Skip to content

Releases: SAP/cloud-security-services-integration-library

Version 2.12.1

16 May 11:59
@liga-oz liga-oz
2.12.1
4af5a40
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.12.1
  • [java-security] JwtIssuerValidator rules have been relaxed, it accepts issuers without https schema

Dependency upgrades

  • Bump jackson-databind from 2.13.2.2 to 2.13.3
  • Bump spring.core.version from 5.3.19 to 5.3.20
  • Bump reactor-core from 3.4.17 to 3.4.18
Assets 2
Loading

Version 2.12.0

05 May 11:52
@nenaraab nenaraab
2.12.0
35c3aea
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.12.0
  • [token-client]
    • This improves the default Apache Http Client configuration, provided with DefaultHttpClientFactory, so that warning message "In productive environment provide well configured HttpClientFactory service" (described here) is no longer logged in case of certificate based setup, and stakeholders must not overwrite the default configuration.
      • Usages of HTTP Clients as part of this client library are depicted here.
      • In case there is no certificate given in VCAP_SERVICES a default http client gets created (HttpClients.createDefault()) and the message is still logged with severity WARNING .

Details DefaultHttpClientFactory

It sets

  • connect timeout = 5 sec
  • connection request timeout = 5 sec
  • socket timeout = 5 sec

Furthermore, it makes sure that per client id SSLContext, SSLConnectionSocketFactory and PoolingHttpClientConnectionManager is created only once per instance.

It introduces a PoolingHttpClientConnectionManager and limits

  • maximum connections per route to 4 (default is 2)
  • and the maximum connections to 20

Dependency upgrades

  • Bump spring-security-oauth2 from 2.5.1.RELEASE to 2.5.2.RELEASE
  • Bump spring-boot-starter version from 2.6.6 to 2.6.7

Full Changelog: 2.11.16...2.12.0

Assets 2
Loading

Version 2.11.16

21 Apr 17:19
@nenaraab nenaraab
2.11.16
6ad4887
Compare
Choose a tag to compare
Version 2.11.16

  • [all]

    • ❗ Dependency on spotbugs-annotations should be optional, follows recommendation from here and is no longer provided as transient dependency. In case you need it, you can add it by yourself in pom.xml: 
      <properties>
     <spotbugs.annotations.version>4.6.0</spotbugs.annotations.version>
</properties>
...
<dependency>
   <groupId>com.github.spotbugs</groupId>
   <artifactId>spotbugs-annotations</artifactId>
   <version>${spotbugs.annotations.version}</version>
</dependency>

  • [spring-xsuaa]

    • ❗ Dependency on javax.annotation-api should be optional and is no longer provided as transient dependency. In case you need it, you can add it by yourself in pom.xml: 
      <properties>
     <javax.annotation.version>1.3.2</javax.annotation.version>
</properties>
...
<dependency>
     <groupId>javax.annotation</groupId>
     <artifactId>javax.annotation-api</artifactId>
     <version>${javax.annotation.version}</version>
 </dependency>

  • [java-api] [token-client] Dependency on spotbugs-annotations is now optional

  • [java-security] [spring-security] JwtSignatureValidator improvements:

    • Only identity service requires x-zone_uuid header for token keys retrieval
    • in case of signature mismatch the result should expose the signature of the encoded JWT token

  • [spring-security]
    Introduces with spring-security-compatibility a compatibility module that provides with XsuaaTokenComp class an option to decorate a token issued by xsuaa to com.sap.cloud.security.xsuaa.token.Token api, which was used in spring-xsuaa.

Dependency upgrades

  • Bump spring-boot-starter-parent version from 2.5.2 to 2.6.6
  • Bump reactor-core from 3.4.16 to 3.4.17

Full Changelog: 2.11.15...2.11.16

Assets 2
Loading

Version 2.11.15

01 Apr 09:54
@nenaraab nenaraab
2.11.15
102ef26
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.15

2.11.15

[spring-xsuaa][spring-security]

Dependency upgrades

  • Bump spring.security.version from 5.3.17 to 5.3.18
  • Bump spring.boot.version from 2.6.4 to 2.6.6
  • Bump spring-beans from 5.3.17 to 5.3.18

Full Changelog: 2.11.14...2.11.15

Assets 2
Loading

Version 2.11.14

29 Mar 18:32
@nenaraab nenaraab
2.11.14
e1dc6ad
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.14
  • [java-security]
    • Never log certificates
    • Improves Jwks cache handling
    • add further logs in respect to key mismatches
  • [spring-xsuaa]
    • XsuaaJwtDecoder must ignore line breaks in verificationkey
  • [java-security-test]
    • Bump jackson-databind.version from 2.12.1 to 2.13.2.2 (solves security vulnerability)

Dependency upgrades

  • Bump slf4j.api.version from 1.7.35 to 1.7.36
  • Bump spring.security.version from 5.6.1 to 5.6.2
  • Bump log4j2.version from 2.17.1 to 2.17.2
  • Bump spring.boot.version from 2.6.3 to 2.6.4
  • Bump reactor-core from 3.4.15 to 3.4.16
  • Bump json from 20211205 to 20220320
  • Bump spring.core.version from 5.3.15 to 5.3.17

Full Changelog: 2.11.13...2.11.14

Assets 2
Loading

Version 2.11.13

07 Feb 17:17
@nenaraab nenaraab
2.11.13
e9d9b5a
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.13
  • [java-security]
    • removes audience check as part of JwtX5tValidator
  • [spring-xsuaa]
    • XsuaaServiceConfigurationDefault supports access to other credentials (fix #802)
    • XsuaaServiceConfigurationDefault supports non relaxed-binding rules for non spring framework cases
    • auto-configures mtls-based rest operations w/o credential-type=x509 property
  • [spring-security]
    • HybridJwtDecoder should support xsuaa only (see #790)
    • auto-configures mtls-based rest operations w/o credential-type=x509 property
    • auto-configures token flows if no secret but certificate is given
Assets 2
Loading

Version 2.11.12

28 Jan 16:28
@nenaraab nenaraab
2.11.12
e1f50a7
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.12
  • [java-security] XsuaaTokenAuthenticator should support validation of tokens issued by Cloud Foundry UAA (NGPBUG-175120)

Dependency upgrades

  • Bump reactor-core from 3.4.13 to 3.4.14
  • Bump spring.core.version from 5.3.14 to 5.3.15
  • Bump slf4j.api.version from 1.7.32 to 1.7.35
  • Bump spring.boot.version from 2.6.2 to 2.6.3
Assets 2
Loading

Version 2.11.11

07 Jan 09:00
@nenaraab nenaraab
2.11.11
1a2f73d
Compare
Choose a tag to compare
Version 2.11.11
  • Ensure compatibility with Java 11 (see PR #775)
  • [spring-xsuaa-starter] xsuaaMtlsRestOperations and xsuaaRestOperations are only auto-configured if XsuaaServiceConfiguration bean is given
  • [java-security] Support oidc tokens from single tenant apps w/o zone_uuid claim (NGPBUG-170120)

Dependency upgrades

  • remove net.minidev:json-smart
  • Bump log4j2.version from 2.17.0 to 2.17.1
Assets 2
Loading

Version 2.11.10

22 Dec 19:48
@liga-oz liga-oz
2.11.10
c7737b8
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.10

2.11.10

[spring-xsuaa-starter] Patches CVE-2021-42550

Dependency upgrades

  • Bump spring.boot.version from 2.6.1 to 2.6.2 contains logback 1.2.9 (CVE-2021-42550)
  • Bump dependency-check-maven from 6.5.0 to 6.5.1
  • Bump logcaptor from 2.7.4 to 2.7.7
Assets 2
Loading

Version 2.11.9

21 Dec 16:32
@nenaraab nenaraab
2.11.9
f9a36f6
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 2.11.9
  • provides Bill of Material that helps you to keep all of your SAP security related dependencies on sync:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.sap.cloud.security</groupId>
            <artifactId>java-bom</artifactId>
            <version>2.11.9</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

See sample.

Dependency upgrades

  • Bump spring.security.version from 5.6.0 to 5.6.1
  • Bump spring.core.version from 5.3.13 to 5.3.14
  • Bump log4j-api to 2.17.0 (CVE-2021-45105)
  • Sets Spring property log4j2.version to 2.17.0 and overwrites org.apache.logging.log4j:log4j-to-slf4j and org.apache.logging.log4j:log4j-api version used in the Spring projects. This patch is not urgent, see also Blog: Log4J2 Vulnerability and Spring Boot.
  • Bump reactor-core from 3.4.12 to 3.4.13
  • Bump log4j-to-slf4j from 2.14.1 to 2.17.0
Assets 2
Loading