
Releases: SAP/cloud-security-services-integration-library

Version 2.11.3

25 Nov 18:19
c6119e2


  • [java-api]
    • SecurityContext has been extended to provide thread-wide X.509 certificate storage.
  • [java-security]
    • Introduces the X.509 certificate thumbprint validator JwtX5tValidator (see the linked documentation).
    • IasTokenAuthenticator and XsuaaTokenAuthenticator store the X.509 certificate forwarded with an incoming request in SecurityContext.
    • XsuaaDefaultEndpoints provides a new constructor (url, certUrl) (issue 707).
  • [spring-xsuaa]
    • The XsuaaServiceConfiguration interface default method getClientIdentity() has to be overridden to be usable.
    • ❗ Incompatible change: XsuaaCredentials getPrivateKey()/setPrivateKey() have been renamed to getKey()/setKey() to match the attribute name ("key") in the configuration.
  • [token-client] Adds an X-CorrelationID header to outgoing requests. If the MDC provides a "correlation_id", that value is used (issue 691).
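The check a certificate thumbprint validator such as JwtX5tValidator performs, as an added example that is not the library's own code: RFC 8705 binds an access token to a client certificate through the cnf.x5t#S256 claim, which holds base64url(SHA-256(DER certificate)) without padding. The certificate bytes below are constructed stand-ins, and the way the forwarded certificate is decoded (PEM with or without armour, as an assumption) is not taken from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Illustrative cnf.x5t#S256 check; not the library's JwtX5tValidator. */
public final class X5tCheckExample {

    /** base64url(SHA-256(DER)) without padding, as RFC 8705 defines the x5t#S256 member. */
    static String thumbprintS256(byte[] derCertificate) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCertificate);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /**
     * Decodes a forwarded certificate into DER bytes.
     * Assumption: the router forwards standard base64, optionally wrapped in PEM armour.
     */
    static byte[] toDer(String forwardedCert) {
        String body = forwardedCert
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "")
                .replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    /**
     * Accepts the token only if its cnf.x5t#S256 claim equals the thumbprint of the
     * certificate presented on this request. A missing claim or certificate is a reject,
     * never a pass-through; the comparison is constant-time.
     */
    static boolean isBoundTo(String cnfX5tS256, byte[] derCertificate) {
        if (cnfX5tS256 == null || cnfX5tS256.isEmpty()
                || derCertificate == null || derCertificate.length == 0) {
            return false;
        }
        byte[] expected = thumbprintS256(derCertificate).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = cnfX5tS256.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) {
        // Constructed stand-ins for DER certificate bytes; real input is the forwarded client certificate.
        byte[] boundCert = "constructed stand-in for the DER bytes of the bound certificate"
                .getBytes(StandardCharsets.US_ASCII);
        byte[] otherCert = "constructed stand-in for the DER bytes of another certificate"
                .getBytes(StandardCharsets.US_ASCII);

        // What the token issuer would place into cnf.x5t#S256 for boundCert.
        String cnfClaim = thumbprintS256(boundCert);

        // The same certificate as it might arrive in a forwarded-client-cert header (PEM armour, constructed).
        String forwardedPem = "-----BEGIN CERTIFICATE-----\n"
                + Base64.getMimeEncoder().encodeToString(boundCert)
                + "\n-----END CERTIFICATE-----\n";

        System.out.println("cnf.x5t#S256 = " + cnfClaim);
        System.out.println("forwarded bound cert accepted: " + isBoundTo(cnfClaim, toDer(forwardedPem)));
        System.out.println("other cert accepted:           " + isBoundTo(cnfClaim, otherCert));
        System.out.println("token without cnf accepted:    " + isBoundTo(null, boundCert));
    }
}
```

Only the first of the three checks in main passes: a different certificate and a token without a cnf claim are both rejected. In a real deployment the thumbprint check only means something if the certificate really came from the TLS handshake, so the forwarded header must be stripped from untrusted ingress and set exclusively by the trusted router.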

Dependency upgrades

  • io.projectreactor:reactor-test 3.4.11 --> 3.4.12
  • io.projectreactor:reactor-core 3.4.11 --> 3.4.12
  • dependency-check-maven-plugin 6.4.1 --> 6.5.0
  • org.springframework:spring.core.version 5.3.12 --> 5.3.13
  • org.springframework:spring.security.version 5.5.3 --> 5.6.0
  • org.springframework.boot:spring-boot 2.5.6 --> 2.6.0
  • logcaptor 2.7.0 --> 2.7.2

Version 2.11.1

22 Oct 15:46
14b2c80


  • [java-security][spring-security] supports custom domains of the identity service. If ias_iss is given and not empty, JwtIssuerValidator checks whether it is a valid URL and whether it matches one of the valid domains of the identity service; the check of iss against the domains is skipped in that case.
  • [spring-xsuaa] resolves a regression in XsuaaServiceConfigurationDefault (fixes #695)

Dependency upgrades

  • io.projectreactor:reactor-test 3.4.10 --> 3.4.11
  • io.projectreactor:reactor-core 3.4.10 --> 3.4.11
  • org.springframework:spring.core.version 5.3.10 --> 5.3.12
  • org.springframework.boot:spring-boot 2.5.4 --> 2.5.6

Version 2.11.0

15 Sep 09:23
c8f6aad


📣 Client Libraries support Kubernetes/Kyma environment

  • [env]
    • The extraction of the OAuth2ServiceConfiguration for the xsuaa or ias identity service has been moved into the com.sap.cloud.security:env client library. ❗ Make sure that com.sap.cloud.security:env is in your dependency tree.
    • Extended with Kubernetes/Kyma environment support
  • [samples/java-security-usage] enabled for the Kyma/Kubernetes environment
  • [samples/spring-security-basic-auth] enabled for the Kyma/Kubernetes environment
  • [samples/spring-security-hybrid-usage] enabled for the Kyma/Kubernetes environment
  • [spring-xsuaa] LocalAuthoritiesExtractor also supports appIds that contain pipe (|) characters (#640).
  • [spring-security] XsuaaTokenAuthorizationConverter also supports appIds that contain pipe (|) characters (#640).
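Why a pipe in the appId matters for local authority extraction, as an added example (not the library's LocalAuthoritiesExtractor or XsuaaTokenAuthorizationConverter, and not a description of what #640 changed): XSUAA scopes are of the form "<appId>.<localScope>", and the local scope is obtained by stripping the appId prefix. A plain prefix comparison is unaffected by characters such as "|" or "!"; a regular expression built from an unquoted appId is not, because "|" becomes alternation. The appId and scope list below are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative local scope extraction for XSUAA scopes "<appId>.<localScope>". */
public final class LocalScopeExtractionExample {

    /** Recommended: plain prefix comparison; regex metacharacters in the appId are never interpreted. */
    static List<String> localScopes(List<String> scopes, String appId) {
        String prefix = appId + ".";
        List<String> local = new ArrayList<>();
        for (String scope : scopes) {
            if (scope.startsWith(prefix) && scope.length() > prefix.length()) {
                local.add(scope.substring(prefix.length()));
            }
        }
        return local;
    }

    /**
     * Pitfall shown for contrast: the appId is interpolated into a regex unquoted.
     * With an appId containing '|', the pattern becomes an alternation, so the app's own scopes
     * are dropped and a scope of whatever appears after the '|' is accepted instead.
     * Pattern.quote(appId) would make this equivalent to localScopes().
     */
    static List<String> localScopesUnquotedRegex(List<String> scopes, String appId) {
        Pattern p = Pattern.compile("^" + appId + "\\.(.+)$");
        List<String> local = new ArrayList<>();
        for (String scope : scopes) {
            Matcher m = p.matcher(scope);
            if (m.matches()) {
                local.add(m.group(1));
            }
        }
        return local;
    }

    public static void main(String[] args) {
        // Constructed appId with a pipe and a constructed scope claim; "broker!b456.Admin" belongs to a different app.
        String appId = "app!t123|broker!b456";
        List<String> scopeClaim = List.of(
                appId + ".Read",
                appId + ".Write",
                "broker!b456.Admin",
                "openid");

        System.out.println("prefix comparison : " + localScopes(scopeClaim, appId));
        System.out.println("unquoted regex    : " + localScopesUnquotedRegex(scopeClaim, appId));
    }
}
```

The prefix version yields [Read, Write]; the unquoted regex version yields [Admin], i.e. it both loses the application's own authorities and grants one that belongs to another application. Whenever an identifier from configuration is used to build a matcher, either avoid regular expressions or quote the identifier.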

Dependency upgrades

  • maven-javadoc-plugin 3.3.0 --> 3.3.1
  • maven-pmd-plugin 3.14.0 --> 3.15.0
  • dependency-check-maven 6.2.2 --> 6.3.1
  • com.github.tomakehurst:wiremock-jre8-standalone 2.30.1 --> 2.31.0
  • io.projectreactor:reactor-test 3.4.9 --> 3.4.10
  • io.projectreactor:reactor-core 3.4.9 --> 3.4.10
  • org.springframework:spring.core.version 5.3.9 --> 5.3.10
  • org.springframework.boot:spring-boot 2.5.3 --> 2.5.4
  • org.mockito:mockito-core 3.11.2 --> 3.12.4

Version 2.10.5

18 Aug 16:02
397ea8c


  • [token-client]
    • The XsuaaTokenFlows constructor accepts com.sap.cloud.security.xsuaa.client.ClientCredentials as an argument.

Dependency upgrades

  • org.springframework.security:spring-security-oauth2-jose 5.5.1 --> 5.5.2
  • org.springframework.security:spring-security-oauth2-resource-server 5.5.1 --> 5.5.2
  • org.springframework.security:spring-boot-starter-test 5.5.1 --> 5.5.2

Version 2.10.4

18 Aug 10:58


  • [java-security] Enriches JsonParsingException to detect wrong authorization headers earlier.
  • [token-client]
    • ClientCredentials: resolves the incompatible change between 2.9.0 and 2.10.0.
    • OAuth2TokenResponse.getTokenType() exposes the token type as returned by the token endpoint.
  • [spring-xsuaa]
    • XsuaaServiceConfigurationDefault.hasProperty("apiurl") returns true if VCAP_SERVICES-xsuaa-credentials contains the attribute "apiurl".
    • XsuaaServiceConfigurationDefault.getProperty("apiurl") returns the value of VCAP_SERVICES-xsuaa-credentials-apiurl, or null if the attribute does not exist.
  • [spring-security] HybridJwtDecoder raises BadJwtException if the token is invalid and cannot be decoded.

Dependency upgrades

  • wiremock 2.29.1 --> 2.30.1
  • io.projectreactor:reactor-core 3.4.8 --> 3.4.9
  • io.projectreactor:reactor-test 3.4.8 --> 3.4.9

Version 2.10.3

27 Jul 20:49
a81b9b8



Dependency upgrades

  • org.springframework.boot:spring-boot 2.5.0 --> 2.5.2
  • slf4j-api 1.7.30 --> 1.7.32
  • caffeine 2.8.8 --> 2.9.2
  • mockito 3.10.0 --> 3.11.2
  • assertj 3.19.0 --> 3.20.2
  • commons-io:commons-io 2.9.0 --> 2.11.0
  • io.projectreactor:reactor-test 3.4.5 --> 3.4.8
  • io.projectreactor:reactor-core 3.4.6 --> 3.4.8
  • com.github.tomakehurst:wiremock-jre8-standalone 2.27.2 --> 2.29.1
  • removes mockwebserver from parent

Version 2.10.2

09 Jul 17:09
7dd129f


  • [spring-security] and its starter are released with project version 2.10.2.
    Greenfield projects should use spring-security instead of spring-xsuaa.
  • [spring-xsuaa] TokenBrokerResolver supports the X.509 authentication method.
  • [samples/spring-security-basic-auth] deprecates the xsuaa security descriptor with client secret authentication; the default is now X.509 based authentication.
  • [java-security-test] requires the javax.servlet:javax.servlet-api dependency to be provided.

2.10.1 and 0.3.1 [BETA]

07 Jul 07:56
a679c01


  • [xsuaa-spring-boot-starter] [resourceserver-security-spring-boot-starter] dependency upgrades fix CVE-2021-22119 (a denial-of-service issue in Spring Security 5.5.0, fixed in 5.5.1)

Dependency upgrades

  • org.springframework.boot:spring-boot 2.5.0 --> 2.5.2
  • org.springframework:spring-core 5.3.7 --> 5.3.8
  • org.springframework.security:spring-security-oauth2-jose 5.5.0 --> 5.5.1
  • org.springframework.security:spring-security-oauth2-resource-server 5.5.0 --> 5.5.1
  • org.springframework.security:spring-boot-starter-test 5.5.0 --> 5.5.1
  • org.springframework.security.oauth:spring-security-oauth2 2.5.0.RELEASE --> 2.5.1.RELEASE
  • [samples] Upgraded approuter version to "^10.4.3"

Version 2.10.0

23 Jun 18:47


2.10.0 and 0.3.0 [BETA]

  • [java-api] provides ClientIdentity with two implementations: ClientCredentials and ClientCertificate.
  • [token-client]
    • XsuaaTokenFlows supports the X.509 authentication method. To enable X.509 you probably need to provide org.apache.httpcomponents:httpclient as a dependency and need to configure XsuaaTokenFlows differently:
      • XsuaaDefaultEndpoints(url) must be replaced with XsuaaDefaultEndpoints(<OAuth2ServiceConfiguration>).
      • DefaultOAuth2TokenService constructors that are not parameterized with CloseableHttpClient are deprecated, as they do not support X.509.
      • XsuaaOAuth2TokenService constructors that are not parameterized with RestOperations are deprecated, as they do not support X.509.
      • Find more detailed information here.
    • The SSLContextFactory class, which was marked as deprecated, has been moved to the com.sap.cloud.security.mtls package.
    • Logs a 'WARN' message in case the application has not overwritten the default http client. Find further information about that here.
  • [java-security]
    • IasXsuaaExchangeBroker supports X.509 based token exchange. If the token exchange is done via XsuaaTokenAuthenticator, you need to provide an http client that is prepared with an SSL context.
    • JwtIssuerValidator supports custom domains of the identity service. If ias_iss is given and not empty, JwtIssuerValidator checks whether it is a valid URL and whether it matches one of the valid domains of the identity service; the check of iss against the domains is skipped in that case.
    • The token keys cache does not accept a cache time longer than 15 minutes, so that a rotated or revoked signing key does not stay trusted for long.
  • [spring-xsuaa] and starter
    • As of Spring Security 5.5.0 only a BadJwtException results in an InvalidBearerTokenException, which is handled and mapped to a 401 status code. Consequently, XsuaaJwtDecoder raises BadJwtException instead of JwtException.
    • XsuaaTokenFlowAutoconfiguration supports X.509 based authentication. You need to provide org.apache.httpcomponents:httpclient as a dependency.
    • IasXsuaaExchangeBroker can be configured with the (autoconfigured) XsuaaTokenFlows to enable X.509 based authentication.
    • As of version 2.10 the warning "In productive environment provide a well configured client secret based RestOperations bean." is written to the application log if the default RestOperations implementation is used and not overwritten by a well-defined one of your own. See also here.
  • [spring-security] and starter
    • XsuaaTokenFlowAutoconfiguration supports X.509 based authentication. You need to provide org.apache.httpcomponents:httpclient as a dependency.
    • HybridJwtDecoder raises BadJwtException instead of AccessDeniedException.
    • As of version 2.10 the warning "In productive environment provide a well configured client secret based RestOperations bean." is written to the application log if the default RestOperations implementation is used and not overwritten by a well-defined one of your own.
  • [samples/java-tokenclient-usage] uses X.509 based authentication for XsuaaTokenFlows.
  • [samples/spring-security-xsuaa-usage] deprecates the xsuaa security descriptor with client secret authentication; the default is now X.509 based authentication.
  • [samples/spring-security-hybrid-usage] has switched to X.509 based authentication.
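The issuer check described for JwtIssuerValidator in these notes and in the 2.11.1 notes (prefer ias_iss when present and non-empty, require a valid URL, match it against the identity service's domains), as an added example that is not the library's code. Assumptions not taken from the page: only https issuers are accepted, URLs with userinfo, query or fragment are rejected, and "matches one of the valid domains" is implemented as a dot-bounded suffix match on the host. The domain list and the test issuers are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/** Illustrative issuer validation; not the library's JwtIssuerValidator. */
public final class IssuerDomainCheckExample {

    /** ias_iss wins when present and non-empty; otherwise iss is checked (as the release notes describe). */
    static String effectiveIssuer(String iss, String iasIss) {
        return (iasIss != null && !iasIss.isEmpty()) ? iasIss : iss;
    }

    /**
     * Accepts the issuer only if it parses as an absolute https URL with a host and without
     * userinfo, query or fragment, and the host equals a trusted domain or is a subdomain of one.
     * The "." boundary is what stops "evil-accounts.ondemand.com" from matching "accounts.ondemand.com".
     */
    static boolean isTrustedIssuer(String issuer, List<String> trustedDomains) {
        if (issuer == null || issuer.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(issuer);
        } catch (URISyntaxException e) {
            return false; // not a valid URL
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            return false;
        }
        if (uri.getUserInfo() != null || uri.getQuery() != null || uri.getFragment() != null) {
            return false;
        }
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        for (String domain : trustedDomains) {
            String d = domain.toLowerCase(Locale.ROOT);
            if (host.equals(d) || host.endsWith("." + d)) {
                return true;
            }
        }
        return false;
    }

    static boolean validate(String iss, String iasIss, List<String> trustedDomains) {
        return isTrustedIssuer(effectiveIssuer(iss, iasIss), trustedDomains);
    }

    public static void main(String[] args) {
        // Constructed domain list; in a real deployment it comes from the identity service credentials (see the 2.9.0 notes).
        List<String> domains = List.of("accounts.ondemand.com", "accounts400.ondemand.com");

        // Constructed (iss, ias_iss) pairs covering the custom-domain path and common lookalike issuers.
        String[][] cases = {
            {"https://tenant.accounts.ondemand.com", null},                        // plain IAS issuer
            {"https://tenant.accounts.ondemand.com", ""},                          // empty ias_iss falls back to iss
            {"https://login.custom-domain.example", "https://tenant.accounts.ondemand.com"}, // custom domain, ias_iss checked
            {"https://login.custom-domain.example", "not a url"},                   // ias_iss present but invalid
            {"https://tenant.accounts.ondemand.com.attacker.example", null},       // trusted domain embedded as a prefix
            {"https://evil-accounts.ondemand.com", null},                          // suffix without dot boundary
            {"https://tenant.accounts.ondemand.com@attacker.example", null},       // userinfo trick
            {"http://tenant.accounts.ondemand.com", null},                         // wrong scheme
        };
        for (String[] c : cases) {
            System.out.printf("iss=%-55s ias_iss=%-40s -> %s%n", c[0], c[1], validate(c[0], c[1], domains));
        }
    }
}
```

The first three cases are accepted; the remaining five are rejected. Note that the custom-domain case passes solely because ias_iss points at a trusted domain, which is exactly why the ias_iss claim must itself be covered by the token signature: an unsigned or unvalidated ias_iss would let any issuer name itself into the trusted set.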

Version 2.9.0

07 Jun 06:18


2.9.0 and 0.2.0 [BETA]

  • [java-security] and [spring-security] validate IAS OIDC tokens from multiple IAS tenants and zones.
    Prerequisite: the identity service broker needs to provide the list of domains via VCAP_SERVICES-identity-credentials.
  • [spring-security] Resource Server raises InvalidBearerTokenException in case the token couldn't be validated successfully (as documented here). Adapt your configuration locally according to this documentation.

Dependency upgrades

  • commons-io:commons-io 2.8.0 --> 2.9.0
  • org.springframework.boot:spring-boot 2.4.5 --> 2.5.0
  • org.springframework:spring-core 5.3.6 --> 5.3.7
  • org.springframework.security:spring-security-oauth2-jose 5.4.6 --> 5.5.0
  • org.springframework.security:spring-security-oauth2-resource-server 5.4.6 --> 5.5.0
  • org.springframework.security:spring-boot-starter-test 5.4.6 --> 5.5.0
  • org.junit.jupiter 5.7.1 --> 5.7.2
  • org.mockito:mockito-core 3.9.0 --> 3.10.0