Releases: SAP/cloud-security-services-integration-library
Version 3.3.5
- [spring-xsuaa] fixes an NPE bug in XsuaaJwtDecoder when the uaadomain value is null
- [spring-security] reactive token validation supported with the help of ReactiveSecurityContext and ReactiveHybridJwtDecoder to allow more versatile use of the spring-security library, also see the spring-security README.md
- [samples]
- spring-security-hybrid-usage demonstrates how to use multiple Xsuaa bindings
- new sample spring-webflux-security-hybrid-usage that showcases usage of reactive token validation
Dependency upgrades
- Bump com.sap.cloud.environment.servicebinding from 0.10.2 to 0.10.3
- Bump slf4j.api.version from 2.0.11 to 2.0.12
- Bump org.json:json from 20231013 to 20240205
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1
- Bump spring.boot.version from 3.2.1 to 3.2.2
- Bump spring.core.version from 6.1.3 to 6.1.4
Version 2.17.3
- [java-security]
- add name property of service binding as property to OAuth2ServiceConfiguration
- reduce HybridTokenFactory logging noise - in case of missing service configuration warn message will be logged just once
- [java-api]
- add ServiceConstant#NAME which can be used to access that property
- [env]
- service plan property is no longer uppercased when building OAuth2ServiceConfiguration from service bindings of the environment
- [spring-security]
- fixes a bug in which a second XSUAA configuration of plan "broker" was ignored in spring-security auto-configuration for versions >= 2.16.0 and < 2.17.3
- add setName, getName, setPlan, getPlan to OAuth2ServiceConfigurationProperties, which means the list of XsuaaServiceConfigurations can now be filtered based on these properties.
- [token-client]
- remove httpclient caching from DefaultHttpClientFactory (#1416)
Dependency upgrades
- bump spring-core version to 5.3.31
- bump spring-security version to 5.8.9
- bump commons io version to 2.15.1
Version 3.3.4
- [env] service plan property is no longer uppercased when building OAuth2ServiceConfiguration from service bindings of the environment
- [spring-security] fixes a bug in which a second XSUAA configuration of plan "broker" was ignored in spring-security auto-configuration for versions 3.3.2 and 3.3.3
Dependency upgrades
- Bump io.projectreactor:reactor-core from 3.6.1 to 3.6.2
- Bump spring.core.version from 6.1.2 to 6.1.3
- Bump slf4j.api.version from 2.0.10 to 2.0.11
Version 3.3.3
- [java-security]
- reduce HybridTokenFactory logging noise - in case of missing service configuration a warn message will be logged just once
- upgrade jetty ee9 to jetty ee10
- [java-security-test]
- fixes version mismatch issue when jetty BoM is used
- JwtGenerator ensures that claims are always in the same order
- [token-client]
- remove httpclient caching from DefaultHttpClientFactory (#1416)
Dependency upgrades
- Bump spring.boot.version from 3.2.0 to 3.2.1
- Bump spring.core.version from 6.0.14 to 6.1.2
- Bump log4j2.version from 2.22.0 to 2.22.1
- Bump slf4j.api.version from 2.0.9 to 2.0.10
Version 3.3.2
- [java-security]
- add name property of service binding as property to OAuth2ServiceConfiguration
- [java-api]
- add ServiceConstant#NAME which can be used to access that property
- [spring-security]
- IdentityServicesPropertySourceFactory now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'.
- XsuaaServiceConfigurations#getConfigurations now contains ALL Xsuaa configurations found as a result of the previous change.
- HybridIdentityServicesAutoConfiguration was adjusted for backward compatibility to still create a JwtDecoder that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker').
- add setName, getName, setPlan, getPlan to OAuth2ServiceConfigurationProperties, which means the list of XsuaaServiceConfigurations can now be filtered based on these properties.
- [java-security-test]
- upgrade the Jetty servlet to jetty-ee9-servlet (fixes issues with the Spring Boot 3.2 upgrade)
Dependency upgrades
- Bump spring.boot.version from 3.1.6 to 3.2.0
- Bump spring.core.version from 6.0.14 to 6.1.2
- Bump spring.security.version from 6.2.0 to 6.2.1
- Bump commons-io:commons-io from 2.15.0 to 2.15.1
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.3 to 5.3
- Bump log4j2.version from 2.21.1 to 2.22.0
- Bump io.projectreactor:reactor-core from 3.5.11 to 3.6.0
- Bump org.eclipse.jetty:jetty-bom from 11.0.18 to 12.0.5
Version 3.3.1
✅ Resolves a Breaking Change introduced in version 3.3.0. Consumers should be able to update to 3.3.1 from a version < 3.3.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.
In version 3.3.1, when java-security-test is loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.
Dependency upgrades
- Bump spring.boot.version from 3.1.5 to 3.1.6
- Bump spring.core.version from 6.0.13 to 6.0.14
- Bump spring.security.version from 6.1.5 to 6.2.0
- Bump apache.httpclient5.version from 5.2.1 to 5.2.3
- Bump wiremock.version from 3.0.0-beta-10 to 3.3.1 and replace org.wiremock.wiremock-standalone with com.github.tomakehurst.wiremock
- Bump logback-core, logback-classic from 1.4.6 to 1.4.14
Version 2.17.2
✅ Resolves a Breaking Change introduced in version 2.17.0. Consumers should be able to update to 2.17.2 from a version <= 2.16.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.
In version 2.17.2, when java-security-test or spring-xsuaa-mock are loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.
Dependency upgrades
- Bump logback-core, logback-classic from 1.2.12 to 1.2.13
Version 2.17.1
Dependency upgrades
- Bump spring.boot.version from 2.7.17 to 2.7.18
Version 3.3.0
- [java-security-test]
- ⚠️ Breaking Change: To validate mocked XSUAA tokens issued by the java-security-test module, the uaadomain property of the service configuration must now include the port of the Wiremock server. Likewise, for validating IAS tokens, the trusteddomains array of the service configuration also needs to include the Wiremock URL including the port. The full Wiremock URL is available via SecurityTestContext#getWireMockServer#baseUrl. Note: If you are building your configuration via SecurityTestContext#getOAuth2ServiceConfigurationBuilderFromFile, this will already be preconfigured correctly, but you must not overwrite these properties with only "localhost".
- [java-security]
- [XSUAA/IAS] Adapt optimized server API
- [spring-xsuaa]
- Adapt optimized server API
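The reason the port matters is that the jku header of an XSUAA token tells the validator where to fetch the signing keys, so a validator that matches jku too loosely can be pointed at an attacker's key server. The following Python model, added here as an example and not the library's own Java code, shows a strict host/port/path check of a jku against a configured uaadomain (with the 3.3.0 behaviour that "localhost" without a port no longer matches the Wiremock jku) beside the test-only relaxation described in the 3.3.1 and 2.17.2 notes. The function name jku_allowed, the TOKEN_KEYS_PATH constant and the exact matching rules are assumptions for this example; the real validator's rules may differ in detail.

```python
from urllib.parse import urlparse

# Constructed for this example: the XSUAA key-set path the jku must point at.
TOKEN_KEYS_PATH = "/token_keys"


def _parse_jku(jku: str):
    """Return (host, port, path) from a jku URL; port is None when absent.

    urlparse yields the real host even for decoys such as
    https://trusted.example@attacker.example/token_keys (userinfo) or
    https://attacker.example/token_keys?trusted.example (query), so the
    comparison below never sees the attacker-controlled text.
    """
    try:
        u = urlparse(jku)
        return (u.hostname or "").lower(), u.port, u.path
    except ValueError:  # malformed port such as ":80a"
        return "", None, ""


def jku_allowed(jku: str, uaadomain: str, test_mode: bool = False) -> bool:
    """Decide whether signing keys may be fetched from the token's jku.

    uaadomain is the configured service-binding value, optionally with a port
    ("localhost:8080"). Strict rule (assumed for this model): the jku host must
    equal uaadomain or be a subdomain of it, the port must match what uaadomain
    states (an explicit jku port is rejected when uaadomain has none), and the
    path must be TOKEN_KEYS_PATH. test_mode models the relaxation of 3.3.1 /
    2.17.2: with uaadomain "localhost", a localhost jku is accepted on any port.
    """
    host, port, path = _parse_jku(jku)
    if not host or path != TOKEN_KEYS_PATH:
        return False

    dom_host, _, dom_port = uaadomain.lower().partition(":")
    if test_mode and dom_host == "localhost" and host == "localhost":
        # Test-only relaxation: any port passes, so a token whose jku points at
        # some other local listener would also be accepted. Never enable in production.
        return True

    if dom_port:
        if not dom_port.isdigit() or port != int(dom_port):
            return False
    elif port is not None:
        return False

    # Suffix match on the host component only, so "trusted.example.attacker.example"
    # and "attacker.example/?trusted.example" are both rejected.
    return host == dom_host or host.endswith("." + dom_host)


if __name__ == "__main__":
    prod_domain = "authentication.sap.hana.ondemand.com"
    for jku, dom, test in [
        (f"https://tenant.{prod_domain}{TOKEN_KEYS_PATH}", prod_domain, False),
        (f"https://{prod_domain}.attacker.example{TOKEN_KEYS_PATH}", prod_domain, False),
        ("http://localhost:8080/token_keys", "localhost", False),       # 3.3.0: rejected
        ("http://localhost:8080/token_keys", "localhost:8080", False),  # 3.3.0: accepted
        ("http://localhost:9999/token_keys", "localhost", True),        # 3.3.1 test mode: accepted
    ]:
        print(f"{jku!r:75} uaadomain={dom!r:18} test_mode={test!s:5} -> {jku_allowed(jku, dom, test)}")
```

The last row is the edge case the 3.3.1 note warns about: in test mode a jku on any localhost port is trusted, which is acceptable only while the token key server is a Wiremock instance under the test's control.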
Version 2.17.0
⚠️ Breaking Change: When using the java-security-test module you might need to adjust the uaadomain in the service configuration with the port the wiremock token key server is running on, e.g. it should be changed from localhost to http://localhost:XXXX (you can access the wiremock token key server address using testRule.getWiremockServer().baseUrl()).
- [java-security]
- [XSUAA/IAS] Adapt optimized server API
- [spring-xsuaa]
- Adapt optimized server API