Merge branch 'main' into autoconfig_for_prooftoken_validation

pom.xml

@@ -58,12 +58,12 @@
 		<maven.source.plugin.version>3.2.1</maven.source.plugin.version>
 		<!-- make sure that spring core and spring boot versions are compatible-->
 		<spring.boot.version>3.2.5</spring.boot.version>
-		<spring.core.version>6.1.6</spring.core.version>
+		<spring.core.version>6.1.7</spring.core.version>
 		<spring.security.version>6.2.4</spring.security.version>
 		<spring.security.oauth2.version>2.5.2.RELEASE</spring.security.oauth2.version>
 		<spring.security.jwt.version>1.1.1.RELEASE</spring.security.jwt.version>
 		<org.eclipse.jetty.version>12.0.7</org.eclipse.jetty.version>
-		<reactor.version>3.6.5</reactor.version>
+		<reactor.version>3.6.6</reactor.version>
 		<log4j2.version>2.23.1</log4j2.version>
 		<slf4j.api.version>2.0.13</slf4j.api.version> <!--see also here http://www.slf4j.org/faq.html#changesInVersion18 -->
 		<org.json.version>20240303</org.json.version>
@@ -80,7 +80,7 @@
 		<mockito.version>5.12.0</mockito.version>
 		<assertj.version>3.25.3</assertj.version>
 		<wiremock.version>3.5.4</wiremock.version>
-		<reactor.test.version>3.6.5</reactor.test.version>
+		<reactor.test.version>3.6.6</reactor.test.version>
 		<javax.annotation.version>1.3.2</javax.annotation.version>
 		<spotbugs.annotations.version>4.8.5</spotbugs.annotations.version>
 		<spotbugs.version>4.8.5.0</spotbugs.version>
@@ -385,7 +385,7 @@
 						<plugin>
 							<groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
 							<artifactId>dependency-check-maven</artifactId>
-							<version>9.1.0</version>
+							<version>9.2.0</version>
 							<executions>
 								<execution>
 									<goals>

spring-security-starter/src/main/resources/META-INF/spring.factories

@@ -0,0 +1,2 @@
+org.springframework.boot.env.EnvironmentPostProcessor=\
+com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor

spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -1,4 +1,3 @@
 com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration
 com.sap.cloud.security.spring.autoconfig.HybridAuthorizationAutoConfiguration
 com.sap.cloud.security.spring.autoconfig.XsuaaTokenFlowAutoConfiguration
-com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration

spring-security/README.md

@@ -84,7 +84,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/
 | [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java)       | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority`. Supports only single Xsuaa binding |
 | [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service<br/>Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties).                                                                                                                          |
 | [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java)                 | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication                                                                                                                                                                                                                                                                                                                                          |
-| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java)               | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync                                                                                                                                                                                                   |
+| [SecurityContextEnvironmentPostProcessor](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java)               | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync                                                                                                                                                                                                   |
 
 #### Autoconfiguration properties
 | Autoconfiguration property              | Default value | Description                                                                                                             |
@@ -96,7 +96,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/
 You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html).
 
 #### Multiple Xsuaa configurations
-:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. 
+:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured.
 The bean needs to be created manually based on the service configuration you want the converter to be initialized with.
 
 For example, to create a converter that removes the application identifier of the *first* XSUAA configuration from the scope names, you could create the following bean:
@@ -122,7 +122,7 @@ This is an example how to configure your application as Spring Security OAuth 2.
 @EnableWebSecurity
 @PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" })
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
-    
+
     @Autowired
     Converter<Jwt, AbstractAuthenticationToken> authConverter; // only required for XSUAA
 
@@ -141,11 +141,11 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 }
 ```
 
-> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token. 
+> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token.
 > In case you need to consider authorizations provided via an OIDC token from IAS you need to provide your own converter instead.
 
 #### Custom Authorization Converter
-You may want to configure the security chain with your own Authorization Converter by implementing the `Converter<Jwt, AbstractAuthenticationToken>` interface. 
+You may want to configure the security chain with your own Authorization Converter by implementing the `Converter<Jwt, AbstractAuthenticationToken>` interface.
 Here is an example implementation that provides authorities based on Identity service groups.
 The leading prefix "IASAUTHZ_" is removed for easier authorization checks.\
 The implementation delegates to the default `authConverter` in case of an Xsuaa access token.
@@ -284,11 +284,11 @@ public class Listener {
 
      @Autowired
      JwtDecoder jwtDecoder;
-    
+
      @Autowired
      Converter<Jwt, AbstractAuthenticationToken> authConverter;
 
-    
+
      public void onEvent(String encodedToken) {
         if (encodedToken != null) {
             SpringSecurityContext.init(encodedToken, jwtDecoder, authConverter);
@@ -327,15 +327,15 @@ In an `application.yml` the test configuration suitable for use with `java-secur
 sap.security.services:
     identity:
       clientid:  sb-clientId!t0815  # SecurityTest.DEFAULT_CLIENT_ID
-      domains:   
+      domains:
         - localhost                 # SecurityTest.DEFAULT_DOMAIN
     xsuaa:
       xsappname: xsapp!t0815        # SecurityTest.DEFAULT_APP_ID
       uaadomain: localhost          # SecurityTest.DEFAULT_DOMAIN
       clientid:  sb-clientId!t0815  # SecurityTest.DEFAULT_CLIENT_ID
       url:       http://localhost   # SecurityTest.DEFAULT_URL
-```  
-	
+```
+
 #### Multiple XSUAA bindings
 
 If you need to manually configure the application for more than one XSUAA service instances (e.g. one of
@@ -344,9 +344,9 @@ plan `application` and another one of plan `broker`).
 ````yaml
  sap.security.services:
    xsuaa[0]:
-     ...     # credentials of XSUAA of plan 'application' 
+     ...     # credentials of XSUAA of plan 'application'
    xsuaa[1]:
-     clientid:  # clientid of XSUAA of plan 'broker' 
+     clientid:  # clientid of XSUAA of plan 'broker'
 ````
 
 :warning: Autoconfiguration for multiple Xsuaa service instance bindings is not available for
@@ -355,10 +355,10 @@ You will need to provide it manually. An example can be
 found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java).
 
 ### Local testing
-To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application. 
+To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application.
 There are two ways how to provide the service configuration to your Spring Boot application:
-1. As Spring properties in `application.yaml` or `application.properties` files 
-   
+1. As Spring properties in `application.yaml` or `application.properties` files
+
    The security library requires the following key value pairs to start successfully:
    - For Xsuaa
      ```yaml
@@ -374,33 +374,33 @@ There are two ways how to provide the service configuration to your Spring Boot
        sap.security.services:
            identity:
              clientid:  sb-clientId!t0815  # SecurityTest.DEFAULT_CLIENT_ID
-             domains:   
+             domains:
                - localhost                 # SecurityTest.DEFAULT_DOMAIN
        ```
-   
+
    :bulb: The provided values above correspond with the [JwtGenerator](../java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java) default values from `java-security-test` library, meaning you can generate tokens and test them with this service configuration.
 
-2. As `VCAP_SERVICES` environment variable 
+2. As `VCAP_SERVICES` environment variable
     The value of the `VCAP_SERVICES` environment variable needs to be in the following format
    ```json
    {"xsuaa": [
                 {
-                  "credentials": {                   
+                  "credentials": {
                           "clientid": "sb-clientId!t0815",
-                          "xsappname": "xsapp!t0815",                   
-                          "uaadomain": "localhost",                                    
-                          "url": "https://localhost"           
-                  }    
+                          "xsappname": "xsapp!t0815",
+                          "uaadomain": "localhost",
+                          "url": "https://localhost"
+                  }
                 }
              ]
    }
    ```
-> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit. 
+> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit.
 > Then, use this data to populate the application.yml or the VCAP_SERVICES environment variable.
 
 
 ## Troubleshooting
-In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose) 
+In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose)
 and include the following details:
 - any security-related dependencies used including version, get maven dependency tree with `mvn dependency:tree`
 - [debug logs](#set-debug-log-level)
@@ -446,9 +446,9 @@ Field authConverter in com.sap.cloud.test.SecurityConfiguration required a bean
 ```
 Make sure that you have defined the following mandatory attribute in the service configuration (VCAP_SERVICES env variable or application.yaml or application.properties)
 - for Xsuaa
-  - xsappname 
-  - uaadomain 
-  - clientid 
+  - xsappname
+  - uaadomain
+  - clientid
   - url
 - for Identity service
   - domains
@@ -464,9 +464,9 @@ You will need to provide it manually. An example can be
 found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java).
 
 ## Samples
-- [Hybrid Usage](../samples/spring-security-hybrid-usage)    
+- [Hybrid Usage](../samples/spring-security-hybrid-usage)
 Demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with tokens issued by SAP Identity service or XSUAA. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library.
-- [Basic Auth Usage](../samples/spring-security-basic-auth)    
+- [Basic Auth Usage](../samples/spring-security-basic-auth)
 Legacy example that demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with username/password provided via Basic Auth header. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library.
 - [Webflux Hybrid Usage](../samples/spring-webflux-security-hybrid-usage)\
 Shows how to use ``spring-security`` library with both tokens issued by XSUAA and SAP Identity service in an reactive environment.

spring-security/pom.xml

@@ -22,7 +22,7 @@
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>9.39</version>
+			<version>9.39.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>

spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java

@@ -0,0 +1,34 @@
+/**
+ * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
+ * <p>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package com.sap.cloud.security.spring.autoconfig;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.env.EnvironmentPostProcessor;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy;
+/**
+ * Instantiates a {@link com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy}, which keeps the
+ * {@code com.sap.cloud.security.token.SecurityContext} in sync
+ *
+ * <p>
+ * Can be disabled with with property {@code sap.spring.security.hybrid.auto = false}.
+ */
+public class SecurityContextEnvironmentPostProcessor implements EnvironmentPostProcessor {
+
+	@Override
+	public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
+		String autoConfig = environment.getProperty("sap.spring.security.hybrid.auto");
+		String syncContext = environment.getProperty("sap.spring.security.hybrid.sync_securitycontext");
+		if ((autoConfig == null || Boolean.valueOf(autoConfig)) &&
+				(syncContext == null || Boolean.valueOf(syncContext)) &&
+				!(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy)) {
+			SecurityContextHolder.setContextHolderStrategy(new JavaSecurityContextHolderStrategy());
+		}
+	}
+
+}