Skip to content

Releases: SAP/cloud-security-services-integration-library

3.5.4

06 Nov 09:30
16020e1
Compare
Choose a tag to compare
  • [java-security] Reduce log level to debug for errors during certificate parsing
  • [samples] Cleanup and rework most sample applications

Dependency upgrades

  • Bump org.mockito:mockito-core from 5.12.0 to 5.14.2
  • Bump org.eclipse.jetty.version from 12.0.12 to 12.0.13
  • Bump log4j2.version from 2.23.1 to 2.24.1
  • Bump spring.security.version from 6.3.3 to 6.3.4
  • Bump spring.core.version from 6.1.12 to 6.1.14
  • Bump spring.boot.version from 3.3.2 to 3.3.3

Version 3.5.3

22 Aug 14:51
d14800c
Compare
Choose a tag to compare
  • [java-security] Reenable sap-java-buildpack-api-usage sample using Tomcat 10

Dependency upgrades

  • Bump spring.security.version from 6.3.1 to 6.3.3
  • Bump io.projectreactor:reactor-core from 3.6.7 to 3.6.9
  • Bump slf4j.api.version from 2.0.13 to 2.0.16
  • Bump org.eclipse.jetty.version from 12.0.7 to 12.0.12
  • Bump spring.core.version from 6.1.10 to 6.1.12
  • Bump spring.boot.version from 3.3.1 to 3.3.2
  • Bump org.wiremock:wiremock-standalone from 3.7.0 to 3.9.1

Version 3.5.2

28 Jun 15:09
2902893
Compare
Choose a tag to compare
  • [spring-xsuaa] Remove new X5tCertificateThumbprintValidator from spring-xsuaa validators

Dependency upgrades

  • Bump spring.boot.version from 3.3.0 to 3.3.1

Version 3.5.1

20 Jun 13:14
629aef6
Compare
Choose a tag to compare
  • [java-security]
    • Improved JWK fetch error handling
  • [spring-security]
    • extended autoconfiguration for proof token check for all JwtDecoders
    • Improved JWK fetch error handling/logging. In case of unsuccessful response from JWK server the error will be mapped
      to 5XX status code

Dependency upgrades

  • Bump spring.core.version from 6.1.7 to 6.1.10
  • Bump spring.boot.version from 3.2.5 to 3.3.0
  • Bump spring.security.version from 6.3.0 to 6.3.1
  • bump caffeine version to 3.1.8
  • Bump jakarta.servlet:jakarta.servlet-api from 6.0.0 to 6.1.0
  • Bump io.projectreactor:reactor-core from 3.6.6 to 3.6.7
  • Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.40

Version 3.5.0

17 May 11:34
e4215fa
Compare
Choose a tag to compare
  • [java-api]
    • ClientIdentity interface has been extended with 2 new methods getCertificateChain()
      and getPrivateKey()
      and ClientCertificate class has been extended with new constructor that takes java.security.cert.Certificate[]
      and java.security.PrivateKey as an argument and corresponding getters for these fields.
    • user_token grant type has been re-added to GrantType enum
  • [token-client] SSLContextFactory class has been extended and supports Keys in PKCS#8 format with ECC algorithm.
  • [spring-security]
    • fixed NPE in IdentityServicesPropertySourceFactory on application startup when bound to a list of XSUAA services
      whose service plans are ALL not supported
    • provides an autoconfiguration that creates an Identity Service JwtDecoder with enabled proof token check. To enable
      it, set the sap.spring.security.identity.prooftoken spring property to true.
    • Fixes an issue with MockMvc when the SecurityContexts are synced. It sets SecurityContextStrategy based on an
      EnvironmentPostProcessor as in this scenario the servlet initialization is not happening and the code runs too late
      due to that.

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.6.5 to 3.6.6
  • Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.39.1
  • Bump spring.core.version from 6.1.6 to 6.1.7

Version 3.4.3

08 May 16:52
aed5bf1
Compare
Choose a tag to compare
  • [spring-security] improved custom SecurityContextStrategy registration for the SecurityContextAutoConfiguration class. It uses ServletContextInitializer to hook early into the initialization phase.

Dependency upgrades

Version 3.4.2

26 Apr 08:17
5255a2c
Compare
Choose a tag to compare
  • [spring-security]
    • fixes a NPE bug introduced in the HybridJwtDecoder when the incoming request does not
      contain x-forwarded-client-cert header
    • SecurityContextAutoConfiguration which synchronises all SecurityContexts is now enabled by default. To disable it
      set the sap.spring.security.hybrid.sync_securitycontext spring property to false

Version 3.4.1

25 Apr 12:56
Compare
Choose a tag to compare
  • [spring-security] fixes a NPE bug introduced in the IasJwtDecoder when the incoming request does not
    contain x-forwarded-client-cert header

Dependency upgrades

  • Bumps spring.boot.version from 3.2.4 to 3.2.5.
  • Bumps slf4j.api.version from 2.0.12 to 2.0.13
  • Bumps spring.security.version from 6.2.3 to 6.2.4.

Version 2.17.5

19 Apr 16:11
2b6c678
Compare
Choose a tag to compare

Dependency upgrades

  • bump spring-core version to 5.3.34
  • bump spring-security version to 5.8.12

Version 3.4.0

12 Apr 11:49
9852a6b
Compare
Choose a tag to compare
  • [java-api] SecurityContext has been extended with a thread local storage for Service
    Plans. setServicePlans(), getServicePlans(), clearServicePlans() methods have been added.
  • [java-security]
    • added support for Identity Service Proof Token validation. Proof Token validation can be enabled by
      calling JwtValidatorBuilder.enableProofTokenCheck(). Once enabled, it will forward the X509 client certificate from the
      request header x-fowarded-client-cert as x-client_cert header to the /oauth2/token_keys endpoint.
    • DefaultOAuth2TokenKeyService saves the service plans from response header x-osb_plan (identity broker service plan)
      in the new SecurityContext thread local storage for Service Plans. The header should be available when proof token validation is enabled.
      In this case, a x-client_cert is sent in the request to /oauth2/token_keys which should trigger the x-osb_plan response header.
  • [spring-security] fixes a bug in ReactiveHybridJwtDecoder when parsing iat claim #1490

Dependency upgrades

  • Bump commons-io:commons-io from 2.15.1 to 2.16.1
  • Bump spring.boot.version from 3.2.2 to 3.2.4
  • Bump spring.core.version from 6.1.5 to 6.1.6
  • Bump io.projectreactor:reactor-core from 3.6.2 to 3.6.5
  • Bump com.sap.cloud.environment.servicebinding:java-bom from
    0.10.3 to 0.10.4
  • Bump spring.security.version from 6.2.1 to 6.2.3
  • Bump org.springframework:spring-web from 6.1.4 to 6.1.5
  • Bump org.json:json from 20240205 to 20240303