increase to version 2.2.0 (#181)

* increase to version 2.2.0

* Update CHANGELOG for version 2.2.0

* apply formatting rules

CHANGELOG.md

@@ -2,7 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
-## 2.0.1
+## 2.2.0
+- [spring-xsuaa] `PropertySourceFactory` supports custom property sources and default can optionally be disabled with  `spring.xsuaa.disable-default-property-source=true`
+- [spring-xsuaa] Supports Spring Core `5.2.0.RELEASE`and Spring Boot `2.2.0.RELEASE`
+- [spring-xsuaa] Deprecates `TokenUrlUtils` in favor of `OAuth2ServiceEndpointsProvider`
+- Internally, we've cleaned up maven dependencies (converged versions) and 
+  - removed transient dependency of `spring-security-oauth2` to `jackson`.
+  - introduced `org.owasp.dependency-check-maven` which performs CVSS checks.
+- [token-client] supports password token flows as documented [here](https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/token-client).
+
+## 2.1.0
 * `token-client` library supports [Apache Http Client](https://hc.apache.org/) (without any Spring dependencies). Have also a look at the [java-tokenclient-usage](/samples/java-tokenclient-usage) sample application.
 * Fix CVE-2018-1000613 by removing unnecessary dependencies ([issue 144](https://github.com/SAP/cloud-security-xsuaa-integration/issues/144)).
 * Makes `XsuaaMockWebServer` more robust.

api/pom.xml

@@ -4,12 +4,12 @@
 
 	<groupId>com.sap.cloud.security.xsuaa</groupId>
 	<artifactId>api</artifactId>
-	<version>2.1.0</version>
+	<version>2.2.0</version>
 
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.1.0</version>
+		<version>2.2.0</version>
 	</parent>
 
 	<packaging>jar</packaging>

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>com.sap.cloud.security.xsuaa</groupId>
 	<artifactId>parent</artifactId>
-	<version>2.1.0</version>
+	<version>2.2.0</version>
 	<packaging>pom</packaging>
 
 	<name>parent</name>

samples/java-tokenclient-usage/pom.xml

@@ -3,11 +3,11 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.sap.cloud.security.xssec.samples</groupId>
     <artifactId>java-tokenclient-usage</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
     <packaging>war</packaging>
 
     <properties>
-        <xsuaa.client.version>2.1.0</xsuaa.client.version>
+        <xsuaa.client.version>2.2.0</xsuaa.client.version>
         <apache.httpclient.version>4.5.8</apache.httpclient.version>
         <javax.servlet.api.version>3.0.1</javax.servlet.api.version>
     </properties>

samples/sap-java-buildpack-api-usage/pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.sap.cloud.security.xssec.samples</groupId>
 	<artifactId>sap-java-buildpack-api-usage</artifactId>
-	<version>1.0</version>
+	<version>2.2.0</version>
 	<packaging>war</packaging>
 	<build>
 		<plugins>
@@ -21,7 +21,7 @@
 		<dependency>
 			<groupId>com.sap.cloud.security.xsuaa</groupId>
 			<artifactId>api</artifactId>
-			<version>2.1.0</version>
+			<version>2.2.0</version>
 			<scope>provided</scope>
 		</dependency>
 		<!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->

samples/spring-security-basic-auth/pom.xml

@@ -11,7 +11,7 @@
 	</parent>
 
 	<artifactId>spring-security-basic-auth</artifactId>
-	<version>2.0.0</version>
+	<version>2.2.0</version>
 	<name>spring-security-basic-auth</name>
 
 	<properties>

samples/spring-security-xsuaa-usage/pom.xml

@@ -14,7 +14,7 @@
 
 	<groupId>com.sap.cloud.security.samples</groupId>
 	<artifactId>spring-security-xsuaa-usage</artifactId>
-	<version>2.1.0</version>
+	<version>2.2.0</version>
 	<name>spring-security-xsuaa-usage</name>
 
 	<properties>
@@ -37,7 +37,7 @@
         <dependency>
             <groupId>com.sap.cloud.security.xsuaa</groupId>
             <artifactId>xsuaa-spring-boot-starter</artifactId>
-            <version>2.1.0</version>
+            <version>2.2.0</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

samples/spring-webflux-security-xsuaa-usage/pom.xml

@@ -12,7 +12,7 @@
 
     <groupId>com.sap.cloud.security.samples</groupId>
     <artifactId>spring-webflux-security-xsuaa-usage</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
     <name>spring-webflux-security-xsuaa-usage</name>
 
     <properties>

spring-xsuaa-it/pom.xml

@@ -11,7 +11,7 @@
 	</parent>
 
 	<artifactId>spring-xsuaa-it</artifactId>
-	<version>2.1.0</version>
+	<version>2.2.0</version>
 	<name>spring-xsuaa-it</name>
 
 	<properties>

spring-xsuaa-mock/README.md

@@ -17,7 +17,7 @@ The default implementation offers already valid *token_keys* for JWT tokens, tha
 <dependency>
     <groupId>com.sap.cloud.security.xsuaa</groupId>
     <artifactId>spring-xsuaa-mock</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
 </dependency>
 <dependency> <!-- new with version 1.5.0 - provided with org.springframework.boot:spring-boot-starter:jar -->
     <groupId>org.springframework.boot</groupId>

spring-xsuaa-mock/pom.xml

@@ -7,7 +7,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.1.0</version>
+		<version>2.2.0</version>
 	</parent>
 
 	<artifactId>spring-xsuaa-mock</artifactId>

spring-xsuaa-mock/src/main/java/com/sap/cloud/security/xsuaa/mock/XsuaaMockWebServer.java

@@ -14,7 +14,8 @@
 import okhttp3.mockwebserver.MockWebServer;
 
 /**
- * Starts a mock for xsuaa (user account and authentication) service on localhost.
+ * Starts a mock for xsuaa (user account and authentication) service on
+ * localhost.
  */
 public class XsuaaMockWebServer extends PropertySource<MockWebServer> {
 
@@ -37,8 +38,9 @@ public XsuaaMockWebServer() {
 	 * Initializes a Mock Web Server object on a given port.
 	 *
 	 * @param port
-	 *            the port the mock server should listen to. Use '0' in case you want to use a random port.
-	 *            Per specified port you can only start one mock web server instance.
+	 *            the port the mock server should listen to. Use '0' in case you
+	 *            want to use a random port. Per specified port you can only start
+	 *            one mock web server instance.
 	 */
 	public XsuaaMockWebServer(int port) {
 		super(MOCK_XSUAA_PROPERTY_SOURCE_NAME, createMockWebServer(new XsuaaRequestDispatcher()));
@@ -86,10 +88,11 @@ public Object getProperty(String name) {
 
 	/**
 	 * Shuts the server down, but only if it is started.
+	 * 
 	 * @throws IOException
 	 */
 	public void destroy() throws IOException {
-		if(isStarted) { // if XsuaaMockWebServer instance contains server (getSource()) which is started
+		if (isStarted) { // if XsuaaMockWebServer instance contains server (getSource()) which is started
 			getSource().shutdown(); // performs a shutdown only in case if getSource().started = true
 			log.info(">>>>>>>>>>> Stopped Xsuaa Mock Server (MockWebServer[{}]) ", port);
 			startedWebServer.remove(port);
@@ -101,11 +104,13 @@ private static void intializeMockXsuaa(MockWebServer mockWebServer, int port) {
 			mockWebServer.start(port);
 			startedWebServer.put(port, getUrlAndStartIfNotStarted(mockWebServer));
 			log.warn(
-					">>>>>>>>>>> Started Xsuaa Mock Server ({}) that provides public keys for offline JWT Token validation. NEVER run in productive environment!<<<<<<", mockWebServer.url(""));
+					">>>>>>>>>>> Started Xsuaa Mock Server ({}) that provides public keys for offline JWT Token validation. NEVER run in productive environment!<<<<<<",
+					mockWebServer.url(""));
 		} catch (IllegalStateException | IOException e) {
 			throw new IllegalStateException(
 					String.format("Could not start XSUAA Mock webserver (port:%d). " +
-							"Make sure that it is not yet started in another process.", port), e);
+							"Make sure that it is not yet started in another process.", port),
+					e);
 		}
 	}
 

spring-xsuaa-mock/src/test/java/com/sap/cloud/security/xsuaa/mock/XsuaaMockWebServerTest.java

@@ -68,7 +68,7 @@ public void dontStartMockServerIfAlreadyStarted() throws Exception {
 	@Test
 	public void restartDestroyedMockServer() throws Exception {
 		mockServer = new XsuaaMockWebServer();
-		mockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); //starts the mock server
+		mockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); // starts the mock server
 		mockServer.destroy();
 		mockServer = new XsuaaMockWebServer();
 		String url = getLocalHostUrl(mockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME));
@@ -79,19 +79,19 @@ public void restartDestroyedMockServer() throws Exception {
 	@Test
 	public void destroyWebServerOnlyIfStarted() throws Exception {
 		mockServer = new XsuaaMockWebServer(4711);
-		mockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); //starts the mock server
+		mockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); // starts the mock server
 
 		XsuaaMockWebServer otherMockServer = new XsuaaMockWebServer(4711);
-		otherMockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); //trys to start the mock server
+		otherMockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); // trys to start the mock server
 		otherMockServer.destroy(); // will not shutdown
 
 		XsuaaMockWebServer anotherMockServer = new XsuaaMockWebServer(4711);
-		anotherMockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); //trys to start the mock server
+		anotherMockServer.getProperty(MOCK_XSUAA_PROPERTY_SOURCE_NAME); // trys to start the mock server
 	}
 
 	private String getLocalHostUrl(Object urlProperty) throws UnknownHostException {
 		InetAddress address = InetAddress.getLocalHost();
-		String url = ((String)urlProperty).toLowerCase();
+		String url = ((String) urlProperty).toLowerCase();
 		return url.replace(address.getCanonicalHostName().toLowerCase(), "localhost");
 	}
 }

spring-xsuaa-starter/pom.xml

@@ -14,11 +14,11 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.1.0</version>
+		<version>2.2.0</version>
 	</parent>
 
 	<artifactId>xsuaa-spring-boot-starter</artifactId>
-	<version>2.1.0</version>
+	<version>2.2.0</version>
 	<name>SAP Spring Boot Xsuaa Starter</name>
 	<description>SAP Starter for integrating application with XSUAA service</description>
 	<url>https://github.com/SAP/cloud-security-xsuaa-integration</url>

spring-xsuaa-test/README.md

@@ -27,7 +27,7 @@ This includes for example a `JwtGenerator` that generates JSON Web Tokens (JWT)
 <dependency>
     <groupId>com.sap.cloud.security.xsuaa</groupId>
     <artifactId>spring-xsuaa-test</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
     <scope>test</scope>
 </dependency>
 

spring-xsuaa-test/pom.xml

@@ -7,7 +7,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.1.0</version>
+		<version>2.2.0</version>
 	</parent>
 
 	<artifactId>spring-xsuaa-test</artifactId>

spring-xsuaa/README.md

@@ -23,7 +23,7 @@ This library enhances the [spring-security](https://github.com/spring-projects/s
 <dependency>
     <groupId>com.sap.cloud.security.xsuaa</groupId>
     <artifactId>spring-xsuaa</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
 </dependency>
 <dependency> <!-- new with version 1.5.0 -->
     <groupId>org.apache.logging.log4j</groupId>
@@ -38,7 +38,7 @@ This library enhances the [spring-security](https://github.com/spring-projects/s
 <dependency>
     <groupId>com.sap.cloud.security.xsuaa</groupId>
     <artifactId>xsuaa-spring-boot-starter</artifactId>
-    <version>2.1.0</version>
+    <version>2.2.0</version>
 </dependency>
 ```
 

spring-xsuaa/pom.xml

@@ -7,7 +7,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.1.0</version>
+		<version>2.2.0</version>
 	</parent>
 
 	<artifactId>spring-xsuaa</artifactId>

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/XsuaaServicesParser.java

@@ -55,15 +55,17 @@ public XsuaaServicesParser(String vcapServicesJson) {
 	}
 
 	/**
-	 * Parses the VCAP_SERVICES for xsuaa tag and returns a requested attribute/property from
-	 * credentials.
+	 * Parses the VCAP_SERVICES for xsuaa tag and returns a requested
+	 * attribute/property from credentials.
 	 * 
 	 * @param name
 	 *            the attribute name
-	 * @return associated value to given tag name or null if attribute/property not found
+	 * @return associated value to given tag name or null if attribute/property not
+	 *         found
 	 * @throws IOException
 	 *             in case of parse errors
-	 * @deprecated in favor of {@link #parseCredentials()}. Will be deleted with version 3.0.0.
+	 * @deprecated in favor of {@link #parseCredentials()}. Will be deleted with
+	 *             version 3.0.0.
 	 */
 	@Deprecated
 	public Optional<String> getAttribute(String name) throws IOException {
@@ -83,7 +85,8 @@ public Optional<String> getAttribute(String name) throws IOException {
 	/**
 	 * Parses the VCAP_SERVICES for xsuaa tag and returns all credential properties.
 	 *
-	 * @return Properties that contains all properties that belong to the xsuaa credentials object.
+	 * @return Properties that contains all properties that belong to the xsuaa
+	 *         credentials object.
 	 * @throws IOException
 	 *             in case of parse errors.
 	 *

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/autoconfiguration/XsuaaAutoConfiguration.java

@@ -57,10 +57,12 @@ public PropertyConditions() {
 		}
 
 		@ConditionalOnProperty(prefix = "spring.xsuaa", name = "multiple-bindings", havingValue = "false", matchIfMissing = true)
-		static class MultipleBindingsCondition { }
+		static class MultipleBindingsCondition {
+		}
 
 		@ConditionalOnProperty(prefix = "spring.xsuaa", name = "disable-default-property-source", havingValue = "false", matchIfMissing = true)
-		static class DisableDefaultPropertySourceCondition { }
+		static class DisableDefaultPropertySourceCondition {
+		}
 
 	}
 
@@ -77,5 +79,4 @@ public RestOperations xsuaaRestOperations() {
 		return new RestTemplate();
 	}
 
-
 }

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/autoconfiguration/XsuaaResourceServerJwkAutoConfiguration.java

@@ -42,10 +42,11 @@ public class XsuaaResourceServerJwkAutoConfiguration {
 	private final Logger logger = LoggerFactory.getLogger(getClass());
 
 	@Bean
-	@ConditionalOnBean({XsuaaServiceConfiguration.class, RestOperations.class })
+	@ConditionalOnBean({ XsuaaServiceConfiguration.class, RestOperations.class })
 	@ConditionalOnWebApplication(type = Type.SERVLET)
 	@ConditionalOnMissingBean
-	public JwtDecoder xsuaaJwtDecoder(XsuaaServiceConfiguration xsuaaServiceConfiguration, RestOperations restOperations) {
+	public JwtDecoder xsuaaJwtDecoder(XsuaaServiceConfiguration xsuaaServiceConfiguration,
+			RestOperations restOperations) {
 		logger.info("auto-configures JwtDecoder");
 		return new XsuaaJwtDecoderBuilder(xsuaaServiceConfiguration)
 				.withRestOperations(restOperations)

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/TokenUrlUtils.java

@@ -7,8 +7,9 @@
 import org.springframework.util.Assert;
 
 /**
- * @deprecated in favor of {@link com.sap.cloud.security.xsuaa.client.OAuth2ServiceEndpointsProvider}.
- * Will be deleted with version 3.0.0.
+ * @deprecated in favor of
+ *             {@link com.sap.cloud.security.xsuaa.client.OAuth2ServiceEndpointsProvider}.
+ *             Will be deleted with version 3.0.0.
  */
 @Deprecated
 final class TokenUrlUtils {
@@ -73,7 +74,7 @@ private static String getUrl(final String endpoint, final String uaaUrl, final S
 		String protocol = uri.getScheme();
 
 		String tenantTokenUrl = String.format("%s://%s", protocol, tenantUaaDomain + endpoint);
-		logger.debug("Created tenant token URL {}.",tenantTokenUrl);
+		logger.debug("Created tenant token URL {}.", tenantTokenUrl);
 		return tenantTokenUrl;
 	}
 

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/UaaTokenBroker.java

@@ -12,8 +12,8 @@
 import com.sap.cloud.security.xsuaa.client.XsuaaOAuth2TokenService;
 
 /**
- * @deprecated in favor of {@link OAuth2TokenService}. We are
- *             going to delete that in 3.0.0.
+ * @deprecated in favor of {@link OAuth2TokenService}. We are going to delete
+ *             that in 3.0.0.
  */
 public class UaaTokenBroker implements TokenBroker {
 

spring-xsuaa/src/test/java/com/sap/cloud/security/xsuaa/autoconfiguration/XsuaaAutoConfigurationTest.java

@@ -89,7 +89,7 @@ public void serviceConfigurationDisabledByDisableDefaultPropertySourceProperty()
 			assertThat(context).doesNotHaveBean("xsuaaServiceConfiguration");
 		});
 	}
-	
+
 	@Test
 	public void autoConfigurationInactive_if_noJwtOnClasspath() {
 		contextRunner.withClassLoader(new FilteredClassLoader(Jwt.class)) // removes Jwt.class from classpath