Merge branch 'main' into fix/XsuaaJwtDecoder_validate_uaadomain_befor…

…e_access

.github/ISSUE_TEMPLATE/support.md

@@ -0,0 +1,16 @@
+---
+name: How to get Support
+about: Please use SAP official support channels instead to get help. Use **BC-CP-CF-SEC-LIB** or **Security Client Libraries** components.
+title: ''
+labels: support
+assignees: ''
+
+---
+
+Before opening Support Tickets please check the corresponding [Troubleshooting](/README.md#troubleshooting) section
+of the Security Client Libraries.
+
+If you still do not find the answer please use SAP official support channels to get help. Use **BC-CP-CF-SEC-LIB** or 
+**Security Client Libraries** components. Github.com is not an official support channel.
+
+

README.md

@@ -20,8 +20,9 @@ The libraries focus on streamlining [OAuth 2.0](https://oauth.net) access token
    - [2.3 Testing utilities](#23-testing-utilities)
 3. [Installation](#installation)
 4. [Troubleshooting](#troubleshooting)
-5. [Contributing](#contributing)
-6. [License](#license)
+5. [Common Pitfalls](#common-pitfalls)
+6. [Contributing](#contributing)
+7. [License](#license)
 
 ## Prerequisites
 Before you can use the SAP Cloud Security Services Integration libraries, you must fulfil the following requirements:
@@ -160,6 +161,19 @@ Please refer to each library's Troubleshooting section
 | [java-security](/java-security/README.md#Troubleshooting)     |
 | [token-client](/token-client/README.md#Troubleshooting)       |
 
+## Common Pitfalls
+### java.lang.NoSuchMethodError and java.lang.ClassNotFoundException errors
+Most common reason for these errors are out of sync client library versions. All the modules of the Security Client libraries
+should be always in the same version. 
+This can be verified by executing `mvn dependency:tree` command.
+
+The easiest way to manage the module versions and keep them in sync is to use the [BOM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms)
+
+The usage of the Security Client Libraries BOM is demonstrated also in the [spring-security-hybrid-usage sample](https://github.com/SAP/cloud-security-services-integration-library/blob/main/samples/spring-security-hybrid-usage/pom.xml#L35-L45)
+
+### reference-instance plan not supported
+The `reference-instance` plan is not an original plan of the Xsuaa service, therefore it is not supported by the Security Client Libraries out of the box.
+For a workaround please refer to the https://github.com/SAP/cloud-security-services-integration-library/issues/1279#issuecomment-1735542987
 
 ## Contributing
 We welcome contributions to this project. Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file for more details on how to contribute.

pom.xml

@@ -57,7 +57,7 @@
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.source.plugin.version>3.2.1</maven.source.plugin.version>
 		<!-- make sure that spring core and spring boot versions are compatible-->
-		<spring.boot.version>3.2.1</spring.boot.version>
+		<spring.boot.version>3.2.2</spring.boot.version>
 		<spring.core.version>6.1.3</spring.core.version>
 		<spring.security.version>6.2.1</spring.security.version>
 		<spring.security.oauth2.version>2.5.2.RELEASE</spring.security.oauth2.version>
@@ -66,9 +66,9 @@
 		<reactor.version>3.6.2</reactor.version>
 		<log4j2.version>2.22.1</log4j2.version>
 		<slf4j.api.version>2.0.11</slf4j.api.version> <!--see also here http://www.slf4j.org/faq.html#changesInVersion18 -->
-		<org.json.version>20231013</org.json.version>
-		<sap.cloud.env.servicebinding.version>0.10.1</sap.cloud.env.servicebinding.version>
-		<apache.httpclient5.version>5.3</apache.httpclient5.version>
+		<org.json.version>20240205</org.json.version>
+		<sap.cloud.env.servicebinding.version>0.10.2</sap.cloud.env.servicebinding.version>
+		<apache.httpclient5.version>5.3.1</apache.httpclient5.version>
 		<apache.httpclient.version>4.5.14</apache.httpclient.version>
 		<caffeine.version>3.1.5</caffeine.version>
 		<commons.io.version>2.15.1</commons.io.version>
@@ -77,8 +77,8 @@
 		<junit-jupiter.version>5.9.2</junit-jupiter.version>
 		<maven-surefire-plugin>3.2.5</maven-surefire-plugin>
 		<hamcrest.version>1.3</hamcrest.version>
-		<mockito.version>5.9.0</mockito.version>
-		<assertj.version>3.25.1</assertj.version>
+		<mockito.version>5.10.0</mockito.version>
+		<assertj.version>3.25.2</assertj.version>
 		<wiremock.version>3.3.1</wiremock.version>
 		<reactor.test.version>3.6.2</reactor.test.version>
 		<javax.annotation.version>1.3.2</javax.annotation.version>
@@ -385,7 +385,7 @@
 						<plugin>
 							<groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
 							<artifactId>dependency-check-maven</artifactId>
-							<version>9.0.8</version>
+							<version>9.0.9</version>
 							<executions>
 								<execution>
 									<goals>

samples/spring-security-hybrid-usage/pom.xml

@@ -113,7 +113,7 @@
 			<plugin>
 				<groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
 				<artifactId>dependency-check-maven</artifactId>
-				<version>9.0.2</version>
+				<version>9.0.6</version>
 				<executions>
 					<execution>
 						<goals>

samples/spring-security-xsuaa-usage/pom.xml

@@ -98,7 +98,7 @@
 			<plugin>
 				<groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
 				<artifactId>dependency-check-maven</artifactId>
-				<version>9.0.2</version>
+				<version>9.0.6</version>
 				<executions>
 					<execution>
 						<goals>

samples/spring-webflux-security-xsuaa-usage/pom.xml

@@ -81,7 +81,7 @@
             <plugin>
                 <groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
                 <artifactId>dependency-check-maven</artifactId>
-                <version>9.0.2</version>
+                <version>9.0.6</version>
                 <executions>
                     <execution>
                         <goals>

spring-security/README.md

@@ -78,12 +78,12 @@ Depending on the service bindings in the environment, a different implementation
 In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/XsuaaTokenFlows.java) is provided that can be used to fetch XSUAA tokens.
 
 #### Autoconfiguration classes
-| Autoconfiguration class                                                                                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java)       | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority |
-| [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service<br/>Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties).                                                                                      |
-| [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java)                 | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication                                                                                                                                                                                                                                                                                                      |
-| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java)               | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync                                                                                                                                                               |
+| Autoconfiguration class                                                                                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java)       | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority`. Supports only single Xsuaa binding |
+| [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service<br/>Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties).                                                                                                                          |
+| [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java)                 | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication                                                                                                                                                                                                                                                                                                                                          |
+| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java)               | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync                                                                                                                                                                                                   |
 
 #### Autoconfiguration properties
 | Autoconfiguration property           | Default value | Description                                                                                                             |
@@ -93,6 +93,19 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/
 
 You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html).
 
+#### Multiple Xsuaa configurations
+:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. 
+The bean needs to be created manually based on the service configuration you want the converter to be initialized with.
+
+For example, to create a converter that removes the application identifier of the *first* XSUAA configuration from the scope names, you could create the following bean:
+
+```java
+@Bean
+public Converter<Jwt, AbstractAuthenticationToken> xsuaaAuthConverter(XsuaaServiceConfigurations xsuaaConfigs) {
+	return new XsuaaTokenAuthorizationConverter(xsuaaConfigs.getConfigurations().get(0).getProperty(APP_ID));
+}
+```
+You may want to filter the list accessible via `XsuaaServiceConfigurations#getConfigurations` based on the configuration properties to find a specific configuration from the list.
 
 ### Security Configuration
 This is an example how to configure your application as Spring Security OAuth 2.0 Resource Server for authentication of HTTP requests:
@@ -314,14 +327,7 @@ sap.security.services:
 ```  
 	
 #### Multiple XSUAA bindings
-If you need to manually configure the application for more than one XSUAA service instances (e.g. one of plan `application` and another one of plan `broker`), you can provide them as follows:
-````yaml
- sap.security.services:
-       xsuaa[0]:
-            ...     # credentials of XSUAA of plan 'application' 
-       xsuaa[1]:
-         clientid:  # clientid of XSUAA of plan 'broker' 
-````
+If you need to manually configure the application for more than one XSUAA service instances (e.g. one of plan `application` and another one of plan `broker`), you need to provide them as `VCAP_SERVICES` environment variable (see second point of [Local Testing](#local-testing) section).
 
 ### Local testing
 To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application.