Releases: SAP/cloud-security-services-integration-library

3.5.6

13 Dec 10:29
e3ad38a
  • [java-security] Add support for Envoy XFCC header format

Dependency upgrades

  • Bump spring.core.version from 6.2.0 to 6.2.1
  • Bump io.projectreactor:reactor-core from 3.6.9 to 3.7.1
  • Bump io.projectreactor:reactor-test from 3.7.0 to 3.7.1

3.5.5

13 Dec 10:29
e3ad38a
  • [token-client] Support CRLF line-endings in PEM formatted service keys

Dependency upgrades

  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.3.1 to 5.4.1
  • Bump io.projectreactor:reactor-test from 3.6.9 to 3.7.0
  • Update spring versions
    • core to 6.2.0
    • boot to 3.4.0
    • security to 6.4.1
  • Bump org.wiremock:wiremock-standalone from 3.9.1 to 3.9.2
  • Bump uk.org.webcompere:system-stubs-jupiter from 2.1.6 to 2.1.7
  • Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.47
  • Bump com.sap.cloud.environment.servicebinding:java-bom from 0.10.5 to 0.20.0
  • Bump log4j2.version from 2.24.1 to 2.24.2
  • Bump org.apache.maven.plugins:maven-pmd-plugin from 3.24.0 to 3.26.0
  • Bump org.apache.maven.plugins:maven-source-plugin from 3.2.1 to 3.3.1
  • Bump net.revelc.code:impsort-maven-plugin from 1.11.0 to 1.12.0
  • Bump org.owasp:dependency-check-maven from 10.0.3 to 11.1.0
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.5 to 3.2.7
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.11.1
  • Bump org.apache.maven.plugins:maven-surefire-plugin from 3.4.0 to 3.5.2
  • Bump com.github.spotbugs:spotbugs-maven-plugin from 4.8.6.2 to 4.8.6.6
  • Bump commons-io:commons-io from 2.16.1 to 2.18.0

3.5.4

06 Nov 09:30
16020e1
  • [java-security] Reduce log level to debug for errors during certificate parsing
  • [samples] Cleanup and rework most sample applications

Dependency upgrades

  • Bump org.mockito:mockito-core from 5.12.0 to 5.14.2
  • Bump org.eclipse.jetty.version from 12.0.12 to 12.0.13
  • Bump log4j2.version from 2.23.1 to 2.24.1
  • Bump spring.security.version from 6.3.3 to 6.3.4
  • Bump spring.core.version from 6.1.12 to 6.1.14
  • Bump spring.boot.version from 3.3.2 to 3.3.3

Version 3.5.3

22 Aug 14:51
d14800c
  • [java-security] Reenable sap-java-buildpack-api-usage sample using Tomcat 10

Dependency upgrades

  • Bump spring.security.version from 6.3.1 to 6.3.3
  • Bump io.projectreactor:reactor-core from 3.6.7 to 3.6.9
  • Bump slf4j.api.version from 2.0.13 to 2.0.16
  • Bump org.eclipse.jetty.version from 12.0.7 to 12.0.12
  • Bump spring.core.version from 6.1.10 to 6.1.12
  • Bump spring.boot.version from 3.3.1 to 3.3.2
  • Bump org.wiremock:wiremock-standalone from 3.7.0 to 3.9.1

Version 3.5.2

28 Jun 15:09
2902893
  • [spring-xsuaa] Remove new X5tCertificateThumbprintValidator from spring-xsuaa validators

Dependency upgrades

  • Bump spring.boot.version from 3.3.0 to 3.3.1

Version 3.5.1

20 Jun 13:14
629aef6
  • [java-security]
    • Improved JWK fetch error handling
  • [spring-security]
    • Extended autoconfiguration of the proof token check for all JwtDecoders
    • Improved JWK fetch error handling/logging. If the JWK server returns an unsuccessful response, the error is
      mapped to a 5XX status code

Dependency upgrades

  • Bump spring.core.version from 6.1.7 to 6.1.10
  • Bump spring.boot.version from 3.2.5 to 3.3.0
  • Bump spring.security.version from 6.3.0 to 6.3.1
  • Bump caffeine version to 3.1.8
  • Bump jakarta.servlet:jakarta.servlet-api from 6.0.0 to 6.1.0
  • Bump io.projectreactor:reactor-core from 3.6.6 to 3.6.7
  • Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.40

Version 3.5.0

17 May 11:34
e4215fa
  • [java-api]
    • ClientIdentity interface has been extended with 2 new methods, getCertificateChain() and getPrivateKey().
      ClientCertificate class has been extended with a new constructor that takes java.security.cert.Certificate[]
      and java.security.PrivateKey as arguments, and with corresponding getters for these fields.
    • user_token grant type has been re-added to GrantType enum
  • [token-client] SSLContextFactory class has been extended to support keys in PKCS#8 format with the ECC algorithm.
  • [spring-security]
    • Fixed an NPE in IdentityServicesPropertySourceFactory on application startup when bound to a list of XSUAA
      services whose service plans are ALL not supported
    • Provides an autoconfiguration that creates an Identity Service JwtDecoder with the proof token check enabled.
      To enable it, set the sap.spring.security.identity.prooftoken Spring property to true.
    • Fixes an issue with MockMvc when the SecurityContexts are synced. The SecurityContextStrategy is now set by an
      EnvironmentPostProcessor, because in this scenario servlet initialization does not happen and the code
      therefore runs too late.

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.6.5 to 3.6.6
  • Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.39.1
  • Bump spring.core.version from 6.1.6 to 6.1.7

Version 3.4.3

08 May 16:52
aed5bf1
  • [spring-security] Improved custom SecurityContextStrategy registration for the SecurityContextAutoConfiguration class. It uses a ServletContextInitializer to hook early into the initialization phase.

Dependency upgrades

Version 3.4.2

26 Apr 08:17
5255a2c
  • [spring-security]
    • Fixes an NPE bug introduced in the HybridJwtDecoder when the incoming request does not
      contain the x-forwarded-client-cert header
    • SecurityContextAutoConfiguration, which synchronises all SecurityContexts, is now enabled by default. To
      disable it, set the sap.spring.security.hybrid.sync_securitycontext Spring property to false

Version 3.4.1

25 Apr 12:56
  • [spring-security] Fixes an NPE bug introduced in the IasJwtDecoder when the incoming request does not
    contain the x-forwarded-client-cert header

Dependency upgrades

  • Bumps spring.boot.version from 3.2.4 to 3.2.5.
  • Bumps slf4j.api.version from 2.0.12 to 2.0.13
  • Bumps spring.security.version from 6.2.3 to 6.2.4.