From 87022be263abbeacad30980cfc2f7d8e866d358e Mon Sep 17 00:00:00 2001 From: liga-oz Date: Thu, 4 Jan 2024 15:38:13 +0100 Subject: [PATCH 1/2] remove jetty bom and define dependencies explicitly cleanup not used dependencies Signed-off-by: liga-oz --- java-security-test/pom.xml | 20 +++----------------- pom.xml | 16 +--------------- 2 files changed, 4 insertions(+), 32 deletions(-) diff --git a/java-security-test/pom.xml b/java-security-test/pom.xml index b76143c91e..40c55d50ed 100644 --- a/java-security-test/pom.xml +++ b/java-security-test/pom.xml @@ -38,26 +38,17 @@ org.eclipse.jetty jetty-server + ${org.eclipse.jetty.version} org.eclipse.jetty.ee9 jetty-ee9-servlet + ${org.eclipse.jetty.version} org.eclipse.jetty.ee9 jetty-ee9-webapp - - - org.eclipse.jetty.ee9 - jetty-ee9-annotations - - - org.eclipse.jetty - jetty-io - - - org.eclipse.jetty - jetty-util + ${org.eclipse.jetty.version} org.wiremock @@ -85,11 +76,6 @@ assertj-core test - - org.slf4j - slf4j-simple - test - diff --git a/pom.xml b/pom.xml index d5a1215a9c..d9290c5c91 100644 --- a/pom.xml +++ b/pom.xml @@ -62,7 +62,7 @@ 6.2.1 2.5.2.RELEASE 1.1.1.RELEASE - 12.0.5 + 12.0.5 3.6.1 2.22.1 2.0.10 @@ -119,20 +119,6 @@ pom import - - org.eclipse.jetty - jetty-bom - ${org.eclipse.jetty.bom.version} - pom - import - - - org.eclipse.jetty.ee9 - jetty-ee9-bom - ${org.eclipse.jetty.bom.version} - pom - import - From 6aaf71765ec6414f28d5a14880fb3db81665deeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C4=ABga?= <72249435+liga-oz@users.noreply.github.com> Date: Fri, 5 Jan 2024 09:03:34 +0100 Subject: [PATCH 2/2] Make generated jwt attributes in a predictable order (#1403) * make the generated attributes to be in the same order --------- Signed-off-by: liga-oz Co-authored-by: Manuel Fink <123368068+finkmanAtSap@users.noreply.github.com> --- .../sap/cloud/security/test/JwtGenerator.java | 22 +++++++++++++++++-- .../security/comp/XsuaaTokenCompTest.java | 6 ++--- 2 files changed, 23 insertions(+), 5 deletions(-) 
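Review bot: With the `jetty-bom` and `jetty-ee9-bom` imports removed from the root `pom.xml`, only the three artifacts that now carry `${org.eclipse.jetty.version}` in `java-security-test/pom.xml` are pinned. `jetty-io`, `jetty-util` and any other Jetty module that reaches the classpath transitively are left to Maven's dependency mediation. If another dependency of this module brings its own Jetty (WireMock is declared directly below and may do so; this needs checking), the modules can end up on mixed versions, and a later security bump of the property would not move the transitive ones. Confirming alignment with `mvn dependency:tree` and guarding it with the maven-enforcer `dependencyConvergence` rule would cover this; alternatively keep the BOM import and drop only the unused declarations. The same point applies to the `dependencyManagement` hunk in the root `pom.xml`.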
diff --git a/java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java b/java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java index 758e67225e..4d5041c9e8 100644 --- a/java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java +++ b/java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java @@ -18,6 +18,7 @@ import javax.annotation.Nonnull; import java.io.IOException; +import java.lang.reflect.Field; import java.nio.charset.StandardCharsets; import java.security.*; import java.time.Instant; @@ -42,8 +43,8 @@ public class JwtGenerator { private static final String DEFAULT_JWKS_URL = "http://localhost/token_keys"; private static final char DOT = '.'; - private final JSONObject jsonHeader = new JSONObject(); - private final JSONObject jsonPayload = new JSONObject(); + private final JSONObject jsonHeader = newPredictableOrderingJSONObject(); + private final JSONObject jsonPayload = newPredictableOrderingJSONObject(); private final SignatureCalculator signatureCalculator; private final Service service; 
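Review bot: `jsonHeader` and `jsonPayload` now depend on `newPredictableOrderingJSONObject()` (added in the next hunk), which replaces the private `map` field of `JSONObject` by reflection and, when that fails, logs at info level and returns an ordinary unordered object. This ties the generator to an internal field name of the JSON library, so a library upgrade that renames or finalizes the field silently restores the old ordering, and the only symptom is a prefix mismatch in tests such as `getAppToken`. The catch covers only `IllegalAccessException | NoSuchFieldException`, while `setAccessible(true)` can also throw unchecked exceptions (for example `InaccessibleObjectException` under strong encapsulation), which would escape the field initializer. I would make the fallback visible with `LOGGER.warn("Couldn't create a JSONObject with a LinkedHashMap field; claim order is not guaranteed", e);`, drop the `declaredMapField.setAccessible(false);` line since the `Field` object is local and discarded, and extend the Javadoc to say that the ordering is best-effort and why reflection is used.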
@@ -60,6 +61,23 @@ private JwtGenerator(Service service, SignatureCalculator signatureCalculator) { predefineTokenClaims(); } + /** + * Creates a new JSONObject object with LinkedHashMap with predictable iteration order. + * @return JSONObject + */ + private static JSONObject newPredictableOrderingJSONObject() { + JSONObject jsonObject = new JSONObject(); + try { + Field declaredMapField = jsonObject.getClass().getDeclaredField("map"); + declaredMapField.setAccessible(true); + declaredMapField.set(jsonObject, new LinkedHashMap<>()); + declaredMapField.setAccessible(false); + } catch (IllegalAccessException | NoSuchFieldException e) { + LOGGER.info("Couldn't create a JSONObject with a LinkedHashMap field. {}", e.getMessage()); + } + return jsonObject; + } + /** * This factory method creates an {@link JwtGenerator} instance that can be used * to create tokens for testing purposes. The tokens are prefilled with data so diff --git a/spring-security-compatibility/src/test/java/com/sap/cloud/security/comp/XsuaaTokenCompTest.java b/spring-security-compatibility/src/test/java/com/sap/cloud/security/comp/XsuaaTokenCompTest.java index 39b5fe218f..061971c69c 100644 --- a/spring-security-compatibility/src/test/java/com/sap/cloud/security/comp/XsuaaTokenCompTest.java +++ b/spring-security-compatibility/src/test/java/com/sap/cloud/security/comp/XsuaaTokenCompTest.java @@ -1,6 +1,6 @@ /** - * SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors - * + * SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors* + *

* SPDX-License-Identifier: Apache-2.0 */ package com.sap.cloud.security.comp; @@ -227,7 +227,7 @@ void getSubdomainFails() { @Test void getAppToken() { token = XsuaaTokenComp.createInstance(jwtGenerator.createToken()); - assertThat(token.getAppToken(), startsWith("eyJqa3UiOiJodHRwOi8vbG9jYWx")); + assertThat(token.getAppToken(), startsWith("eyJraWQiOiJkZWZhdWx0LWtpZCIs")); } @Test
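Review bot: The licence header change in `XsuaaTokenCompTest.java` looks unintended. As shown here, the `SPDX-FileCopyrightText` line now ends in `contributors*` and the separator line was rewritten, which is typical of an IDE reformat rather than part of the ordering fix. Tools that parse SPDX tags may take the rest of the line as the copyright text, so the stray character could end up in the recorded holder. I would revert this hunk so the header keeps the removed form, with the line ending in `contributors` followed by a bare ` *` line.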
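Review bot: The new expectation in `getAppToken` is an undocumented literal: `eyJraWQiOiJkZWZhdWx0LWtpZCIs` is the Base64 of `{"kid":"default-kid",`, so the test passes only while `JwtGenerator` emits `kid` as the first header claim. That in turn depends on the reflective `LinkedHashMap` swap succeeding. If the generator falls back to a plain `JSONObject`, this fails with an opaque prefix mismatch. A comment above the assertion would make such a failure diagnosable, for example `// Base64 of {"kid":"default-kid", - relies on JwtGenerator keeping header claims in insertion order`.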