Bump the all-maven-dependencies group across 2 directories with 3 updates

[dependabot]

Bumps the all-maven-dependencies group with 3 updates in the / directory: org.springframework.boot:spring-boot-dependencies, org.springframework.boot:spring-boot-maven-plugin and com.sap.cloud.security:java-bom.
Bumps the all-maven-dependencies group with 3 updates in the /srv directory: org.springframework.boot:spring-boot-maven-plugin, org.springframework.boot:spring-boot-dependencies and com.sap.cloud.security:java-bom.

Updates org.springframework.boot:spring-boot-dependencies from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.12

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

... (truncated)

Commits

• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.12

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

... (truncated)

Commits

• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• 5e226d8 Major release 4 (#1924)
• 2c6f46b fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtensio...
• See full diff in compare view

Updates org.springframework.boot:spring-boot-maven-plugin from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-maven-plugin's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates org.springframework.boot:spring-boot-dependencies from 3.5.12 to 3.5.13

Release notes

Sourced from org.springframework.boot:spring-boot-dependencies's releases.

v3.5.13

⚠️ Attention Required

• Jackson has been upgraded to 2.21.2 in response to the Jackson team ending support for Jackson 2.19.x and 2.20.x. #49365

🐞 Bug Fixes

• WebSocket messaging's task executors are only auto-configured and stompWebSocketHandlerMapping is only forced to be eager when using Jackson #49750
• Metadata annotation processor ignores method-level @NestedConfigurationProperty when using constructor binding #49734
• Override of property in external 'application.properties' or 'application.yaml' is ignored #49724
• Some sliced tests that import TransactionAutoConfiguration do not import TransactionManagerCustomizationAutoConfiguration #49716
• NativeImageResourceProvider does not find Flyway migration scripts in subdirectories #49661
• @GraphQlTest does not include @ControllerAdvice #49660

📔 Documentation

• Fix incorrect indefinite articles in Javadoc #49723
• Add some more Kotlin examples and trivial style fixes #49710

🔨 Dependency Upgrades

• Upgrade to Hibernate 6.6.45.Final #49757
• Upgrade to jOOQ 3.19.31 #49758
• Upgrade to Netty 4.1.132.Final #49759
• Upgrade to Tomcat 10.1.53 #49760
• Upgrade to Undertow 2.3.24.Final #49761
• Upgrade to Zipkin Reporter 3.5.3 #49756

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Joowon-Seo, @​deejay1, @​dlwldnjs1009, and @​ljrmorgan

Commits

• 4a4c79f Release v3.5.13
• 696a60e Full auto-configure transaction management in slice tests
• 4b37ecb Upgrade to Undertow 2.3.24.Final
• 32a51d5 Upgrade to Tomcat 10.1.53
• 0934296 Upgrade to Netty 4.1.132.Final
• 851ddda Upgrade to jOOQ 3.19.31
• ef876fe Upgrade to Hibernate 6.6.45.Final
• 2841d87 Upgrade to Zipkin Reporter 3.5.3
• 025b527 Fix WebSocketMessagingAutoConfiguration in the absence of Jackson
• 3282672 Make DevTools tests more tolerant to wrapped DataSource
• Additional commits viewable in compare view

Updates com.sap.cloud.security:java-bom from 3.6.8 to 4.0.3

Release notes

Sourced from com.sap.cloud.security:java-bom's releases.

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release

3.6.12

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-bom's changelog.

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

Deprecated in 4.0.0 (Removed in 5.0.0):

• DefaultOAuth2TokenKeyService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient)
• DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
• DefaultOidcConfigurationService(CloseableHttpClient)
• HttpClientFactory interface and DefaultHttpClientFactory implementation

Migration Path:

• Option 1 (Recommended): Use default constructors - Java 11 HttpClient is used automatically
• Option 2 (Temporary): Continue using deprecated constructors with Apache HttpClient 4
• Option 3 (Custom): Implement SecurityHttpClientFactory interface for custom HTTP clients (see CUSTOM_HTTPCLIENT.md)

See the comprehensive Apache HttpClient Migration Guide for detailed migration instructions.

... (truncated)

Commits

• ed3b9ef Bugfix/4.0.2 (#1939)