SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

[spring-xsuaa] Resolve issues with Nimbus-JOSE-JWT version 9.0 com.nimbusds.jose.Header.toJSONObject usage #414

Closed liga-oz closed 3 years ago

liga-oz commented 4 years ago

With Nimbus-Jose-JWT version 9.0, the signature of the method com.nimbusds.jose.Header.toJSONObject() changes: the method returns Map<String, Object> instead of net.minidev.json.JSONObject, as per the changelog.

As of Spring Security OAuth2 JOSE version 5.4.0, Nimbus-Jose-JWT 9.0 is used.

Find usages in spring xsuaa modules and resolve potential java.lang.NoSuchMethodError errors.
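Added example, not part of the issue or of the library's code: the JVM links a call by method name and full descriptor, return type included, so code compiled against the `JSONObject`-returning `toJSONObject()` fails with `NoSuchMethodError` when the `Map`-returning version is on the classpath. The diagnostic below (the class name `NimbusHeaderCheck` is hypothetical) reports which signature the resolved jar exposes and where that jar was loaded from.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

// Added diagnostic sketch; the class name NimbusHeaderCheck is hypothetical.
public class NimbusHeaderCheck {

    // Classify the Nimbus API generation from the return type of Header.toJSONObject().
    static String classify(Class<?> returnType) {
        String name = returnType.getName();
        if (name.equals("net.minidev.json.JSONObject")) {
            return "pre-9.0 API (returns net.minidev.json.JSONObject)";
        }
        if (name.equals("java.util.Map")) {
            return "9.0+ API (returns java.util.Map)";
        }
        return "unexpected return type: " + name;
    }

    public static void main(String[] args) {
        try {
            // Loaded by name so this class compiles without Nimbus on the compile path.
            Class<?> header = Class.forName("com.nimbusds.jose.Header");
            Method m = header.getMethod("toJSONObject");
            System.out.println("Header.toJSONObject(): " + classify(m.getReturnType()));

            // Show which jar won dependency resolution at runtime.
            CodeSource src = header.getProtectionDomain().getCodeSource();
            System.out.println("Loaded from: " + (src != null ? src.getLocation() : "unknown"));
        } catch (ClassNotFoundException e) {
            System.out.println("nimbus-jose-jwt is not on the classpath");
        } catch (NoSuchMethodException e) {
            System.out.println("Header.toJSONObject() not found in this version");
        }
    }
}
```

Run it with the application's runtime classpath, so that it reports the jar the application actually loads rather than the one declared in the POM.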

nenaraab commented 4 years ago

Related References:

Sachpat commented 3 years ago

Hi @liga-oz @nenaraab, this is one of the questions from our secBOM users, @patrickhuy. Do you know whether it's possible to use spring boot 2.4.x and downgrade spring security and jose-jwt and then use the xsuaa lib?

liga-oz commented 3 years ago

Hi @Sachpat,

if you explicitly specify the jose-jwt library like here, and no other methods you use require the newer version of jose-jwt, it should be possible.

Best Regards, Liga

Sachpat commented 3 years ago

Thanks @liga-oz . I hope that answers your question @patrickhuy . :)

anshulsaxena-93 commented 3 years ago

Hi @liga-oz

Below is my POM; still the same issue.

Can you please help here?

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">

<modelVersion>4.0.0</modelVersion>
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.0-M3</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>

<properties>
    <maven-jar-plugin.version>3.1.1</maven-jar-plugin.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <cxf.version>3.3.5</cxf.version>
    <olingo.version>2.0.11</olingo.version>
    <olingo.commons>4.7.1-sap-01</olingo.commons>
    <io.guava.version>28.1-jre</io.guava.version>
    <org.json.version>20180813</org.json.version>
    <sap.cloud.security.version>2.7.7</sap.cloud.security.version>
    <nimbus-verison>7.9</nimbus-verison>
</properties>

<dependencies>

    <!-- Web Module -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <!-- JPA -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>

    <!-- Tomcat Server -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>

    <!-- Olingo -->
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-frontend-jaxrs</artifactId>
        <version>${cxf.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.olingo</groupId>
        <artifactId>olingo-odata2-jpa-processor-api</artifactId>
        <version>${olingo.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.eclipse.persistence</groupId>
                <artifactId>javax.persistence</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apache.olingo</groupId>
        <artifactId>olingo-odata2-jpa-processor-core</artifactId>
        <version>${olingo.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.eclipse.persistence</groupId>
                <artifactId>javax.persistence</artifactId>
            </exclusion>
            <exclusion>
                <groupId>javax.ws.rs</groupId>
                <artifactId>javax.ws.rs-api</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apache.olingo</groupId>
        <artifactId>odata-commons-core</artifactId>
        <version>${olingo.commons}</version>
    </dependency>

    <!-- HANA & Cloud Connectors -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-cloudfoundry-connector</artifactId>
        <version>1.2.2.RELEASE</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>com.sap.hana.cloud</groupId>
        <artifactId>spring-cloud-cloudfoundry-hana-service-connector</artifactId>
        <version>1.0.4.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-spring-service-connector</artifactId>
        <version>1.2.2.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>com.sap.cloud.db.jdbc</groupId>
        <artifactId>ngdbc</artifactId>
        <version>2.3.55</version>
    </dependency>

    <!-- SAP cloud security -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>5.3.4.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>com.sap.cloud.security.xsuaa</groupId>
        <artifactId>xsuaa-spring-boot-starter</artifactId>
        <version>${sap.cloud.security.version}</version>
    </dependency>

    <!-- Email -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-mail</artifactId>
    </dependency>

    <dependency>
        <groupId>io.pivotal.cfenv</groupId>
        <artifactId>java-cfenv-boot</artifactId>
        <version>2.2.2.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>

    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${io.guava.version}</version>
    </dependency>

    <dependency>
        <groupId>com.jayway.jsonpath</groupId>
        <artifactId>json-path</artifactId>
    </dependency>

    <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>${org.json.version}</version>
    </dependency>

    <!-- H2 Database -->
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<profiles>
    <profile>
        <id>local</id>
        <properties>
            <activatedProperties>local</activatedProperties>
        </properties>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
    </profile>
    <profile>
        <id>cloud</id>
        <activation>
            <activeByDefault>false</activeByDefault>
        </activation>
        <properties>
            <activatedProperties>cloud</activatedProperties>
        </properties>
    </profile>
</profiles>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

</project>

liga-oz commented 3 years ago

Hi @anshulsaxena-93,

this seems to be related to #429, please try out the solution: https://github.com/SAP/cloud-security-xsuaa-integration/issues/429#issuecomment-743116356

Kind Regards, Liga

folz-a commented 3 years ago

Any ETA when the fix will be part of a release?

liga-oz commented 3 years ago

Hi @folz-a,

in Q1 2021.

Best Regards, Liga

liga-oz commented 3 years ago

Fixed with version 2.8.1