Version 2.3.2

2.3.2

• [spring-xsuaa] Fix vulnerability issues and increased Spring versions.
• [spring-xsuaa] Fix issue in TokenBrokerResolver: second configured authentication method was ignored

Version 2.4.1-SNAPSHOT

• [java-security] Another Snapshot Version with improved error handling and option to configure the ClosableRestClient in context of the JwtValidatorBuilder and TokenAuthenticator.

Version 2.4.0-SNAPSHOT

• [java-security] Initial / Snapshot version of the new plain Java security libraries as documented here.
• [token-client] OidcConfigurationServiceWithCache supports basically Open-id Configuration endpoints as documented here.
• [token-client] OAuth2TokenKeyServiceWithCache supports JWKS endpoint with cache of identity service as documented here.

Version 2.3.0

2.3.0

• [spring-xsuaa] Spring tests fail with version 2.2.0, when auto-configuration is disabled and no RestOperations bean is specified.
• [token-client] Supports basically JWT Bearer Token Grant as documented here. NOTE this will no longer provide a refresh token!
• [token-client] Bug fix for state issue in HttpHeaderFactor (#200) that causes interference between different types of token flows.
• [spring-xsuaa] xsuaa bindings of plan apiaccess does not cause an error, as they get ignored for token validation.

Version 2.2.0

• [spring-xsuaa] PropertySourceFactory supports custom property sources and default can optionally be disabled with spring.xsuaa.disable-default-property-source=true
• [spring-xsuaa] Supports Spring Core 5.2.0.RELEASEand Spring Boot 2.2.0.RELEASE
• [spring-xsuaa] Deprecates TokenUrlUtils in favor of OAuth2ServiceEndpointsProvider
• [spring-xsuaa] XsuaaJwtDecoderBuilder can be configured with your RestOperations (RestTemplate). When using auto-configuration your RestTemplate bean is used by default.
• Internally, we've cleaned up maven dependencies (converged versions) and
  • removed transient dependency of spring-security-oauth2 to jackson.
  • introduced org.owasp.dependency-check-maven which performs CVSS checks.
• [token-client] supports password token flows as documented here.

Hint:

• Make sure that in @SpringBootTest annotation the XsuaaAutoConfiguration is specified before the XsuaaTokenFlowAutoConfiguration class.

Version 2.1.0

Version 2.1.0

• The token-client library supports Apache Http Client. So you can make use of it without any Spring dependencies! Have also a look at the java-tokenclient-usage sample application.
• Fix CVE-2018-1000613 by removing unnecessary dependencies (issue 144).
• Makes XsuaaMockWebServer more robust.
• Adds link to TechEd 2019 self-learning material.

Version 2.0.0

2.0.0

• Deleted package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib like CAP.
  • As already mentioned use SpringSecurityContext class instead of SecurityContext class.
• Removed deprecated methods:
  • XsuaaServiceConfiguration.getTokenUrl()
  • XsuaaToken.getClaimAccessor() is not required anymore as Xsuaa itself implements JwtClaimAccessor .
• Deprecated TokenBroker interface and its implementation UaaTokenBroker, as this is going to be replaced with the OAuth2TokenService interface which is provided by the new token-client library. If you wish to configure / pass your RestTemplate you can pass an instance of OAuth2TokenService:

new TokenBrokerResolver( 
  <<your configuration>>, 
  <<your cache>>, 
  new XsuaaOAuth2TokenService(<<your restTemplate>>), 
  <<your authenticationInformationExtractor>>);

• TokenUlrUtils class is now package protected and will be deleted with version.
• token-client library supports basically Password-Grant Access Tokens.

Version 1.7.0

1.7.0

• We now provide a new slim token-client library with a XsuaaTokenFlows class, which serves as a factory for the different flows (user, refresh and client-credentials). This deprecates the existing Token.requestToken(XSTokenRequest) API.

  • The token-client library can be used by plain Java applications.
  • Auto-configuration is provided for Spring Boot applications only, when using XSUAA Spring Boot Starter.

• ANNOUNCEMENT: Please be aware that with version 2.0.0 we want to get rid of package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib.

1.6.0

1.6.0

• Provides spring starter for spring-xsuaa, which enables auto-configuration as documented here

<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>1.6.0</version>
</dependency>

• Supports reactive ServerHttpSecurity (Spring webflux). Have a look at the (webflux sample application)[samples/spring-webflux-security-xsuaa-usage/README.md]
• To make sure that the Spring SecurityContext is always initialized with a validated token use SpringSecurityContext.init() method as documented here
• To avoid issues, when an application makes use of SAP-libraries using the SAP-internal container lib, use SpringSecurityContext instead of SecurityContext
• Some enhancements for XSUAA integration

Incompatible changes

• As of version 1.6.0 you need to make use of XSUAA Spring Boot Starter in order to leverage auto-configuration (see Troubleshoot section here)

1.5.0

1.5.0

• Supports jku URI which is provided as part of the JSON Web Signature (JWS). The jku of the Jwt token header references the public key URI of the Xsuaa OAuth Authorization Server, and needs to match to the xsuaa.uaadomain.
• Completely customizable auto-configurations so that apps can override the spring-xsuaa defaults:
  • auto-configuration for Xsuaa OAuth Authorization Server is documented here.
  • auto-configuration for Xsuaa Mock Server configuration can be found here.
• Uses apache slf4j Logger for better log analysis on Cloud Foundry. This is provided with org.springframework.boot:spring-boot-starter-logging.
• Improves and enhances sample application.
• Renames class TokenImpl to XsuaaToken. Furthermore for convenience XsuaaToken subclasses org.springframework.security.oauth2.jwt.Jwt.
• Subclassing of TokenAuthenticationConverter is no longer allowed, instead TokenAuthenticationConverter can be configured with your own AuthoritiesExtractor implementation (an example can be found here).
• Please note that the port of the mock web server that is provided with the xsuaa mock library had to be defined statically. It runs now always on port 33195.
• Find more complex examples here: https://github.com/SAP/cloud-application-security-sample