Version 2.0.0

2.0.0

• Deleted package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib like CAP.
  • As already mentioned use SpringSecurityContext class instead of SecurityContext class.
• Removed deprecated methods:
  • XsuaaServiceConfiguration.getTokenUrl()
  • XsuaaToken.getClaimAccessor() is not required anymore as Xsuaa itself implements JwtClaimAccessor .
• Deprecated TokenBroker interface and its implementation UaaTokenBroker, as this is going to be replaced with the OAuth2TokenService interface which is provided by the new token-client library. If you wish to configure / pass your RestTemplate you can pass an instance of OAuth2TokenService:

new TokenBrokerResolver( 
  <<your configuration>>, 
  <<your cache>>, 
  new XsuaaOAuth2TokenService(<<your restTemplate>>), 
  <<your authenticationInformationExtractor>>);

• TokenUlrUtils class is now package protected and will be deleted with version.
• token-client library supports basically Password-Grant Access Tokens.

Version 1.7.0

1.7.0

• We now provide a new slim token-client library with a XsuaaTokenFlows class, which serves as a factory for the different flows (user, refresh and client-credentials). This deprecates the existing Token.requestToken(XSTokenRequest) API.

  • The token-client library can be used by plain Java applications.
  • Auto-configuration is provided for Spring Boot applications only, when using XSUAA Spring Boot Starter.

• ANNOUNCEMENT: Please be aware that with version 2.0.0 we want to get rid of package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib.

1.6.0

1.6.0

• Provides spring starter for spring-xsuaa, which enables auto-configuration as documented here

<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>1.6.0</version>
</dependency>

• Supports reactive ServerHttpSecurity (Spring webflux). Have a look at the (webflux sample application)[samples/spring-webflux-security-xsuaa-usage/README.md]
• To make sure that the Spring SecurityContext is always initialized with a validated token use SpringSecurityContext.init() method as documented here
• To avoid issues, when an application makes use of SAP-libraries using the SAP-internal container lib, use SpringSecurityContext instead of SecurityContext
• Some enhancements for XSUAA integration

Incompatible changes

• As of version 1.6.0 you need to make use of XSUAA Spring Boot Starter in order to leverage auto-configuration (see Troubleshoot section here)

1.5.0

1.5.0

• Supports jku URI which is provided as part of the JSON Web Signature (JWS). The jku of the Jwt token header references the public key URI of the Xsuaa OAuth Authorization Server, and needs to match to the xsuaa.uaadomain.
• Completely customizable auto-configurations so that apps can override the spring-xsuaa defaults:
  • auto-configuration for Xsuaa OAuth Authorization Server is documented here.
  • auto-configuration for Xsuaa Mock Server configuration can be found here.
• Uses apache slf4j Logger for better log analysis on Cloud Foundry. This is provided with org.springframework.boot:spring-boot-starter-logging.
• Improves and enhances sample application.
• Renames class TokenImpl to XsuaaToken. Furthermore for convenience XsuaaToken subclasses org.springframework.security.oauth2.jwt.Jwt.
• Subclassing of TokenAuthenticationConverter is no longer allowed, instead TokenAuthenticationConverter can be configured with your own AuthoritiesExtractor implementation (an example can be found here).
• Please note that the port of the mock web server that is provided with the xsuaa mock library had to be defined statically. It runs now always on port 33195.
• Find more complex examples here: https://github.com/SAP/cloud-application-security-sample

1.4.0

• API method to query token validity
• Bugfix in basic authentication support: allow usage of JWT token or basic authentication with one configuration
• Allows overwrite / enhancement of XSUAA jwt token validators
• Allow applications to initialize of Spring SecurityContext for non HTTP requests. As documented in https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/README.md

Build results have been published to maven central: https://search.maven.org/search?q=com.sap.cloud.security

Support for Broker plan

Changes:

• Broker plan validation failed due to incorrect audience validation

Build results have been published to maven central: https://search.maven.org/search?q=com.sap.cloud.security

1.3.0

Changes:

• JwtGenerator offers enhancement options: custom claims and audience
• Test framework support for multi tenancy

Build results have been published to maven central: https://search.maven.org/search?q=com.sap.cloud.security

1.2.0

• Eases enhancement of TokenAuthenticationConverter (issue 23)
• Makes XsuaaAudienceValidator more robust (issue 21)
• XSTokenRequest accepts custom RestTemplate (issue 25) to e.g. configure timeout behavior.
• Provides spring-xsuaa-test library with JWTGenerator (issue 29)
• Provides spring-xsuaa-mock library with XSUAA authentication mock web server for offline token key validation (issue 30)

Build results have been published to maven central: https://search.maven.org/search?q=com.sap.cloud.security

xsuaa Spring integration libraries

• Spring-Security 5 integration libraries.
• Spring-Security 5 Support for basic authentication
• Samples