Published by liga-oz about 1 year ago
- OAuth2ServiceException has been extended with the getter method getHeaders(), which gives access to the failed request's response headers.
- XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException.
Published by liga-oz about 1 year ago
- OAuth2ServiceException has been extended with the getter method getHeaders(), which gives access to the failed request's response headers.
- XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException.
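The two entries above describe the same extension of OAuth2ServiceException. As an added example (my own code, not part of the library or of these release notes), this is how a caller can use the status code and headers it now carries to decide whether a failed token request is a configuration problem, a throttling condition worth a delayed retry, or an unexpected failure that should be correlated with the service logs. It assumes getHttpStatusCode() returns an Integer and getHeaders() returns the headers as "Name: value" strings; the correlation header name is an assumption as well.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;

import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;

/** Maps a failed token-endpoint call to an action the caller can act on. */
public final class TokenRequestFailureHandler {

    public enum Action { FIX_CONFIGURATION, RETRY_LATER, FAIL }

    public static final class Decision {
        public final Action action;
        public final long retryAfterSeconds; // only meaningful for RETRY_LATER
        public final String reason;

        Decision(Action action, long retryAfterSeconds, String reason) {
            this.action = action;
            this.retryAfterSeconds = retryAfterSeconds;
            this.reason = reason;
        }
    }

    /**
     * Assumption: getHttpStatusCode() returns the status as an Integer (null/0 when
     * unknown) and getHeaders() returns the response headers as "Name: value" strings.
     */
    public static Decision decide(OAuth2ServiceException e) {
        int status = e.getHttpStatusCode() == null ? 0 : e.getHttpStatusCode();
        List<String> headers = e.getHeaders() == null ? List.of() : e.getHeaders();

        switch (status) {
            case 400: case 401: case 403:
                // The service rejected the client identity or the grant: retrying will not
                // help, the binding or the grant parameters need a fix.
                return new Decision(Action.FIX_CONFIGURATION, 0,
                        "token endpoint rejected the request with HTTP " + status);
            case 429: case 503:
                // Throttled or unavailable: honour Retry-After, otherwise back off a fixed time.
                long wait = header(headers, "Retry-After")
                        .flatMap(TokenRequestFailureHandler::seconds).orElse(30L);
                return new Decision(Action.RETRY_LATER, wait,
                        "token endpoint answered HTTP " + status + ", retry after " + wait + "s");
            default:
                // Keep the correlation id (header name is an assumption) so the failure can
                // be matched against the service's own logs.
                String requestId = header(headers, "X-Vcap-Request-Id").orElse("n/a");
                return new Decision(Action.FAIL, 0,
                        "unexpected HTTP " + status + " from token endpoint, request id " + requestId);
        }
    }

    /** Case-insensitive lookup of a header value in the "Name: value" list. */
    static Optional<String> header(List<String> headers, String name) {
        String prefix = name.toLowerCase(Locale.ROOT) + ":";
        return headers.stream()
                .filter(h -> h.toLowerCase(Locale.ROOT).startsWith(prefix))
                .map(h -> h.substring(prefix.length()).trim())
                .findFirst();
    }

    static Optional<Long> seconds(String value) {
        try {
            return Optional.of(Long.parseLong(value.trim()));
        } catch (NumberFormatException ignored) {
            return Optional.empty(); // the HTTP-date form of Retry-After is not handled here
        }
    }
}
```

Typical use is around a flow execution: catch OAuth2ServiceException from `tokenFlows.clientCredentialsTokenFlow().execute()`, pass it to `TokenRequestFailureHandler.decide(e)`, and schedule a retry only for RETRY_LATER. Splitting 4xx client errors from 429/503 matters because blindly retrying a rejected client secret or certificate only adds load and lockout risk, while a throttled endpoint should be retried after the delay it asks for.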
Published by liga-oz about 1 year ago
- ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from the environment. ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() will return the first one from the list.
- OAuth2ServiceException.getHttpStatusCode()
Published by liga-oz about 1 year ago
- The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead.
- TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated.
- OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method.
- HttpHeaders constants are extended with the X-app_tid and X-client_id headers.
- X-app_tid and X-client_id: this has been updated in the default implementations of the OAuth2TokenKeyService: DefaultOAuth2TokenKeyService, OAuth2TokenKeyServiceWithCache (java-security module), SpringOAuth2TokenKeyService.
- AbstractToken is serializable, fixes #1209
Published by liga-oz about 1 year ago
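The zone_uuid to app_tid change in these release notes, as an added example (my own code, not from the library or the notes): a tenant resolver that reads app_tid first and, only while older tokens are still in circulation, falls back to the deprecated claim by name so that it keeps compiling once getZoneId() is removed. It assumes Token.getClaimAsString(String) and the TokenClaims.SAP_GLOBAL_ZONE_ID constant named in the notes, and that the Token passed in has already been validated by the library (Token.create only parses).

```java
import java.util.Objects;
import java.util.logging.Logger;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenClaims;

/** Derives the tenant key from a validated token during the zone_uuid -> app_tid migration. */
public final class TenantResolver {
    private static final Logger LOG = Logger.getLogger(TenantResolver.class.getName());

    /**
     * Prefers app_tid (getAppTid() default method added in this release). Falls back to the
     * deprecated zone_uuid claim, read by name via TokenClaims.SAP_GLOBAL_ZONE_ID, so the
     * fallback survives the removal of getZoneId(). Drop the fallback once the service no
     * longer issues tokens without app_tid.
     */
    public static String tenantOf(Token token) {
        String appTid = token.getAppTid();
        if (appTid != null && !appTid.isBlank()) {
            return appTid;
        }
        String zone = token.getClaimAsString(TokenClaims.SAP_GLOBAL_ZONE_ID);
        if (zone != null && !zone.isBlank()) {
            LOG.warning("token carries only the deprecated zone_uuid claim; using it as tenant id");
            return zone;
        }
        // A token with neither claim cannot be attributed to a tenant; refuse rather than
        // default to some "global" tenant.
        throw new IllegalStateException("token has neither app_tid nor zone_uuid claim");
    }

    /**
     * Tenant isolation check: the tenant a request was routed to (e.g. derived from the
     * subdomain or the path) must match the tenant the token was issued for.
     */
    public static void requireTenant(Token token, String routedTenant) {
        String tokenTenant = tenantOf(token);
        if (!Objects.equals(tokenTenant, routedTenant)) {
            throw new SecurityException(
                    "tenant mismatch: token=" + tokenTenant + " request=" + routedTenant);
        }
    }
}
```

The point of routing the fallback through the claim name rather than getZoneId() is that a later library upgrade that removes the deprecated method does not silently take the fallback with it; the warning in the log also makes it visible when the fallback is still being exercised, which is the signal for removing it.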
- The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead.
- TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated.
- OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method.
- HttpHeaders constants are extended with the X-app_tid and X-client_id headers.
- X-app_tid and X-client_id: this has been updated in the default implementations of the OAuth2TokenKeyService: DefaultOAuth2TokenKeyService, OAuth2TokenKeyServiceWithCache (java-security module), SpringOAuth2TokenKeyService.
- AbstractToken is serializable #1207
Published by liga-oz over 1 year ago
- [spring-xsuaa] DefaultSpringHttpClientFactory
Published by liga-oz over 1 year ago
- cloud-security-services-integration-library requires
- spring-xsuaa-mock → use java-security-test instead
- XSPrincipal, XSUserInfoException → not needed anymore with the new Token interface
- CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
- CFConstants, K8sConstants → use instead ServiceConstants
- XSUserInfo, XSUserInfoAdapter → use instead the Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
- SAPOfflineTokenServicesCloud → use instead the [spring-security] module
- XSTokenRequest, TokenBroker, UaaTokenBroker → use instead the token-client module to fetch XSUAA tokens via XsuaaTokenFlows
- TokenBrokerResolver, AuthenticationMethod → No longer provided. See the spring-security-basic-auth sample for how to write your own implementation.
- IasXsuaaExchangeBroker → Exchange is not supported by the XSUAA service anymore.
- TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
- XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
- OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
- UserTokenFlow → use instead JwtBearerTokenFlow
- OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
- SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration) →
- SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
- SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
- Token#getExpirationDate → use instead Token#getExpiration
- Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
- XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
- OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
- OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for the subdomain argument
- DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
- XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
- DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
- XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
- XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
- OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
- Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
- GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
- OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
- Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS
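Several of the removals above point at the same replacement path: the UserTokenFlow/user-token grant becomes JwtBearerTokenFlow, the no-argument token service constructors become the CloseableHttpClient ones, and XSUserInfo claim access becomes Token#getClaimAsString with TokenClaims.XSUAA constants. As an added example (my own code, not from the library or these notes), here is a downstream token exchange wired only with the constructors and methods the release keeps. Assumptions: HttpClientFactory.create(ClientIdentity), JwtBearerTokenFlow#token(String), OAuth2TokenResponse#getAccessToken and the TokenClaims.XSUAA.ORIGIN constant exist with these signatures; the service URLs are placeholders.

```java
import org.apache.http.impl.client.CloseableHttpClient;

import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.ClientIdentity;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenClaims;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

/** Exchanges the caller's token for a token of this application's own XSUAA client. */
public final class DownstreamTokenExchange {
    private final XsuaaTokenFlows tokenFlows;

    /**
     * @param xsuaaUrl  base URL of the XSUAA service binding (placeholder, taken from the binding)
     * @param certUrl   mTLS URL of the binding, may be null for secret-based identities
     * @param identity  ClientCredentials or ClientCertificate from the binding
     */
    public DownstreamTokenExchange(String xsuaaUrl, String certUrl, ClientIdentity identity) {
        // HttpClientFactory.create(...) returns the library's hardened client (no redirects).
        CloseableHttpClient httpClient = HttpClientFactory.create(identity);
        this.tokenFlows = new XsuaaTokenFlows(
                new DefaultOAuth2TokenService(httpClient),      // replaces the no-arg constructor
                new XsuaaDefaultEndpoints(xsuaaUrl, certUrl),   // (String, String) replaces (URI)/(String)
                identity);
    }

    /**
     * jwtBearerTokenFlow() replaces the removed userTokenFlow(): the incoming, already
     * validated token is presented as the assertion of the JWT bearer grant.
     */
    public String exchange(Token incoming) throws TokenFlowException {
        OAuth2TokenResponse response = tokenFlows.jwtBearerTokenFlow()
                .token(incoming.getTokenValue())
                .execute();
        return response.getAccessToken();
    }

    /**
     * Claim access without XSUserInfo: the generic Token interface plus the XSUAA constant
     * (TokenClaims.XSUAA.ORIGIN assumed) instead of the removed adapter methods.
     */
    public static String originOf(Token incoming) {
        String origin = incoming.getClaimAsString(TokenClaims.XSUAA.ORIGIN);
        return origin == null ? "" : origin;
    }
}
```

Only pass tokens that the library's validators have already accepted into exchange(): the JWT bearer grant forwards the assertion to the token endpoint as-is, and the endpoint decides whether to issue a token for it, so the exchange should not be used as a substitute for validating the incoming token in the first place.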
Published by liga-oz over 1 year ago
- Patches CVE-2023-20863
- [env] domain is also supported along with the domains attribute for Identity service configuration #1153
- [token-client] DefaultHttpClientFactory, HTTP client settings have been updated; see README for more information
- UserTokenFlow is deprecated, use jwtBearerTokenFlow instead #1135
Published by liga-oz over 1 year ago
- [spring-xsuaa] XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
- XsuaaJwtDecoder fallback key validation
Published by liga-oz over 1 year ago
[token-client]
Published by liga-oz over 1 year ago
- [env] CFEnvironment has migrated to use the btp-environment-variable-access library for accessing configuration from VCAP_SERVICES
- [java-security] XsUserInfoAdapter.getSystemAttribute() supports xs.system.attributes values in the token in string format along with string array
- ‼️ slf4j API version has been reverted back to 1.7.x to be in line with the slf4j API version supported by spring-boot 2.x
Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.13.5...2.13.6
Published by liga-oz over 1 year ago
[spring-xsuaa]
[java-security]
Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.13.4...2.13.5
Published by liga-oz almost 2 years ago
[spring-xsuaa][spring-security]
[java-security-test]
Published by liga-oz about 2 years ago
[spring-xsuaa-starter]
Published by liga-oz about 2 years ago
[java-security]
Published by liga-oz about 2 years ago
[token-client]
- DefaultHttpClientFactory creates CloseableHttpClient with disabled redirects to avoid security vulnerabilities.
  ‼️ For your custom CloseableHttpClient implementation make sure to disable redirects as well. ‼️
- All TokenServices and TokenKeyServices have been enhanced to add to all outgoing requests a user-agent header that contains the value token-client/x.x.x, where x.x.x is the token-client version being used.
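The warning above is about the HTTP client that carries the client secret, client certificate or assertion to the token and token-keys endpoints: if that client follows 3xx responses, a redirect from a misconfigured or compromised endpoint could make it re-send those credentials to a different host. As an added example (my own code, not the library's DefaultHttpClientFactory), this is a custom HttpClientFactory that disables redirects at both the builder and the request-config level, and delegates the mTLS case to the library factory. Assumptions: the HttpClientFactory interface exposes createClient(ClientIdentity), DefaultHttpClientFactory has a public no-argument constructor, and ClientIdentity.isCertificateBased() exists; the timeouts are illustrative.

```java
import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

import com.sap.cloud.security.client.DefaultHttpClientFactory;
import com.sap.cloud.security.client.HttpClientException;
import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.ClientIdentity;

/** Custom HttpClientFactory whose clients never follow redirects. */
public class NoRedirectHttpClientFactory implements HttpClientFactory {

    private static final int TIMEOUT_MS = 5_000; // illustrative value

    @Override
    public CloseableHttpClient createClient(ClientIdentity clientIdentity) throws HttpClientException {
        if (clientIdentity != null && clientIdentity.isCertificateBased()) {
            // mTLS needs an SSLContext built from the bound certificate and key; delegate
            // that to the library's factory, which (per this release) already disables redirects.
            return new DefaultHttpClientFactory().createClient(clientIdentity);
        }

        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MS)
                .setConnectionRequestTimeout(TIMEOUT_MS)
                .setSocketTimeout(TIMEOUT_MS)
                .setRedirectsEnabled(false)        // per-request: 3xx is returned to the caller
                .build();

        return HttpClients.custom()
                .disableRedirectHandling()         // builder-level: no RedirectStrategy installed at all
                .setDefaultRequestConfig(requestConfig)
                .build();
    }
}
```

To make the library pick this factory up instead of DefaultHttpClientFactory, register it for the ServiceLoader the token-client uses: a file `META-INF/services/com.sap.cloud.security.client.HttpClientFactory` on the classpath containing the line `NoRedirectHttpClientFactory` (fully qualified). With redirects off, a 3xx from the token endpoint surfaces as a failed request (an OAuth2ServiceException with that status code) rather than a silent second request elsewhere, which is the behaviour you want to alert on.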
[spring-xsuaa]
Published by liga-oz about 2 years ago
[env]
- [token-client] UriUtil.replaceSubdomain(@Nonnull URI, @Nullable subdomain) in cases when the provided URI does not contain a host (no http/s schema provided) #943
- [samples] java-security-usage, spring-security-basic-auth, spring-security-hybrid-usage adjusted for service-operator usage higher than v0.2.3
- spring.core.version from 5.3.21 to 5.3.22.
Full Changelog: https://github.com/SAP/cloud-security-xsuaa-integration/compare/2.12.3...2.13.0
Published by liga-oz over 2 years ago
- [spring-xsuaa][spring-security-compatibility] XsuaaToken.getXSUserAttribute, XsuaaTokenComp.getXSUserAttribute methods return null if the claim is not present, as documented in the javadoc.
- [java-api] Token.getAttributeFromClaimAsStringList javadoc has been fixed; this method is supposed to return an empty List in case of a missing attribute instead of null
Published by liga-oz over 2 years ago
[spring-xsuaa][spring-security]
Published by liga-oz over 2 years ago
- JwtIssuerValidator rules have been relaxed; it accepts issuers without https schema