Releases: SAP/cloud-security-services-integration-library

Version 2.13.1

11 Aug 07:44
43de259

[token-client]

  • DefaultHttpClientFactory creates the CloseableHttpClient with redirects disabled to avoid security vulnerabilities.
    ‼️ If you provide a custom CloseableHttpClient implementation, make sure it disables redirects as well. ‼️

  • All TokenServices and TokenKeyServices now add a User-Agent header with the value
    token-client/x.x.x to every outgoing request, where x.x.x is the token-client version in use.

[spring-xsuaa]

  • XsuaaJwtDecoder catches the IllegalArgumentException thrown by the base64 decoder when the verificationkey from the xsuaa service configuration is malformed, so that such a key no longer results in a 500 Internal Server Error response.

Dependency upgrades

Version 2.13.0

20 Jul 07:28

[env]

[token-client]

  • NPE bug fix for UriUtil.replaceSubdomain(@Nonnull URI, @Nullable subdomain) in cases where the provided URI has no host (no http/https scheme given) #943

[samples]

  • java-security-usage, spring-security-basic-auth and spring-security-hybrid-usage adjusted for use with service-operator versions higher than v0.2.3

Dependency upgrades

  • Bump log4j2.version from 2.17.2 to 2.18.0
  • Bump spring.core.version from 5.3.21 to 5.3.22
  • Bump reactor-core from 3.4.19 to 3.4.21

Full Changelog: 2.12.3...2.13.0

Version 2.12.3

04 Jul 06:43

[spring-xsuaa][spring-security-compatibility]

  • Bug fix for #910: XsuaaToken.getXSUserAttribute and XsuaaTokenComp.getXSUserAttribute now return null if the claim is not present, as documented in the javadoc.

[java-api]

  • Token.getAttributeFromClaimAsStringList javadoc has been fixed: this method is supposed to return an empty List in case of a missing attribute, not null.

Dependency upgrades

  • Bump spring.security.version from 5.7.1 to 5.7.2
  • Bump spring.boot.version from 2.7.0 to 2.7.1
  • Bump spring.core.version from 5.3.20 to 5.3.21
  • Bump reactor-core from 3.4.18 to 3.4.19
  • Bump spring-boot-starter-parent version from 2.6.7 to 2.7.1

Version 2.12.2

23 May 15:48

[spring-xsuaa][spring-security]

Dependency upgrades

  • Bump spring.security.version from 5.6.3 to 5.7.1
  • Bump spring.boot.version from 2.6.7 to 2.7.0
  • Bump com.squareup.okhttp3:mockwebserver to 4.9.3

Version 2.12.1

16 May 11:59
4af5a40

  • [java-security] JwtIssuerValidator rules have been relaxed: it now accepts issuers without an https scheme

Dependency upgrades

  • Bump jackson-databind from 2.13.2.2 to 2.13.3
  • Bump spring.core.version from 5.3.19 to 5.3.20
  • Bump reactor-core from 3.4.17 to 3.4.18

Version 2.12.0

05 May 11:52
35c3aea

  • [token-client]
    • Improves the default Apache HTTP client configuration provided by DefaultHttpClientFactory, so that the warning message "In productive environment provide well configured HttpClientFactory service" (described here) is no longer logged in a certificate-based setup, and stakeholders no longer need to override the default configuration.
      • The usages of HTTP clients within this client library are depicted here.
      • If no certificate is given in VCAP_SERVICES, a default HTTP client is created (HttpClients.createDefault()) and the message is still logged with severity WARNING.

Details DefaultHttpClientFactory

It sets

  • connect timeout = 5 sec
  • connection request timeout = 5 sec
  • socket timeout = 5 sec

Furthermore, it ensures that the SSLContext, SSLConnectionSocketFactory and PoolingHttpClientConnectionManager are created only once per client id.

It introduces a PoolingHttpClientConnectionManager and limits

  • the maximum connections per route to 4 (default is 2)
  • the maximum total connections to 20
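As an added example (not the library's own code), a custom HttpClientFactory that disables redirects as the 2.13.1 token-client note requires and applies the same timeouts and pool limits as DefaultHttpClientFactory. It assumes Apache HttpClient 4.5 and the token-client HttpClientFactory interface with a createClient(ClientIdentity) method; the certificate-based SSLContext setup is left out.

```java
import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

import com.sap.cloud.security.client.HttpClientFactory; // assumption: token-client SPI
import com.sap.cloud.security.config.ClientIdentity;    // assumption: token-client type

/**
 * Hypothetical custom factory (added example). It would be registered via
 * META-INF/services/com.sap.cloud.security.client.HttpClientFactory.
 */
public final class NoRedirectHttpClientFactory implements HttpClientFactory {

    private static final int TIMEOUT_MS = 5_000; // same values DefaultHttpClientFactory uses
    private static final int MAX_PER_ROUTE = 4;
    private static final int MAX_TOTAL = 20;

    @Override
    public CloseableHttpClient createClient(ClientIdentity clientIdentity) {
        // Secret-based setup shown; a certificate-based setup would additionally
        // build an SSLContext from clientIdentity (omitted here).
        return build();
    }

    static CloseableHttpClient build() {
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MS)
                .setConnectionRequestTimeout(TIMEOUT_MS)
                .setSocketTimeout(TIMEOUT_MS)
                // Redirects disabled: a token or key request must never be followed
                // to another location chosen by the responding server.
                .setRedirectsEnabled(false)
                .build();

        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
        pool.setDefaultMaxPerRoute(MAX_PER_ROUTE);
        pool.setMaxTotal(MAX_TOTAL);

        return HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setConnectionManager(pool)
                .disableRedirectHandling() // removes the redirect strategy entirely
                .build();
    }
}
```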

Dependency upgrades

  • Bump spring-security-oauth2 from 2.5.1.RELEASE to 2.5.2.RELEASE
  • Bump spring-boot-starter version from 2.6.6 to 2.6.7

Full Changelog: 2.11.16...2.12.0

Version 2.11.16

21 Apr 17:19
  • [all]

    • ❗ Dependency on spotbugs-annotations should be optional, following the recommendation from here, and is no longer provided as a transitive dependency. In case you need it, you can add it yourself in pom.xml:
      <properties>
          <spotbugs.annotations.version>4.6.0</spotbugs.annotations.version>
      </properties>
      ...
      <dependency>
          <groupId>com.github.spotbugs</groupId>
          <artifactId>spotbugs-annotations</artifactId>
          <version>${spotbugs.annotations.version}</version>
      </dependency>
  • [spring-xsuaa]

    • ❗ Dependency on javax.annotation-api should be optional and is no longer provided as a transitive dependency. In case you need it, you can add it yourself in pom.xml:
      <properties>
          <javax.annotation.version>1.3.2</javax.annotation.version>
      </properties>
      ...
      <dependency>
          <groupId>javax.annotation</groupId>
          <artifactId>javax.annotation-api</artifactId>
          <version>${javax.annotation.version}</version>
      </dependency>
  • [java-api] [token-client] Dependency on spotbugs-annotations is now optional

  • [java-security] [spring-security] JwtSignatureValidator improvements:

    • Only the identity service requires the x-zone_uuid header for token key retrieval
    • In case of a signature mismatch, the result exposes the signature of the encoded JWT token
  • [spring-security]
    Introduces spring-security-compatibility, a compatibility module that provides, with the XsuaaTokenComp class, an option to decorate a token issued by xsuaa with the com.sap.cloud.security.xsuaa.token.Token API that was used in spring-xsuaa.

Dependency upgrades

  • Bump spring-boot-starter-parent version from 2.5.2 to 2.6.6
  • Bump reactor-core from 3.4.16 to 3.4.17

Full Changelog: 2.11.15...2.11.16

Version 2.11.15

01 Apr 09:54
102ef26
[spring-xsuaa][spring-security]

Dependency upgrades

  • Bump spring.security.version from 5.3.17 to 5.3.18
  • Bump spring.boot.version from 2.6.4 to 2.6.6
  • Bump spring-beans from 5.3.17 to 5.3.18

Full Changelog: 2.11.14...2.11.15

Version 2.11.14

29 Mar 18:32
e1dc6ad
  • [java-security]
    • Never log certificates
    • Improves JWKS cache handling
    • Adds further log output for key mismatches
  • [spring-xsuaa]
    • XsuaaJwtDecoder must ignore line breaks in verificationkey
  • [java-security-test]
    • Bump jackson-databind.version from 2.12.1 to 2.13.2.2 (solves security vulnerability)
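Added example, not the library's code: a tolerant parser for the xsuaa verificationkey that ignores line breaks and turns a malformed base64 body into an empty result instead of an uncaught IllegalArgumentException, the two failure modes the spring-xsuaa notes for 2.11.14 and 2.13.1 address. It assumes the value is a PEM-encoded X.509 SubjectPublicKeyInfo RSA public key; the sample inputs in main are constructed.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Optional;

public final class VerificationKeyParser {

    /** Returns the RSA public key, or empty if the value is malformed; never throws. */
    public static Optional<PublicKey> parse(String verificationKey) {
        if (verificationKey == null) {
            return Optional.empty();
        }
        // Strip the PEM armor and every whitespace character, including the line
        // breaks a multi-line PEM value in the service binding contains.
        String body = verificationKey
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            // Malformed base64: the caller rejects the token instead of answering 500.
            return Optional.empty();
        }
        try {
            return Optional.of(KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(der)));
        } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
            // Valid base64 but not a DER-encoded RSA public key.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a body with characters outside the base64 alphabet.
        String malformed = "-----BEGIN PUBLIC KEY-----\nnot*base64*at*all\n-----END PUBLIC KEY-----";
        System.out.println("malformed key parsed: " + parse(malformed).isPresent()); // false
        // Constructed sample: valid base64 that is not a key, also rejected without an exception.
        String notAKey = "-----BEGIN PUBLIC KEY-----\nAAAA\nBBBB\n-----END PUBLIC KEY-----";
        System.out.println("non-key body parsed: " + parse(notAKey).isPresent()); // false
    }
}
```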

Dependency upgrades

  • Bump slf4j.api.version from 1.7.35 to 1.7.36
  • Bump spring.security.version from 5.6.1 to 5.6.2
  • Bump log4j2.version from 2.17.1 to 2.17.2
  • Bump spring.boot.version from 2.6.3 to 2.6.4
  • Bump reactor-core from 3.4.15 to 3.4.16
  • Bump json from 20211205 to 20220320
  • Bump spring.core.version from 5.3.15 to 5.3.17

Full Changelog: 2.11.13...2.11.14

Version 2.11.13

07 Feb 17:17
e9d9b5a
  • [java-security]
    • Removes the audience check from JwtX5tValidator
  • [spring-xsuaa]
    • XsuaaServiceConfigurationDefault supports access to other credentials (fix #802)
    • XsuaaServiceConfigurationDefault supports non-relaxed binding rules for non-Spring-framework cases
    • Auto-configures mTLS-based RestOperations without a credential-type=x509 property
  • [spring-security]
    • HybridJwtDecoder should support xsuaa only (see #790)
    • Auto-configures mTLS-based RestOperations without a credential-type=x509 property
    • Auto-configures token flows if no secret but a certificate is given