diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index ca7e92fcb..000000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-name: Bug report
-about: Report a new bug
-title: ''
-labels: bug
-assignees: ''
-
----
-
-Please first read carefully [Report an issue](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CONTRIBUTING.md#report-an-issue) section before creating an Issue.
-
-**Issue Summary**
-- A clear and concise description of the issue.
-- Steps to reproduce the problem: 1. 2. 3.
-- What is the expected result?
-- What happened instead?
-- Additional information? (attach screenshots if applicable)
-
-
-**Issue Report Checklist**
-
-- [ ] Real, current bug
-- [ ] Not a duplicate
-- [ ] Not covered in "Common Pitfalls" section of corresponding module's README.md e.g. [java-security#common-pitfalls](https://github.com/SAP/cloud-security-services-integration-library/tree/main/java-security#common-pitfalls)
-- [ ] Reproducible
-- [ ] Good summary
-- [ ] Well-documented
- - [ ] log level increased to `DEBUG` debug logs provided
- - [ ] POM provided
- - [ ] dependency tree provided
- - [ ] code snippet provided (when applicable)
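Review bot: the first body line of the removed template sends reporters to the `Report an issue` section of CONTRIBUTING.md, and this patch does not touch CONTRIBUTING.md while README.md still points contributors to it. With bug reports now redirected to SAP support channels, check that section in the same change so it matches the new flow.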
diff --git a/.github/ISSUE_TEMPLATE/consultation-question.md b/.github/ISSUE_TEMPLATE/consultation-question.md
deleted file mode 100644
index b888f17a2..000000000
--- a/.github/ISSUE_TEMPLATE/consultation-question.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-name: Consultation question
-about: ask a question
-title: ''
-labels: consultation
-assignees: ''
-
----
-
-Before creating a new consultation questions search first in [GitHub Consultation Questions](https://github.com/SAP/cloud-security-services-integration-library/issues?q=label%3Aconsultation+) for already replied questions. If you still don't find an answer create a new one.
-
-**Question Summary**
-If applicable, please mention:
-- client library (e.g. java-security, spring-security etc.) and version
-- Environment: Cloud Foundry or Kubernetes/Kyma
-- Additional information
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index f8dcf0619..000000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
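Review bot: removing this template leaves no issue template for enhancement requests, and the support.md added in this patch only covers support tickets. Say in support.md or in CONTRIBUTING.md where feature requests should go now, or keep this template.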
diff --git a/.github/ISSUE_TEMPLATE/support.md b/.github/ISSUE_TEMPLATE/support.md
new file mode 100644
index 000000000..95990d0ff
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/support.md
@@ -0,0 +1,16 @@
+---
+name: How to get Support
+about: Please use SAP official support channels instead to get help. Use **BC-CP-CF-SEC-LIB** or **Security Client Libraries** components.
+title: ''
+labels: support
+assignees: ''
+
+---
+
+Before opening Support Tickets please check the corresponding [Troubleshooting](/README.md#troubleshooting) section
+of the Security Client Libraries.
+
+If you still do not find the answer please use SAP official support channels to get help. Use **BC-CP-CF-SEC-LIB** or
+**Security Client Libraries** components. Github.com is not an official support channel.
+
+
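Review bot: the `[Troubleshooting](/README.md#troubleshooting)` link in the body is root-relative, unlike the full `https://github.com/SAP/cloud-security-services-integration-library/...` URLs the removed templates used; rendered inside an issue it will not point at this repository's README, so use the full URL. In the front matter, the `**...**` markers in `about` are markdown inside a YAML string and are likely to show literally in the template chooser, and "instead" has nothing to refer to. Also drop the two trailing blank lines and write "GitHub".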
diff --git a/README.md b/README.md
index 20cf123a4..2c721b185 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,9 @@ The libraries focus on streamlining [OAuth 2.0](https://oauth.net) access token
- [2.3 Testing utilities](#23-testing-utilities)
3. [Installation](#installation)
4. [Troubleshooting](#troubleshooting)
-5. [Contributing](#contributing)
-6. [License](#license)
+5. [Common Pitfalls](#common-pitfalls)
+6. [Contributing](#contributing)
+7. [License](#license)
## Prerequisites
Before you can use the SAP Cloud Security Services Integration libraries, you must fulfil the following requirements:
@@ -160,6 +161,19 @@ Please refer to each library's Troubleshooting section
| [java-security](/java-security/README.md#Troubleshooting) |
| [token-client](/token-client/README.md#Troubleshooting) |
+## Common Pitfalls
+### java.lang.NoSuchMethodError and java.lang.ClassNotFoundException errors
+Most common reason for these errors are out of sync client library versions. All the modules of the Security Client libraries
+should be always in the same version.
+This can be verified by executing `mvn dependency:tree` command.
+
+The easiest way to manage the module versions and keep them in sync is to use the [BOM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms)
+
+The usage of the Security Client Libraries BOM is demonstrated also in the [spring-security-hybrid-usage sample](https://github.com/SAP/cloud-security-services-integration-library/blob/main/samples/spring-security-hybrid-usage/pom.xml#L35-L45)
+
+### reference-instance plan not supported
+The `reference-instance` plan is not an original plan of the Xsuaa service, therefore it is not supported by the Security Client Libraries out of the box.
+For a workaround please refer to the https://github.com/SAP/cloud-security-services-integration-library/issues/1279#issuecomment-1735542987
## Contributing
We welcome contributions to this project. Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file for more details on how to contribute.
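Review bot: in the new Common Pitfalls section, the sample link targets `blob/main/.../pom.xml#L35-L45`, a line range on a moving branch that will stop matching the BOM block once that pom is edited; link to a tagged or commit permalink, or to the file without the range. Smaller points in the same hunk: "Most common reason ... are" should read "The most common reason ... is", the workaround is given as a bare URL where the rest of the README uses named links, the two BOM sentences have no full stop, and a blank line is missing before `## Contributing`.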
diff --git a/pom.xml b/pom.xml
index e827b8b3f..69988beaf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -57,7 +57,7 @@
17
3.2.1
- 3.2.1
+ 3.2.2
6.1.3
6.2.1
2.5.2.RELEASE
@@ -66,9 +66,9 @@
3.6.2
2.22.1
2.0.11
- 20231013
- 0.10.1
- 5.3
+ 20240205
+ 0.10.2
+ 5.3.1
4.5.14
3.1.5
2.15.1
@@ -77,8 +77,8 @@
5.9.2
3.2.5
1.3
- 5.9.0
- 3.25.1
+ 5.10.0
+ 3.25.2
3.3.1
3.6.2
1.3.2
@@ -385,7 +385,7 @@
org.owasp
dependency-check-maven
- 9.0.8
+ 9.0.9
diff --git a/samples/spring-security-hybrid-usage/pom.xml b/samples/spring-security-hybrid-usage/pom.xml
index f1b2faa54..ae9e9cec0 100644
--- a/samples/spring-security-hybrid-usage/pom.xml
+++ b/samples/spring-security-hybrid-usage/pom.xml
@@ -113,7 +113,7 @@
org.owasp
dependency-check-maven
- 9.0.2
+ 9.0.6
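Review bot: the `dependency-check-maven` version set here, 9.0.6, differs from the 9.0.9 that the root pom.xml moves to in this same patch, and the two other sample poms below get the same 9.0.6. Unless the samples are pinned lower on purpose, bump all four to one version so the vulnerability scan behaves the same for the library and its samples.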
diff --git a/samples/spring-security-xsuaa-usage/pom.xml b/samples/spring-security-xsuaa-usage/pom.xml
index 1d957c172..a8ab8e423 100644
--- a/samples/spring-security-xsuaa-usage/pom.xml
+++ b/samples/spring-security-xsuaa-usage/pom.xml
@@ -98,7 +98,7 @@
org.owasp
dependency-check-maven
- 9.0.2
+ 9.0.6
diff --git a/samples/spring-webflux-security-xsuaa-usage/pom.xml b/samples/spring-webflux-security-xsuaa-usage/pom.xml
index b640c5bef..451c99a1f 100644
--- a/samples/spring-webflux-security-xsuaa-usage/pom.xml
+++ b/samples/spring-webflux-security-xsuaa-usage/pom.xml
@@ -81,7 +81,7 @@
org.owasp
dependency-check-maven
- 9.0.2
+ 9.0.6
diff --git a/spring-security/README.md b/spring-security/README.md
index ca357b5c6..4412f3e3b 100644
--- a/spring-security/README.md
+++ b/spring-security/README.md
@@ -78,12 +78,12 @@ Depending on the service bindings in the environment, a different implementation
In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/XsuaaTokenFlows.java) is provided that can be used to fetch XSUAA tokens.
#### Autoconfiguration classes
-| Autoconfiguration class | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java) | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority |
-| [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service
Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties). |
-| [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java) | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication |
-| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync |
+| Autoconfiguration class | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java) | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority`. Supports only single Xsuaa binding |
+| [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service
Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties). |
+| [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java) | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication |
+| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync |
#### Autoconfiguration properties
| Autoconfiguration property | Default value | Description |
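Review bot: the only content change in this table is the sentence "Supports only single Xsuaa binding" appended to the `HybridAuthorizationAutoConfiguration` row, but every row is rewritten to re-pad the columns, which buries it in review and in blame; keep the re-padding out of this change or mention it in the commit message. The new sentence should link to the "Multiple Xsuaa configurations" section added further down so readers with several bindings know what to do, and it needs an article and a full stop ("Supports only a single Xsuaa binding.").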
@@ -93,6 +93,19 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/
You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html).
+#### Multiple Xsuaa configurations
+:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured.
+The bean needs to be created manually based on the service configuration you want the converter to be initialized with.
+
+For example, to create a converter that removes the application identifier of the *first* XSUAA configuration from the scope names, you could create the following bean:
+
+```java
+@Bean
+public Converter xsuaaAuthConverter(XsuaaServiceConfigurations xsuaaConfigs) {
+ return new XsuaaTokenAuthorizationConverter(xsuaaConfigs.getConfigurations().get(0).getProperty(APP_ID));
+}
+```
+You may want to filter the list accessible via `XsuaaServiceConfigurations#getConfigurations` based on the configuration properties to find a specific configuration from the list.
### Security Configuration
This is an example how to configure your application as Spring Security OAuth 2.0 Resource Server for authentication of HTTP requests:
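Review bot: the bean example selects `xsuaaConfigs.getConfigurations().get(0)`, so which application identifier is stripped from the scope names depends on the order of the list, while the sentence after the fence tells readers to filter by configuration properties. Show that filtering in the example, or state what determines the order, because a converter built with the wrong identifier changes the authorities that `hasAuthority` checks see. `APP_ID` is used without its import or qualifying class and the return type is the raw `Converter`; spell both out so the snippet compiles when pasted. Add a blank line after the closing fence and before `### Security Configuration`.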
@@ -314,14 +327,7 @@ sap.security.services:
```
#### Multiple XSUAA bindings
-If you need to manually configure the application for more than one XSUAA service instances (e.g. one of plan `application` and another one of plan `broker`), you can provide them as follows:
-````yaml
- sap.security.services:
- xsuaa[0]:
- ... # credentials of XSUAA of plan 'application'
- xsuaa[1]:
- clientid: # clientid of XSUAA of plan 'broker'
-````
+If you need to manually configure the application for more than one XSUAA service instances (e.g. one of plan `application` and another one of plan `broker`), you need to provide them as `VCAP_SERVICES` environment variable (see second point of [Local Testing](#local-testing) section).
### Local testing
To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application.
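Review bot: the replacement sentence under "Multiple XSUAA bindings" drops the `xsuaa[0]` / `xsuaa[1]` example without saying whether indexed `sap.security.services` properties no longer work or are only no longer recommended; state that explicitly, since existing configurations may rely on them. "See second point of Local Testing" is a positional reference that breaks if that list is reordered, so name the option instead. Wording: "more than one XSUAA service instance" and "as the `VCAP_SERVICES` environment variable".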