Version 2.4.2-SNAPSHOT

Version 2.4.2-SNAPSHOT

• [java-security] Supports XSA (on-premise solutions)
• [java-security] Please note, that the group-id has changed to com.sap.cloud.security as documented here:
  https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/java-security#maven-dependencies

Version 2.3.2

2.3.2

• [spring-xsuaa] Fix vulnerability issues and increased Spring versions.
• [spring-xsuaa] Fix issue in TokenBrokerResolver: second configured authentication method was ignored

Version 2.4.1-SNAPSHOT

• [java-security] Another Snapshot Version with improved error handling and option to configure the ClosableRestClient in context of the JwtValidatorBuilder and TokenAuthenticator.

Version 2.4.0-SNAPSHOT

• [java-security] Initial / Snapshot version of the new plain Java security libraries as documented here.
• [token-client] OidcConfigurationServiceWithCache supports basically Open-id Configuration endpoints as documented here.
• [token-client] OAuth2TokenKeyServiceWithCache supports JWKS endpoint with cache of identity service as documented here.

Version 2.3.0

2.3.0

• [spring-xsuaa] Spring tests fail with version 2.2.0, when auto-configuration is disabled and no RestOperations bean is specified.
• [token-client] Supports basically JWT Bearer Token Grant as documented here. NOTE this will no longer provide a refresh token!
• [token-client] Bug fix for state issue in HttpHeaderFactor (#200) that causes interference between different types of token flows.
• [spring-xsuaa] xsuaa bindings of plan apiaccess does not cause an error, as they get ignored for token validation.

Version 2.2.0

• [spring-xsuaa] PropertySourceFactory supports custom property sources and default can optionally be disabled with spring.xsuaa.disable-default-property-source=true
• [spring-xsuaa] Supports Spring Core 5.2.0.RELEASEand Spring Boot 2.2.0.RELEASE
• [spring-xsuaa] Deprecates TokenUrlUtils in favor of OAuth2ServiceEndpointsProvider
• [spring-xsuaa] XsuaaJwtDecoderBuilder can be configured with your RestOperations (RestTemplate). When using auto-configuration your RestTemplate bean is used by default.
• Internally, we've cleaned up maven dependencies (converged versions) and
  • removed transient dependency of spring-security-oauth2 to jackson.
  • introduced org.owasp.dependency-check-maven which performs CVSS checks.
• [token-client] supports password token flows as documented here.

Hint:

• Make sure that in @SpringBootTest annotation the XsuaaAutoConfiguration is specified before the XsuaaTokenFlowAutoConfiguration class.

Version 2.1.0

Version 2.1.0

• The token-client library supports Apache Http Client. So you can make use of it without any Spring dependencies! Have also a look at the java-tokenclient-usage sample application.
• Fix CVE-2018-1000613 by removing unnecessary dependencies (issue 144).
• Makes XsuaaMockWebServer more robust.
• Adds link to TechEd 2019 self-learning material.

Version 2.0.0

2.0.0

• Deleted package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib like CAP.
  • As already mentioned use SpringSecurityContext class instead of SecurityContext class.
• Removed deprecated methods:
  • XsuaaServiceConfiguration.getTokenUrl()
  • XsuaaToken.getClaimAccessor() is not required anymore as Xsuaa itself implements JwtClaimAccessor .
• Deprecated TokenBroker interface and its implementation UaaTokenBroker, as this is going to be replaced with the OAuth2TokenService interface which is provided by the new token-client library. If you wish to configure / pass your RestTemplate you can pass an instance of OAuth2TokenService:

new TokenBrokerResolver( 
  <<your configuration>>, 
  <<your cache>>, 
  new XsuaaOAuth2TokenService(<<your restTemplate>>), 
  <<your authenticationInformationExtractor>>);

• TokenUlrUtils class is now package protected and will be deleted with version.
• token-client library supports basically Password-Grant Access Tokens.

Version 1.7.0

1.7.0

• We now provide a new slim token-client library with a XsuaaTokenFlows class, which serves as a factory for the different flows (user, refresh and client-credentials). This deprecates the existing Token.requestToken(XSTokenRequest) API.

  • The token-client library can be used by plain Java applications.
  • Auto-configuration is provided for Spring Boot applications only, when using XSUAA Spring Boot Starter.

• ANNOUNCEMENT: Please be aware that with version 2.0.0 we want to get rid of package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib.

1.6.0

1.6.0

• Provides spring starter for spring-xsuaa, which enables auto-configuration as documented here

<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>1.6.0</version>
</dependency>

• Supports reactive ServerHttpSecurity (Spring webflux). Have a look at the (webflux sample application)[samples/spring-webflux-security-xsuaa-usage/README.md]
• To make sure that the Spring SecurityContext is always initialized with a validated token use SpringSecurityContext.init() method as documented here
• To avoid issues, when an application makes use of SAP-libraries using the SAP-internal container lib, use SpringSecurityContext instead of SecurityContext
• Some enhancements for XSUAA integration

Incompatible changes

• As of version 1.6.0 you need to make use of XSUAA Spring Boot Starter in order to leverage auto-configuration (see Troubleshoot section here)