
We're trying to use SAP SpringBoot Starter XSUAA 2.7.8 (https://github.com/SAP/cloud-security-xsuaa-integration) together with the SAP CloudSDK for Java 3.32.0.

The CloudSDK depends on part of the xsuaa (java-api, java-security, tokenclient, java-security-test) version 2.7.8, but does not use spring-xsuaa. The CloudSDK also depends on Spring Security 5.4.1. When we add xsuaa-spring-boot-starter, our security integration tests break, and at runtime we run into token validation errors at the "rest api" side (rest controllers) of our app. It seems to be due to the fact that xsuaa-spring-boot-starter depends on Spring Security 5.3.4.RELEASE.

We get errors saying: java.lang.NoSuchMethodError: 'java.util.Map com.nimbusds.jose.Header.toJSONObject()'. This is a known issue with Spring Security 5.4.1 (https://github.com/spring-projects/spring-security/issues/9120). As the issue states, Spring Security is meant to be used with Spring Boot 2.4 and not 2.3, which is used by the Cloud SDK.

We've not been able to resolve this issue. Can this be the cause of different dependencies? If so, any ideas on how to resolve these?

Thanks,

Danny

1 Answer

Edit: As of version 3.33.0 the SDK comes with the below configuration by default in the Spring Archetype.


Your observation is correct, this is a dependency conflict introduced by the different Spring security versions.

In case you are using the SDK BOM you need to explicitly set the Spring security version before it would be set by the SDK BOM:

<dependencyManagement>
    <dependencies>
        <!-- override spring security from Cloud SDK -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
            <version>5.3.4.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-resource-server</artifactId>
            <version>5.3.4.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>com.sap.cloud.sdk</groupId>
            <artifactId>sdk-bom</artifactId>
            <version>${sap.cloud.sdk.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <version>${spring-boot.version}</version>
        </dependency>
        <dependency>
            <groupId>com.sap.cloud.security.xsuaa</groupId>
            <artifactId>xsuaa-spring-boot-starter</artifactId>
            <version>${sap.cloud.security.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>

Currently the SDK Spring Archetype is being updated to ship with this configuration by default until Spring Boot 2.4 is released.

MatKuhr
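To confirm which jars actually win on the runtime classpath once the override is in place, a small diagnostic can report where the classes involved in the error are loaded from. This is an added example, not part of the original answer or of the SDK; the class name `JoseClasspathCheck` is hypothetical, and it assumes it is run with the application's own runtime classpath.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

// Added diagnostic (hypothetical class name); run it on the application's runtime classpath.
public class JoseClasspathCheck {

    // The class named in the error, plus one class from each of the two overridden artifacts.
    static final String[] PROBES = {
        "com.nimbusds.jose.Header",
        "org.springframework.security.oauth2.jwt.NimbusJwtDecoder",
        "org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider"
    };

    // Jar (or directory) the class was loaded from.
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null) ? "(unknown)" : src.getLocation().toString();
    }

    // Implementation-Version from the jar manifest, if the jar declares one.
    static String version(Class<?> c) {
        Package p = c.getPackage();
        String v = (p == null) ? null : p.getImplementationVersion();
        return (v == null) ? "(not in manifest)" : v;
    }

    public static void main(String[] args) {
        ClassLoader cl = JoseClasspathCheck.class.getClassLoader();
        for (String name : PROBES) {
            try {
                Class<?> c = Class.forName(name, false, cl); // load without initialising
                System.out.printf("%s%n  from    %s%n  version %s%n", name, origin(c), version(c));
            } catch (ClassNotFoundException | LinkageError e) {
                System.out.printf("%s%n  not loadable: %s%n", name, e);
            }
        }
        try {
            // The JVM links on the full descriptor, return type included, so a caller compiled
            // against "java.util.Map toJSONObject()" fails if the loaded jar declares another type.
            Method m = Class.forName(PROBES[0], false, cl).getMethod("toJSONObject");
            String type = m.getReturnType().getName();
            System.out.println("Header.toJSONObject() returns " + type);
            if (!java.util.Map.class.equals(m.getReturnType())) {
                System.out.println("  callers compiled against the java.util.Map signature cannot link to this jar");
            }
        } catch (ReflectiveOperationException | LinkageError e) {
            System.out.println("Could not inspect Header.toJSONObject(): " + e);
        }
    }
}
```

All three Spring Security and Nimbus entries should come from a consistent set of jars; a return type other than `java.util.Map` is only a problem when the Spring Security jars on the classpath were compiled against the `Map` signature, as in the error quoted in the question.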