Version 2.5.2

2.5.2

• [java-api], [java-security], [token-client] works with logger api slf4j-api and does no longer provide the slf4j-implementation. Please have a look at the java-security/README.md#logging documentation.
• [xsuaa-spring-boot-starter] update spring-boot (security) dependency versions #239.
• [java-security-test] SecurityTestRule.setKeys allows to customize private/public keys that are located in the resource path, e.g. src/main/resources or src/test/resources.
• [java-security-test] configures the modulus of the public key provided by WireMock. With that the public key can be consumed by the Nimbus Jwt decoder.
• [java-security-test] JwtGenerator now generates a default jwks_url (jku) for XSUAA tokens.
• [samples/spring-security-xsuaa-usage] demonstrates how to setup JUnit tests using java-security-test library.

Dependency upgrades

• Spring Security 5.2.2
• Spring Boot 2.2.5
• Spring Core to 5.2.4

Version 2.5.1

2.5.1

• [java-api] As preparation for the SAP Java Buildpack the interfaces, as well as the SecurityContext is extracted to java-api.
• [java-security] AccessTokens provided via the SpringSecurityContext should also support the hasLocalScope method.
• [java-security] support XSUAA service plan default which is used by simple XSA applications

Version 2.5.0

2.5.0

• [java-security-test] JwtGenerator.withClaimsFromFile accepts claims from a file.
• [java-security] Provides with SpringSecurityContext an alternative way of accessing jwt tokens for Spring applications in asynchronous threads.
• [token-client] The UserTokenFlow has used the "user_token" grant type together with the "refresh_token" grant type in order to do the token exchange.
  After the consumption of UAA 4.27 we can adapt the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
  This reduces the round trips to the XSUAA from 2 to 1. Further, it eliminates the need for the user to have scope "uaa.user". The feature flag xsuaa.userTokenFlow.useJwtBearer has become obsolete. NOTE the jwt bearer token grant does no longer provide a refresh token!!!

Version 2.4.5

• [java-security] Initial / released version of the new plain Java security libraries as documented here.

Version 2.4.4

• [java-security] Initial / released version of the new plain Java security libraries as documented here.

Version 2.4.2-SNAPSHOT

Version 2.4.2-SNAPSHOT

• [java-security] Supports XSA (on-premise solutions)
• [java-security] Please note, that the group-id has changed to com.sap.cloud.security as documented here:
  https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/java-security#maven-dependencies

Version 2.3.2

2.3.2

• [spring-xsuaa] Fix vulnerability issues and increased Spring versions.
• [spring-xsuaa] Fix issue in TokenBrokerResolver: second configured authentication method was ignored

Version 2.4.1-SNAPSHOT

• [java-security] Another Snapshot Version with improved error handling and option to configure the ClosableRestClient in context of the JwtValidatorBuilder and TokenAuthenticator.

Version 2.4.0-SNAPSHOT

• [java-security] Initial / Snapshot version of the new plain Java security libraries as documented here.
• [token-client] OidcConfigurationServiceWithCache supports basically Open-id Configuration endpoints as documented here.
• [token-client] OAuth2TokenKeyServiceWithCache supports JWKS endpoint with cache of identity service as documented here.

Version 2.3.0

2.3.0

• [spring-xsuaa] Spring tests fail with version 2.2.0, when auto-configuration is disabled and no RestOperations bean is specified.
• [token-client] Supports basically JWT Bearer Token Grant as documented here. NOTE this will no longer provide a refresh token!
• [token-client] Bug fix for state issue in HttpHeaderFactor (#200) that causes interference between different types of token flows.
• [spring-xsuaa] xsuaa bindings of plan apiaccess does not cause an error, as they get ignored for token validation.