Version 2.5.1

2.5.1

• [java-api] As preparation for the SAP Java Buildpack the interfaces, as well as the SecurityContext is extracted to java-api.
• [java-security] AccessTokens provided via the SpringSecurityContext should also support the hasLocalScope method.
• [java-security] support XSUAA service plan default which is used by simple XSA applications

Version 2.5.0

2.5.0

• [java-security-test] JwtGenerator.withClaimsFromFile accepts claims from a file.
• [java-security] Provides with SpringSecurityContext an alternative way of accessing jwt tokens for Spring applications in asynchronous threads.
• [token-client] The UserTokenFlow has used the "user_token" grant type together with the "refresh_token" grant type in order to do the token exchange.
  After the consumption of UAA 4.27 we can adapt the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
  This reduces the round trips to the XSUAA from 2 to 1. Further, it eliminates the need for the user to have scope "uaa.user". The feature flag xsuaa.userTokenFlow.useJwtBearer has become obsolete. NOTE the jwt bearer token grant does no longer provide a refresh token!!!

Version 2.4.5

• [java-security] Initial / released version of the new plain Java security libraries as documented here.

Version 2.4.4

• [java-security] Initial / released version of the new plain Java security libraries as documented here.

Version 2.4.2-SNAPSHOT

Version 2.4.2-SNAPSHOT

• [java-security] Supports XSA (on-premise solutions)
• [java-security] Please note, that the group-id has changed to com.sap.cloud.security as documented here:
  https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/java-security#maven-dependencies

Version 2.3.2

2.3.2

• [spring-xsuaa] Fix vulnerability issues and increased Spring versions.
• [spring-xsuaa] Fix issue in TokenBrokerResolver: second configured authentication method was ignored

Version 2.4.1-SNAPSHOT

• [java-security] Another Snapshot Version with improved error handling and option to configure the ClosableRestClient in context of the JwtValidatorBuilder and TokenAuthenticator.

Version 2.4.0-SNAPSHOT

• [java-security] Initial / Snapshot version of the new plain Java security libraries as documented here.
• [token-client] OidcConfigurationServiceWithCache supports basically Open-id Configuration endpoints as documented here.
• [token-client] OAuth2TokenKeyServiceWithCache supports JWKS endpoint with cache of identity service as documented here.

Version 2.3.0

2.3.0

• [spring-xsuaa] Spring tests fail with version 2.2.0, when auto-configuration is disabled and no RestOperations bean is specified.
• [token-client] Supports basically JWT Bearer Token Grant as documented here. NOTE this will no longer provide a refresh token!
• [token-client] Bug fix for state issue in HttpHeaderFactor (#200) that causes interference between different types of token flows.
• [spring-xsuaa] xsuaa bindings of plan apiaccess does not cause an error, as they get ignored for token validation.

Version 2.2.0

• [spring-xsuaa] PropertySourceFactory supports custom property sources and default can optionally be disabled with spring.xsuaa.disable-default-property-source=true
• [spring-xsuaa] Supports Spring Core 5.2.0.RELEASEand Spring Boot 2.2.0.RELEASE
• [spring-xsuaa] Deprecates TokenUrlUtils in favor of OAuth2ServiceEndpointsProvider
• [spring-xsuaa] XsuaaJwtDecoderBuilder can be configured with your RestOperations (RestTemplate). When using auto-configuration your RestTemplate bean is used by default.
• Internally, we've cleaned up maven dependencies (converged versions) and
  • removed transient dependency of spring-security-oauth2 to jackson.
  • introduced org.owasp.dependency-check-maven which performs CVSS checks.
• [token-client] supports password token flows as documented here.

Hint:

• Make sure that in @SpringBootTest annotation the XsuaaAutoConfiguration is specified before the XsuaaTokenFlowAutoConfiguration class.