Version 3.0.1

[spring-xsuaa]

• fixes incompatible TLS version for DefaultSpringHttpClientFactory

Dependency upgrades

• Bump spring.core.version from 6.0.8 to 6.0.9
• Bump reactor-core from 3.5.5 to 3.5.6
• Bump btp-environment-variable-access from 0.5.2 to 0.6.0

Version 3.0.0

Baseline changes

cloud-security-services-integration-library requires

• Java 17
• Spring Boot 3.0.x
• Spring security 6.0.x

Breaking Changes

• Identity service configurations need to provide domains via String array in JSON key 'identity.credentials.domains'. Providing String values under key 'identity.credentials.domain' is not supported anymore. IAS configurations from service bindings have been generated like this for a long time already. This should only affect old configuration files manually written for testing.

Removed modules

• spring-xsuaa-mock → use java-security-test instead

Removed deprecated classes and interfaces

• [api]
  • XSPrincipal, XSUserInfoException → not needed anymore with new Token interface
• [env]
  • CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
  • CFConstants, K8sConstants → use instead ServiceConstants
• [java-security]
  • XSUserInfo, XSUserInfoAdapter → use instead Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
  • SAPOfflineTokenServicesCloud → use instead [spring-security] module
• [spring-xsuaa]
  • XSTokenRequest, TokenBroker, UaaTokenBroker → use instead token-client module to fetch XSUAA tokens via XsuaaTokenFlows
  • TokenBrokerResolver, AuthenticaionMethod → No longer provided. See spring-security-basic-auth sample how to write your own implementation.
  • IasXsuaaExchangeBroker → Exchange is not supported by XSUAA service anymore.
  • TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
  • XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
  • OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
• [token-client]
  • UserTokenFlow → use instead JwtBearerTokenFlow

Removed deprecated methods

• [java-security]
  • OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
  • SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration) →
• [java-security-test]
  • SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
  • SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
• [spring-xsuaa]
  • Token#getExpirationDate → use instead Token#getExpiration
• [spring-xsuaa-test]
  • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
• [token-client]
  • XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
  • OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
  • OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for argument subdomain
  • DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
  • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
  • DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
  • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
  • XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
  • OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
  • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance

Removed deprecated fields

• [java-api]
  • GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
• [token-client]
  • OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
• [spring-xsuaa]
  • Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS

Version 2.13.9

Patches CVE-2023-20863

[env]

• for backward compatibility domain is also supported along with the domains attribute for Identity service configuration #1153

[token-client]

• warning messages has been removed when using DefaultHttpClientFactory, HTTP client settings have been updated see README for more information
• UserTokenFlow is deprecated, use jwtBearerTokenFlow instead #1135

Dependency upgrades

• Bump spring.core.version from 5.3.26 to 5.3.27
• Bump log4j2.version from 2.19.0 to 2.20.0

Version 2.13.8

[spring-xsuaa]

• Synchronizes XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
• Improved logging for XsuaaJwtDecoder fallback key validation

Dependency upgrades

• Bump spring.boot.version from 2.7.9 to 2.7.10

Version 2.13.7

[token-client]

• Fixes regression introduced with logback dependency not having scope test

Dependency upgrades

• Bump org.json from to 20230227

Version 2.13.6

[env]

• CFEnvironment has migrated to use btp-environment-variable-access library for accessing configuration from VCAP_SERVICES

[java-security]

• XsUserInfoAdapter.getSystemAttribute() supports in token xs.system.attributes values in string format along with string array

‼️ slf4j API version has been reverted back to 1.7.x to be in line with spring-boot 2.x supported slf4j API version

Dependency upgrades

• Bump spring.boot.version from 2.7.8 to 2.7.9
• Bump spring.security.version from 5.8.1 to 5.8.2

Full Changelog: 2.13.5...2.13.6

Version 2.13.5

[spring-xsuaa]

• improved logging for JwtAudienceValidator

[java-security]

• enables token validation without zones

Dependency upgrades

• Bump httpclient from 4.5.13 to 4.5.14
• Bump btp-environment-variable-access java-bom from 0.5.1 to 0.5.2
• Bump spring.boot.version from 2.7.5 to 2.7.8
• Bump spring.core.version from 5.3.23 to 5.3.25
• Bump spring.security.version from 5.7.5 to 5.8.1
• Bump slf4j.api.version from 2.0.3 to 2.0.6

Full Changelog: 2.13.4...2.13.5

Version 2.13.4

[spring-xsuaa][spring-security]

• Patches CVE-2022-31692 vulnerability in spring security dependency.

[java-security-test]

• scim_id added as default attribute for identity token Jwt generator

Dependency upgrades

• Bump spring.security.version from 5.7.3 to 5.7.5
• Bump btp-environment-variable-access java-bom from 0.4.1 to 0.5.1
• Bump spring.boot.version from 2.7.3 to 2.7.5
• Bump reactor-core from 3.4.23 to 3.4.24
• Bump slf4j.api.version from 2.0.0 to 2.0.3
• Bump spring-boot-starter-parent from 2.7.3 to 2.7.5

Version 2.13.3

[spring-xsuaa-starter]

• Patches CVE 2022-25857 vulnerability in spring boot starter transient dependency.

Dependency upgrades

• Bump spring-boot-starter-parent from 2.7.1 to 2.7.3
• Bump slf4j.api.version from 1.7.36 to 2.0.0

Version 2.13.2

[java-security]

• Bug fix for regression in XSUserInfoAdapter.getMultiValueAttributeFromExtObject() when error was thrown accessing xs.user.attributes with empty array value. It throws an error only in case of non existing attribute as before 2.12.3

Dependency upgrades

• Bump spring.security.version from 5.7.2 to 5.7.3
• Bump java-bom(https://github.com/SAP/btp-environment-variable-access) from 0.4.0 to 0.4.1