Fix flaky

.github/workflows/first_test.yml

@@ -0,0 +1,27 @@
+name: Test:AuthenticationTokenTest.equals
+run-name: Known Flaky test
+on: [push]
+jobs:
+  Test_Without_Nondex_Shuffling:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+      - name: Test
+        run: mvn -pl spring-security test -Dtest=com.sap.cloud.security.spring.token.authentication.AuthenticationTokenTest#equals
+
+  Test_With_Nondex_Shuffling:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+      - name: Test
+        run: mvn -pl spring-security edu.illinois:nondex-maven-plugin:2.1.1:nondex -Dtest=com.sap.cloud.security.spring.token.authentication.AuthenticationTokenTest#equals

.github/workflows/fosstars-project-report.yml

@@ -10,7 +10,7 @@ jobs:
     name: "Security rating"
     steps:
       - uses: actions/checkout@v2.3.4
-      - uses: SAP/fosstars-rating-core-action@v1.1.1
+      - uses: SAP/fosstars-rating-core-action@v1.10.0
         with:
           report-branch: fosstars-report
-          token: "${{ secrets.GITHUB_TOKEN }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/maven.yml → .github/workflows/maven-build-2.x.yml

@@ -1,13 +1,13 @@
-# SPDX-FileCopyrightText: 2018-2021 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
+# SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 # SPDX-License-Identifier: Apache-2.0
 ---
-name: Java CI with Maven
+name: Maven Build main-2.x
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main-2.x ]
   pull_request:
-    branches: [ main ]
+    branches: [ main-2.x ]
 
 jobs:
   build:

CHANGELOG.md

@@ -1,6 +1,22 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 2.13.7
+- [token-client] Fixes regression introduced with logback dependency not having scope test
+
+#### Dependency upgrades
+- Bump org.json from to 20230227
+
+## 2.13.6
+- [env] `CFEnvironment` has migrated to use btp-environment-variable-access library for accessing configuration from VCAP_SERVICES
+- [java-security] `XsUserInfoAdapter.getSystemAttribute()` supports in token `xs.system.attributes` values in string format along with string array
+
+‼️ slf4j API version has been reverted back to 1.7.x to be in line with spring-boot 2.x supported slf4j API version
+
+#### Dependency upgrades
+* Bump spring.boot.version from 2.7.8 to 2.7.9
+* Bump spring.security.version from 5.8.1 to 5.8.2
+
 ## 2.13.5
 - [spring-xsuaa] improved logging for JwtAudienceValidator
 - [java-security] enables token validation without zones

README.md

@@ -31,7 +31,7 @@ The SAP Java Buildpack integrates token validation into the tomcat server. Appli
 See [sap-java-builpack-api-usage](samples/sap-java-buildpack-api-usage) for an example.
 
 ### Changes with SAP Java Buildpack 1.26.0
-The former SAP Java Buildpack versions have used deprecated (Spring) Security libraries and had to be updated. As of version 1.26.0 SAP Java Buildpack uses the [`java-security`](/java-security) library. Please consider these (migration) guides:
+The former SAP Java Buildpack versions have used deprecated (Spring) Security libraries and had to be updated. Starting with version 1.26.0 SAP Java Buildpack uses the [`java-security`](/java-security) library. Please consider these (migration) guides:
 
 - [MANDATORY: clean-up deprecated dependencies](https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/java-security/Migration_SAPJavaBuildpackProjects.md)
 - [OPTIONAL: Leverage new APIs and features](https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/java-security/Migration_SAPJavaBuildpackProjects_V2.md)
@@ -67,7 +67,7 @@ Spring Boot provides OAuth resource servers. Application developers requiring au
 ### Requirements
 - Java 8 or 11
 - maven 3.3.9 or later
-- as of version 2.6.1 Spring Boot >= 2.2 is required. Consequently, it also requires Spring Security version >= 5.2
+- starting with version 2.6.1 Spring Boot >= 2.2 is required. Consequently, it also requires Spring Security version >= 5.2
 
 ### Sample
 - See [spring-security-hybrid-usage](samples/spring-security-hybrid-usage) for an example.
@@ -95,4 +95,4 @@ Libraries and information provided here is around the topic of integrating with
 Open an issue in GitHub.
 
 # Licensing
-Please see our [LICENSE](LICENSES/Apache-2.0.txt) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the [REUSE tool](https://api.reuse.software/info/github.com/SAP/cloud-security-xsuaa-integration).
+Please see our [LICENSE](LICENSES/Apache-2.0.txt) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the [REUSE tool](https://api.reuse.software/info/github.com/SAP/cloud-security-xsuaa-integration).

api/README.md

@@ -5,6 +5,6 @@
 <dependency>
     <groupId>com.sap.cloud.security.xsuaa</groupId>
     <artifactId>api</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
 </dependency>
 ```

api/pom.xml

@@ -11,7 +11,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.13.5</version>
+		<version>2.13.7</version>
 	</parent>
 
 	<packaging>jar</packaging>

bom/pom.xml

@@ -8,7 +8,7 @@
 
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-bom</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
     <packaging>pom</packaging>
     <name>java-bom</name>
 

env/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>com.sap.cloud.security.xsuaa</groupId>
         <artifactId>parent</artifactId>
-        <version>2.13.5</version>
+        <version>2.13.7</version>
     </parent>
 
     <groupId>com.sap.cloud.security</groupId>

java-api/README.md

@@ -5,6 +5,6 @@
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-api</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
 </dependency>
 ```

java-api/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.13.5</version>
+		<version>2.13.7</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

java-security-it/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <artifactId>parent</artifactId>
         <groupId>com.sap.cloud.security.xsuaa</groupId>
-        <version>2.13.5</version>
+        <version>2.13.7</version>
     </parent>
 
     <artifactId>java-security-it</artifactId>

java-security-test/README.md

@@ -22,7 +22,7 @@ It includes for example a `JwtGenerator` that generates JSON Web Tokens (JWT) th
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-security-test</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
     <scope>test</scope>
 </dependency>
 ```
@@ -31,7 +31,7 @@ It includes for example a `JwtGenerator` that generates JSON Web Tokens (JWT) th
 Find an example on how to use the test utilities [here](/samples/java-security-usage).
 
 ### Jwt Generator
-Using `JwtGenerator` you can create tokens of type [`Token`](/java-security/src/main/java/com/sap/cloud/security/token/Token.java), which offers you a `getTokenValue()` method that returns the encoded and signed Jwt token. By default its signed with a random RSA key pair (as of version `2.8.1`). In case you like to provide the token via `Authorization` header to your application you need to prefix the access token with `Bearer `. 
+Using `JwtGenerator` you can create tokens of type [`Token`](/java-security/src/main/java/com/sap/cloud/security/token/Token.java), which offers you a `getTokenValue()` method that returns the encoded and signed Jwt token. By default its signed with a random RSA key pair (starting with version `2.8.1`). In case you like to provide the token via `Authorization` header to your application you need to prefix the access token with `Bearer `. 
 
 ```java
 Token token = JwtGenerator.getInstance(Service.XSUAA, "client-id")
@@ -105,7 +105,7 @@ public class HelloJavaServletTest {
 
 
 ### JUnit 5
-JUnit 5 does no longer support `Rule`. As of `java-security-test` version `2.7.8` you can implement using [JUnit 5 extensions](https://junit.org/junit5/docs/current/user-guide/#extensions) instead. 
+JUnit 5 does no longer support `Rule`. Starting with `java-security-test` version `2.7.8` you can implement using [JUnit 5 extensions](https://junit.org/junit5/docs/current/user-guide/#extensions) instead. 
 
 
 `XsuaaExtension` class as well as the `IasExtension` class implements the `BeforeAllCallback` to configure and start `WireMock` as mock server for the identity service. Furthermore, it implements the `AfterAllCallback` to stop the running server(s).

java-security-test/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.13.5</version>
+		<version>2.13.7</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

java-security/Migration_SAPJavaBuildpackProjects.md

@@ -61,4 +61,4 @@ This comes with a change regarding scopes. For a business application A that wan
 In case you face issues to apply the migration steps check this [troubleshoot](README.md#troubleshoot) for known issues and how to file the issue.
 
 ## [OPTIONAL] Leverage new API and features
-You can continue [here](Migration_SAPJavaBuildpackProjects_V2.md) to understand what needs to be done to leverage the new `java-api` that is exposed by the SAP Java Buildpack as of version `1.26.1`.
+You can continue [here](Migration_SAPJavaBuildpackProjects_V2.md) to understand what needs to be done to leverage the new `java-api` that is exposed by the SAP Java Buildpack starting with version `1.26.1`.

java-security/Migration_SAPJavaBuildpackProjects_V2.md

@@ -3,7 +3,7 @@
 
 **This document is only applicable for J2EE web applications securing their application with SAP Java Buildpack.** 
 
-This migration document is a step-by-step guide explaining how to leverage the new api that is exposed by the SAP Java Buildpack as of version `1.26.1`.
+This migration document is a step-by-step guide explaining how to leverage the new api that is exposed by the SAP Java Buildpack starting with version `1.26.1`.
 
 ## Prerequisites
 
@@ -12,7 +12,7 @@ Please note, this Migration Guide is only intended for applications, using SAP J
 **Before you proceed, make sure you have completed [this guide](Migration_SAPJavaBuildpackProjects.md).**
 
 ## Adapt Maven Dependencies <a name="maven"></a>
-To use the latest API exposed by SAP Java Buildpack version as of version `1.26.1` the dependency declared in maven `pom.xml` needs to be adapted.
+To use the latest API exposed by SAP Java Buildpack version starting with version `1.26.1` the dependency declared in maven `pom.xml` needs to be adapted.
 
 First make sure you have the following dependency defined in your pom.xml:
 ```xml
@@ -29,7 +29,7 @@ Now you are ready to **remove** the dependency to the **`api`** by deleting the
     <artifactId>api</artifactId>
 </dependency>
 ```
-The dependency `com.sap.cloud.security:java-api` is the new api exposed by the SAP Java Buildpack as of version `1.26.1`.
+The dependency `com.sap.cloud.security:java-api` is the new api exposed by the SAP Java Buildpack starting with version `1.26.1`.
 
 ## Adapt Environment Variable
 As the new `java-api` is incompatible with the former one, you have to tell the SAP Java Buildpack, that you want to use the latest api. This is done by setting the `ENABLE_SECURITY_JAVA_API_V2` environment variable to `true` as part of your deployment descriptor, e.g. in your `manifest.yml` file.

java-security/Migration_SpringSecurityProjects.md

@@ -37,19 +37,19 @@ First make sure you have the following dependencies defined in your pom.xml:
 <dependency>
   <groupId>com.sap.cloud.security.xsuaa</groupId>
   <artifactId>api</artifactId>
-  <version>2.13.5</version>
+  <version>2.13.7</version>
 </dependency>
 <dependency>
   <groupId>com.sap.cloud.security</groupId>
   <artifactId>java-security</artifactId>
-  <version>2.13.5</version>
+  <version>2.13.7</version>
 </dependency>
 
 <!-- new java-security dependencies for unit tests -->
 <dependency>
   <groupId>com.sap.cloud.security</groupId>
   <artifactId>java-security-test</artifactId>
-  <version>2.13.5</version>
+  <version>2.13.7</version>
   <scope>test</scope>
 </dependency>
 ```

java-security/README.md

@@ -30,8 +30,8 @@ In case of XSUAA does the JWT provide a valid `jku` token header parameter that
 
 ## Supported Identity Services
 - XSUAA
-- as of version `2.8.0` IAS
-- as of version `2.9.0` IAS tokens from multiple tenants and zones
+- starting with version `2.8.0` IAS
+- starting with version `2.9.0` IAS tokens from multiple tenants and zones
 
 ## Supported Algorithms
 
@@ -47,7 +47,7 @@ In case of XSUAA does the JWT provide a valid `jku` token header parameter that
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-security</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
 </dependency>
 <dependency>
     <groupId>org.apache.httpcomponents</groupId>
@@ -309,7 +309,7 @@ Or, alternatively in `src/main/webapp/WEB-INF/web.xml`:
 
 
 #### java.util.ServiceConfigurationError: com.sap.cloud.security.token.TokenFactory: Provider com.sap.cloud.security.servlet.HybridTokenFactory not a subtype
-As of version [`2.8.3`](https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.8.3) the version of `java-api` needs to match the version of `java-security` client library. In case you use the **SAP Java Buildpack** `java-security` is provided. To keep them in synch its recommended to use [SAP Java Buildpack BoM](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/6c6936e8e4ea40c9a9a69f6783b1e978.html) of the respective SAP Java Buildpack version and as done in the [sap-java-buildpack-api-usage sample](/samples/sap-java-buildpack-api-usage/pom.xml).
+Starting with version [`2.8.3`](https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.8.3) the version of `java-api` needs to match the version of `java-security` client library. In case you use the **SAP Java Buildpack** `java-security` is provided. To keep them in synch its recommended to use [SAP Java Buildpack BoM](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/6c6936e8e4ea40c9a9a69f6783b1e978.html) of the respective SAP Java Buildpack version and as done in the [sap-java-buildpack-api-usage sample](/samples/sap-java-buildpack-api-usage/pom.xml).
 
 ## Specs und References
 1. [JSON Web Token](https://tools.ietf.org/html/rfc7519)

java-security/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>2.13.5</version>
+		<version>2.13.7</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

pom.xml

@@ -7,7 +7,7 @@
 
 	<groupId>com.sap.cloud.security.xsuaa</groupId>
 	<artifactId>parent</artifactId>
-	<version>2.13.5</version>
+	<version>2.13.7</version>
 	<packaging>pom</packaging>
 
 	<name>parent</name>
@@ -57,15 +57,15 @@
 		<maven.compiler.source>1.8</maven.compiler.source>
 		<maven.source.plugin.version>3.2.1</maven.source.plugin.version>
 		<!-- make sure that spring core and spring boot versions are compatible-->
-		<spring.boot.version>2.7.8</spring.boot.version>
+		<spring.boot.version>2.7.9</spring.boot.version>
 		<spring.core.version>5.3.25</spring.core.version>
-		<spring.security.version>5.8.1</spring.security.version>
+		<spring.security.version>5.8.2</spring.security.version>
 		<spring.security.oauth2.version>2.5.2.RELEASE</spring.security.oauth2.version>
 		<spring.security.jwt.version>1.1.1.RELEASE</spring.security.jwt.version>
 		<reactor.version>3.4.24</reactor.version>
 		<log4j2.version>2.19.0</log4j2.version>
-		<slf4j.api.version>2.0.6</slf4j.api.version> <!--see also here http://www.slf4j.org/faq.html#changesInVersion18 -->
-		<org.json.version>20220924</org.json.version>
+		<slf4j.api.version>1.7.36</slf4j.api.version> <!--see also here http://www.slf4j.org/faq.html#changesInVersion18 -->
+		<org.json.version>20230227</org.json.version>
 		<sap.cloud.env.servicebinding.version>0.5.2</sap.cloud.env.servicebinding.version>
 		<google.jsr305.version>3.0.2</google.jsr305.version>
 		<apache.httpclient.version>4.5.14</apache.httpclient.version>
@@ -83,7 +83,7 @@
 		<wiremock.version>2.35.0</wiremock.version>
 		<javax.annotation.version>1.3.2</javax.annotation.version>
 		<spotbugs.annotations.version>4.7.3</spotbugs.annotations.version>
-		<spotbugs.version>4.7.3.0</spotbugs.version>
+		<spotbugs.version>4.7.3.2</spotbugs.version>
 		<skipTests>false</skipTests>
 		<jacoco.skip>${skipTests}</jacoco.skip>
 	</properties>
@@ -383,7 +383,7 @@
 						<plugin>
 							<groupId>org.owasp</groupId> <!--scans for vulnerabilities-->
 							<artifactId>dependency-check-maven</artifactId>
-							<version>8.1.0</version>
+							<version>8.1.2</version>
 							<executions>
 								<execution>
 									<goals>

samples/java-security-usage-ias/pom.xml

@@ -6,7 +6,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.sap.cloud.security.xssec.samples</groupId>
     <artifactId>java-security-usage-ias</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
     <packaging>war</packaging>
 
     <!--profiles>
@@ -27,7 +27,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <sap.cloud.security.version>2.13.5</sap.cloud.security.version>
+        <sap.cloud.security.version>2.13.7</sap.cloud.security.version>
         <slf4j.api.version>2.0.5</slf4j.api.version>
         <apache.httpclient.version>4.5.14</apache.httpclient.version>
         <javax.servlet.api.version>4.0.1</javax.servlet.api.version>

samples/java-security-usage/pom.xml

@@ -6,7 +6,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.sap.cloud.security.xssec.samples</groupId>
     <artifactId>java-security-usage</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
     <packaging>war</packaging>
 
     <!--profiles>
@@ -27,7 +27,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <sap.cloud.security.version>2.13.5</sap.cloud.security.version>
+        <sap.cloud.security.version>2.13.7</sap.cloud.security.version>
         <slf4j.api.version>2.0.5</slf4j.api.version>
         <apache.httpclient.version>4.5.14</apache.httpclient.version>
         <javax.servlet.api.version>4.0.1</javax.servlet.api.version>

samples/java-tokenclient-usage/pom.xml

@@ -6,13 +6,13 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.sap.cloud.security.xssec.samples</groupId>
     <artifactId>java-tokenclient-usage</artifactId>
-    <version>2.13.5</version>
+    <version>2.13.7</version>
     <packaging>war</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <sap.cloud.security.version>2.13.5</sap.cloud.security.version>
+        <sap.cloud.security.version>2.13.7</sap.cloud.security.version>
         <apache.httpclient.version>4.5.14</apache.httpclient.version>
         <javax.servlet.api.version>4.0.1</javax.servlet.api.version>
         <slf4j.api.version>2.0.5</slf4j.api.version>