Version 2.7.2

2.7.2

• [java-security]
  • Audience Validation accepts tokens of grant type user_token that does not provide aud claim. In that case JwtAudienceValidator derives the audiences from the scopes.

❗ IMPORTANT Update

• Use getSubaccountId() only to fetch the subaccount id, e.g. for calling the metering API for user-based pricing.
• In case you are interested in the customers tenant GUID make use of getZoneId() instead!
• In upcoming releases (2009B) - especially for new subaccounts - subaccount id will no longer match the tenant GUID which is provided via the xsuaa access token as zid claim or via the ias oidc token as zone_uuid claim.

Version 2.7.1

2.7.1

• [java-security]
  • XSUserInfoAdapter provides now the subdomain that is required for token exchange via getSubdomain() method.
  • Avoid warning messages "IAS Service is not yet supported!". #273
  • rename Token claim "sap_uid" to „user_uuid“.
  • Token Key Cache can now be customized via XsuaaTokenAuthenticator.
  • XSUserInfoAdapter supports requestTokenForUser() method.
  • set validators to package private, you can customize the JWT validators using the JwtValidatorBuilder.
  • Create validation results lazy. Avoid false warning validation results from JwtAudienceValidator (#290), e.g.
    Jwt token with audience [<appId>, uaa] is not issued for these clientIds: [<appId>].
• [spring-xsuaa] Improve logs of Audience Validators.
• [spring-xsuaa-starter] Upgrade Spring versions:
  • spring.boot.version: 2.2.6.RELEASE --> 2.3.0.RELEASE
  • spring.core.version: 5.2.5.RELEASE --> 5.2.6.RELEASE
  • spring.security.version: 5.3.1.RELEASE --> 5.3.2.RELEASE
  • spring.security.oauth2: 2.4.0.RELEASE -> 2.4.1.RELEASE
• [spring-xsuaa-test]
  • renamed file privateKey.txt to spring-xsuaa-privateKey.txt and publicKey.txt to spring-xsuaa-publicKey.txt to avoid name clashes in context of CAP, which results in a strange IllegalArgumentException:failed to construct sequence from byte[]: DEF length 1213 object truncated by 2. This can happen when you use java-security-test and spring-xsuaa-test in parallel.
  • For new applications spring-xsuaa-test can be replaced in favor of java-security-test for unit testing. For testing your app locally you can setup your local environment with the VCAP_SERVICES in order to test with your XSUAA instance on Cloud Foundry.
• [token-client]
  • more detailed debug logs and details to exception; decoded token gets logged.
  • supports optional scope parameter to reduce scopes that are provided via CientCredentialsTokenFlow or UserTokenFlow.
  • By default requested tokens are now cached. You can disable the cache globally or per request as described here.
  • never log an encoded token! Instead you can log the OAuth2TokenResponse itself: the toString() method provides the content of the decoded token (clear text). Be aware that this contains sensitive user data.

Version 2.6.2

2.6.2

• [java-security] XSUserInfoAdapter provides full compatible implementation of com.sap.xsa.security.container.XSUserInfo.java interface. Support token exchanges using XsuaaTokenFlows api.
• [spring-xsuaa] Improve support of multiple XSUAA Bindings as described here.

Version 2.6.1

2.6.1

• [spring-xsuaa-starter] Upgrade Spring versions:
  • spring.boot.version: 2.2.5.RELEASE --> 2.2.6.RELEASE
  • spring.core.version: 5.2.4.RELEASE --> 5.2.5.RELEASE
  • spring.security.version: 5.2.2.RELEASE --> 5.3.1.RELEASE

Version 2.6.0

2.6.0

• [spring-xsuaa] SpringSecurityContext throws AccessDeniedException instead of IllegalStateException when authentication does not contain principal of type Token.
• [java-security] JwtAudienceValidator Support Audience Validation of Xsuaa Broker clones (multiple xsuaa bindings): NGPBUG-111540.
• [java-security-test] Basic support fo JUnit 5 (Jupiter) as documented here.
• [java-security-test] Deprecation: SecurityTestRule#getWireMockRule() needs to be replaced by getWireMockServer().
• [java-security-test] One instance of SecurityTestRule should run only one WireMock server. With that @ClassRule SecurityTestRule can be declared in a base class.

Version 2.5.3

2.5.3

• [spring-xsuaa] XsuaaJwtDecoder supports verificationkey from VCAP_SERVICES as fallback public key.
• [spring-xsuaa] when using auto-configuration and expose your own RestTemplate RestOperations bean, have a look at this documentation.
• [java-security-test] JwtGenerator supports withLocalScopes().
• [java-security] SapIdToken should return value of claim "sap_uid" (SAPGlobalUserID) as Principal name.
• [java-security] JwtAudienceValidator Support Audience Validation of Xsuaa Broker clones: NGPBUG-111540.
• [java-api] enhanced with config interfaces, which are relevant for SAP Java Buildpack.
• [api] changes XSUserInfoException from Exception to RuntimeException. This reflects the json-lib change in java-container-security (version 3.12.0).
• [token-client] [java-security] Base64JwtDecoder makes use of urldecoder. This is a prerequisite when using java-security for oidc token validation, where the encoded token may contain _ and - characters. It fixes unexpected error with message: Illegal base64 character 5f or Illegal base64 character 2d.

Version 2.5.2

2.5.2

• [java-api], [java-security], [token-client] works with logger api slf4j-api and does no longer provide the slf4j-implementation. Please have a look at the java-security/README.md#logging documentation.
• [xsuaa-spring-boot-starter] update spring-boot (security) dependency versions #239.
• [java-security-test] SecurityTestRule.setKeys allows to customize private/public keys that are located in the resource path, e.g. src/main/resources or src/test/resources.
• [java-security-test] configures the modulus of the public key provided by WireMock. With that the public key can be consumed by the Nimbus Jwt decoder.
• [java-security-test] JwtGenerator now generates a default jwks_url (jku) for XSUAA tokens.
• [samples/spring-security-xsuaa-usage] demonstrates how to setup JUnit tests using java-security-test library.

Dependency upgrades

• Spring Security 5.2.2
• Spring Boot 2.2.5
• Spring Core to 5.2.4

Version 2.5.1

2.5.1

• [java-api] As preparation for the SAP Java Buildpack the interfaces, as well as the SecurityContext is extracted to java-api.
• [java-security] AccessTokens provided via the SpringSecurityContext should also support the hasLocalScope method.
• [java-security] support XSUAA service plan default which is used by simple XSA applications

Version 2.5.0

2.5.0

• [java-security-test] JwtGenerator.withClaimsFromFile accepts claims from a file.
• [java-security] Provides with SpringSecurityContext an alternative way of accessing jwt tokens for Spring applications in asynchronous threads.
• [token-client] The UserTokenFlow has used the "user_token" grant type together with the "refresh_token" grant type in order to do the token exchange.
  After the consumption of UAA 4.27 we can adapt the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
  This reduces the round trips to the XSUAA from 2 to 1. Further, it eliminates the need for the user to have scope "uaa.user". The feature flag xsuaa.userTokenFlow.useJwtBearer has become obsolete. NOTE the jwt bearer token grant does no longer provide a refresh token!!!

Version 2.4.5

• [java-security] Initial / released version of the new plain Java security libraries as documented here.