Skip to content

Releases: SAP/cloud-security-services-integration-library

Version 3.1.2

11 Aug 18:25
@liga-oz liga-oz
3.1.2
976c4d0
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 3.1.2
  • [token-client]
    • OAuth2ServiceException has been extended with getter method getHeaders() that gives the access to failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException
Assets 2
Loading

Version 3.1.1

11 Aug 14:26
@liga-oz liga-oz
3.1.1
003db33
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 3.1.1
  • [env]
    • ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from environment
    • in case of multiple service configurations of the same service plans ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() will return the first one from the list.
      This adjustment ensures that the logic is in line with the 2.x major version.
  • [token-client] reverted removal of OAuth2ServiceException.getHttpStatusCode()

Dependency upgrades

Assets 2
Loading

Version 2.14.1

11 Aug 18:25
@liga-oz liga-oz
2.14.1
2ceaf87
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.14.1
  • [token-client]
    • OAuth2ServiceException has been extended with getter method getHeaders() that gives the access to failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Dependency upgrades

  • Bump btp-environment-variable-access from 0.8.0 to 0.9.0
Assets 2
Loading

Version 3.1.0

24 Jul 13:27
@liga-oz liga-oz
3.1.0
8a8903a
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 3.1.0

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with default method getAppTid() and getZoneId() method has been deprecated, use getAppTid() method instead ⚠️ This is also relevant for Xsuaa applications not only Identity based applications
    • TokenClaims is extended with the SAP_GLOBAL_APP_TID and SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • JWKs fetch from identity service going forward requires mandatory headers: X-app_tid abd X-client_id this has been updated in the default implementations of the OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is serializable fixes #1209
  • [java-security-test] JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗Some adaption might be required when calling the getZoneId() method as it will return now the app_tid value back when default values are used.

Dependency upgrades

  • Bump spring.core.version from 6.0.9 to 6.0.11
  • Bump spring.boot.version from 3.0.6 to 3.1.2
  • Bump spring.security.version from 6.0.3 to 6.1.2
  • Bump reactor-core from 3.5.6 to 3.5.8
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0
Assets 2
Loading

Version 2.14.0

24 Jul 13:27
@liga-oz liga-oz
2.14.0
05791c5
Compare
Choose a tag to compare
Version 2.14.0

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with default method getAppTid() and getZoneId() method has been deprecated, use getAppTid() method instead ⚠️ This is also relevant for Xsuaa applications not only Identity based applications
    • TokenClaims is extended with the SAP_GLOBAL_APP_TID and SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • JWKs fetch from identity service going forward requires mandatory headers: X-app_tid and X-client_id this has been updated in the default implementations of the OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is serializable #1207
  • [java-security-test] JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗Some adaption might be required when calling the getZoneId() method as it will return now the app_tid value back when default values are used.

Dependency upgrades

  • Bump spring.core.version from 5.3.27 to 5.3.29
  • Bump spring.boot.version from 2.7.10 to 2.7.14
  • Bump spring.security.version from 5.8.3 to 5.8.5
  • Bump reactor-core from 3.4.24 to 3.4.31
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0
Assets 2
Loading

Version 3.0.1

16 May 08:01
@liga-oz liga-oz
3.0.1
df97ff2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 3.0.1

[spring-xsuaa]

  • fixes incompatible TLS version for DefaultSpringHttpClientFactory

Dependency upgrades

  • Bump spring.core.version from 6.0.8 to 6.0.9
  • Bump reactor-core from 3.5.5 to 3.5.6
  • Bump btp-environment-variable-access from 0.5.2 to 0.6.0
Assets 2
Loading

Version 3.0.0

24 Apr 07:56
@liga-oz liga-oz
3.0.0
67672cd
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 3.0.0

Baseline changes

cloud-security-services-integration-library requires

  • Java 17
  • Spring Boot 3.0.x
  • Spring security 6.0.x

Breaking Changes

  • Identity service configurations need to provide domains via String array in JSON key 'identity.credentials.domains'. Providing String values under key 'identity.credentials.domain' is not supported anymore. IAS configurations from service bindings have been generated like this for a long time already. This should only affect old configuration files manually written for testing.

Removed modules

Removed deprecated classes and interfaces

  • [api]
    • XSPrincipal, XSUserInfoException → not needed anymore with new Token interface
  • [env]
    • CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
    • CFConstants, K8sConstants → use instead ServiceConstants
  • [java-security]
    • XSUserInfo, XSUserInfoAdapter → use instead Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
    • SAPOfflineTokenServicesCloud → use instead [spring-security] module
  • [spring-xsuaa]
    • XSTokenRequest, TokenBroker, UaaTokenBroker → use instead token-client module to fetch XSUAA tokens via XsuaaTokenFlows
    • TokenBrokerResolver, AuthenticaionMethod → No longer provided. See spring-security-basic-auth sample how to write your own implementation.
    • IasXsuaaExchangeBroker → Exchange is not supported by XSUAA service anymore.
    • TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
    • XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
    • OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
  • [token-client]
    • UserTokenFlow → use instead JwtBearerTokenFlow

Removed deprecated methods

  • [java-security]
    • OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
    • SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration)
  • [java-security-test]
    • SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
    • SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
  • [spring-xsuaa]
    • Token#getExpirationDate → use instead Token#getExpiration
  • [spring-xsuaa-test]
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
  • [token-client]
    • XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
    • OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
    • OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for argument subdomain
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
    • OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance

Removed deprecated fields

  • [java-api]
    • GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
  • [token-client]
    • OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
  • [spring-xsuaa]
    • Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS
Assets 2
Loading

Version 2.13.9

18 Apr 07:35
@liga-oz liga-oz
2.13.9
96666d7
Compare
Choose a tag to compare
Version 2.13.9

Patches CVE-2023-20863

[env]

  • for backward compatibility domain is also supported along with the domains attribute for Identity service configuration #1153

[token-client]

  • warning messages has been removed when using DefaultHttpClientFactory, HTTP client settings have been updated see README for more information
  • UserTokenFlow is deprecated, use jwtBearerTokenFlow instead #1135

Dependency upgrades

  • Bump spring.core.version from 5.3.26 to 5.3.27
  • Bump log4j2.version from 2.19.0 to 2.20.0
Assets 2
Loading

Version 2.13.8

29 Mar 07:32
@liga-oz liga-oz
2.13.8
e6c4211
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.13.8

[spring-xsuaa]

  • Synchronizes XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
  • Improved logging for XsuaaJwtDecoder fallback key validation

Dependency upgrades

  • Bump spring.boot.version from 2.7.9 to 2.7.10
Assets 2
Loading

Version 2.13.7

06 Mar 08:37
@liga-oz liga-oz
2.13.7
2a8dedf
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.13.7

[token-client]

  • Fixes regression introduced with logback dependency not having scope test

Dependency upgrades

  • Bump org.json from to 20230227
Assets 2
Loading