Bump com.sap.cloud.security:java-api from 3.6.9 to 4.0.5 in /ams-cap-bookshop

[dependabot]

Bumps com.sap.cloud.security:java-api from 3.6.9 to 4.0.5.

Release notes

Sourced from com.sap.cloud.security:java-api's releases.

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

improve domain validation handling

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9

... (truncated)

Changelog

Sourced from com.sap.cloud.security:java-api's changelog.

4.0.5

• Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility

  • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
  • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
  • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally

• Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension

  • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
  • The app_tid is extracted from the incoming access token and included when present

4.0.4

• Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

• Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

• Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0 - Major Release

This is a major release with breaking changes. The library has been upgraded to Spring Boot 4.x and Jakarta EE 10. For applications still on Spring Boot 3.x, compatibility modules are provided. Please check the 4.0 Migration Guide for comprehensive upgrade instructions

⚠️ BREAKING CHANGES

Spring Boot and Jakarta EE Version Upgrades

• Spring Boot: Upgraded from 3.x to 4.0.3
• Spring Framework: Upgraded from 6.x to 7.0.5
• Spring Security: Upgraded from 6.x to 7.0.3
• Jakarta Servlet API: Upgraded from 6.0.0 to 6.1.0
• Java: Minimum version remains Java 17
• JUnit Jupiter: Upgraded from 5.12.2 to 6.0.3

HTTP Client Default Changed

Token-client module now uses Java 11's HttpClient as the default implementation. Apache HttpClient 4 remains available as a dependency for backward compatibility.

Impact:

• ✅ No code changes required if you use the default (parameterless) constructors
• ⚠️ Deprecated constructors added for backward compatibility with Apache HttpClient 4
• ❌ Will be removed in version 5.0.0 - Plan to migrate to Java HttpClient or custom implementation

... (truncated)

Commits

• 2f9e42e Feature/restore httpclientfactory services (#1948)
• eddb3a9 Bugfix/add app tid to id token exchange (#1949)
• acb1d15 improve domain validation handling (#1945)
• ed3b9ef Bugfix/4.0.2 (#1939)
• ea432c8 Bugfix/4.0.2 (#1938)
• 4dce88b Merge pull request #1936 from SAP/feature/token-client-spring-3-module
• 3073f80 docs: Update migration guide with correct Spring Boot 3.x starter name
• f25b05e refactor: Centralize Spring Boot 3.x versions in parent POM
• c3fba41 feat: Add token-client-spring-3 module for Spring Boot 3.x compatibility
• 315650b Bugfix/id token exchange cert url and release 4.0.1 (#1935)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)