Releases: SAP/cloud-security-services-integration-library
Version 2.4.4
- [java-security] Initial / released version of the new plain Java security libraries as documented here.
Version 2.4.2-SNAPSHOT
- [java-security] Supports XSA (on-premise solutions)
- [java-security] Please note that the group-id has changed to com.sap.cloud.security as documented here: https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/java-security#maven-dependencies
Version 2.3.2
- [spring-xsuaa] Fix vulnerability issues and increased Spring versions.
- [spring-xsuaa] Fix issue in TokenBrokerResolver: second configured authentication method was ignored
Version 2.4.1-SNAPSHOT
- [java-security] Another Snapshot Version with improved error handling and option to configure the ClosableRestClient in context of the JwtValidatorBuilder and TokenAuthenticator.
Version 2.4.0-SNAPSHOT
- [java-security] Initial / Snapshot version of the new plain Java security libraries as documented here.
- [token-client] OidcConfigurationServiceWithCache basically supports Open-id Configuration endpoints as documented here.
- [token-client] OAuth2TokenKeyServiceWithCache supports JWKS endpoint with cache of identity service as documented here.
Version 2.3.0
- [spring-xsuaa] Spring tests fail with version 2.2.0, when auto-configuration is disabled and no RestOperations bean is specified.
- [token-client] Basically supports the JWT Bearer Token Grant as documented here. NOTE: this will no longer provide a refresh token!
- [token-client] Bug fix for state issue in HttpHeaderFactor (#200) that causes interference between different types of token flows.
- [spring-xsuaa] xsuaa bindings of plan apiaccess do not cause an error, as they get ignored for token validation.
Version 2.2.0
- [spring-xsuaa] PropertySourceFactory supports custom property sources, and the default can optionally be disabled with spring.xsuaa.disable-default-property-source=true
- [spring-xsuaa] Supports Spring Core 5.2.0.RELEASE and Spring Boot 2.2.0.RELEASE
- [spring-xsuaa] Deprecates TokenUrlUtils in favor of OAuth2ServiceEndpointsProvider
- [spring-xsuaa] XsuaaJwtDecoderBuilder can be configured with your RestOperations (RestTemplate). When using auto-configuration your RestTemplate bean is used by default.
- Internally, we've cleaned up maven dependencies (converged versions) and
  - removed transitive dependency of spring-security-oauth2 to jackson.
  - introduced org.owasp.dependency-check-maven which performs CVSS checks.
- [token-client] supports password token flows as documented here.
Hint:
- Make sure that in @SpringBootTest annotation the XsuaaAutoConfiguration is specified before the XsuaaTokenFlowAutoConfiguration class.
Version 2.1.0
- The token-client library supports Apache Http Client. So you can make use of it without any Spring dependencies! Have also a look at the java-tokenclient-usage sample application.
- Fix CVE-2018-1000613 by removing unnecessary dependencies (issue 144).
- Makes XsuaaMockWebServer more robust.
- Adds link to TechEd 2019 self-learning material.
Version 2.0.0
- Deleted package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib like CAP.
  - As already mentioned use SpringSecurityContext class instead of SecurityContext class.
- Removed deprecated methods:
  - XsuaaServiceConfiguration.getTokenUrl()
  - XsuaaToken.getClaimAccessor() is not required anymore as Xsuaa itself implements JwtClaimAccessor.
- Deprecated TokenBroker interface and its implementation UaaTokenBroker, as this is going to be replaced with the OAuth2TokenService interface which is provided by the new token-client library. If you wish to configure / pass your RestTemplate you can pass an instance of OAuth2TokenService:
new TokenBrokerResolver(
<<your configuration>>,
<<your cache>>,
new XsuaaOAuth2TokenService(<<your restTemplate>>),
<<your authenticationInformationExtractor>>);
- TokenUrlUtils class is now package protected and will be deleted with version.
- token-client library basically supports Password-Grant Access Tokens.
Version 1.7.0
- We now provide a new slim token-client library with a XsuaaTokenFlows class, which serves as a factory for the different flows (user, refresh and client-credentials). This deprecates the existing Token.requestToken(XSTokenRequest) API.
  - The token-client library can be used by plain Java applications.
  - Auto-configuration is provided for Spring Boot applications only, when using XSUAA Spring Boot Starter.
- ANNOUNCEMENT: Please be aware that with version 2.0.0 we want to get rid of package com.sap.xs2.security.container in order to avoid Class Loader issues, when an application makes use of SAP-libraries using the SAP-internal container lib.