rename-Item -Path "$TMP_DOWNLOAD_DIR/$actualDistributionDir" -NewName $MAVEN_HOME_NAME | Out-Null
+try {
+  Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null
+} catch {
+  if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) {
+    Write-Error "fail to move MAVEN_HOME"
+  }
+} finally {
+  try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
+  catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
+}
+
+Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"

pom.xml

@@ -3,7 +3,7 @@
 
     <groupId>de.stklcode.jvault</groupId>
     <artifactId>jvault-connector</artifactId>
-    <version>1.5.2</version>
+    <version>1.5.4-SNAPSHOT</version>
 
     <packaging>jar</packaging>
 
@@ -32,7 +32,7 @@
         <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
         <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
         <url>https://github.com/stklcode/jvaultconnector</url>
-        <tag>v1.5.2</tag>
+        <tag>HEAD</tag>
     </scm>
 
     <issueManagement>
@@ -42,7 +42,6 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.build.outputTimestamp>2025-07-16T16:17:58Z</project.build.outputTimestamp>
         <argLine />
     </properties>
 
@@ -50,24 +49,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.19.1</version>
+            <version>2.20.0</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
             <artifactId>jackson-datatype-jsr310</artifactId>
-            <version>2.19.1</version>
+            <version>2.20.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>5.13.2</version>
+            <version>5.13.3</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>5.18.0</version>
+            <version>5.19.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -85,7 +84,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.19.0</version>
+            <version>2.20.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -179,7 +178,7 @@
                 <plugin>
                     <groupId>org.sonarsource.scanner.maven</groupId>
                     <artifactId>sonar-maven-plugin</artifactId>
-                    <version>5.1.0.4751</version>
+                    <version>5.2.0.4988</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -245,7 +244,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>3.11.2</version>
+                        <version>3.11.3</version>
                         <configuration>
                             <source>11</source>
                         </configuration>

src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java

@@ -31,6 +31,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import static de.stklcode.jvault.connector.internal.RequestHelper.encode;
+import static de.stklcode.jvault.connector.internal.VaultApiPath.*;
 import static java.util.Collections.emptyMap;
 import static java.util.Collections.singletonMap;
 
@@ -41,39 +43,6 @@ import static java.util.Collections.singletonMap;
  * @since 0.1
  */
 public class HTTPVaultConnector implements VaultConnector {
-    private static final String PATH_SYS = "sys";
-    private static final String PATH_SYS_AUTH = PATH_SYS + "/auth";
-    private static final String PATH_RENEW = PATH_SYS + "/leases/renew";
-    private static final String PATH_REVOKE = PATH_SYS + "/leases/revoke/";
-    private static final String PATH_HEALTH = PATH_SYS + "/health";
-    private static final String PATH_SEAL = PATH_SYS + "/seal";
-    private static final String PATH_SEAL_STATUS = PATH_SYS + "/seal-status";
-    private static final String PATH_UNSEAL = PATH_SYS + "/unseal";
-
-
-    private static final String PATH_AUTH = "auth";
-    private static final String PATH_AUTH_TOKEN = PATH_AUTH + "/token";
-    private static final String PATH_LOOKUP = "/lookup";
-    private static final String PATH_LOOKUP_SELF = "/lookup-self";
-    private static final String PATH_CREATE = "/create";
-    private static final String PATH_ROLES = "/roles";
-    private static final String PATH_CREATE_ORPHAN = "/create-orphan";
-    private static final String PATH_AUTH_USERPASS = PATH_AUTH + "/userpass/login/";
-    private static final String PATH_AUTH_APPROLE = PATH_AUTH + "/approle";
-    private static final String PATH_AUTH_APPROLE_ROLE = PATH_AUTH_APPROLE + "/role/%s%s";
-
-    private static final String PATH_DATA = "/data/";
-    private static final String PATH_METADATA = "/metadata/";
-    private static final String PATH_LOGIN = "/login";
-    private static final String PATH_DELETE = "/delete/";
-    private static final String PATH_UNDELETE = "/undelete/";
-    private static final String PATH_DESTROY = "/destroy/";
-
-    private static final String PATH_TRANSIT = "transit";
-    private static final String PATH_TRANSIT_ENCRYPT = PATH_TRANSIT + "/encrypt/";
-    private static final String PATH_TRANSIT_DECRYPT = PATH_TRANSIT + "/decrypt/";
-    private static final String PATH_TRANSIT_HASH = PATH_TRANSIT + "/hash/";
-
     private final RequestHelper request;
 
     private boolean authorized = false;     // Authorization status.
@@ -140,12 +109,12 @@ public class HTTPVaultConnector implements VaultConnector {
 
     @Override
     public final SealResponse sealStatus() throws VaultConnectorException {
-        return request.get(PATH_SEAL_STATUS, emptyMap(), token, SealResponse.class);
+        return request.get(SYS_SEAL_STATUS, emptyMap(), token, SealResponse.class);
     }
 
     @Override
     public final void seal() throws VaultConnectorException {
-        request.put(PATH_SEAL, emptyMap(), token);
+        request.put(SYS_SEAL, emptyMap(), token);
     }
 
     @Override
@@ -155,14 +124,14 @@ public class HTTPVaultConnector implements VaultConnector {
             "reset", reset
         );
 
-        return request.put(PATH_UNSEAL, param, token, SealResponse.class);
+        return request.put(SYS_UNSEAL, param, token, SealResponse.class);
     }
 
     @Override
     public HealthResponse getHealth() throws VaultConnectorException {
 
         return request.get(
-            PATH_HEALTH,
+            SYS_HEALTH,
             // Force status code to be 200, so we don't need to modify the request sequence.
             Map.of(
                 "standbycode", "200",   // Default: 429.
@@ -182,7 +151,7 @@ public class HTTPVaultConnector implements VaultConnector {
     @Override
     public final List<AuthBackend> getAuthBackends() throws VaultConnectorException {
         /* Issue request and parse response */
-        AuthMethodsResponse amr = request.get(PATH_SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);
+        AuthMethodsResponse amr = request.get(SYS_AUTH, emptyMap(), token, AuthMethodsResponse.class);
 
         return amr.getSupportedMethods().values().stream().map(AuthMethod::getType).collect(Collectors.toList());
     }
@@ -192,7 +161,7 @@ public class HTTPVaultConnector implements VaultConnector {
         /* set token */
         this.token = token;
         this.tokenTTL = 0;
-        TokenResponse res = request.get(PATH_AUTH_TOKEN + PATH_LOOKUP_SELF, emptyMap(), token, TokenResponse.class);
+        TokenResponse res = request.get(AUTH_TOKEN + TOKEN_LOOKUP_SELF, emptyMap(), token, TokenResponse.class);
         authorized = true;
 
         return res;
@@ -202,7 +171,7 @@ public class HTTPVaultConnector implements VaultConnector {
     public final AuthResponse authUserPass(final String username, final String password)
         throws VaultConnectorException {
         final Map<String, String> payload = singletonMap("password", password);
-        return queryAuth(PATH_AUTH_USERPASS + username, payload);
+        return queryAuth(AUTH_USERPASS_LOGIN + encode(username), payload);
     }
 
     @Override
@@ -211,7 +180,7 @@ public class HTTPVaultConnector implements VaultConnector {
             "role_id", roleID,
             "secret_id", secretID
         );
-        return queryAuth(PATH_AUTH_APPROLE + PATH_LOGIN, payload);
+        return queryAuth(AUTH_APPROLE + "login", payload);
     }
 
     /**
@@ -239,7 +208,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, role.getName(), ""), role, token);
+        request.postWithoutResponse(AUTH_APPROLE_ROLE + encode(role.getName()), role, token);
 
         /* Set custom ID if provided */
         return !(role.getId() != null && !role.getId().isEmpty()) || setAppRoleID(role.getName(), role.getId());
@@ -250,7 +219,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
         /* Request HTTP response and parse Secret */
         return request.get(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""),
+            AUTH_APPROLE_ROLE + encode(roleName),
             emptyMap(),
             token,
             AppRoleResponse.class
@@ -262,7 +231,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         /* Issue request and expect code 204 with empty response */
-        request.deleteWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""), token);
+        request.deleteWithoutResponse(AUTH_APPROLE_ROLE + encode(roleName), token);
 
         return true;
     }
@@ -272,7 +241,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
         /* Issue request, parse response and extract Role ID */
         return request.get(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/role-id",
             emptyMap(),
             token,
             RawDataResponse.class
@@ -285,7 +254,7 @@ public class HTTPVaultConnector implements VaultConnector {
 
         /* Issue request and expect code 204 with empty response */
         request.postWithoutResponse(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/role-id",
             singletonMap("role_id", roleID),
             token
         );
@@ -300,14 +269,14 @@ public class HTTPVaultConnector implements VaultConnector {
 
         if (secret.getId() != null && !secret.getId().isEmpty()) {
             return request.post(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/custom-secret-id"),
+                AUTH_APPROLE_ROLE + encode(roleName) + "/custom-secret-id",
                 secret,
                 token,
                 AppRoleSecretResponse.class
             );
         } else {
             return request.post(
-                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id"),
+                AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id",
                 secret, token,
                 AppRoleSecretResponse.class
             );
@@ -321,7 +290,7 @@ public class HTTPVaultConnector implements VaultConnector {
 
         /* Issue request and parse secret response */
         return request.post(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/lookup"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id/lookup",
             new AppRoleSecret(secretID),
             token,
             AppRoleSecretResponse.class
@@ -335,7 +304,7 @@ public class HTTPVaultConnector implements VaultConnector {
 
         /* Issue request and expect code 204 with empty response */
         request.postWithoutResponse(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/destroy"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id/destroy",
             new AppRoleSecret(secretID),
             token);
 
@@ -347,7 +316,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         SecretListResponse secrets = request.get(
-            PATH_AUTH_APPROLE + "/role?list=true",
+            AUTH_APPROLE + "role?list=true",
             emptyMap(),
             token,
             SecretListResponse.class
@@ -361,7 +330,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         SecretListResponse secrets = request.get(
-            String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id?list=true"),
+            AUTH_APPROLE_ROLE + encode(roleName) + "/secret-id?list=true",
             emptyMap(),
             token,
             SecretListResponse.class
@@ -384,7 +353,7 @@ public class HTTPVaultConnector implements VaultConnector {
         /* Request HTTP response and parse secret metadata */
         Map<String, String> args = mapOfStrings("version", version);
 
-        return request.get(mount + PATH_DATA + key, args, token, MetaSecretResponse.class);
+        return request.get(mount + SECRET_DATA + key, args, token, MetaSecretResponse.class);
     }
 
     @Override
@@ -393,7 +362,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         /* Request HTTP response and parse secret metadata */
-        return request.get(mount + PATH_METADATA + key, emptyMap(), token, MetadataResponse.class);
+        return request.get(mount + SECRET_METADATA + key, emptyMap(), token, MetadataResponse.class);
     }
 
     @Override
@@ -408,7 +377,7 @@ public class HTTPVaultConnector implements VaultConnector {
             "cas_required", casRequired
         );
 
-        write(mount + PATH_METADATA + key, payload);
+        write(mount + SECRET_METADATA + key, payload);
     }
 
     @Override
@@ -427,7 +396,7 @@ public class HTTPVaultConnector implements VaultConnector {
 
         /* Issue request and parse metadata response */
         return request.post(
-            mount + PATH_DATA + key,
+            mount + SECRET_DATA + key,
             Map.of(
                 "data", data,
                 "options", options
@@ -480,30 +449,30 @@ public class HTTPVaultConnector implements VaultConnector {
 
     @Override
     public final void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException {
-        delete(mount + PATH_DATA + key);
+        delete(mount + SECRET_DATA + key);
     }
 
     @Override
     public final void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException {
-        delete(mount + PATH_METADATA + key);
+        delete(mount + SECRET_METADATA + key);
     }
 
     @Override
     public final void deleteSecretVersions(final String mount, final String key, final int... versions)
         throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_DELETE, key, versions);
+        handleSecretVersions(mount, SECRET_DELETE, key, versions);
     }
 
     @Override
     public final void undeleteSecretVersions(final String mount, final String key, final int... versions)
         throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_UNDELETE, key, versions);
+        handleSecretVersions(mount, SECRET_UNDELETE, key, versions);
     }
 
     @Override
     public final void destroySecretVersions(final String mount, final String key, final int... versions)
         throws VaultConnectorException {
-        handleSecretVersions(mount, PATH_DESTROY, key, versions);
+        handleSecretVersions(mount, SECRET_DESTROY, key, versions);
     }
 
     /**
@@ -534,7 +503,7 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         /* Issue request and expect code 204 with empty response */
-        request.putWithoutResponse(PATH_REVOKE + leaseID, emptyMap(), token);
+        request.putWithoutResponse(SYS_LEASES_REVOKE + encode(leaseID), emptyMap(), token);
     }
 
     @Override
@@ -547,17 +516,17 @@ public class HTTPVaultConnector implements VaultConnector {
         );
 
         /* Issue request and parse secret response */
-        return request.put(PATH_RENEW, payload, token, SecretResponse.class);
+        return request.put(SYS_LEASES_RENEW, payload, token, SecretResponse.class);
     }
 
     @Override
     public final AuthResponse createToken(final Token token) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE);
     }
 
     @Override
     public final AuthResponse createToken(final Token token, final boolean orphan) throws VaultConnectorException {
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE_ORPHAN);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE_ORPHAN);
     }
 
     @Override
@@ -565,7 +534,7 @@ public class HTTPVaultConnector implements VaultConnector {
         if (role == null || role.isEmpty()) {
             throw new InvalidRequestException("No role name specified.");
         }
-        return createTokenInternal(token, PATH_AUTH_TOKEN + PATH_CREATE + "/" + role);
+        return createTokenInternal(token, AUTH_TOKEN + TOKEN_CREATE + "/" + encode(role));
     }
 
     @Override
@@ -600,7 +569,7 @@ public class HTTPVaultConnector implements VaultConnector {
 
         /* Request HTTP response and parse Secret */
         return request.get(
-            PATH_AUTH_TOKEN + PATH_LOOKUP,
+            AUTH_TOKEN + TOKEN_LOOKUP,
             singletonMap("token", token),
             token,
             TokenResponse.class
@@ -618,7 +587,7 @@ public class HTTPVaultConnector implements VaultConnector {
         }
 
         // Issue request and expect code 204 with empty response.
-        request.postWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, role, token);
+        request.postWithoutResponse(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), role, token);
 
         return true;
     }
@@ -628,14 +597,14 @@ public class HTTPVaultConnector implements VaultConnector {
         requireAuth();
 
         // Request HTTP response and parse response.
-        return request.get(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, emptyMap(), token, TokenRoleResponse.class);
+        return request.get(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), emptyMap(), token, TokenRoleResponse.class);
     }
 
     @Override
     public List<String> listTokenRoles() throws VaultConnectorException {
         requireAuth();
 
-        return list(PATH_AUTH_TOKEN + PATH_ROLES);
+        return list(AUTH_TOKEN + TOKEN_ROLES);
     }
 
     @Override
@@ -647,7 +616,7 @@ public class HTTPVaultConnector implements VaultConnector {
         }
 
         // Issue request and expect code 204 with empty response.
-        request.deleteWithoutResponse(PATH_AUTH_TOKEN + PATH_ROLES + "/" + name, token);
+        request.deleteWithoutResponse(AUTH_TOKEN + TOKEN_ROLES + "/" + encode(name), token);
 
         return true;
     }
@@ -661,7 +630,7 @@ public class HTTPVaultConnector implements VaultConnector {
             "plaintext", plaintext
         );
 
-        return request.post(PATH_TRANSIT_ENCRYPT + keyName, payload, token, TransitResponse.class);
+        return request.post(TRANSIT_ENCRYPT + encode(keyName), payload, token, TransitResponse.class);
     }
 
     @Override
@@ -673,7 +642,7 @@ public class HTTPVaultConnector implements VaultConnector {
             "ciphertext", ciphertext
         );
 
-        return request.post(PATH_TRANSIT_DECRYPT + keyName, payload, token, TransitResponse.class);
+        return request.post(TRANSIT_DECRYPT + encode(keyName), payload, token, TransitResponse.class);
     }
 
     @Override
@@ -690,7 +659,7 @@ public class HTTPVaultConnector implements VaultConnector {
             "format", format
         );
 
-        return request.post(PATH_TRANSIT_HASH + algorithm, payload, token, TransitResponse.class);
+        return request.post(TRANSIT_HASH + encode(algorithm), payload, token, TransitResponse.class);
     }
 
     /**
@@ -732,7 +701,7 @@ public class HTTPVaultConnector implements VaultConnector {
      */
     private static Map<String, Object> mapOf(Object... keyValues) {
         Map<String, Object> map = new HashMap<>(keyValues.length / 2, 1);
-        for (int i = 0; i < keyValues.length; i = i + 2) {
+        for (int i = 0; i < keyValues.length - 1; i = i + 2) {
             Object key = keyValues[i];
             Object val = keyValues[i + 1];
             if (key instanceof String && val != null) {

src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java

@@ -25,6 +25,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.Map;
+import java.util.Objects;
 import java.util.concurrent.CompletionException;
 import java.util.stream.Collectors;
 
@@ -263,9 +264,9 @@ public final class RequestHelper implements Serializable {
 
         if (!payload.isEmpty()) {
             uriBuilder.append("?").append(
-                payload.entrySet().stream().map(par ->
+                payload.entrySet().stream()
-                    URLEncoder.encode(par.getKey(), UTF_8) + "=" + URLEncoder.encode(par.getValue(), UTF_8)
+                    .map(par -> encode(par.getKey()) + "=" + encode(par.getValue()))
-                ).collect(Collectors.joining("&"))
+                    .collect(Collectors.joining("&"))
             );
         }
 
@@ -307,6 +308,17 @@ public final class RequestHelper implements Serializable {
         }
     }
 
+    /**
+     * Encode URL part.
+     *
+     * @param part Path part to URL-encode and insert into the template
+     * @return Encoded URL part
+     * @since 1.5.3
+     */
+    public static String encode(final String part) {
+        return URLEncoder.encode(Objects.requireNonNullElse(part, ""), UTF_8);
+    }
+
     /**
      * Execute prepared HTTP request and return result.
      *

src/main/java/de/stklcode/jvault/connector/internal/VaultApiPath.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2016-2025 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.internal;
+
+/**
+ * Vault API path constants.
+ *
+ * @author Stefan Kalscheuer
+ * @since 1.5.3
+ */
+public final class VaultApiPath {
+    // Base paths
+    private static final String SYS = "sys";
+    private static final String AUTH = "auth";
+    private static final String TRANSIT = "transit";
+
+    // System paths
+    public static final String SYS_AUTH = SYS + "/auth";
+    public static final String SYS_LEASES_RENEW = SYS + "/leases/renew";
+    public static final String SYS_LEASES_REVOKE = SYS + "/leases/revoke/";
+    public static final String SYS_HEALTH = SYS + "/health";
+    public static final String SYS_SEAL = SYS + "/seal";
+    public static final String SYS_SEAL_STATUS = SYS + "/seal-status";
+    public static final String SYS_UNSEAL = SYS + "/unseal";
+
+    // Auth paths
+    public static final String AUTH_TOKEN = AUTH + "/token";
+    public static final String AUTH_USERPASS_LOGIN = AUTH + "/userpass/login/";
+    public static final String AUTH_APPROLE = AUTH + "/approle/";
+    public static final String AUTH_APPROLE_ROLE = AUTH_APPROLE + "role/";
+
+    // Token operations
+    public static final String TOKEN_LOOKUP = "/lookup";
+    public static final String TOKEN_LOOKUP_SELF = "/lookup-self";
+    public static final String TOKEN_CREATE = "/create";
+    public static final String TOKEN_CREATE_ORPHAN = "/create-orphan";
+    public static final String TOKEN_ROLES = "/roles";
+
+    // Secret engine paths
+    public static final String SECRET_DATA = "/data/";
+    public static final String SECRET_METADATA = "/metadata/";
+    public static final String SECRET_DELETE = "/delete/";
+    public static final String SECRET_UNDELETE = "/undelete/";
+    public static final String SECRET_DESTROY = "/destroy/";
+
+    // Transit engine paths
+    public static final String TRANSIT_ENCRYPT = TRANSIT + "/encrypt/";
+    public static final String TRANSIT_DECRYPT = TRANSIT + "/decrypt/";
+    public static final String TRANSIT_HASH = TRANSIT + "/hash/";
+
+    /**
+     * Private constructor to prevent instantiation.
+     */
+    private VaultApiPath() {
+        // Utility class
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java

@@ -32,7 +32,7 @@ import java.util.Objects;
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
 public final class AppRoleSecret implements Serializable {
-    private static final long serialVersionUID = -3401074170145792641L;
+    private static final long serialVersionUID = 3079272087137299819L;
 
     @JsonProperty("secret_id")
     @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -47,6 +47,8 @@ public final class AppRoleSecret implements Serializable {
 
     private List<String> cidrList;
 
+    private List<String> tokenBoundCidrs;
+
     @JsonProperty(value = "creation_time", access = JsonProperty.Access.WRITE_ONLY)
     private String creationTime;
 
@@ -137,6 +139,36 @@ public final class AppRoleSecret implements Serializable {
         return String.join(",", cidrList);
     }
 
+    /**
+     * @return list of bound CIDR subnets of associated tokens
+     * @since 1.5.3
+     */
+    public List<String> getTokenBoundCidrs() {
+        return tokenBoundCidrs;
+    }
+
+    /**
+     * @param boundCidrList list of subnets in CIDR notation to bind role to
+     * @since 1.5.3
+     */
+    @JsonSetter("token_bound_cidrs")
+    public void setTokenBoundCidrs(final List<String> boundCidrList) {
+        this.tokenBoundCidrs = boundCidrList;
+    }
+
+    /**
+     * @return list of subnets in CIDR notation as comma-separated {@link String}
+     * @since 1.5.3
+     */
+    @JsonGetter("token_bound_cidrs")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String getTokenBoundCidrsString() {
+        if (tokenBoundCidrs == null || tokenBoundCidrs.isEmpty()) {
+            return "";
+        }
+        return String.join(",", tokenBoundCidrs);
+    }
+
     /**
      * @return Creation time
      */
@@ -184,6 +216,7 @@ public final class AppRoleSecret implements Serializable {
             Objects.equals(accessor, that.accessor) &&
             Objects.equals(metadata, that.metadata) &&
             Objects.equals(cidrList, that.cidrList) &&
+            Objects.equals(tokenBoundCidrs, that.tokenBoundCidrs) &&
             Objects.equals(creationTime, that.creationTime) &&
             Objects.equals(expirationTime, that.expirationTime) &&
             Objects.equals(lastUpdatedTime, that.lastUpdatedTime) &&
@@ -193,7 +226,7 @@ public final class AppRoleSecret implements Serializable {
 
     @Override
     public int hashCode() {
-        return Objects.hash(id, accessor, metadata, cidrList, creationTime, expirationTime, lastUpdatedTime, numUses,
+        return Objects.hash(id, accessor, metadata, cidrList, tokenBoundCidrs, creationTime, expirationTime,
-            ttl);
+            lastUpdatedTime, numUses, ttl);
     }
 }

src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java

@@ -52,7 +52,7 @@ import static org.junit.jupiter.api.Assumptions.assumeTrue;
  * @since 0.1
  */
 class HTTPVaultConnectorIT {
-    private static String VAULT_VERSION = "1.20.0";  // The vault version this test is supposed to run against.
+    private static String VAULT_VERSION = "1.20.3";  // The vault version this test is supposed to run against.
     private static final String KEY1 = "E38bkCm0VhUvpdCKGQpcohhD9XmcHJ/2hreOSY019Lho";
     private static final String KEY2 = "O5OHwDleY3IiPdgw61cgHlhsrEm6tVJkrxhF6QAnILd1";
     private static final String KEY3 = "mw7Bm3nbt/UWa/juDjjL2EPQ04kiJ0saC5JEXwJvXYsB";

src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java

@@ -39,6 +39,7 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
         "number", 1337
     );
     private static final List<String> TEST_CIDR = List.of("203.0.113.0/24", "198.51.100.0/24");
+    private static final List<String> TEST_TOKEN_CIDR = List.of("192.0.2.0/24", "198.51.100.0/24");
 
     AppRoleSecretTest() {
         super(AppRoleSecret.class);
@@ -61,6 +62,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
         assertNull(secret.getMetadata());
         assertNull(secret.getCidrList());
         assertEquals("", secret.getCidrListString());
+        assertNull(secret.getTokenBoundCidrs());
+        assertEquals("", secret.getTokenBoundCidrsString());
         assertNull(secret.getCreationTime());
         assertNull(secret.getExpirationTime());
         assertNull(secret.getLastUpdatedTime());
@@ -74,6 +77,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
         assertNull(secret.getMetadata());
         assertNull(secret.getCidrList());
         assertEquals("", secret.getCidrListString());
+        assertNull(secret.getTokenBoundCidrs());
+        assertEquals("", secret.getTokenBoundCidrsString());
         assertNull(secret.getCreationTime());
         assertNull(secret.getExpirationTime());
         assertNull(secret.getLastUpdatedTime());
@@ -87,6 +92,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
         assertEquals(TEST_META, secret.getMetadata());
         assertEquals(TEST_CIDR, secret.getCidrList());
         assertEquals(String.join(",", TEST_CIDR), secret.getCidrListString());
+        assertNull(secret.getTokenBoundCidrs());
+        assertEquals("", secret.getTokenBoundCidrsString());
         assertNull(secret.getCreationTime());
         assertNull(secret.getExpirationTime());
         assertNull(secret.getLastUpdatedTime());
@@ -108,6 +115,15 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
         secret.setCidrList(null);
         assertNull(secret.getCidrList());
         assertEquals("", secret.getCidrListString());
+
+        assertNull(secret.getTokenBoundCidrs());
+        assertEquals("", secret.getTokenBoundCidrsString());
+        secret.setTokenBoundCidrs(TEST_TOKEN_CIDR);
+        assertEquals(TEST_TOKEN_CIDR, secret.getTokenBoundCidrs());
+        assertEquals(String.join(",", TEST_TOKEN_CIDR), secret.getTokenBoundCidrsString());
+        secret.setTokenBoundCidrs(null);
+        assertNull(secret.getTokenBoundCidrs());
+        assertEquals("", secret.getTokenBoundCidrsString());
     }
 
     /**
@@ -159,7 +175,8 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
 
         // Those fields should be deserialized from JSON though.
         String secretJson4 = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
-            "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
+            "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"cidr_list\":[\"192.0.2.0/24\",\"198.51.100.0/24\"]," +
+            "\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
             "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
             "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
         secret2 = assertDoesNotThrow(() -> objectMapper.readValue(secretJson4, AppRoleSecret.class), "Deserialization failed");
@@ -181,6 +198,7 @@ class AppRoleSecretTest extends AbstractModelTest<AppRoleSecret> {
 
     private static String commaSeparatedToList(String json) {
         return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":[$1]")
+            .replaceAll("\"token_bound_cidrs\":\"([^\"]*)\"", "\"token_bound_cidrs\":[$1]")
             .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
     }
 }