Releases: SAP/cloud-security-services-integration-library
Version 2.13.2
[java-security]
- Bug fix for a regression in XSUserInfoAdapter.getMultiValueAttributeFromExtObject(): an error was thrown when accessing xs.user.attributes with an empty array value. As before 2.12.3, an error is now thrown only if the attribute does not exist.
Dependency upgrades
- Bump spring.security.version from 5.7.2 to 5.7.3
- Bump java-bom (https://github.com/SAP/btp-environment-variable-access) from 0.4.0 to 0.4.1
Version 2.13.1
[token-client]
- DefaultHttpClientFactory creates the CloseableHttpClient with redirects disabled, to avoid security vulnerabilities.
  ‼️ If you provide a custom CloseableHttpClient implementation, make sure it disables redirects as well. ‼️
- All TokenServices and TokenKeyServices now add a user-agent header to every outgoing request, with the value token-client/x.x.x, where x.x.x is the token-client version in use.
[spring-xsuaa]
- XsuaaJwtDecoder catches the Base64 decoder's IllegalArgumentException, which can be caused by a malformed verificationkey in the xsuaa service configuration, to avoid 500 Internal Server Error responses
Dependency upgrades
- Bump spring.boot.version from 2.7.1 to 2.7.2.
- Bump https://github.com/SAP/btp-environment-variable-access from 0.3.1 to 0.4.0.
- Bump reactor-core from 3.4.21 to 3.4.22
Version 2.13.0
[env]
- Uses https://github.com/SAP/btp-environment-variable-access (version 0.3.1), which supports access to service credentials in K8s/Kyma environments provisioned by the SAP BTP Service Operator. Use of service-catalog is no longer supported. As a consequence, service-manager is no longer required to distinguish the service instance plan when multiple xsuaa instances are bound (#855)
[token-client]
- NPE bug fix for UriUtil.replaceSubdomain(@Nonnull URI, @Nullable subdomain) in cases where the provided URI does not contain a host (no http/s scheme provided) #943
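To show the edge case behind #943 concretely, here is an added subdomain-replacement helper written for this page; it is not the library's UriUtil implementation, and the host names in main are constructed. A URI given without an http/s scheme parses as a relative path, so URI.getHost() returns null; the helper returns the input unchanged in that case instead of dereferencing the null host. The character whitelist on the subdomain is an extra check added here, because the subdomain is typically derived from tenant data and must not be able to inject a different host.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

public final class SubdomainReplacer {

    // Only DNS-label characters are allowed in a subdomain supplied by a tenant (added hardening, not library behaviour).
    private static final Pattern LABEL = Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    /**
     * Replaces the first host label of uri with subdomain, e.g.
     * https://paas.authentication.example.com/oauth/token -> https://tenant.authentication.example.com/oauth/token.
     * Returns uri unchanged when subdomain is null or empty, when the URI carries no host
     * (no http/s scheme, the #943 case) or when the host has no label to replace.
     */
    public static URI replaceSubdomain(URI uri, String subdomain) {
        if (uri == null) {
            throw new IllegalArgumentException("uri must not be null");
        }
        String host = uri.getHost();
        if (subdomain == null || subdomain.isEmpty() || host == null) {
            return uri;
        }
        if (!LABEL.matcher(subdomain).matches()) {
            throw new IllegalArgumentException("subdomain is not a valid DNS label");
        }
        int firstDot = host.indexOf('.');
        if (firstDot < 0) {
            return uri;
        }
        String newHost = subdomain + host.substring(firstDot);
        try {
            return new URI(uri.getScheme(), uri.getUserInfo(), newHost, uri.getPort(),
                    uri.getPath(), uri.getQuery(), uri.getFragment());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("cannot rebuild URI with host " + newHost, e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a full URL, the scheme-less form that used to cause the NPE, and a null subdomain.
        System.out.println(replaceSubdomain(URI.create("https://paas.authentication.example.com/oauth/token"), "tenant"));
        System.out.println(replaceSubdomain(URI.create("paas.authentication.example.com/oauth/token"), "tenant"));
        System.out.println(replaceSubdomain(URI.create("https://paas.authentication.example.com/oauth/token"), null));
        try {
            replaceSubdomain(URI.create("https://paas.authentication.example.com"), "evil.example.org");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```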
[samples]
- java-security-usage, spring-security-basic-auth and spring-security-hybrid-usage adjusted for service-operator versions higher than v0.2.3
Dependency upgrades
- Bump log4j2.version from 2.17.2 to 2.18.0
- Bump spring.core.version from 5.3.21 to 5.3.22
- Bump reactor-core from 3.4.19 to 3.4.21
Full Changelog: 2.12.3...2.13.0
Version 2.12.3
[spring-xsuaa][spring-security-compatibility]
- Bug fix for #910: the XsuaaToken.getXSUserAttribute and XsuaaTokenComp.getXSUserAttribute methods return null if the claim is not present, as documented in the javadoc.
[java-api]
- Token.getAttributeFromClaimAsStringList javadoc has been fixed: this method is supposed to return an empty list in case of a missing attribute instead of null.
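The three lookup contracts named in this release and in 2.13.2 above differ in how they treat an absent claim, an absent attribute and an attribute whose value is an empty array. The following added illustration puts them side by side over a constructed claims map. It is plain Java written for this page, not the library's code: the method bodies, the handling of a missing attribute in getXSUserAttribute (empty array here) and the IllegalStateException type are choices made for the illustration.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

public final class AttributeLookupExample {

    private static final String XS_USER_ATTRIBUTES = "xs.user.attributes";

    /** java-api contract: an empty list when the claim or the attribute is missing, never null. */
    @SuppressWarnings("unchecked")
    public static List<String> getAttributeFromClaimAsStringList(Map<String, Object> claims,
                                                                 String claimName, String attributeName) {
        Object claim = claims.get(claimName);
        if (!(claim instanceof Map)) {
            return Collections.emptyList();
        }
        Object values = ((Map<String, Object>) claim).get(attributeName);
        if (!(values instanceof List)) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableList((List<String>) values);
    }

    /** spring-xsuaa contract (#910): null when the xs.user.attributes claim itself is absent. */
    public static String[] getXSUserAttribute(Map<String, Object> claims, String attributeName) {
        if (!(claims.get(XS_USER_ATTRIBUTES) instanceof Map)) {
            return null;
        }
        // Attribute absent: empty array (a choice made for this illustration).
        return getAttributeFromClaimAsStringList(claims, XS_USER_ATTRIBUTES, attributeName).toArray(new String[0]);
    }

    /** XSUserInfo contract (2.13.2): an exception only for a non-existing attribute; an empty array is a valid value. */
    @SuppressWarnings("unchecked")
    public static String[] getMultiValueAttributeFromExtObject(Map<String, Object> claims, String attributeName) {
        Object claim = claims.get(XS_USER_ATTRIBUTES);
        if (!(claim instanceof Map) || !((Map<String, Object>) claim).containsKey(attributeName)) {
            throw new IllegalStateException("attribute " + attributeName + " does not exist");
        }
        return getAttributeFromClaimAsStringList(claims, XS_USER_ATTRIBUTES, attributeName).toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed claim set: "country" is present but empty, "dept" is absent.
        Map<String, Object> attributes = Map.of("country", List.of(), "roles", List.of("Admin", "Viewer"));
        Map<String, Object> claims = Map.of(XS_USER_ATTRIBUTES, attributes);

        System.out.println("java-api, absent attribute: " + getAttributeFromClaimAsStringList(claims, XS_USER_ATTRIBUTES, "dept"));
        System.out.println("XSUserInfo, empty array length: " + getMultiValueAttributeFromExtObject(claims, "country").length);
        System.out.println("spring-xsuaa, absent claim: " + getXSUserAttribute(Map.of(), "country"));
        try {
            getMultiValueAttributeFromExtObject(claims, "dept");
        } catch (IllegalStateException e) {
            System.out.println("XSUserInfo, absent attribute: " + e.getMessage());
        }
    }
}
```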
Dependency upgrades
- Bump spring.security.version from 5.7.1 to 5.7.2
- Bump spring.boot.version from 2.7.0 to 2.7.1
- Bump spring.core.version from 5.3.20 to 5.3.21
- Bump reactor-core from 3.4.18 to 3.4.19
- Bump spring-boot-starter-parent version from 2.6.7 to 2.7.1
Version 2.12.2
[spring-xsuaa][spring-security]
- Fixes CVE-2022-22978 by upgrading the Spring Security version
Dependency upgrades
- Bump spring.security.version from 5.6.3 to 5.7.1
- Bump spring.boot.version from 2.6.7 to 2.7.0
- Bump com.squareup.okhttp3:mockwebserver to 4.9.3
Version 2.12.1
[java-security]
- JwtIssuerValidator rules have been relaxed: it now accepts issuers without an https scheme
Dependency upgrades
- Bump jackson-databind from 2.13.2.2 to 2.13.3
- Bump spring.core.version from 5.3.19 to 5.3.20
- Bump reactor-core from 3.4.17 to 3.4.18
Version 2.12.0
[token-client]
- Improves the default Apache Http Client configuration provided with DefaultHttpClientFactory, so that the warning message "In productive environment provide well configured HttpClientFactory service" (described here) is no longer logged in case of a certificate-based setup, and stakeholders no longer need to override the default configuration. Usages of HTTP clients as part of this client library are depicted here.
- In case there is no certificate given in VCAP_SERVICES, a default http client gets created (HttpClients.createDefault()) and the message is still logged with severity WARNING.
Details: DefaultHttpClientFactory
It sets
- connect timeout = 5 sec
- connection request timeout = 5 sec
- socket timeout = 5 sec
Furthermore, it makes sure that per client id the SSLContext, SSLConnectionSocketFactory and PoolingHttpClientConnectionManager are created only once per instance.
It introduces a PoolingHttpClientConnectionManager and limits
- the maximum connections per route to 4 (default is 2)
- the maximum total connections to 20
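The settings listed above, together with the disabled redirects and the user-agent header from 2.13.1, can be reproduced with the Apache HttpClient 4.x builder API directly. The following is an added example written for this page, not the library's DefaultHttpClientFactory and not a drop-in HttpClientFactory service (wiring a custom client into the library is described in its own documentation, which this snippet does not reproduce); it only needs Apache HttpClient 4.5 on the classpath and the JDK's built-in com.sun.net.httpserver. The main method runs a constructed local redirect against the hardened client and against HttpClients.createDefault(), so you can check the behaviour instead of trusting the configuration: a client that follows redirects would re-send the request, and whatever the caller attached to it, to the Location the redirecting server chose, which is why a token client that carries client credentials must not follow them.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

import java.io.IOException;
import java.net.InetSocketAddress;

public final class HardenedHttpClientExample {

    // Values taken from the 2.12.0 defaults listed above.
    private static final int TIMEOUT_MS = 5_000;
    private static final int MAX_PER_ROUTE = 4;
    private static final int MAX_TOTAL = 20;

    /** Builds a pooled client with 5 s timeouts that never follows redirects and identifies itself via User-Agent. */
    public static CloseableHttpClient create(String userAgent) {
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MS)
                .setConnectionRequestTimeout(TIMEOUT_MS)
                .setSocketTimeout(TIMEOUT_MS)
                .setRedirectsEnabled(false)      // per-request config: no redirects
                .build();
        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
        pool.setDefaultMaxPerRoute(MAX_PER_ROUTE);
        pool.setMaxTotal(MAX_TOTAL);
        return HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setConnectionManager(pool)
                .disableRedirectHandling()        // builder level: no RedirectStrategy is installed at all
                .setUserAgent(userAgent)          // e.g. "token-client/2.13.1" as the library does since 2.13.1
                .build();
    }

    /** Executes GET url and returns the raw status code; with redirects disabled a 302 is returned as 302. */
    public static int statusOf(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            return response.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed local server: /token answers 302 to /attacker, which answers 200.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        server.createContext("/token", exchange -> {
            exchange.getResponseHeaders().add("Location", base + "/attacker");
            exchange.sendResponseHeaders(302, -1);
            exchange.close();
        });
        server.createContext("/attacker", exchange -> {
            exchange.sendResponseHeaders(200, -1);
            exchange.close();
        });
        server.start();
        try (CloseableHttpClient hardened = create("token-client/2.13.1");
             CloseableHttpClient lenient = HttpClients.createDefault()) {
            System.out.println("hardened client, raw status of /token: " + statusOf(hardened, base + "/token"));
            System.out.println("default client,  raw status of /token: " + statusOf(lenient, base + "/token"));
        } finally {
            server.stop(0);
        }
    }
}
```

Both the RequestConfig flag and disableRedirectHandling() are set on purpose: the first is overridable per request, the second removes the redirect executor from the client entirely, so a caller passing its own RequestConfig cannot accidentally re-enable following.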
Dependency upgrades
- Bump spring-security-oauth2 from 2.5.1.RELEASE to 2.5.2.RELEASE
- Bump spring-boot-starter version from 2.6.6 to 2.6.7
Full Changelog: 2.11.16...2.12.0
Version 2.11.16
[all]
- ❗ The dependency on spotbugs-annotations should be optional, following the recommendation from here, and is no longer provided as a transitive dependency. In case you need it, add it yourself in pom.xml:

    <properties>
      <spotbugs.annotations.version>4.6.0</spotbugs.annotations.version>
    </properties>
    ...
    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-annotations</artifactId>
      <version>${spotbugs.annotations.version}</version>
    </dependency>

[spring-xsuaa]
- ❗ The dependency on javax.annotation-api should be optional and is no longer provided as a transitive dependency. In case you need it, add it yourself in pom.xml:

    <properties>
      <javax.annotation.version>1.3.2</javax.annotation.version>
    </properties>
    ...
    <dependency>
      <groupId>javax.annotation</groupId>
      <artifactId>javax.annotation-api</artifactId>
      <version>${javax.annotation.version}</version>
    </dependency>

[java-api] [token-client]
- Dependency on spotbugs-annotations is now optional
[java-security] [spring-security]
- JwtSignatureValidator improvements:
  - Only the identity service requires the x-zone_uuid header for token key retrieval
  - In case of a signature mismatch, the result should expose the signature of the encoded JWT token
[spring-security]
- Introduces with spring-security-compatibility a compatibility module that provides, with the XsuaaTokenComp class, an option to decorate a token issued by xsuaa to the com.sap.cloud.security.xsuaa.token.Token api, which was used in spring-xsuaa. See also the Migration Guide and PR #847
Dependency upgrades
- Bump spring-boot-starter-parent version from 2.5.2 to 2.6.6
- Bump reactor-core from 3.4.16 to 3.4.17
Full Changelog: 2.11.15...2.11.16
Version 2.11.15
[spring-xsuaa][spring-security]
- Fixes CVE-2022-22965 by upgrading the Spring Framework version
Dependency upgrades
- Bump spring.security.version from 5.3.17 to 5.3.18
- Bump spring.boot.version from 2.6.4 to 2.6.6
- Bump spring-beans from 5.3.17 to 5.3.18
Full Changelog: 2.11.14...2.11.15
Version 2.11.14
[java-security]
- Never log certificates
- Improves JWKS cache handling
- Adds further logs with respect to key mismatches
[spring-xsuaa]
- XsuaaJwtDecoder must ignore line breaks in verificationkey
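This fix and the 2.13.1 change to XsuaaJwtDecoder (catching the Base64 decoder's IllegalArgumentException so a malformed verificationkey does not surface as a 500) are two halves of the same parsing problem. The following added example shows a tolerant parser for the verificationkey value, written for this page with the JDK only; it is not the library's XsuaaJwtDecoder, and the PEM value in main is constructed from a freshly generated key. PEM armour, literal line breaks and the escaped "\n" sequences that a JSON-encoded VCAP_SERVICES value may carry are stripped before decoding, and a value that still fails to decode or is not a valid X.509 SubjectPublicKeyInfo yields Optional.empty() so the caller can answer 401 and log a short message without echoing the key material.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Optional;

public final class VerificationKeyParser {

    /**
     * Parses an RSA public key from an xsuaa "verificationkey" configuration value.
     * Returns Optional.empty() for null, non-Base64 or non-RSA input instead of throwing.
     */
    public static Optional<PublicKey> parse(String verificationKey) {
        if (verificationKey == null) {
            return Optional.empty();
        }
        String base64 = verificationKey
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replace("\\n", "")        // escaped newlines from JSON-encoded service bindings
                .replaceAll("\\s", "");    // real CR/LF line breaks and any other whitespace
        try {
            byte[] der = Base64.getDecoder().decode(base64);   // IllegalArgumentException on malformed input
            PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
            return Optional.of(key);
        } catch (IllegalArgumentException | InvalidKeySpecException e) {
            // Log the failure class only; never log the (possibly attacker-influenced) key text itself.
            return Optional.empty();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("RSA KeyFactory not available", e);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        PublicKey original = generator.generateKeyPair().getPublic();

        // Constructed configuration value: PEM with 64-character lines, as a verificationkey is commonly stored.
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(original.getEncoded());
        String pem = "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----";

        System.out.println("PEM with line breaks, key round-trips: "
                + parse(pem).map(original::equals).orElse(false));
        System.out.println("PEM with escaped \\n, parsed: "
                + parse(pem.replace("\n", "\\n")).isPresent());
        System.out.println("malformed value, parsed: "
                + parse("-----BEGIN PUBLIC KEY-----\nnot*base64!\n-----END PUBLIC KEY-----").isPresent());
    }
}
```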
[java-security-test]
- Bump jackson-databind.version from 2.12.1 to 2.13.2.2 (solves a security vulnerability)
Dependency upgrades
- Bump slf4j.api.version from 1.7.35 to 1.7.36
- Bump spring.security.version from 5.6.1 to 5.6.2
- Bump log4j2.version from 2.17.1 to 2.17.2
- Bump spring.boot.version from 2.6.3 to 2.6.4
- Bump reactor-core from 3.4.15 to 3.4.16
- Bump json from 20211205 to 20220320
- Bump spring.core.version from 5.3.15 to 5.3.17
Full Changelog: 2.11.13...2.11.14