Published by liga-oz 6 months ago
- IasJwtDecoder when the incoming request does not contain the x-forwarded-client-cert header
- spring.boot.version bumped from 3.2.4 to 3.2.5
- slf4j.api.version bumped from 2.0.12 to 2.0.13
- spring.security.version bumped from 6.2.3 to 6.2.4
Published by liga-oz 6 months ago
- SecurityContext has been extended with a thread local storage for Service Plans. setServicePlans(), getServicePlans() and clearServicePlans() methods have been added.
- JwtValidatorBuilder.enableProofTokenCheck(). Once enabled, it will forward the X509 client certificate from the x-forwarded-client-cert header as the x-client_cert header to the /oauth2/token_keys endpoint.
- DefaultOAuth2TokenKeyService saves the service plans from the response header x-osb_plan (identity broker service plan) in the SecurityContext thread local storage for Service Plans. The header should be available when proof token validation is enabled: x-client_cert is sent in the request to /oauth2/token_keys, which should trigger the x-osb_plan response header.
- ReactiveHybridJwtDecoder when parsing iat claim #1490
Published by liga-oz 8 months ago
- XsuaaJwtDecoder when uaadomain value is null
- ReactiveSecurityContext
- ReactiveHybridJwtDecoder to allow more versatile use of spring-security library, also
Published by liga-oz 9 months ago
- OAuth2ServiceConfiguration from service bindings of the environment
Published by liga-oz 10 months ago
- HybridTokenFactory logging noise - in case of missing service configuration, the warn message will be logged just once
- JwtGenerator ensures that claims are always in the same order
Published by liga-oz 10 months ago
- name property of service binding as property to OAuth2ServiceConfiguration
- IdentityServicesPropertySourceFactory now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'.
- XsuaaServiceConfigurations#getConfigurations now contains ALL Xsuaa configurations found as a result of the previous change.
- HybridIdentityServicesAutoConfiguration was adjusted for backward compatibility to still create a JwtDecoder that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker').
- setName, getName, setPlan, getPlan to OAuth2ServiceConfigurationProperties, which means the list of XsuaaServiceConfigurations can now be filtered based on these properties.
Published by liga-oz 11 months ago
✅ Resolves a Breaking Change introduced in version 3.3.0. Consumers should be able to update to 3.3.1 from a version < 3.3.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.
In version 3.3.1, when java-security-test is loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.
Published by liga-oz 11 months ago
✅ Resolves a Breaking Change introduced in version 2.17.0. Consumers should be able to update to 2.17.2 from a version <= 2.16.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.
In version 2.17.2, when java-security-test or spring-xsuaa-mock are loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.
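As an added illustration of the relaxed check that both the 3.3.1 and 2.17.2 notes above describe (this is not the library's own code): a simplified model of comparing a token's jku or issuer host with the configured uaadomain / trusted domain, matching the port strictly unless the test-module relaxation for localhost applies. Function names and the exact port semantics are assumptions.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed model, not the library's implementation: the configured domain may be a
# bare host ("localhost"), a host with port ("localhost:8080") or a full URL.

def _split_domain(domain: str) -> tuple[str, int | None]:
    """Normalise a configured domain to (lower-case host, port or None)."""
    if "://" not in domain:
        domain = "//" + domain  # lets urlsplit treat the value as an authority
    parts = urlsplit(domain)
    if parts.hostname is None:
        raise ValueError(f"invalid domain: {domain!r}")
    return parts.hostname.lower(), parts.port


def token_url_matches_domain(url: str, configured_domain: str, test_mode: bool = False) -> bool:
    """Return True if the host of `url` (a jku or issuer) is covered by `configured_domain`.

    Strict mode: the host must be the domain or a subdomain of it, and the port must
    match exactly (a domain configured without a port only matches URLs without one).
    Test mode (modelling "java-security-test is loaded"): a plain 'localhost' domain
    additionally matches 'localhost' on any port, which is the weaker check the notes warn about.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host, port = parts.hostname.lower(), parts.port
    dom_host, dom_port = _split_domain(configured_domain)
    # Host check: exact match or a proper subdomain; "localhost.evil.example" does not pass.
    if not (host == dom_host or host.endswith("." + dom_host)):
        return False
    if port == dom_port:
        return True
    # Relaxation: only for localhost, and only while the test module is loaded.
    return test_mode and dom_host == "localhost" and host == "localhost"
```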
Published by liga-oz 11 months ago
[java-security-test] ⚠️ Breaking Change: To validate mocked XSUAA tokens issued by the java-security-test module, the uaadomain property of the service configuration must now include the port of the Wiremock server. Likewise, for validating IAS tokens, the trusted domains array of the service configuration also needs to include the Wiremock URL including the port. The full Wiremock URL is available via SecurityTestContext#getWireMockServer#baseUrl.
Note: If you are building your configuration via SecurityTestContext#getOAuth2ServiceConfigurationBuilderFromFile, this will already be preconfigured correctly, but you must not overwrite these properties with only "localhost".
[java-security]
[spring-xsuaa]
Published by liga-oz 11 months ago
⚠️ When using the java-security-test module you might need to adjust the uaadomain in the service configuration to include the port the wiremock token key server is running on, e.g. it should be changed from localhost to http://localhost:XXXX (you can access the wiremock token key server address using testRule.getWiremockServer().baseUrl()).
Published by finkmanAtSap 11 months ago
Published by liga-oz 12 months ago
🔥 Hot fix for the CVE-2023-5072
OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
Published by liga-oz 12 months ago
🔥 Hot fix for the CVE-2023-5072
Published by liga-oz about 1 year ago
x-azp header to IAS JWKS fetching
Published by liga-oz about 1 year ago
- XsuaaToken.getPrincipal() and grantType is null (#1261)
- app_tid is not present in the token - the X-app_tid and X-client_id headers are only added when both values are available.
- DefaultOAuth2TokenService: the OAuth2ServiceException.withHeaders() headers field was filled with only one entry containing all headers as a string
- DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService: the OAuth2ServiceException that's thrown in the status code != 200 case doesn't get swallowed
- OAuth2ServiceException.withHeaders(): semantically incorrect behavior when headers were filled with request headers instead of response headers
- OAuth2ServiceException generated by an unsuccessful JWKs fetch contains request headers as well
- OAuth2ServiceException: updated header message - it now contains Response Headers instead of Headers
Published by liga-oz about 1 year ago