Version 2.8.5

2.8.5

• [java-security] load environment from VCAP_SERVICES formatted json file (#471)
• [java-security] performance: make sure ServiceLoader loads services only once (#467)
• [java-api] move getAttributeFromClaimAsString and getAttributeFromClaimAsStringList methods from AccessToken to its Token parent interface.

Version 2.8.4

• [java-security] Make HybridTokenFactory more failure tolerant
• [spring-xsuaa-test] Prefills "ext_atr" "enhancer" with XSUAA

Update Versions

• [all]
  • commons-io 2.6 --> 2.8.0
  • org.apache.httpcomponents » httpclient 4.5.9 --> 4.5.13
  • spring.core.version 5.3.2 --> 5.3.3
  • spring.boot.version 2.4.1 --> 2.4.2
• [java-security-test]
  • org.eclipse.jetty 9.4.35.v20201120 --> 9.4.36.v20210114
• [token-client]
  • caffeine 2.8.6 --> 2.8.8
  • org.json 20200518 --> 20201115
• [spring-xsuaa]
  • caffeine 2.8.6 --> 2.8.8
  • reactor-core 3.3.7.RELEASE --> 3.4.2
  • log4j-to-slf4j 2.13.3 --> 2.14.0

Version 2.8.3

• [java-api] AccessToken exposes the getSubaccountId() method. Further information about the usage of getSubaccountId() and getZoneId() can be read here.
• [java-api] [java-security] allows hybrid token creation via Token.create(String encodedToken). The feature is available when using token authenticator. In order to avoid ServiceLoader issues, make sure that you don't mix up different versions of these client libraries. E.g., its not possible to use com.sap.cloud.security:java-api:2.8.3 together with com.sap.cloud.security:java-security:2.8.2. See also here.
• [samples/sap-java-buildpack-api-usage] uses SAP Java Buildpack BoM (sample).
• [token-client] UserTokenFlow enhances request with X-zid header that corresponds to zone id.

Version 2.8.2

2.8.2

• [java-security]
  • HOTFIX for 2.8.1 version.
  • Beta release of ias2xsuaa token exchange. Further information can be found here.

Version 2.8.1

2.8.1

• [spring-xsuaa]
  • Beta release of ias2xsuaa token exchange. Further information can be found here.
  • Replaces dependencies to JSON Parser of net.minidev with org.json (fixes #414).
  • The following dependencies were updated:
    • spring.boot.version 2.3.5.RELEASE --> 2.4.1
    • spring.core.version 5.2.10.RELEASE --> 5.3.2
    • spring.security.version 5.3.5.RELEASE --> 5.4.2

Version 2.8.0

• [java-security]
  • getClientId() method was added to Token interface. getClientId() method should be used instead of getClaimAsString(TokenClaims.XSUAA.CLIENT_ID). TokenClaims.XSUAA.CLIENT_ID is deprecated.
  • Supports IAS token validation. IAS_SERVICE_NAME has not be provided any longer. You can find a sample here.
• [java-security-test] In case you like to overwrite the client id using JwtGenerator using withClaimValue() or withClaimValues() method, it's recommended to set the azp claim instead using withClaimValue(TokenClaims.AUTHORIZATION_PARTY, "T000310").
• [spring-xsuaa]
  • getClientId() method implementation of Token interface has been changed. Using azp and as fallback aud and cid claims to obtain client id.
• ⚠️ backward incompatible change: usage of deprecated org.springframework.security.oauth:spring-security-oauth2 dependency in OAuth2AuthenticationConverter was removed.
  OAuth2AuthenticationConverter.convert() method return type has changed from org.springframework.security.oauth2.provider.OAuth2Authentication to org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
  • Migration tips
    • when necessary, org.springframework.security.oauth:spring-security-oauth2 dependency need to be provided explicitly
    • OAuth2WebSecurityExpressionHandler() won't work in conjunction with OAuth2AuthenticationConverter, as it expects OAuth2Authentication class instead of BearerTokenAuthentication when deriving authorization claims. Use hasAuthority() or hasAnyAuthority() instead of explicitly defined expressionHandler(new OAuth2WebSecurityExpressionHandler()) and access() expression for authorized requests.
• The following dependency was removed:
  • org.springframework.security.oauth:spring-security-oauth2
• The following dependencies were updated:
  • spring.boot.version 2.3.4.RELEASE --> 2.3.5.RELEASE
  • spring.core.version 5.2.9.RELEASE --> 5.2.10.RELEASE
  • spring.security.version 5.3.4.RELEASE --> 5.3.5.RELEASE
  • caffeine.version 2.8.2 --> 2.8.6

Version 2.7.8

• [java-security-test] Supports JUnit 5 Tests with XsuaaExtension, IasExtension and SecurityTestExtension as documented here.
• [java-security] Does not fail in case of Xsuaa services of type: apiacess (#382).
• [spring-xsuaa-starter] Upgrade Spring versions:
  • spring.boot.version: 2.3.1.RELEASE --> 2.3.4.RELEASE
  • spring.core.version: 5.2.8.RELEASE --> 5.2.9.RELEASE
• The following dependencies were updated:
  • Jetty 9.4.24.v20191120 --> 9.4.31.v20200723
  • javax.servlet-api.version 3.0.1 --> 3.1.0
  • Apache HTTP client 4.5.8 --> 4.5.9
  • Wiremock 2.25.1 --> 2.27.2

Version 2.7.7

2.7.7

• [spring-xsuaa] Update Spring versions
  • spring.core.version: 5.2.7.RELEASE --> 5.2.8.RELEASE
  • spring.security.version: 5.3.3.RELEASE --> 5.3.4.RELEASE
• [java-security-test] SecurityTest and SecurityTestRule provides a better support for integration tests with a mockserver. It is now possible to upload the configuration and the token from a json file. Take our integration tests as a sample java-security-it.
• [java-security] DefaultJsonObject.getAsStringList(propertyName) parses the JSON object for a given property and returns a String list. This works also in case the property is not a JSON array but a JSON String.
• [java-security-it] New integration test project. Existing integration tests have been restructured and moved here. Additionally, JWT token validation performance tests have been added for java-security and spring-xsuaa.

Version 2.7.6

• [token-client] Fixes ClientCredentialsTokenFlow.scopes() and UserTokenFlow.scopes() to support multiple scopes. The scope form parameter has to provide a space-delimited list (and not comma-delimited list).
• [java-security] Improve compatibility of SAPOfflineTokenServicesCloud
  • There was incompatibility in the implementation of SAPOfflineTokenServicesCloud that caused the remoteUser of the HttpServletRequest to always return the client id of the XSUAA service binding. This was changed so that it now works like in the old implementation. This means that the remoteUser now returns either the user_name claim of the token for user tokens or the value of the client id cid claim of the token for all other tokens (e.g. client tokens).

Version 2.7.5

2.7.5

• [java-api] AcessToken provides
  • getAttributeFromClaimAsString(String claimName, String attributeName) to access for example ext_attr values such as subaccountid
  • getAttributeFromClaimAsStringList(String claimName, String attributeName) to access for example xs.user.attributes values such as custom_role
• [java-security] provide debug logs for failing token validation, see troubleshoot.
• [java-security-test] Fixed default value for jku token header to http://localhost/token_keys
• [samples] Upgraded approuter version to "^8.2.0"
• [spring-xsuaa-starter] Upgrade Spring versions:
  • spring.boot.version: 2.3.0.RELEASE --> 2.3.1.RELEASE
  • spring.core.version: 5.2.6.RELEASE --> 5.2.7.RELEASE
  • spring.security.version: 5.3.2.RELEASE --> 5.3.3.RELEASE
  • spring-security-oauth2.version: 2.4.1.RELEASE --> 2.5.0.RELEASE