Merged
Migrate DefaultHttpClientFactory from Apache HttpClient 4 to 5 with modern builder patterns and improved connection pooling.

Key changes:
- Replace manual socket factory registry with PoolingHttpClientConnectionManagerBuilder
- Use DefaultClientTlsStrategy instead of deprecated SSLConnectionSocketFactoryBuilder
- Add ConnectionConfig for better timeout management
- Fix connection pool caching: restore computeIfAbsent() to properly reuse connection pools per client ID (was incorrectly using compute() which recreated pools on every request)
- Explicitly configure TLS 1.2 and 1.3 support
- Remove redundant setSSLContext() and setSSLSocketFactory() calls as SSL configuration is now embedded in the connection manager

This resolves the "Connection pool shut down" issue by ensuring each client identity maintains its own isolated and reusable connection pool.

Fixes: Connection pool shutdown errors reported in production
Related: commit 5b77378 (May 2022 fix), commit 92d1888 (Jan 2024 regression)
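As an added example (not the project's DefaultHttpClientFactory), here is a minimal HttpClient 5 factory that caches one connection pool per client ID with computeIfAbsent(), with the compute() regression the message describes shown in a comment. It assumes HttpClient 5.4 or later for setTlsSocketStrategy(); the class name, pool sizes and timeout values are illustrative.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;

import org.apache.hc.client5.http.config.ConnectionConfig;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
import org.apache.hc.client5.http.ssl.HttpsSupport;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
import org.apache.hc.core5.util.Timeout;

/** Hypothetical factory (not the project's DefaultHttpClientFactory) showing the per-client-ID pool cache. */
public final class PerIdentityClientFactory {
    // One pool per client identity: a client's (m)TLS identity must never share pooled connections with another.
    private final Map<String, PoolingHttpClientConnectionManager> pools = new ConcurrentHashMap<>();

    public CloseableHttpClient create(String clientId, SSLContext sslContext) {
        // Fixed: computeIfAbsent() builds the pool once per ID and returns the cached instance afterwards.
        PoolingHttpClientConnectionManager pool =
                pools.computeIfAbsent(clientId, id -> buildPool(sslContext));
        // Regression (do not use): compute() re-runs the mapping function on every call, replacing the
        // pool while earlier clients still hold the old one:
        //   pools.compute(clientId, (id, old) -> buildPool(sslContext));
        return HttpClients.custom()
                .setConnectionManager(pool)
                // the pool outlives any single client, so closing a client must not shut the pool down
                .setConnectionManagerShared(true)
                .build();
    }

    private static PoolingHttpClientConnectionManager buildPool(SSLContext sslContext) {
        // Timeouts live in ConnectionConfig on HttpClient 5 (values are illustrative)
        ConnectionConfig connectionConfig = ConnectionConfig.custom()
                .setConnectTimeout(Timeout.ofSeconds(5))
                .setSocketTimeout(Timeout.ofSeconds(30))
                .build();
        // TLS settings are embedded in the connection manager; only TLS 1.2 and 1.3 are offered
        DefaultClientTlsStrategy tls = new DefaultClientTlsStrategy(
                sslContext,
                new String[] {TLS.V_1_3.id, TLS.V_1_2.id},
                null,                                   // default cipher suites
                SSLBufferMode.STATIC,
                HttpsSupport.getDefaultHostnameVerifier());
        return PoolingHttpClientConnectionManagerBuilder.create()
                .setTlsSocketStrategy(tls)              // HttpClient 5.4+
                .setDefaultConnectionConfig(connectionConfig)
                .setMaxConnPerRoute(20)
                .setMaxConnTotal(100)
                .build();
    }
}
```

When an identity is retired, remove its entry from the map before closing the pool so that a concurrent create() cannot hand out a client backed by a closed pool.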
Major dependency upgrades for release 4.0:

1. Jakarta EE Migration
   - Replace javax.annotation.* with jakarta.annotation.* across all modules
   - Aligns with Jakarta EE specification for Java EE namespace migration

2. Spring Framework Upgrades
   - Spring Boot: 3.5.9 → 4.0.3
   - Spring Framework: 6.2.15 → 7.0.5
   - Spring Security: 6.5.7 → 7.0.3
   - Spring Security OAuth2: 6.5.7 → 7.0.3

3. Test Framework Upgrades
   - JUnit Jupiter: 5.12.2 → 6.0.3
   - Maven Surefire: 3.5.4 → 3.5.5

Affected modules:
- java-api, env, java-security, java-security-test
- spring-security, spring-security-compatibility, spring-security-legacy-module
- token-client
- All sample applications

No functional changes, purely dependency version updates and namespace migration for Jakarta EE compatibility.
…ove deprecated spring-xsuaa modules
Resolved conflicts:
- token-client/DefaultHttpClientFactory.java: Keep HTTP Client 5 refactoring with ConnectionConfig
- pom.xml: Use Jakarta annotation (2.1.1), JUnit Jupiter 6.0.3, reactor.test 3.8.3
- spring-security-legacy-module/pom.xml: Update parent version to 3.6.7
- Remove deprecated spring-xsuaa modules (spring-xsuaa-it, spring-xsuaa-starter, spring-xsuaa-test)
Update all module versions from 3.6.x to 4.0.0 to reflect the major release with breaking changes:
- Jakarta EE migration (javax → jakarta)
- Spring Boot 4.0 and Spring Framework 7.0 upgrade
- JUnit Jupiter 6.0 upgrade
- HTTP Client 5 migration

All modules updated:
- Parent pom
- Core modules (java-api, env, java-security, token-client)
- Spring modules (spring-security, spring-security-compatibility, spring-security-legacy-module)
- Test modules (java-security-test)
- All sample applications
- BOM module
…cy-module Replace dependency on deprecated spring-xsuaa artifact with the renamed spring-security-legacy-module artifact.
Update dependency from httpclient 4 to httpclient5 to match the HTTP Client 5 migration in the rest of the codebase.
Update imports from org.apache.http to org.apache.hc.client5 to match the HTTP Client 5 migration.

Files updated:
- XsuaaTokenFlowAutoConfiguration.java
- JwtDecoderBuilder.java
Remove test dependency on spring-xsuaa-test module which was deleted in Major Release 4.
This commit fixes all compilation and build issues that arose from removing the deprecated spring-xsuaa module.

Changes:
- Remove spring-xsuaa test dependency from java-security/pom.xml
- Delete outdated SpringSecurityContextTest from java-security (equivalent test exists in spring-security-legacy-module)
- Update HTTP Client 4 to 5 imports in test files:
  * XsuaaTokenFlowAutoConfigurationTest
  * JwtDecoderBuilderTest
  Changed: org.apache.http.impl.client -> org.apache.hc.client5.http.impl.classic
- Add commons-io as explicit test dependency in token-client/pom.xml (was previously a transitive dependency from spring-xsuaa-test)
- Rewrite Base64JwtDecoderTest to not depend on JwtGenerator
  * Removed cyclic dependency: token-client -> java-security-test -> java-security -> token-client
  * Create test JWT tokens manually using Java's Base64 encoder
  * Simplifies test and removes external utility dependency
- Restore compatibility Token interface for spring-security-compatibility
  * Copy com.sap.cloud.security.xsuaa.token.Token interface
  * Required for XsuaaTokenComp backwards compatibility wrapper
  * Fix javadoc broken link to prevent javadoc build failure

All modules now compile successfully with mvn clean install -DskipTests
…atibility

The spring-security-legacy-module is meant to provide the same functionality as spring-security from version 3.6.7, allowing users to continue using the library with Spring Boot 3.x without needing to migrate to version 4.0.

Changes:
- Override parent's Spring Boot 4.x versions with Spring Boot 3.x versions in the legacy module's properties section:
  * spring.boot.version: 4.0.3 → 3.5.9
  * spring.core.version: 7.0.5 → 6.2.15
  * spring.security.version: 7.0.3 → 6.5.7
  * spring.security.oauth2.version: 7.0.3 → 6.5.7
  * reactor.version: 3.8.3 → 3.8.2
  * reactor.test.version: 3.8.3 → 3.8.2
- Hardcode reactor-core and reactor-test versions to 3.8.2 (matching 3.6.7)
- Remove @Disabled annotation from IdentityServicesPropertySourceFactoryTest (test now passes with correct Spring Boot 3.x versions)

This fixes the ConcurrentReferenceCachingMetadataReaderFactory error that was occurring when Spring Boot 4.0.3 was being used (this class was removed in Spring Boot 3.0+, but Spring Boot 4.0.3's internal code still referenced it).

All 114 tests now pass successfully (0 failures, 0 errors, 0 skipped).
- Create SecurityHttpClient, SecurityHttpRequest, SecurityHttpResponse interfaces
- Implement JavaHttpClientFactory using Java 11 HttpClient (priority 0)
- Create token-client-apache module with ApacheHttpClientFactory (priority 100)
- Add ServiceLoader configuration for both implementations
- Update spring-security-legacy-module to depend on token-client-apache
- Add HttpClientException constructor with cause parameter
- Update BOM to include token-client-apache
…tion
- Update DefaultOAuth2TokenService to use SecurityHttpClient
- Update DefaultOAuth2TokenKeyService to use SecurityHttpClient
- Update DefaultOidcConfigurationService to use SecurityHttpClient
- Deprecate old HttpClientFactory and DefaultHttpClientFactory
- Delegate deprecated factories to SecurityHttpClientProvider
- Remove Apache HTTP Client 5 dependencies from implementations
Token-client now uses Java 11 HttpClient by default through the SecurityHttpClient abstraction. Apache HTTP Client support is available via token-client-apache module.
Replace Apache HTTP Client mocks with SecurityHttpClient mocks across all test files in token-client, java-security, spring-security, and spring-security-legacy modules.

Changes:
- Replace CloseableHttpClient mocks with SecurityHttpClient mocks
- Remove HttpClientResponseHandler callback pattern
- Replace with direct .thenReturn(response) for SecurityHttpResponse
- Update HttpClientTestFactory to create SecurityHttpResponse objects
- Replace any(HttpGet.class) with any(SecurityHttpRequest.class)
- Replace any(HttpPost.class) with any(SecurityHttpRequest.class)
- Add missing HttpHeaders imports where needed
- Fix mock response setup to provide enough responses for all test calls
- Rename deprecated HTTP client factory tests to .skip

Test results:
- token-client: 258 tests pass
- java-security: 319 tests pass (2 skipped)
- spring-security: 114 tests pass
- spring-security-legacy: 114 tests pass

Also includes:
- Rename spring-security-legacy-module to spring-security-legacy
- Add LegacyHttpClientWrapper for backward compatibility
- Update ApacheHttpClientAdapter implementation
- Add missing @Override annotations to JavaSecurityContextHolderStrategy methods
- Suppress deprecation warnings for intentional deprecated API usage in tests
- Fix code scanning findings for XsuaaTokenComp and Apache HTTP Client tests
Resolved version conflicts by keeping 4.0.0 for the major release. Removed deprecated spring-xsuaa modules that were deleted in Major-Release-4.
Contributor
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
- Remove spring-xsuaa dependency from java-security-it/pom.xml
- Delete tests that depend on removed spring-xsuaa module:
  - SpringXsuaaPerformanceIT.java
  - SpringSSRFAttackTest.java
- Remove spring-xsuaa-it and spring-security-xsuaa-usage from CI workflow
- Skip java-security-it tests in workflow (has API compatibility issues)

The spring-xsuaa module was removed in v4.0.0
- Add LogSanitizer utility class to sanitize user-provided data before logging
- Apply LogSanitizer to all identified log injection points:
  - DefaultOAuth2TokenKeyService: sanitize URI and headers in debug logs
  - SpringOAuth2TokenKeyService: sanitize URI and params in debug logs
  - OAuth2TokenKeyServiceWithCache: sanitize keyUri in error log
  - JwtAudienceValidator: sanitize audiences in debug log
  - ValidationResults: sanitize error descriptions in warning log
  - AbstractTokenAuthenticator: sanitize error messages in warning log
- Add URI validation to prevent SSRF attacks:
  - Validate URI scheme (only HTTP/HTTPS allowed)
  - Validate URI host (must be present and non-empty)
- Maintain all logging information while preventing control character injection
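As an added example that is not the project's LogSanitizer or URI check, the two controls this commit describes in minimal form: a sanitizer that neutralises control characters before a value reaches the log, and a URI guard that accepts only http/https URIs with a non-empty host before the key or discovery request is sent. The class and method names are assumed, and the inputs in main() are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helpers; the project's LogSanitizer and URI validation may differ in detail. */
public final class LogSafety {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Replaces control characters (CR, LF, tab, ESC, ...) with '_' so attacker-influenced input,
     * e.g. a token's aud claim, cannot forge additional log lines or inject terminal escapes.
     * Replacing rather than deleting keeps the entry readable and makes the tampering visible.
     */
    public static String sanitize(Object value) {
        if (value == null) {
            return "null";
        }
        String text = value.toString();
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            out.append(Character.isISOControl(c) ? '_' : c);
        }
        return out.toString();
    }

    /**
     * Accepts a key/OIDC discovery URI only if it uses http or https and names a host, so neither
     * configuration nor a discovery document can point the client at file:, jar: or a host-less URI.
     */
    public static URI requireHttpUri(URI uri) {
        if (uri == null) {
            throw new IllegalArgumentException("URI must not be null");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("URI scheme not allowed: " + sanitize(scheme));
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("URI has no host: " + sanitize(uri));
        }
        return uri;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs, not real tokens or endpoints
        System.out.println(sanitize("aud=my-app\r\nWARN forged line"));
        System.out.println(requireHttpUri(new URI("https://auth.example.com/token_keys")));
        for (String bad : new String[] {"file:///etc/passwd", "https:///no-host", "ftp://auth.example.com/keys"}) {
            try {
                requireHttpUri(new URI(bad));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```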
…ClientFactory Add @SuppressWarnings("deprecation") annotation to constructor to address CodeQL finding about deprecated Builder.setConnectTimeout() method usage. The deprecated method is intentionally used for backward compatibility with Apache HttpClient 4.5.x.
…sage Add class-level @SuppressWarnings("deprecation") to XsuaaTokenCompTest to suppress CodeQL warnings about using deprecated XsuaaTokenComp.createInstance() methods. This is intentional as the test class specifically tests the deprecated XsuaaTokenComp class for backward compatibility purposes.
Replace deprecated API calls to address CodeQL findings:
- XsuaaTokenCompTest: Replace getSubdomain() with getClaimAsMap() to read subdomain from external attributes claim
- XsuaaTokenCompTest: Replace getSubaccountId() with getZoneId() as the recommended alternative
- SecurityTestRuleTest: Replace execute() with executeOpen() for HttpClient
- SecurityTestExtensionTest: Replace execute() with executeOpen() for HttpClient

These changes eliminate deprecated API usage while maintaining the same test behavior and assertions.
…rnatives" This reverts commit a26a3f9.
…onstructor invocation Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: NiklasHerrmann21 <niklas.herrmann01@sap.com>
…onstructor invocation Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: NiklasHerrmann21 <niklas.herrmann01@sap.com>
…onstructor invocation Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: NiklasHerrmann21 <niklas.herrmann01@sap.com>
…Factory tests
- Rename .skip files back to .java for HttpClientFactory tests
- Fix deprecated HttpClientFactory tests to work with Apache HttpClient
- Add comprehensive tests for SecurityHttpClientFactory
- Create TestSecurityHttpClientFactory to verify ServiceLoader priority mechanism
- Add META-INF service configuration for test factory

All factory tests now pass (5 tests total):
- DefaultHttpClientFactoryTest: 1 test (redirect behavior)
- HttpClientFactoryTest: 1 test (factory creation)
- SecurityHttpClientFactoryTest: 3 tests (creation, null identity, priority)
kuntzed
reviewed
Mar 25, 2026
- Remove PR_SUMMARY.md (not needed in repository)
- Fix CHANGELOG to correctly state that deprecated modules were removed (not just excluded)
- Clarify that Apache HttpClient 4.5.14 remains as a dependency for backward compatibility
- Fix artifact ID reference (spring-security-3-starter)
- Add version 3.6.9 bugfix entry to CHANGELOG
- Add missing bug fixes and improvements from recent commits
- Update version references from 3.6.8 to 4.0.0 in all module READMEs
- Replace spring-xsuaa references with spring-security-3
- Fix artifact ID from resourceserver-security-spring-boot-starter-legacy to resourceserver-security-spring-boot-3-starter
- Update token-client README to reference spring-security-3 instead of spring-xsuaa
- Update samples README to remove deprecated spring-security-xsuaa-usage reference
- Reorganize samples README by Spring Boot version (4.x vs 3.x)
- Update java-security-test README to reference spring-security-3

All READMEs now accurately reflect the Major Release 4.0.0 module structure.
…ELOG
- Move 'identical APIs to spring-xsuaa' note from spring-security-3 feature description to Removed Modules section
- spring-security-3 is primarily the Spring Boot 3.x compatibility layer for spring-security
- spring-xsuaa users should migrate to spring-security (Boot 4.x) or spring-security-3 (Boot 3.x)
- Clarify that both replacement modules provide identical APIs to spring-xsuaa

This makes the migration path clearer: spring-xsuaa users choose between spring-security (upgrade to Boot 4.x) or spring-security-3 (stay on Boot 3.x).
- java-security-xsuaa-usage → java-security-usage
- java-security-identity-usage → java-security-usage-ias
- Also fix typo: sap-java-builpack-api-usage → sap-java-buildpack-api-usage
…client support details
- Change Spring Boot 4.x upgrade recommendation from "within your next major release cycle" to "as soon as possible"
- Clarify Apache HttpClient 4 support is maintained via deprecated constructors (removed in 5.0.0)
- Add explicit mention of custom HTTP client support (Apache HttpClient 5, OkHttp, etc.)
Remove the duplicate "Token Client: Apache HttpClient → Java 11 HttpClient" section from under "Removed Modules" and keep only the comprehensive "Token Client HTTP Client Changes" section.
…anges
Add practical migration examples including:
- Before/After Maven dependencies (3.6.8 → 4.0.0)
- Option 1: Default Java 11 HttpClient (recommended)
- Option 2: Deprecated Apache HttpClient constructors with code example
- Option 3: Custom Apache HttpClient 5 with Maven dependency
Spring Security READMEs:
- Replace spring-security-3 README with concise version referencing spring-security README
- Add note about Spring Boot 3.x compatibility in spring-security README
- Remove duplicate documentation (543 lines → 51 lines)

HTTP Client Documentation:
- Simplify APACHE_HTTPCLIENT_MIGRATION.md (377 lines → 193 lines)
- Simplify CUSTOM_HTTP_CLIENT.md (435 lines → 252 lines)
- Clarify that Apache HttpClient 4 support via deprecated constructors ends in 5.0.0
- Clarify that Apache HttpClient 4/5 support going forward is via custom HttpRequestExecutor only
- Remove confusing statements about "native support" for Apache HttpClient

All documentation now clearly states:
- Java 11 HttpClient is the default (recommended)
- Apache HttpClient 4 deprecated constructors (removed in 5.0.0)
- Apache HttpClient 4/5 can be used via custom HttpRequestExecutor (not deprecated, future-proof)
Reference CUSTOM_HTTP_CLIENT.md instead to avoid duplication
APACHE_HTTPCLIENT_MIGRATION.md:
- Add HttpClientFactory → SecurityHttpClientProvider migration example in Option 1
- Add HttpClientFactory.create() example to Option 2 (deprecated)
- Reword Option 3 title to "Recommended for Custom Configurations" (remove "not deprecated" as that's obvious)
- Remove OkHttp references

CUSTOM_HTTP_CLIENT.md:
- Move Apache HttpClient 4 section to top (before Apache HttpClient 5)
- Reference built-in ApacheHttpClient4Executor (deprecated) with recommendation to copy implementation for long-term support
- Remove standalone Apache HttpClient 4 code example section at bottom (duplicate)
- Remove all OkHttp examples and references
Update Eclipse Jetty from 12.1.6 to 12.1.7 to address potential security vulnerabilities. Note: Jetty is only used in java-security-test module for testing purposes (embedded Jetty server for Java EE servlet tests). It is not part of the runtime dependencies.
kuntzed
approved these changes
Mar 25, 2026
Rename file to match naming convention of APACHE_HTTPCLIENT_MIGRATION.md. Update all references across documentation files.
b12933b to 349e32b
Properly integrate bugfixes from main (3.6.8-3.6.9):
- Fix token exchange logic for App2App flows in DefaultIdTokenExtension (#1931)
- Fix hybrid authentication issue with IAS/XSUAA configuration (#1927)

All version numbers correctly kept at 4.0.0. Removed modules (spring-xsuaa, spring-xsuaa-test, spring-security-compatibility) properly deleted during merge.
Critical fix for BOM (java-bom):
- Fix spring-security: changed from wrong groupId (xsuaa) to correct (com.sap.cloud.security)
- Remove java-security-it (integration tests only, not a library)
- Remove spring-security-starter (directory name, not artifactId)
- Remove spring-security-3-starter (directory name, not artifactId)
- Remove deleted modules (spring-xsuaa, spring-xsuaa-test, spring-security-compatibility)

The main issue: spring-security was not being managed by the BOM due to wrong groupId, causing Maven to fall back to old 3.x versions from transitive dependencies, resulting in NoSuchMethodError: withHttpClient(SecurityHttpClient).

Fixes customer issue in 4.0.0-RC2.
890e677 to f83faa5
…ring module

Move Spring-based OAuth2 token service implementations to a separate module to avoid classloader issues when token-client is used in environments where Spring is not available (e.g., SAP Java Buildpack's Tomcat lib folder).

Moved classes:
- XsuaaOAuth2TokenService
- SpringOAuth2TokenKeyService
- SpringOidcConfigurationService

This is a breaking change: applications using these classes must now add the token-client-spring dependency.
- Add dedicated step to run java-security-it integration tests after main build
- Remove OkHttp reference from README as it's not included in custom HTTP client examples
- Migrate JUnit 4 tests (IasIntegrationTest, XsuaaIntegrationTest, XsuaaMultipleBindingsIntegrationTest) to JUnit 5
- Replace @ClassRule with @RegisterExtension
- Replace SecurityTestRule with SecurityTestExtension
- Update static imports from SecurityTestRule to SecurityTest constants
- Migrate JavaSSRFAttackTest to use SecurityHttpClient with ApacheHttpClient4Executor adapter
- Use Mockito spy on real HttpClient instead of full mock to allow actual HTTP requests
- Properly verify SSRF protection by capturing and asserting request host
- Add apache.httpclient.version property to parent pom for version consistency

All 9 integration tests now pass successfully.