cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.

APACHE-2.0 License

Stars
141
Committers
45


cloud-security-services-integration-library - Version 3.1.2

Published by liga-oz about 1 year ago

  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

cloud-security-services-integration-library - Version 2.14.1

Published by liga-oz about 1 year ago

  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Dependency upgrades

  • Bump btp-environment-variable-access from 0.8.0 to 0.9.0

cloud-security-services-integration-library - Version 3.1.1

Published by liga-oz about 1 year ago

  • [env]
    • ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from the environment
    • In case of multiple service configurations with the same service plan, ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() return the first one from the list.
      This adjustment keeps the logic in line with the 2.x major version.
  • [token-client] reverted the removal of OAuth2ServiceException.getHttpStatusCode()

Dependency upgrades

cloud-security-services-integration-library - Version 3.1.0

Published by liga-oz about 1 year ago

❗ IMPORTANT Update

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead
    • TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with the X-app_tid and X-client_id headers
    • Fetching JWKs from the Identity service going forward requires the mandatory headers X-app_tid and X-client_id; this has been updated in the default implementations of OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is now serializable (fixes #1209)

Dependency upgrades

  • Bump spring.core.version from 6.0.9 to 6.0.11
  • Bump spring.boot.version from 3.0.6 to 3.1.2
  • Bump spring.security.version from 6.0.3 to 6.1.2
  • Bump reactor-core from 3.5.6 to 3.5.8
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0

cloud-security-services-integration-library - Version 2.14.0

Published by liga-oz about 1 year ago

❗ IMPORTANT Update

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead
    • TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with the X-app_tid and X-client_id headers
    • Fetching JWKs from the Identity service going forward requires the mandatory headers X-app_tid and X-client_id; this has been updated in the default implementations of OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is now serializable (#1207)
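
The following plain-Java sketch is an added illustration of the app_tid migration described in this release and in 3.1.0 above; it is not code from the library. It reads the tenant id from the app_tid claim (falling back to the deprecated zone_uuid only for pre-migration tokens) and builds the JWKS request with the now-mandatory X-app_tid and X-client_id headers. It assumes org.json on the classpath; the token, endpoint URL and client id are constructed sample values.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.json.JSONObject;

/** Added example (not library code): app_tid migration and the mandatory JWKS headers. */
public final class AppTidJwksExample {

    /** Tenant id per the 2.14.0 change: app_tid is authoritative; the deprecated
     *  zone_uuid is consulted only for tokens issued before the migration. */
    static String tenantIdFrom(JSONObject payload) {
        String appTid = payload.optString("app_tid", null);
        if (appTid != null && !appTid.isEmpty()) {
            return appTid;
        }
        return payload.optString("zone_uuid", null); // deprecated claim, fallback only
    }

    /** Decodes the payload segment of a compact JWS. No signature check happens here;
     *  the claims must not be trusted before the JWT is verified against the fetched keys. */
    static JSONObject payloadOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS: expected 3 segments");
        }
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return new JSONObject(new String(json, StandardCharsets.UTF_8));
    }

    /** JWKS request carrying the X-app_tid and X-client_id headers the Identity service now
     *  requires. Both values are nullable to mirror retrieveTokenKeys(URI, tenantId, clientId). */
    static HttpRequest jwksRequest(URI tokenKeysEndpointUri, String tenantId, String clientId) {
        HttpRequest.Builder builder = HttpRequest.newBuilder(tokenKeysEndpointUri).GET();
        if (tenantId != null) {
            builder.header("X-app_tid", tenantId);
        }
        if (clientId != null) {
            builder.header("X-client_id", clientId);
        }
        return builder.build();
    }

    private static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed, unsigned sample token: header . claims . placeholder signature
        String jwt = b64url("{\"alg\":\"RS256\"}") + "." + b64url("{\"app_tid\":\"tenant-1234\",\"zone_uuid\":\"tenant-1234\"}") + ".sig";
        String tenantId = tenantIdFrom(payloadOf(jwt));
        HttpRequest request = jwksRequest(URI.create("https://example.invalid/oauth2/certs"), tenantId, "sample-client-id");
        System.out.println(tenantId + " " + request.headers().map());
    }
}
```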

Dependency upgrades

  • Bump spring.core.version from 5.3.27 to 5.3.29
  • Bump spring.boot.version from 2.7.10 to 2.7.14
  • Bump spring.security.version from 5.8.3 to 5.8.5
  • Bump reactor-core from 3.4.24 to 3.4.31
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0

cloud-security-services-integration-library - Version 3.0.1

Published by liga-oz over 1 year ago

[spring-xsuaa]

  • fixes incompatible TLS version for DefaultSpringHttpClientFactory

Dependency upgrades

  • Bump spring.core.version from 6.0.8 to 6.0.9
  • Bump reactor-core from 3.5.5 to 3.5.6
  • Bump btp-environment-variable-access from 0.5.2 to 0.6.0

cloud-security-services-integration-library - Version 3.0.0

Published by liga-oz over 1 year ago

Baseline changes

cloud-security-services-integration-library requires

  • Java 17
  • Spring Boot 3.0.x
  • Spring security 6.0.x

Breaking Changes

  • Identity service configurations need to provide domains via String array in JSON key 'identity.credentials.domains'. Providing String values under key 'identity.credentials.domain' is not supported anymore. IAS configurations from service bindings have been generated like this for a long time already. This should only affect old configuration files manually written for testing.

Removed modules

Removed deprecated classes and interfaces

  • [api]
    • XSPrincipal, XSUserInfoException → not needed anymore with new Token interface
  • [env]
    • CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
    • CFConstants, K8sConstants → use instead ServiceConstants
  • [java-security]
    • XSUserInfo, XSUserInfoAdapter → use instead Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
    • SAPOfflineTokenServicesCloud → use instead [spring-security] module
  • [spring-xsuaa]
    • XSTokenRequest, TokenBroker, UaaTokenBroker → use instead token-client module to fetch XSUAA tokens via XsuaaTokenFlows
    • TokenBrokerResolver, AuthenticationMethod → No longer provided. See the spring-security-basic-auth sample for how to write your own implementation.
    • IasXsuaaExchangeBroker → Exchange is not supported by XSUAA service anymore.
    • TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
    • XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
    • OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
  • [token-client]
    • UserTokenFlow → use instead JwtBearerTokenFlow

Removed deprecated methods

  • [java-security]
    • OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
    • SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration)
  • [java-security-test]
    • SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
    • SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
  • [spring-xsuaa]
    • Token#getExpirationDate → use instead Token#getExpiration
  • [spring-xsuaa-test]
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
  • [token-client]
    • XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
    • OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
    • OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for argument subdomain
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
    • OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance

Removed deprecated fields

  • [java-api]
    • GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
  • [token-client]
    • OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
  • [spring-xsuaa]
    • Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS

cloud-security-services-integration-library - Version 2.13.9

Published by liga-oz over 1 year ago

Patches CVE-2023-20863

[env]

  • for backward compatibility, the domain attribute is also supported along with the domains attribute in Identity service configurations (#1153)

[token-client]

  • warning messages have been removed when using DefaultHttpClientFactory; HTTP client settings have been updated, see the README for more information
  • UserTokenFlow is deprecated, use JwtBearerTokenFlow instead (#1135)

Dependency upgrades

  • Bump spring.core.version from 5.3.26 to 5.3.27
  • Bump log4j2.version from 2.19.0 to 2.20.0

cloud-security-services-integration-library - Version 2.13.8

Published by liga-oz over 1 year ago

[spring-xsuaa]

  • Synchronizes XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
  • Improved logging for XsuaaJwtDecoder fallback key validation

Dependency upgrades

  • Bump spring.boot.version from 2.7.9 to 2.7.10

cloud-security-services-integration-library - Version 2.13.7

Published by liga-oz over 1 year ago

[token-client]

  • Fixes regression introduced with logback dependency not having scope test

Dependency upgrades

  • Bump org.json from to 20230227

cloud-security-services-integration-library - Version 2.13.6

Published by liga-oz over 1 year ago

[env]

  • CFEnvironment has migrated to use btp-environment-variable-access library for accessing configuration from VCAP_SERVICES

[java-security]

  • XsUserInfoAdapter.getSystemAttribute() supports xs.system.attributes values in the token given as a string as well as as a string array

‼️ slf4j API version has been reverted back to 1.7.x to be in line with spring-boot 2.x supported slf4j API version

Dependency upgrades

  • Bump spring.boot.version from 2.7.8 to 2.7.9
  • Bump spring.security.version from 5.8.1 to 5.8.2

Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.13.5...2.13.6

cloud-security-services-integration-library - Version 2.13.5

Published by liga-oz over 1 year ago

[spring-xsuaa]

  • improved logging for JwtAudienceValidator

[java-security]

  • enables token validation without zones

Dependency upgrades

  • Bump httpclient from 4.5.13 to 4.5.14
  • Bump btp-environment-variable-access java-bom from 0.5.1 to 0.5.2
  • Bump spring.boot.version from 2.7.5 to 2.7.8
  • Bump spring.core.version from 5.3.23 to 5.3.25
  • Bump spring.security.version from 5.7.5 to 5.8.1
  • Bump slf4j.api.version from 2.0.3 to 2.0.6

Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.13.4...2.13.5

cloud-security-services-integration-library - Version 2.13.4

Published by liga-oz almost 2 years ago

[spring-xsuaa][spring-security]

[java-security-test]

  • scim_id added as default attribute for identity token Jwt generator

Dependency upgrades

  • Bump spring.security.version from 5.7.3 to 5.7.5
  • Bump btp-environment-variable-access java-bom from 0.4.1 to 0.5.1
  • Bump spring.boot.version from 2.7.3 to 2.7.5
  • Bump reactor-core from 3.4.23 to 3.4.24
  • Bump slf4j.api.version from 2.0.0 to 2.0.3
  • Bump spring-boot-starter-parent from 2.7.3 to 2.7.5

cloud-security-services-integration-library - Version 2.13.3

Published by liga-oz about 2 years ago

[spring-xsuaa-starter]

  • Patches the CVE-2022-25857 vulnerability in a spring boot starter transient dependency.

Dependency upgrades

  • Bump spring-boot-starter-parent from 2.7.1 to 2.7.3
  • Bump slf4j.api.version from 1.7.36 to 2.0.0

cloud-security-services-integration-library - Version 2.13.2

Published by liga-oz about 2 years ago

[java-security]

  • Bug fix for a regression in XSUserInfoAdapter.getMultiValueAttributeFromExtObject(), which threw an error when accessing xs.user.attributes with an empty array value. It now throws an error only for a non-existing attribute, as before 2.12.3

Dependency upgrades

cloud-security-services-integration-library - Version 2.13.1

Published by liga-oz about 2 years ago

[token-client]

  • DefaultHttpClientFactory creates CloseableHttpClient with disabled redirects to avoid security vulnerabilities.
    ‼️ For your custom CloseableHttpClient implementation make sure to disable redirects as well. ‼️

  • all TokenServices and TokenKeyServices have been enhanced to add a user-agent header to all outgoing requests with the value
    token-client/x.x.x, where x.x.x is the token-client version being used

[spring-xsuaa]

  • XsuaaJwtDecoder catches the base64 decoder IllegalArgumentException that can be caused by decoding a malformed verificationkey from the xsuaa service configuration, to avoid 500 Internal Server Error responses

Dependency upgrades

cloud-security-services-integration-library - Version 2.13.0

Published by liga-oz about 2 years ago

[env]

[token-client]

  • NPE bug fix for UriUtil.replaceSubdomain(@Nonnull URI, @Nullable subdomain) in cases where the provided URI does not contain a host (no http/s scheme provided) #943

[samples]

  • java-security-usage, spring-security-basic-auth, spring-security-hybrid-usage adjusted for service-operator higher than v0.2.3 usage

Dependency upgrades

  • Bump log4j2.version from 2.17.2 to 2.18.0
  • Bump spring.core.version from 5.3.21 to 5.3.22
  • Bump reactor-core from 3.4.19 to 3.4.21

Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.12.3...2.13.0

cloud-security-services-integration-library - Version 2.12.3

Published by liga-oz over 2 years ago

[spring-xsuaa][spring-security-compatibility]

  • bug fix for #910: the XsuaaToken.getXSUserAttribute and XsuaaTokenComp.getXSUserAttribute methods return null if the claim is not present, as documented in the javadoc.

[java-api]

  • Token.getAttributeFromClaimAsStringList javadoc has been fixed: this method is supposed to return an empty List in case of a missing attribute instead of null

Dependency upgrades

  • Bump spring.security.version from 5.7.1 to 5.7.2
  • Bump spring.boot.version from 2.7.0 to 2.7.1
  • Bump spring.core.version from 5.3.20 to 5.3.21
  • Bump reactor-core from 3.4.18 to 3.4.19
  • Bump spring-boot-starter-parent version from 2.6.7 to 2.7.1

cloud-security-services-integration-library - Version 2.12.2

Published by liga-oz over 2 years ago

[spring-xsuaa][spring-security]

Dependency upgrades

  • Bump spring.security.version from 5.6.3 to 5.7.1
  • Bump spring.boot.version from 2.6.7 to 2.7.0
  • Bump com.squareup.okhttp3:mockwebserver to 4.9.3

cloud-security-services-integration-library - Version 2.12.1

Published by liga-oz over 2 years ago

  • [java-security] JwtIssuerValidator rules have been relaxed; it now accepts issuers without the https scheme

Dependency upgrades

  • Bump jackson-databind from 2.13.2.2 to 2.13.3
  • Bump spring.core.version from 5.3.19 to 5.3.20
  • Bump reactor-core from 3.4.17 to 3.4.18