Releases: SAP/cloud-security-services-integration-library

BETA Version 0.1.0

17 Feb 11:55
757c745

0.1.0 [BETA] ⭐

[spring-security] New Spring Boot security client library that supports token validation from the XSUAA and IAS identity providers in parallel, as described here.

An initial migration guide on how to migrate from spring-xsuaa is available here.

Version 2.8.5

17 Feb 10:10
ad95524

2.8.5

  • [java-security] load environment from VCAP_SERVICES formatted json file (#471)
  • [java-security] performance: make sure ServiceLoader loads services only once (#467)
  • [java-api] move getAttributeFromClaimAsString and getAttributeFromClaimAsStringList methods from AccessToken to its Token parent interface.

Version 2.8.4

27 Jan 16:27
  • [java-security] Make HybridTokenFactory more failure tolerant
  • [spring-xsuaa-test] Prefills "ext_atr" "enhancer" with XSUAA

Update Versions

  • [all]
    • commons-io 2.6 --> 2.8.0
    • org.apache.httpcomponents » httpclient 4.5.9 --> 4.5.13
    • spring.core.version 5.3.2 --> 5.3.3
    • spring.boot.version 2.4.1 --> 2.4.2
  • [java-security-test]
    • org.eclipse.jetty 9.4.35.v20201120 --> 9.4.36.v20210114
  • [token-client]
    • caffeine 2.8.6 --> 2.8.8
    • org.json 20200518 --> 20201115
  • [spring-xsuaa]
    • caffeine 2.8.6 --> 2.8.8
    • reactor-core 3.3.7.RELEASE --> 3.4.2
    • log4j-to-slf4j 2.13.3 --> 2.14.0

Version 2.8.3

15 Jan 17:35
16ee313
  • [java-api] AccessToken exposes the getSubaccountId() method. Further information about the usage of getSubaccountId() and getZoneId() can be read here.
  • [java-api] [java-security] allows hybrid token creation via Token.create(String encodedToken). The feature is available when using token authenticator. In order to avoid ServiceLoader issues, make sure that you don't mix up different versions of these client libraries. E.g., it's not possible to use com.sap.cloud.security:java-api:2.8.3 together with com.sap.cloud.security:java-security:2.8.2. See also here.
  • [samples/sap-java-buildpack-api-usage] uses SAP Java Buildpack BoM (sample).
  • [token-client] UserTokenFlow enhances request with X-zid header that corresponds to zone id.

Version 2.8.2

07 Jan 16:08
1a30a08

2.8.2

  • [java-security]
    • HOTFIX for 2.8.1 version.
    • Beta release of ias2xsuaa token exchange. Further information can be found here.

Version 2.8.1

30 Dec 17:25
42facb5

2.8.1

  • [spring-xsuaa]
    • Beta release of ias2xsuaa token exchange. Further information can be found here.
    • Replaces dependencies to JSON Parser of net.minidev with org.json (fixes #414).
    • The following dependencies were updated:
      • spring.boot.version 2.3.5.RELEASE --> 2.4.1
      • spring.core.version 5.2.10.RELEASE --> 5.3.2
      • spring.security.version 5.3.5.RELEASE --> 5.4.2

Version 2.8.0

26 Nov 16:16
974227d
  • [java-security]
    • getClientId() method was added to Token interface. getClientId() method should be used instead of getClaimAsString(TokenClaims.XSUAA.CLIENT_ID). TokenClaims.XSUAA.CLIENT_ID is deprecated.
    • Supports IAS token validation. IAS_SERVICE_NAME no longer has to be provided. You can find a sample here.
  • [java-security-test] If you want to overwrite the client id in JwtGenerator using the withClaimValue() or withClaimValues() method, it's recommended to set the azp claim instead, using withClaimValue(TokenClaims.AUTHORIZATION_PARTY, "T000310").
  • [spring-xsuaa]
    • getClientId() method implementation of Token interface has been changed. It now uses the azp claim and, as fallback, the aud and cid claims to obtain the client id.
  • ⚠️ backward incompatible change: usage of deprecated org.springframework.security.oauth:spring-security-oauth2 dependency in OAuth2AuthenticationConverter was removed.
    OAuth2AuthenticationConverter.convert() method return type has changed from org.springframework.security.oauth2.provider.OAuth2Authentication to org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
    • Migration tips
      • when necessary, the org.springframework.security.oauth:spring-security-oauth2 dependency needs to be provided explicitly
      • OAuth2WebSecurityExpressionHandler() won't work in conjunction with OAuth2AuthenticationConverter, as it expects OAuth2Authentication class instead of BearerTokenAuthentication when deriving authorization claims. Use hasAuthority() or hasAnyAuthority() instead of explicitly defined expressionHandler(new OAuth2WebSecurityExpressionHandler()) and access() expression for authorized requests.
  • The following dependency was removed:
    • org.springframework.security.oauth:spring-security-oauth2
  • The following dependencies were updated:
    • spring.boot.version 2.3.4.RELEASE --> 2.3.5.RELEASE
    • spring.core.version 5.2.9.RELEASE --> 5.2.10.RELEASE
    • spring.security.version 5.3.4.RELEASE --> 5.3.5.RELEASE
    • caffeine.version 2.8.2 --> 2.8.6

Version 2.7.8

15 Oct 17:09
1c807eb
  • [java-security-test] Supports JUnit 5 Tests with XsuaaExtension, IasExtension and SecurityTestExtension as documented here.
  • [java-security] Does not fail in case of Xsuaa services of type: apiaccess (#382).
  • [spring-xsuaa-starter] Upgrade Spring versions:
    • spring.boot.version: 2.3.1.RELEASE --> 2.3.4.RELEASE
    • spring.core.version: 5.2.8.RELEASE --> 5.2.9.RELEASE
  • The following dependencies were updated:
    • Jetty 9.4.24.v20191120 --> 9.4.31.v20200723
    • javax.servlet-api.version 3.0.1 --> 3.1.0
    • Apache HTTP client 4.5.8 --> 4.5.9
    • Wiremock 2.25.1 --> 2.27.2

Version 2.7.7

10 Sep 07:34
5e48468

2.7.7

  • [spring-xsuaa] Update Spring versions
    • spring.core.version: 5.2.7.RELEASE --> 5.2.8.RELEASE
    • spring.security.version: 5.3.3.RELEASE --> 5.3.4.RELEASE
  • [java-security-test] SecurityTest and SecurityTestRule provide better support for integration tests with a mockserver. It is now possible to upload the configuration and the token from a json file. Take our integration tests as a sample java-security-it.
  • [java-security] DefaultJsonObject.getAsStringList(propertyName) parses the JSON object for a given property and returns a String list. This also works when the property is not a JSON array but a JSON String.
  • [java-security-it] New integration test project. Existing integration tests have been restructured and moved here. Additionally, JWT token validation performance tests have been added for java-security and spring-xsuaa.

Version 2.7.6

18 Aug 15:08
a4e0f20
  • [token-client] Fixes ClientCredentialsTokenFlow.scopes() and UserTokenFlow.scopes() to support multiple scopes. The scope form parameter has to provide a space-delimited list (and not comma-delimited list).
  • [java-security] Improve compatibility of SAPOfflineTokenServicesCloud
    • There was an incompatibility in the implementation of SAPOfflineTokenServicesCloud that caused the remoteUser of the HttpServletRequest to always return the client id of the XSUAA service binding. This was changed so that it now works like in the old implementation. This means that the remoteUser now returns either the user_name claim of the token for user tokens or the value of the client id cid claim of the token for all other tokens (e.g. client tokens).