Releases: SAP/cloud-security-services-integration-library
Version 2.15.0
🔥 Hot fix for the CVE-2023-5072
- [java-security]
  - add x-azp header to IAS JWKS fetching and adjust JWKS cache key
  - OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
    - Refactor API to use generic Map instead of explicit IAS-specific parameters
Dependency upgrades
- Bump org.json.version from 20230618 to 20231013
- Bump spring.security.version from 5.8.6 to 5.8.7
- Bump spring.boot.version from 2.7.15 to 2.7.16
- Bump spring.core.version from 5.3.29 to 5.3.30
- Bump reactor-core from 3.4.32 to 3.4.33
- Bump com.sap.cloud.environment.servicebinding 0.9.0 to 0.10.0
- Bump commons-io from 2.13.0 to 2.14.0
Version 3.2.1
🔥 Hot fix for the CVE-2023-5072
Dependency upgrades
- Bump spring.boot.version from 3.1.4 to 3.1.5
- Bump log4j2.version from 2.20.0 to 2.21.0
- Bump spring.security.version from 6.1.4 to 6.1.5
- Bump org.json:json from 20230618 to 20231013
Version 3.2.0
- [java-security]
  - add x-azp header to IAS JWKS fetching
  - adjust JWKS cache key for OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
  - Refactor API to use generic Map instead of explicit IAS-specific parameters
Dependency upgrades
- Bump io.projectreactor:reactor-core from 3.5.9 to 3.5.11
- Bump spring.core.version from 6.0.11 to 6.0.13
- Bump spring.security.version from 6.1.3 to 6.1.4
- Bump commons-io:commons-io from 2.13.0 to 2.14.0
- Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
- Bump spring.boot.version from 3.1.3 to 3.1.4
- Bump slf4j.api.version from 2.0.7 to 2.0.9
Version 3.1.3
- [java-security]
  - Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
- [token-client]
  - fixes JWKs fetch from identity service issue when app_tid is not present in the token - the X-app_tid and X-client_id headers are only added when both values are available.
  - DefaultOAuth2TokenService
    - fixes issue where, in case of an unsuccessful token fetch, the OAuth2ServiceException.withHeaders() headers field was filled with only one entry containing all headers as a string
  - DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
    - improved error handling: the OAuth2ServiceException that's thrown in the status code != 200 case doesn't get swallowed
    - fixes OAuth2ServiceException.withHeaders() semantically incorrect behavior when headers were filled with request headers instead of response headers
    - OAuth2ServiceException generated by unsuccessful JWKs fetch contains request headers as well
  - OAuth2ServiceException updated header message - now contains "Response Headers" instead of "Headers"
Dependency upgrades
- Bump spring.security.version from 6.1.2 to 6.1.3
- Bump spring.boot.version from 3.1.2 to 3.1.3
Version 2.14.2
- [java-security]
  - Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
- [token-client]
  - fixes JWKs fetch from identity service issue when app_tid is not present in the token - the X-app_tid and X-client_id headers are only added when both values are available.
  - DefaultOAuth2TokenService
    - fixes issue where, in case of an unsuccessful token fetch, the OAuth2ServiceException.withHeaders() headers field was filled with only one entry containing all headers as a string
  - DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
    - improved error handling: the OAuth2ServiceException that's thrown in the status code != 200 case doesn't get swallowed
    - fixes OAuth2ServiceException.withHeaders() semantically incorrect behavior when headers were filled with request headers instead of response headers
    - OAuth2ServiceException generated by unsuccessful JWKs fetch contains request headers as well
  - OAuth2ServiceException updated header message - now contains "Response Headers" instead of "Headers"
Dependency upgrades
- Bump spring.security.version from 5.8.5 to 5.8.6
- Bump spring.boot.version from 2.7.14 to 2.7.15
- Bump reactor-core from 3.4.31 to 3.4.32
Version 3.1.2
- [token-client]
  - OAuth2ServiceException has been extended with getter method getHeaders() that gives access to the failed request's response headers
  - XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException
Version 3.1.1
- [env]
  - ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from the environment
  - in case of multiple service configurations of the same service plans, ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() will return the first one from the list. This adjustment ensures that the logic is in line with the 2.x major version.
- [token-client] reverted removal of OAuth2ServiceException.getHttpStatusCode()
Dependency upgrades
- Bump com.sap.cloud.environment.servicebinding:java-bom from 0.8.0 to 0.9.0
Version 2.14.1
- [token-client]
  - OAuth2ServiceException has been extended with getter method getHeaders() that gives access to the failed request's response headers
  - XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException
Dependency upgrades
- Bump btp-environment-variable-access from 0.8.0 to 0.9.0
Version 3.1.0
❗ IMPORTANT Update ❗
The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- [java-api]
  - Token interface is extended with default method getAppTid(), and the getZoneId() method has been deprecated; use the getAppTid() method instead
    ⚠️ This is also relevant for Xsuaa applications, not only Identity based applications
  - TokenClaims is extended with SAP_GLOBAL_APP_TID, and SAP_GLOBAL_ZONE_ID is deprecated
- [token-client]
  - OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
  - HttpHeaders constants are extended with X-app_tid and X-client_id headers
  - JWKs fetch from identity service going forward requires mandatory headers: X-app_tid and X-client_id. This has been updated in the default implementations of the OAuth2TokenKeyService:
    - DefaultOAuth2TokenKeyService
    - OAuth2TokenKeyServiceWithCache (java-security module)
    - SpringOAuth2TokenKeyService
- [java-security]
  - AbstractToken is serializable, fixes #1209
- [java-security-test]
  - JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗Some adaption might be required when calling the getZoneId() method, as it will now return the app_tid value when default values are used.
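The JWKS-fetch changes listed for 3.1.0, 3.1.3 and 3.2.0 can be pictured with the following sketch. It is an added example, not code from the library: JwksCacheSketch, requestHeaders, cacheKey and the stub fetcher are hypothetical names, and it assumes the cache key was adjusted so that keys fetched under one tenant or client context are never returned for another (the release notes do not state the reason).

```java
import java.net.URI;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;

// Hypothetical illustration; none of these names are part of the library's API.
public class JwksCacheSketch {
    private final Map<String, String> cache = new ConcurrentHashMap<>();
    private final BiFunction<URI, Map<String, String>, String> fetcher;

    JwksCacheSketch(BiFunction<URI, Map<String, String>, String> fetcher) {
        this.fetcher = fetcher;
    }

    // Tenant headers are sent only when both values are available (rule from 3.1.3).
    // Treating x-azp as independent of them is an assumption of this sketch.
    static Map<String, String> requestHeaders(String appTid, String clientId, String azp) {
        Map<String, String> headers = new TreeMap<>();
        if (appTid != null && clientId != null) {
            headers.put("X-app_tid", appTid);
            headers.put("X-client_id", clientId);
        }
        if (azp != null) {
            headers.put("x-azp", azp);
        }
        return headers;
    }

    // The key covers the endpoint plus every parameter that can change the response.
    static String cacheKey(URI jwksUri, Map<String, String> headers) {
        StringBuilder key = new StringBuilder(jwksUri.toString());
        new TreeMap<>(headers).forEach((k, v) -> key.append('|').append(k).append('=').append(v));
        return key.toString();
    }

    String getKeys(URI jwksUri, Map<String, String> headers) {
        return cache.computeIfAbsent(cacheKey(jwksUri, headers), k -> fetcher.apply(jwksUri, headers));
    }

    public static void main(String[] args) {
        URI uri = URI.create("https://tenant.example.invalid/oauth2/certs"); // constructed URL
        JwksCacheSketch svc = new JwksCacheSketch((u, h) -> "jwks-for-" + h); // stub, no network
        String a = svc.getKeys(uri, requestHeaders("tid-a", "client-1", "client-1"));
        String b = svc.getKeys(uri, requestHeaders("tid-b", "client-1", "client-1"));
        String c = svc.getKeys(uri, requestHeaders(null, "client-1", null));
        System.out.println(a.equals(b) ? "shared entry" : "separate entries per tenant");
        System.out.println("app_tid missing, tenant headers omitted: " + c);
    }
}
```

A cache keyed on the endpoint URI alone would return the first tenant's key set for the second request; including the request parameters in the key keeps the entries apart.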
Dependency upgrades
- Bump spring.core.version from 6.0.9 to 6.0.11
- Bump spring.boot.version from 3.0.6 to 3.1.2
- Bump spring.security.version from 6.0.3 to 6.1.2
- Bump reactor-core from 3.5.6 to 3.5.8
- Bump btp-environment-variable-access from 0.6.0 to 0.8.0
- Bump json from 20230227 to 20230618
- Bump commons-io from 2.11.0 to 2.13.0
Version 2.14.0
❗ IMPORTANT Update ❗
The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- [java-api]
  - Token interface is extended with default method getAppTid(), and the getZoneId() method has been deprecated; use the getAppTid() method instead
    ⚠️ This is also relevant for Xsuaa applications, not only Identity based applications
  - TokenClaims is extended with SAP_GLOBAL_APP_TID, and SAP_GLOBAL_ZONE_ID is deprecated
- [token-client]
  - OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
  - HttpHeaders constants are extended with X-app_tid and X-client_id headers
  - JWKs fetch from identity service going forward requires mandatory headers: X-app_tid and X-client_id. This has been updated in the default implementations of the OAuth2TokenKeyService:
    - DefaultOAuth2TokenKeyService
    - OAuth2TokenKeyServiceWithCache (java-security module)
    - SpringOAuth2TokenKeyService
- [java-security]
  - AbstractToken is serializable #1207
- [java-security-test]
  - JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗Some adaption might be required when calling the getZoneId() method, as it will now return the app_tid value when default values are used.
Dependency upgrades
- Bump spring.core.version from 5.3.27 to 5.3.29
- Bump spring.boot.version from 2.7.10 to 2.7.14
- Bump spring.security.version from 5.8.3 to 5.8.5
- Bump reactor-core from 3.4.24 to 3.4.31
- Bump btp-environment-variable-access from 0.6.0 to 0.8.0
- Bump json from 20230227 to 20230618
- Bump commons-io from 2.11.0 to 2.13.0