Version 2.8.13

• [token-client] Bug fix As of now, client-credential and jwt bearer user tokens are not cached in case tokenflow is configured with zone-id (instead of subdomain).
• [java-security] provides SapIdToken.getCnfX509Thumbprint() method to provide thumbprint of certificate, in case token was requested via X509 based authentication.
• [java-api] provides Token.getGrantType() method, proprietary GrantType.CLIENT_X509 gets deprecated.

Version Beta 0.1.6

[spring-security] and [spring-security-starter]
HybridIdentityServicesAutoConfiguration supports Identity service configuration alone, by setting up IasJwtDecoder.

Version 2.8.12

2.8.12 and 0.1.5 [BETA]

• The following dependencies were updated:
  • spring.security.version 5.4.5 --> 5.4.6
  • spring.core.version 5.3.5 --> 5.3.6
  • spring.boot.version 2.4.4 --> 2.4.5
  • org.json.version 20201115 --> 20210307
  • junit.version 4.13.1 --> 4.13.2
  • junit-jupiter.version 5.7.0 --> 5.7.1
  • reactor.version 3.4.2 --> 3.4.5
  • reactor.test.version 3.4.2 --> 3.4.5
• [token-client] OAuth2ServiceException provides getHttpStatusCode(). This allows applications to retry e.g. in case of 429 - when the request was rate limited.

Version 2.8.11

./.
error during release

Version 2.8.10

• [spring-xsuaa] introduced spring properties for IAS -> Xsuaa token exchange activation, as described here
• [java-security-test] uses jetty BoM to fix CVE-2021-28164 and CVE-2021-28165.
  • jetty 9.4.38.v20210224 --> 9.4.39.v20210325

Version 2.8.9

• [spring-xsuaa]
  • exclude transient dependency to net.minidev:json-smart to resolve CVE-2021-27568
• [xsuaa-spring-boot-starter] [resourceserver-security-spring-boot-starter]
  • spring-boot-starter 2.4.3 --> 2.4.4
  • spring-boot-starter-security 2.4.3 --> 2.4.4
  • net.minidev:json-smart 2.3 --> 2.4.2 to resolve CVE-2021-27568

Version 2.8.8

2.8.8

• [java-security-test] and java samples
  • jetty 9.4.36.v20210114 --> 9.4.38.v20210224 (⚠️ seems to be incompatible with javax.servlet-api 3.1.0)
  • javax.servlet:javax.servlet-api 3.1.0 --> 4.0.1 (recommended version)
• [java-security] supports with SpringSecurityContext a way to read tokens from Spring's SecurityContextHolder, in case a token was set by the application using one of these client-libraries:
  • org.springframework.security.oauth:spring-security-oauth2
  • com.sap.cloud.security.xsuaa:spring-xsuaa
  • com.sap.cloud.security:spring-security

Version 2.8.7

2.8.7 and 0.1.1 [BETA]

• [xsuaa-spring-boot-starter] and [resourceserver-security-spring-boot-starter (BETA)]
  • spring.core.version 5.3.3 --> 5.3.4
  • spring.boot.version 2.4.2 --> 2.4.3
  • spring.security.version 5.4.2 --> 5.4.5
• [samples] uses spring-boot-starter-parent version 2.4.3 in spring samples.
• [spring-xsuaa] fixes incompatibility issue: replaces Spring's InvalidBearerTokenException by InvalidTokenException
• [general] fixes Workflow action

Version 2.8.6

• [token-client]
  • Next to subdomain XsuaaTokenFlows.clientCredentialsTokenFlow() supports Zone ID setter
  • OAuth2TokenService.retrieveAccessTokenViaClientCredentialsGrant() was enhanced to set zoneId as a header when present.
  • OAuth2TokenService.retrieveAccessTokenViaClientCredentialsGrant(URI, ClientCredentials, String, Map, boolean) was deprecated in favor of OAuth2TokenService.retrieveAccessTokenViaClientCredentialsGrant(URI, ClientCredentials, String, String, Map, boolean)

BETA Version 0.1.0

0.1.0 [BETA] ⭐

[spring-security] new spring boot security client library that supports Token validation from XSUAA and IAS identity provider in parallel as described here.

An initial migration guide on how to migrate from spring-xsuaa is available here.