Version 3.3.1

@liga-oz liga-oz released this 06 Dec 11:07
· 263 commits to main since this release
4155c27

✅ Resolves a Breaking Change introduced in version 3.3.0. Consumers should be able to update to 3.3.1 from a version < 3.3.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.

In version 3.3.1, when java-security-test is loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.
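
Because the relaxed validation applies whenever java-security-test is loaded, it is worth checking that the artifact never leaves test scope. The following is an added example, not part of the release notes or the project's own code: it scans `mvn dependency:tree` output for java-security-test on any scope other than test. The function name and the sample tree lines (including the com.example coordinates) are constructed for illustration.

```shell
#!/bin/sh
# Reads `mvn dependency:tree` output on stdin and prints every
# java-security-test coordinate whose scope is not "test".
# Exit status: 0 = test scope only (or absent), 1 = found on another scope.
# Dependency lines end in groupId:artifactId:type[:classifier]:version:scope,
# optionally followed by a marker such as "(optional)".
find_nontest_security_test() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /:java-security-test:/) continue
                n = split($i, f, ":")
                if (n < 5) continue          # no scope field (e.g. root module line)
                if (f[n] != "test") { print $i; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the artifact is confined to test scope.
SAMPLE_OK='[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.sap.cloud.security:java-security:jar:3.3.1:compile
[INFO] \- com.sap.cloud.security:java-security-test:jar:3.3.1:test'

# Constructed sample: the artifact leaked onto the compile classpath.
SAMPLE_BAD='[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.sap.cloud.security:java-security:jar:3.3.1:compile
[INFO] \- com.sap.cloud.security:java-security-test:jar:3.3.1:compile (optional)'

# Demonstration on the constructed leak; in a real build use:
#   mvn dependency:tree | find_nontest_security_test
printf '%s\n' "$SAMPLE_BAD" | find_nontest_security_test \
    || echo "java-security-test is outside test scope" >&2
```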

Dependency upgrades

  • Bump spring.boot.version from 3.1.5 to 3.1.6
  • Bump spring.core.version from 6.0.13 to 6.0.14
  • Bump spring.security.version from 6.1.5 to 6.2.0
  • Bump apache.httpclient5.version from 5.2.1 to 5.2.3
  • Bump wiremock.version from 3.0.0-beta-10 to 3.3.1 and replace org.wiremock.wiremock-standalone with com.github.tomakehurst.wiremock
  • Bump logback-core, logback-classic from 1.4.6 to 1.4.14