improve domain validation handling

improve domain validation handling

• Split token-client module into three modules for improved dependency management:
  • token-client-core: Plain Java implementation without Spring dependencies
  • token-client-spring: Spring-specific implementations (SpringOAuth2TokenKeyService, SpringOidcConfigurationService, XsuaaOAuth2TokenService)
  • token-client: Wrapper module including both for backward compatibility
• Applications without Spring can now use token-client-core to avoid unnecessary Spring dependencies
• Existing applications using token-client continue to work without changes
• java-security module now depends on token-client-core instead of token-client (removing unnecessary Spring transitive dependencies)

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

• Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
• Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

• Spring Boot 3.x → 4.0.3
• Spring Framework 6.x → 7.0.5
• Spring Security 6.x → 7.0.3
• Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

• Now uses Java 11 HttpClient by default (no Apache HttpClient dependency)
• Apache HttpClient 4 constructors deprecated (removed in 5.0.0)
• Custom HTTP clients supported via SecurityHttpClientFactory

Removed Modules:

• spring-xsuaa* → use spring-security or spring-security-3
• spring-security-compatibility → use spring-security-3

Token Client Spring Classes:

• Spring-dependent classes moved to new token-client-spring module

New Features

Spring Boot 3.x Compatibility:

• spring-security-3 - Core module for Spring Boot 3.5.9
• resourceserver-security-spring-boot-3-starter - Starter for Spring Boot 3.x

Pluggable HTTP Client:

• Support for Apache HttpClient 4.x/5.x, OkHttp, SAP Cloud SDK, custom implementations

Documentation

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/MIGRATION_4.0.md

https://github.com/SAP/cloud-security-services-integration-library/blob/main/token-client/APACHE_HTTPCLIENT_MIGRATION.md

• https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md#400---major-release