Releases: SAP/cloud-security-services-integration-library

Version 2.13.7

06 Mar 08:37
2a8dedf

[token-client]

  • Fixes a regression caused by the logback dependency not being declared with test scope

Dependency upgrades

  • Bump org.json from to 20230227

Version 2.13.6

27 Feb 08:23
a8080ec

[env]

  • CFEnvironment now uses the btp-environment-variable-access library to read configuration from VCAP_SERVICES

[java-security]

  • XsUserInfoAdapter.getSystemAttribute() now supports xs.system.attributes token values in string format as well as string array format

‼️ The slf4j API version has been reverted to 1.7.x to stay in line with the slf4j API version supported by spring-boot 2.x

Dependency upgrades

  • Bump spring.boot.version from 2.7.8 to 2.7.9
  • Bump spring.security.version from 5.8.1 to 5.8.2

Full Changelog: 2.13.5...2.13.6

Version 2.13.5

30 Jan 08:54
7003f89

[spring-xsuaa]

  • improved logging for JwtAudienceValidator

[java-security]

  • enables token validation without zones

Dependency upgrades

  • Bump httpclient from 4.5.13 to 4.5.14
  • Bump btp-environment-variable-access java-bom from 0.5.1 to 0.5.2
  • Bump spring.boot.version from 2.7.5 to 2.7.8
  • Bump spring.core.version from 5.3.23 to 5.3.25
  • Bump spring.security.version from 5.7.5 to 5.8.1
  • Bump slf4j.api.version from 2.0.3 to 2.0.6

Full Changelog: 2.13.4...2.13.5

Version 2.13.4

04 Nov 08:32
ab971c3

[spring-xsuaa][spring-security]

[java-security-test]

  • scim_id added as default attribute for identity token Jwt generator

Dependency upgrades

  • Bump spring.security.version from 5.7.3 to 5.7.5
  • Bump btp-environment-variable-access java-bom from 0.4.1 to 0.5.1
  • Bump spring.boot.version from 2.7.3 to 2.7.5
  • Bump reactor-core from 3.4.23 to 3.4.24
  • Bump slf4j.api.version from 2.0.0 to 2.0.3
  • Bump spring-boot-starter-parent from 2.7.3 to 2.7.5

Version 2.13.3

09 Sep 06:34
4565f49

[spring-xsuaa-starter]

  • Patches the CVE-2022-25857 vulnerability in a transitive dependency of the spring boot starter.

Dependency upgrades

  • Bump spring-boot-starter-parent from 2.7.1 to 2.7.3
  • Bump slf4j.api.version from 1.7.36 to 2.0.0

Version 2.13.2

22 Aug 06:14
1c4de28

[java-security]

  • Fixes a regression in XSUserInfoAdapter.getMultiValueAttributeFromExtObject() where an error was thrown when accessing xs.user.attributes with an empty array value. An error is now thrown only for a non-existing attribute, as before 2.12.3.

Dependency upgrades

Version 2.13.1

11 Aug 07:44
43de259

[token-client]

  • DefaultHttpClientFactory creates CloseableHttpClient with disabled redirects to avoid security vulnerabilities.
    ‼️ For your custom CloseableHttpClient implementation make sure to disable redirects as well. ‼️

  • All TokenServices and TokenKeyServices now add a user-agent header to every outgoing request. Its value is
    token-client/x.x.x, where x.x.x is the token-client version in use.
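
A check for the redirect note above, as an added example (not the library's own code): it builds a custom Apache HttpClient 4.x `CloseableHttpClient` with redirect handling disabled and confirms against a constructed local endpoint that a 302 is handed back to the caller rather than followed. The class name, the `/token` and `/elsewhere` paths and the local test server are assumptions for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicInteger;

public class NoRedirectClientCheck {
    // Custom client intended for token-client services: redirects are never followed.
    static CloseableHttpClient newClient() {
        return HttpClients.custom().disableRedirectHandling().build();
    }

    // Returns the status code the client hands back to the caller for the given URL.
    static int statusFor(CloseableHttpClient client, String url) throws Exception {
        try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            return response.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local endpoint: /token answers 302 to /elsewhere, which must never be hit.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        AtomicInteger followed = new AtomicInteger();
        server.createContext("/token", ex -> {
            ex.getResponseHeaders().add("Location", "/elsewhere");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        server.createContext("/elsewhere", ex -> {
            followed.incrementAndGet();
            ex.sendResponseHeaders(200, -1);
            ex.close();
        });
        server.start();
        try (CloseableHttpClient client = newClient()) {
            String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/token";
            int status = statusFor(client, url);
            if (status != 302 || followed.get() != 0) {
                throw new IllegalStateException("client followed a redirect");
            }
            System.out.println("redirect not followed, status " + status);
        } finally {
            server.stop(0);
        }
    }
}
```

Replacing `newClient()` with the factory method of your own client turns this into a regression check for that configuration.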

[spring-xsuaa]

  • XsuaaJwtDecoder catches the base64 decoder IllegalArgumentException that can be caused by decoding a malformed verificationkey from the xsuaa service configuration, to avoid 500 Internal Server Error responses

Dependency upgrades

Version 2.13.0

20 Jul 07:28

[env]

[token-client]

  • NPE bug fix for UriUtil.replaceSubdomain(@Nonnull URI, @Nullable subdomain) in cases where the provided URI does not contain a host (no http/s scheme provided) #943

[samples]

  • java-security-usage, spring-security-basic-auth and spring-security-hybrid-usage adjusted for use with service-operator versions higher than v0.2.3

Dependency upgrades

  • Bump log4j2.version from 2.17.2 to 2.18.0
  • Bump spring.core.version from 5.3.21 to 5.3.22
  • Bump reactor-core from 3.4.19 to 3.4.21

Full Changelog: 2.12.3...2.13.0

Version 2.12.3

04 Jul 06:43

[spring-xsuaa][spring-security-compatibility]

  • Bug fix for #910: the XsuaaToken.getXSUserAttribute and XsuaaTokenComp.getXSUserAttribute methods return null if the claim is not present, as documented in the javadoc.

[java-api]

  • Token.getAttributeFromClaimAsStringList javadoc has been fixed: this method is supposed to return an empty List in case of a missing attribute instead of null

Dependency upgrades

  • Bump spring.security.version from 5.7.1 to 5.7.2
  • Bump spring.boot.version from 2.7.0 to 2.7.1
  • Bump spring.core.version from 5.3.20 to 5.3.21
  • Bump reactor-core from 3.4.18 to 3.4.19
  • Bump spring-boot-starter-parent version from 2.6.7 to 2.7.1

Version 2.12.2

23 May 15:48

[spring-xsuaa][spring-security]

Dependency upgrades

  • Bump spring.security.version from 5.6.3 to 5.7.1
  • Bump spring.boot.version from 2.6.7 to 2.7.0
  • Bump com.squareup.okhttp3:mockwebserver to 4.9.3