
Releases: SAP/cloud-security-services-integration-library

Version 3.4.2

26 Apr 08:17
5255a2c
  • [spring-security]
    • fixes an NPE bug introduced in the HybridJwtDecoder when the incoming request does not
      contain the x-forwarded-client-cert header
    • SecurityContextAutoConfiguration, which synchronises all SecurityContexts, is now enabled by default. To disable it,
      set the sap.spring.security.hybrid.sync_securitycontext Spring property to false

Version 3.4.1

25 Apr 12:56
  • [spring-security] fixes an NPE bug introduced in the IasJwtDecoder when the incoming request does not
    contain the x-forwarded-client-cert header

Dependency upgrades

  • Bumps spring.boot.version from 3.2.4 to 3.2.5.
  • Bumps slf4j.api.version from 2.0.12 to 2.0.13
  • Bumps spring.security.version from 6.2.3 to 6.2.4.

Version 2.17.5

19 Apr 16:11
2b6c678

Dependency upgrades

  • bump spring-core version to 5.3.34
  • bump spring-security version to 5.8.12

Version 3.4.0

12 Apr 11:49
9852a6b
  • [java-api] SecurityContext has been extended with a thread local storage for Service
    Plans. setServicePlans(), getServicePlans(), clearServicePlans() methods have been added.
  • [java-security]
    • added support for Identity Service Proof Token validation. Proof Token validation can be enabled by
      calling JwtValidatorBuilder.enableProofTokenCheck(). Once enabled, it forwards the X509 client certificate from the
      request header x-forwarded-client-cert as the x-client_cert header to the /oauth2/token_keys endpoint.
    • DefaultOAuth2TokenKeyService saves the service plans from the response header x-osb_plan (identity broker service plan)
      in the new SecurityContext thread local storage for Service Plans. The header should be available when proof token validation is enabled.
      In this case, an x-client_cert header is sent in the request to /oauth2/token_keys, which should trigger the x-osb_plan response header.
  • [spring-security] fixes a bug in ReactiveHybridJwtDecoder when parsing iat claim #1490

Dependency upgrades

  • Bump commons-io:commons-io from 2.15.1 to 2.16.1
  • Bump spring.boot.version from 3.2.2 to 3.2.4
  • Bump spring.core.version from 6.1.5 to 6.1.6
  • Bump io.projectreactor:reactor-core from 3.6.2 to 3.6.5
  • Bump com.sap.cloud.environment.servicebinding:java-bom from
    0.10.3 to 0.10.4
  • Bump spring.security.version from 6.2.1 to 6.2.3
  • Bump org.springframework:spring-web from 6.1.4 to 6.1.5
  • Bump org.json:json from 20240205 to 20240303

Version 2.17.4

12 Apr 13:31

Dependency Upgrades

  • bump spring-core version to 5.3.33
  • bump spring-security version to 5.8.11
  • bump log4j2.version to 2.23.1
  • bump commons io version to 2.16.1
  • bump org.json.version to 20240303
  • bump sap.cloud.env.servicebinding.version to 0.10.4

Version 3.3.5

19 Feb 08:21
  • [spring-xsuaa] fixes an NPE bug in XsuaaJwtDecoder when the uaadomain value is null
  • [spring-security] reactive token validation is now supported with the help of ReactiveSecurityContext
    and ReactiveHybridJwtDecoder, allowing more versatile use of the spring-security library; see also
    the spring-security ReadMe.md
  • [samples]

Dependency upgrades

  • Bump com.sap.cloud.environment.servicebinding from 0.10.2 to 0.10.3
  • Bump slf4j.api.version from 2.0.11 to 2.0.12
  • Bump org.json:json from 20231013 to 20240205
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1
  • Bump spring.boot.version from 3.2.1 to 3.2.2
  • Bump spring.core.version from 6.1.3 to 6.1.4

Version 2.17.3

16 Jan 14:29
  • [java-security]
    • add name property of service binding as property to OAuth2ServiceConfiguration
    • reduce HybridTokenFactory logging noise - in case of missing service configuration warn message will be logged just once
  • [java-api]
    • add ServiceConstant#NAME which can be used to access that property
  • [env]
    • service plan property is no longer uppercased when building OAuth2ServiceConfiguration from service bindings of the environment
  • [spring-security]
    • fixes a bug in which a second XSUAA configuration of plan "broker" was ignored in spring-security auto-configuration for versions >= 2.16.0 and < 2.17.3
    • add setName, getName, setPlan, getPlan to OAuth2ServiceConfigurationProperties, which means the list of XsuaaServiceConfigurations can now be filtered based on these properties.
  • [token-client]
    • remove httpclient caching from DefaultHttpClientFactory (#1416)

Dependency upgrades

  • bump spring-core version to 5.3.31
  • bump spring-security version to 5.8.9
  • bump commons io version to 2.15.1

Version 3.3.4

12 Jan 13:31
dab6574
  • [env] service plan property is no longer uppercased when building OAuth2ServiceConfiguration from service bindings of the environment
  • [spring-security] fixes a bug in which a second XSUAA configuration of plan "broker" was ignored in spring-security auto-configuration for versions 3.3.2 and 3.3.3

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.6.1 to 3.6.2
  • Bump spring.core.version from 6.1.2 to 6.1.3
  • Bump slf4j.api.version from 2.0.10 to 2.0.11

Version 3.3.3

05 Jan 13:46
  • [java-security]
    • reduce HybridTokenFactory logging noise - in case of missing service configuration warn message will be logged just once
    • upgrade jetty ee9 to jetty ee10
  • [java-security-test]
    • fixes version mismatch issue when jetty BoM is used
    • JwtGenerator ensures that claims are always in the same order
  • [token-client]
    • remove httpclient caching from DefaultHttpClientFactory (#1416)

Dependency upgrades

  • Bump spring.boot.version from 3.2.0 to 3.2.1
  • Bump spring.core.version from 6.0.14 to 6.1.2
  • Bump log4j2.version from 2.22.0 to 2.22.1
  • Bump slf4j.api.version from 2.0.9 to 2.0.10

Version 3.3.2

20 Dec 14:50
  • [java-security]
    • add name property of service binding as property to OAuth2ServiceConfiguration
  • [java-api]
    • add ServiceConstant#NAME which can be used to access that property
  • [spring-security]
    • IdentityServicesPropertySourceFactory now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'.
    • XsuaaServiceConfigurations#getConfigurations now contains ALL Xsuaa configurations found as a result of the previous change
    • HybridIdentityServicesAutoConfiguration was adjusted for backward compatibility to still create a JwtDecoder that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker')
    • add setName, getName, setPlan, getPlan to OAuth2ServiceConfigurationProperties, which means the list of XsuaaServiceConfigurations can now be filtered based on these properties.
  • [java-security-test]
    • upgrade the Jetty servlet to jetty-ee9-servlet (fixes issues with the Spring Boot 3.2 upgrade)

Dependency upgrades

  • Bump spring.boot.version from 3.1.6 to 3.2.0
  • Bump spring.core.version from 6.0.14 to 6.1.2
  • Bump spring.security.version from 6.2.0 to 6.2.1
  • Bump commons-io:commons-io from 2.15.0 to 2.15.1
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.3 to 5.3
  • Bump log4j2.version from 2.21.1 to 2.22.0
  • Bump io.projectreactor:reactor-core from 3.5.11 to 3.6.0
  • Bump org.eclipse.jetty:jetty-bom from 11.0.18 to 12.0.5