Releases: SAP/cloud-security-services-integration-library
Version 2.16.0
- [env]
  - add `Environment#getServiceConfigurationsAsList` to retrieve all service configurations as lists mapped by service (XSUAA/IAS)
- [spring-security]
  - `IdentityServicesPropertySourceFactory` now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'
  - `XsuaaServiceConfigurations#getConfigurations` now contains ALL Xsuaa configurations found, as a result of the previous change
  - `HybridIdentityServicesAutoConfiguration` was adjusted for backward compatibility to still create a `JwtDecoder` that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker')
Dependency upgrades
- Bump spring.security.version from 5.8.7 to 5.8.8
- Bump spring.boot.version from 2.7.16 to 2.7.17
- Bump log4j2 from 2.20.0 to 2.21.1
- Bump com.sap.cloud.environment.servicebinding from 0.10.0 to 0.10.1
- Bump commons-io from 2.14.0 to 2.15.0
Version 2.15.0
🔥 Hot fix for the CVE-2023-5072
- [java-security]
  - add `x-azp` header to IAS JWKS fetching and adjust the JWKS cache key for `OAuth2TokenKeyService` and `OAuth2TokenKeyServiceWithCache`
  - refactor API to use a generic Map instead of explicit IAS-specific parameters
Dependency upgrades
- Bump org.json.version from 20230618 to 20231013
- Bump spring.security.version from 5.8.6 to 5.8.7
- Bump spring.boot.version from 2.7.15 to 2.7.16
- Bump spring.core.version from 5.3.29 to 5.3.30
- Bump reactor-core from 3.4.32 to 3.4.33
- Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
- Bump commons-io from 2.13.0 to 2.14.0
Version 3.2.1
🔥 Hot fix for the CVE-2023-5072
Dependency upgrades
- Bump spring.boot.version from 3.1.4 to 3.1.5
- Bump log4j2.version from 2.20.0 to 2.21.0
- Bump spring.security.version from 6.1.4 to 6.1.5
- Bump org.json:json from 20230618 to 20231013
Version 3.2.0
- [java-security]
  - add `x-azp` header to IAS JWKS fetching and adjust the JWKS cache key for `OAuth2TokenKeyService` and `OAuth2TokenKeyServiceWithCache`
  - refactor API to use a generic Map instead of explicit IAS-specific parameters
Dependency upgrades
- Bump io.projectreactor:reactor-core from 3.5.9 to 3.5.11
- Bump spring.core.version from 6.0.11 to 6.0.13
- Bump spring.security.version from 6.1.3 to 6.1.4
- Bump commons-io:commons-io from 2.13.0 to 2.14.0
- Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
- Bump spring.boot.version from 3.1.3 to 3.1.4
- Bump slf4j.api.version from 2.0.7 to 2.0.9
Version 3.1.3
- [java-security]
  - fixes NPE when accessing `XsuaaToken.getPrincipal()` and `grantType` is null (#1261)
- [token-client]
  - fixes JWKs fetch from identity service issue when `app_tid` is not present in the token: the `X-app_tid` and `X-client_id` headers are only added when both values are available
  - `DefaultOAuth2TokenService`: fixes issue where, in case of an unsuccessful token fetch, the `OAuth2ServiceException.withHeaders()` headers field was filled with only one entry containing all headers as a string
  - `DefaultOAuth2TokenKeyService` and `SpringOAuth2TokenKeyService`: improved error handling, the `OAuth2ServiceException` thrown in the status code != 200 case no longer gets swallowed; fixes semantically incorrect `OAuth2ServiceException.withHeaders()` behavior where headers were filled with request headers instead of response headers; the `OAuth2ServiceException` generated by an unsuccessful JWKs fetch now contains the request headers as well
  - `OAuth2ServiceException`: updated header message, it now reads `Response Headers` instead of `Headers`
Dependency upgrades
- Bump spring.security.version from 6.1.2 to 6.1.3
- Bump spring.boot.version from 3.1.2 to 3.1.3
Version 2.14.2
- [java-security]
  - fixes NPE when accessing `XsuaaToken.getPrincipal()` and `grantType` is null (#1261)
- [token-client]
  - fixes JWKs fetch from identity service issue when `app_tid` is not present in the token: the `X-app_tid` and `X-client_id` headers are only added when both values are available
  - `DefaultOAuth2TokenService`: fixes issue where, in case of an unsuccessful token fetch, the `OAuth2ServiceException.withHeaders()` headers field was filled with only one entry containing all headers as a string
  - `DefaultOAuth2TokenKeyService` and `SpringOAuth2TokenKeyService`: improved error handling, the `OAuth2ServiceException` thrown in the status code != 200 case no longer gets swallowed; fixes semantically incorrect `OAuth2ServiceException.withHeaders()` behavior where headers were filled with request headers instead of response headers; the `OAuth2ServiceException` generated by an unsuccessful JWKs fetch now contains the request headers as well
  - `OAuth2ServiceException`: updated header message, it now reads `Response Headers` instead of `Headers`
Dependency upgrades
- Bump spring.security.version from 5.8.5 to 5.8.6
- Bump spring.boot.version from 2.7.14 to 2.7.15
- Bump reactor-core from 3.4.31 to 3.4.32
Version 3.1.2
- [token-client]
  - `OAuth2ServiceException` has been extended with getter method `getHeaders()` that gives access to the failed request's response headers
  - `XsuaaOAuth2TokenService` and `DefaultOAuth2TokenService` add the response headers and status code to the thrown `OAuth2ServiceException`
Version 3.1.1
- [env]
  - `ServiceBindingEnvironment` has been extended with a method `getServiceConfigurationsAsList()` that returns a list of all available service configurations parsed from the environment
  - in case of multiple service configurations of the same service plan, `ServiceBindingEnvironment.getXsuaaConfiguration()` and `ServiceBindingEnvironment.getServiceConfigurations()` will return the first one from the list. This adjustment ensures that the logic is in line with the 2.x major version.
- [token-client]
  - reverted removal of `OAuth2ServiceException.getHttpStatusCode()`
Dependency upgrades
- Bump com.sap.cloud.environment.servicebinding:java-bom from 0.8.0 to 0.9.0
Version 2.14.1
- [token-client]
  - `OAuth2ServiceException` has been extended with getter method `getHeaders()` that gives access to the failed request's response headers
  - `XsuaaOAuth2TokenService` and `DefaultOAuth2TokenService` add the response headers and status code to the thrown `OAuth2ServiceException`
Dependency upgrades
- Bump btp-environment-variable-access from 0.8.0 to 0.9.0
Version 3.1.0
❗ IMPORTANT Update ❗
The `zone_uuid` claim in Identity service tokens has been deprecated and is now replaced by the `app_tid` claim. You should use the `app_tid` claim to identify the unique tenant id, which was previously referred to as the zone.
- [java-api]
  - `Token` interface is extended with the default method `getAppTid()`; the `getZoneId()` method has been deprecated, use `getAppTid()` instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity based applications
  - `TokenClaims` is extended with `SAP_GLOBAL_APP_TID`; `SAP_GLOBAL_ZONE_ID` is deprecated
- [token-client]
  - `OAuth2TokenKeyService` interface has been extended with the method `retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId)`
  - `HttpHeaders` constants are extended with the `X-app_tid` and `X-client_id` headers
  - JWKs fetch from identity service going forward requires the mandatory headers `X-app_tid` and `X-client_id`; this has been updated in the default implementations of `OAuth2TokenKeyService`: `DefaultOAuth2TokenKeyService`, `OAuth2TokenKeyServiceWithCache` (java-security module) and `SpringOAuth2TokenKeyService`
- [java-security]
  - `AbstractToken` is serializable, fixes #1209
- [java-security-test]
  - `JwtGenerator` adds the `app_tid` claim with the default value `the-app-tid` to Identity tokens. ❗ Some adaptation might be required when calling the `getZoneId()` method, as it will now return the `app_tid` value when default values are used.
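Added illustration (not the library's own `OAuth2TokenKeyService` code) of the JWKS request rules spread over the 3.1.0, 3.1.3 and 3.2.0 notes: the `X-app_tid`/`X-client_id` pair is sent only when both values exist, `x-azp` is sent when present, and every value that shapes the request also goes into the cache key. Class name, method names and the map keys `app_tid`, `client_id`, `azp` are assumptions for this example.

```java
import java.net.URI;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for the header and cache-key rules described in the release notes.
// Not the library's implementation; names and map keys are assumed for illustration.
public final class JwksRequestPlan {
    // Header names as listed in the 3.1.0 and 3.2.0 notes.
    static final String X_APP_TID = "X-app_tid";
    static final String X_CLIENT_ID = "X-client_id";
    static final String X_AZP = "x-azp";

    private final Map<String, String> headers;
    private final String cacheKey;

    private JwksRequestPlan(Map<String, String> headers, String cacheKey) {
        this.headers = headers;
        this.cacheKey = cacheKey;
    }

    // Parameters arrive as a generic map (the 3.2.0 refactor); the key names are assumed.
    public static JwksRequestPlan from(URI jwksUri, Map<String, String> params) {
        String appTid = params.get("app_tid");
        String clientId = params.get("client_id");
        String azp = params.get("azp");
        Map<String, String> h = new LinkedHashMap<>();
        // 3.1.3 rule: tenant headers only when BOTH values exist, never one alone,
        // so a token without app_tid does not produce a half-qualified request.
        if (appTid != null && clientId != null) {
            h.put(X_APP_TID, appTid);
            h.put(X_CLIENT_ID, clientId);
        }
        if (azp != null) {
            h.put(X_AZP, azp); // 3.2.0: authorized party is part of the request
        }
        // 3.2.0 cache-key rule: everything that changes the server's answer is in the key,
        // otherwise a key set fetched for one (tenant, client, azp) could be served to another.
        String key = jwksUri + "|" + appTid + "|" + clientId + "|" + azp;
        return new JwksRequestPlan(Collections.unmodifiableMap(h), key);
    }

    public Map<String, String> headers() { return headers; }
    public String cacheKey() { return cacheKey; }

    public static void main(String[] args) {
        URI uri = URI.create("https://tenant.example.invalid/oauth2/certs"); // constructed sample
        Map<String, String> full = Map.of("app_tid", "the-app-tid", "client_id", "client-1", "azp", "client-1");
        Map<String, String> noTid = Map.of("client_id", "client-1"); // client_id alone: no tenant headers
        System.out.println(from(uri, full).headers() + " / " + from(uri, noTid).headers());
        System.out.println(from(uri, full).cacheKey().equals(from(uri, noTid).cacheKey())); // distinct keys
    }
}
```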
Dependency upgrades
- Bump spring.core.version from 6.0.9 to 6.0.11
- Bump spring.boot.version from 3.0.6 to 3.1.2
- Bump spring.security.version from 6.0.3 to 6.1.2
- Bump reactor-core from 3.5.6 to 3.5.8
- Bump btp-environment-variable-access from 0.6.0 to 0.8.0
- Bump json from 20230227 to 20230618
- Bump commons-io from 2.11.0 to 2.13.0