Version 3.5.2

• [spring-xsuaa] Remove new X5tCertificateThumbprintValidator from spring-xsuaa validators

Dependency upgrades

• Bump spring.boot.version from 3.3.0 to 3.3.1

Version 3.5.1

• [java-security]
  • Improved JWK fetch error handling
• [spring-security]
  • extended autoconfiguration for proof token check for all JwtDecoders
  • Improved JWK fetch error handling/logging. In case of unsuccessful response from JWK server the error will be mapped
    to 5XX status code

Dependency upgrades

• Bump spring.core.version from 6.1.7 to 6.1.10
• Bump spring.boot.version from 3.2.5 to 3.3.0
• Bump spring.security.version from 6.3.0 to 6.3.1
• bump caffeine version to 3.1.8
• Bump jakarta.servlet:jakarta.servlet-api from 6.0.0 to 6.1.0
• Bump io.projectreactor:reactor-core from 3.6.6 to 3.6.7
• Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.40

Version 3.5.0

• [java-api]
  • ClientIdentity interface has been extended with 2 new methods getCertificateChain()
    and getPrivateKey()
    and ClientCertificate class has been extended with new constructor that takes java.security.cert.Certificate[]
    and java.security.PrivateKey as an argument and corresponding getters for these fields.
  • user_token grant type has been re-added to GrantType enum
• [token-client] SSLContextFactory class has been extended and supports Keys in PKCS#8 format with ECC algorithm.
• [spring-security]
  • fixed NPE in IdentityServicesPropertySourceFactory on application startup when bound to a list of XSUAA services
    whose service plans are ALL not supported
  • provides an autoconfiguration that creates an Identity Service JwtDecoder with enabled proof token check. To enable
    it, set the sap.spring.security.identity.prooftoken spring property to true.
  • Fixes an issue with MockMvc when the SecurityContexts are synced. It sets SecurityContextStrategy based on an
    EnvironmentPostProcessor as in this scenario the servlet initialization is not happening and the code runs too late
    due to that.

Dependency upgrades

• Bump io.projectreactor:reactor-core from 3.6.5 to 3.6.6
• Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.39.1
• Bump spring.core.version from 6.1.6 to 6.1.7

Version 3.4.3

• [spring-security] improved custom SecurityContextStrategy registration for the SecurityContextAutoConfiguration class. It uses ServletContextInitializer to hook early into the initialization phase.

Dependency upgrades

• Bump com.sap.cloud.environment.servicebinding:java-bom from 0.10.4 to 0.10.5.

Version 3.4.2

• [spring-security]
  • fixes a NPE bug introduced in the HybridJwtDecoder when the incoming request does not
    contain x-forwarded-client-cert header
  • SecurityContextAutoConfiguration which synchronises all SecurityContexts is now enabled by default. To disable it
    set the sap.spring.security.hybrid.sync_securitycontext spring property to false

Version 3.4.1

• [spring-security] fixes a NPE bug introduced in the IasJwtDecoder when the incoming request does not
  contain x-forwarded-client-cert header

Dependency upgrades

• Bumps spring.boot.version from 3.2.4 to 3.2.5.
• Bumps slf4j.api.version from 2.0.12 to 2.0.13
• Bumps spring.security.version from 6.2.3 to 6.2.4.

Version 2.17.5

Dependency upgrades

• bump spring-core version to 5.3.34
• bump spring-security version to 5.8.12

Version 3.4.0

• [java-api] SecurityContext has been extended with a thread local storage for Service
  Plans. setServicePlans(), getServicePlans(), clearServicePlans() methods have been added.
• [java-security]
  • added support for Identity Service Proof Token validation. Proof Token validation can be enabled by
    calling JwtValidatorBuilder.enableProofTokenCheck(). Once enabled, it will forward the X509 client certificate from the
    request header x-fowarded-client-cert as x-client_cert header to the /oauth2/token_keys endpoint.
  • DefaultOAuth2TokenKeyService saves the service plans from response header x-osb_plan (identity broker service plan)
    in the new SecurityContext thread local storage for Service Plans. The header should be available when proof token validation is enabled.
    In this case, a x-client_cert is sent in the request to /oauth2/token_keys which should trigger the x-osb_plan response header.
• [spring-security] fixes a bug in ReactiveHybridJwtDecoder when parsing iat claim #1490

Dependency upgrades

• Bump commons-io:commons-io from 2.15.1 to 2.16.1
• Bump spring.boot.version from 3.2.2 to 3.2.4
• Bump spring.core.version from 6.1.5 to 6.1.6
• Bump io.projectreactor:reactor-core from 3.6.2 to 3.6.5
• Bump com.sap.cloud.environment.servicebinding:java-bom from
  0.10.3 to 0.10.4
• Bump spring.security.version from 6.2.1 to 6.2.3
• Bump org.springframework:spring-web from 6.1.4 to 6.1.5
• Bump org.json:json from 20240205 to 20240303

Version 2.17.4

Dependency Upgrades

• bump spring-core version to 5.3.33
• bump spring-security version to 5.8.11
• bump og4j2.version to 2.23.1
• bump commons io version to 2.16.1
• bump org.json.version to 20240303
• bump sap.cloud.env.servicebinding.version to 0.10.4

Version 3.3.5

• [spring-xsuaa] fixes a NPE bug in XsuaaJwtDecoder when uaadomain value is null
• [spring-security] reactive token validation supported with a help of ReactiveSecurityContext
  and ReactiveHybridJwtDecoder to allow more versatile use of spring-security library, also
  see spring-security ReadMe.md
• [samples]
  • spring-security-hybrid-usage demonstrates how to use multiple Xsuaa
    bindings
  • new sample spring-weblux-security-hybrid-usage that showcases
    usage of Reactive Token validation

Dependency upgrades

• Bump com.sap.cloud.environment.servicebinding from 0.10.2 to 0.10.3
• Bump slf4j.api.version from 2.0.11 to 2.0.12
• Bump org.json:json from 20231013 to 20240205
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1
• Bump spring.boot.version from 3.2.1 to 3.2.2
• Bump spring.core.version from 6.1.3 to 6.1.4