@dependabot dependabot bot commented on behalf of github Dec 13, 2023

Bumps com.sap.cloud.security.xsuaa:spring-xsuaa from 2.3.2 to 2.17.0.

Release notes

Sourced from com.sap.cloud.security.xsuaa:spring-xsuaa's releases.

Version 2.17.0

⚠️ When using the java-security-test module you might need to adjust the uaadomain in the service configuration to include the port the WireMock token key server is running on, e.g. change it from localhost to http://localhost:XXXX (the WireMock token key server address is available via testRule.getWiremockServer().baseUrl()).

  • [java-security]
    • [XSUAA/IAS] Adapt optimized server API
  • [spring-xsuaa]
    • Adapt optimized server API

Version 2.16.0

  • [env]
    • add Environment#getServiceConfigurationsAsList to retrieve all service configurations as lists mapped by service (XSUAA/IAS)
  • [spring-security]
    • IdentityServicesPropertySourceFactory now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'.
    • XsuaaServiceConfigurations#getConfigurations now contains ALL Xsuaa configurations found as a result of the previous change
    • HybridIdentityServicesAutoConfiguration was adjusted for backward compatibility to still create a JwtDecoder that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker')

Dependency upgrades

  • Bump spring.security.version from 5.8.7 to 5.8.8
  • Bump spring.boot.version from 2.7.16 to 2.7.17
  • Bump log4j2 from 2.20.0 to 2.21.1
  • Bump com.sap.cloud.environment.servicebinding from 0.10.0 to 0.10.1
  • Bump commons-io from 2.14.0 to 2.15.0

Version 2.15.0

🔥 Hot fix for CVE-2023-5072

  • [java-security]
    • add x-azp header to IAS JWKS fetching and adjust JWKS cache key
    • OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
      • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump org.json.version from 20230618 to 20231013
  • Bump spring.security.version from 5.8.6 to 5.8.7
  • Bump spring.boot.version from 2.7.15 to 2.7.16
  • Bump spring.core.version from 5.3.29 to 5.3.30
  • Bump reactor-core from 3.4.32 to 3.4.33
  • Bump com.sap.cloud.environment.servicebinding 0.9.0 to 0.10.0
  • Bump commons-io from 2.13.0 to 2.14.0

Version 2.14.2

  • [java-security]
    • Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
  • [token-client]
    • fixes a JWKS fetch issue with the identity service when app_tid is not present in the token: the X-app_tid and X-client_id headers are only added when both values are available.
    • DefaultOAuth2TokenService
      • fixes an issue where, in case of an unsuccessful token fetch, the OAuth2ServiceException.withHeaders() headers field was filled with only one entry containing all headers as a string
    • DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
      • improved error handling
        • the OAuth2ServiceException thrown in the status code != 200 case no longer gets swallowed
        • fixes semantically incorrect OAuth2ServiceException.withHeaders() behavior where headers were filled with request headers instead of response headers

... (truncated)

Changelog

Sourced from com.sap.cloud.security.xsuaa:spring-xsuaa's changelog.

Change Log

All notable changes to this project will be documented in this file.

3.3.1

✅ Resolves a Breaking Change introduced in version 3.3.0. Consumers should be able to update to 3.3.1 from a version < 3.3.0 without having to adjust test credentials used in their unit tests when using java-security-test or spring-xsuaa-mock.

In version 3.3.1, when java-security-test is loaded (which should only occur during testing), credentials with localhost as the uaadomain (XSUAA) or trusted domains (IAS) can be used to validate tokens that include a port for localhost in their jku (XSUAA) or issuer (IAS). It's important to note that token validation is less strict in this case and may accept certain edge cases of malicious tokens that would not be accepted in a production environment.

Dependency upgrades

  • Bump spring.boot.version from 3.1.5 to 3.1.6
  • Bump spring.core.version from 6.0.13 to 6.0.14
  • Bump spring.security.version from 6.1.5 to 6.2.0
  • Bump apache.httpclient5.version from 5.2.1 to 5.2.3
  • Bump wiremock.version from 3.0.0-beta-10 to 3.3.1 and replace org.wiremock.wiremock-standalone with com.github.tomakehurst.wiremock
  • Bump logback-core, logback-classic from 1.4.6 to 1.4.14

3.3.0

Breaking Change ⚠️ [java-security-test] (Resolved in version 3.3.1): To validate mocked XSUAA tokens issued by the java-security-test module, the UAA_DOMAIN property of the service configuration must now include the full address of the Wiremock server in the format http://localhost:<PORT>.
Likewise, for validating IAS tokens issued by the java-security-test module, the trusted domains array of the service configuration needs to include the Wiremock URL including the port but NOT the protocol, i.e. in the format localhost:<PORT>.
The full Wiremock URL including http:// and <PORT> is available via SecurityTestContext#getWireMockServer#baseUrl.

  • [java-security]
    • [XSUAA/IAS] Adapt optimized server API
  • [spring-xsuaa]
    • Adapt optimized server API

3.2.1

Hot fix for CVE-2023-5072

Dependency upgrades

  • Bump spring.boot.version from 3.1.4 to 3.1.5
  • Bump log4j2.version from 2.20.0 to 2.21.0
  • Bump spring.security.version from 6.1.4 to 6.1.5
  • Bump org.json:json from 20230618 to 20231013

3.2.0

  • [java-security]
    • add x-azp header to IAS JWKS fetching and adjust JWKS cache key
    • OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
      • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.5.9 to 3.5.11
  • Bump spring.core.version from 6.0.11 to 6.0.13
  • Bump spring.security.version from 6.1.3 to 6.1.4
  • Bump commons-io:commons-io from 2.13.0 to 2.14.0
  • Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
  • Bump spring.boot.version from 3.1.3 to 3.1.4
  • Bump slf4j.api.version from 2.0.7 to 2.0.9

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [com.sap.cloud.security.xsuaa:spring-xsuaa](https://github.com/SAP/cloud-security-xsuaa-integration) from 2.3.2 to 2.17.0.
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@2.3.2...2.17.0)

---
updated-dependencies:
- dependency-name: com.sap.cloud.security.xsuaa:spring-xsuaa
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot added the "dependencies" label (Pull requests that update a dependency file) on Dec 13, 2023

@lmb-aleleite commented:

Approve this, man
