Closed nenaraab closed 2 years ago
Solution
The issue was fixed with release 2.11.4 when using Spring Rest Operations, or 2.11.5 when using Apache Rest Client.
Release Notes:
https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.11.4
https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.11.5
Fixes with 2.11.5 version.
Furthermore, I'm happy to announce that the latest version of the SAP Java Buildpack, sap_java_buildpack-v1.45.3.zip, is available on canary, which also contains this version.
C02YC4ERJGH6:lib d048418$ cf buildpacks
Getting buildpacks as nena.raab@sap.com...
position name stack enabled locked filename
....
12 sap_java_buildpack true false sap_java_buildpack-v1.45.3.zip
13 sap_java_buildpack_1_45 true false sap_java_buildpack-v1.45.3.zip
14 sap_java_buildpack_1_43 true false sap_java_buildpack-v1.43.0.zip
15 sap_java_buildpack_1_42 true false sap_java_buildpack-v1.42.0.zip
This is the latest SJB version for that year.
Issue Summary
With this version the correlation id header was introduced for outgoing token requests. As the cache key gets derived from the headers and the correlation id header is always unique per request, the CacheKey used is by definition always different. Therefore the token cache is never used and always bypassed.
This is an issue for all applications that excessively fetch (mTLS-based) tokens or perform token exchanges to call reuse-services.
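The cache bypass described in the issue summary, reproduced as an added example (Java 16+) that is not code from the library or from this issue. The class, the `X-CorrelationID` header name, the endpoint URL and the `excludeCorrelationId` switch are assumptions made for illustration; the switch shows one way to keep per-request tracing data out of a cache key, not necessarily how the releases above fixed it.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration: all names here are hypothetical, not the library's API.
public class TokenCacheKeyDemo {
    static final String CORRELATION_HEADER = "X-CorrelationID"; // assumed header name

    // Key derived from endpoint, request parameters and headers, as the issue describes.
    record CacheKey(String endpoint, Map<String, String> params, Map<String, String> headers) {}

    private final Map<CacheKey, String> cache = new HashMap<>();
    private final boolean excludeCorrelationId;
    int backendCalls = 0;

    TokenCacheKeyDemo(boolean excludeCorrelationId) {
        this.excludeCorrelationId = excludeCorrelationId;
    }

    String getToken(String endpoint, Map<String, String> params) {
        Map<String, String> headers = new HashMap<>();
        headers.put("Accept", "application/json");
        headers.put(CORRELATION_HEADER, UUID.randomUUID().toString()); // unique per request

        Map<String, String> keyHeaders = new HashMap<>(headers);
        if (excludeCorrelationId) {
            keyHeaders.remove(CORRELATION_HEADER); // tracing data must not shape the key
        }
        CacheKey key = new CacheKey(endpoint, Map.copyOf(params), Map.copyOf(keyHeaders));
        return cache.computeIfAbsent(key, k -> requestToken(headers));
    }

    // Stand-in for the HTTP call to the token endpoint; returns a constructed value.
    private String requestToken(Map<String, String> headers) {
        backendCalls++;
        return "constructed-token-" + backendCalls;
    }

    public static void main(String[] args) {
        Map<String, String> params = Map.of("grant_type", "client_credentials", "client_id", "demo-client");
        for (boolean exclude : new boolean[] {false, true}) {
            TokenCacheKeyDemo service = new TokenCacheKeyDemo(exclude);
            for (int i = 0; i < 100; i++) {
                service.getToken("https://auth.example.invalid/oauth/token", params);
            }
            System.out.printf("excludeCorrelationId=%b -> %d token requests for 100 calls%n",
                    exclude, service.backendCalls);
        }
    }
}
```

Counting backend calls per logical request, as `backendCalls` does here, is also a practical regression check: a cache hit ratio near zero for identical token requests points to a volatile value in the key.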