From e99cde64dca17c337a300c3db51f979ded1cb133 Mon Sep 17 00:00:00 2001 From: muyao Date: Mon, 2 Feb 2026 16:58:38 +0800 Subject: [PATCH 1/2] prepare jca 2.11 --- eng/versioning/version_client.txt | 2 +- sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md | 4 +--- sdk/keyvault/azure-security-keyvault-jca/README.md | 2 +- sdk/keyvault/azure-security-keyvault-jca/pom.xml | 2 +- sdk/keyvault/azure-security-test-keyvault-jca/pom.xml | 2 +- 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/eng/versioning/version_client.txt b/eng/versioning/version_client.txt index 78057004bcff..bce8d12f8c25 100644 --- a/eng/versioning/version_client.txt +++ b/eng/versioning/version_client.txt @@ -182,7 +182,7 @@ com.azure:azure-security-attestation;1.1.38;1.2.0-beta.1 com.azure:azure-security-confidentialledger;1.0.34;1.1.0-beta.2 com.azure:azure-security-keyvault-administration;4.7.5;4.8.0-beta.1 com.azure:azure-security-keyvault-certificates;4.8.5;4.9.0-beta.1 -com.azure:azure-security-keyvault-jca;2.10.1;2.11.0-beta.1 +com.azure:azure-security-keyvault-jca;2.10.1;2.11.0 com.azure:azure-security-test-keyvault-jca;1.0.0;1.0.0 com.azure:azure-security-keyvault-keys;4.10.5;4.11.0-beta.1 com.azure:azure-security-keyvault-secrets;4.10.5;4.11.0-beta.1 diff --git a/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md b/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md index 57ba0c7bd1dd..aa059728fe20 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md +++ b/sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md 
@@ -1,12 +1,10 @@ # Release History -## 2.11.0-beta.1 (Unreleased) +## 2.11.0 (2026-02-03) ### Features Added - Added support for bearer token authentication via the `azure.keyvault.access-token` system property. This allows users to provide a pre-obtained access token for authentication, enabling multi-factor authentication scenarios without requiring client ID and client secret. Authentication priority order is: Managed Identity > Access Token > Client Credentials. -### Breaking Changes - ### Bugs Fixed - Fixed the NPE where the token object was not returned when the credential information was incorrect. - Fixed an issue where release-specific classes from BouncyCastle were not properly shaded for Java 9 and above, leading to potential class loading issues in multi-release JARs. ([#47127](https://github.com/Azure/azure-sdk-for-java/pull/47127)) diff --git a/sdk/keyvault/azure-security-keyvault-jca/README.md b/sdk/keyvault/azure-security-keyvault-jca/README.md index 90dbff7311f1..7b84f15a87d7 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/README.md +++ b/sdk/keyvault/azure-security-keyvault-jca/README.md @@ -64,7 +64,7 @@ add the direct dependency to your project as follows. com.azure azure-security-keyvault-jca - 2.10.1 + 2.11.0 ``` [//]: # ({x-version-update-end}) diff --git a/sdk/keyvault/azure-security-keyvault-jca/pom.xml b/sdk/keyvault/azure-security-keyvault-jca/pom.xml index bd54cea363c3..d88f79f83395 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/pom.xml +++ b/sdk/keyvault/azure-security-keyvault-jca/pom.xml @@ -14,7 +14,7 @@ com.azure azure-security-keyvault-jca - 2.11.0-beta.1 + 2.11.0 JCA Provider for Azure Key Vault The Java Crypto Architecture (JCA) Provider for Azure Key Vault diff --git a/sdk/keyvault/azure-security-test-keyvault-jca/pom.xml b/sdk/keyvault/azure-security-test-keyvault-jca/pom.xml index dd679f21c088..ef5629249a4c 100644 --- a/sdk/keyvault/azure-security-test-keyvault-jca/pom.xml 
+++ b/sdk/keyvault/azure-security-test-keyvault-jca/pom.xml @@ -25,7 +25,7 @@ com.azure azure-security-keyvault-jca - 2.11.0-beta.1 + 2.11.0 From 5021a18f30fa27f61adab482a268f3944c761226 Mon Sep 17 00:00:00 2001 From: Rujun Chen Date: Wed, 4 Feb 2026 14:21:44 +0800 Subject: [PATCH 2/2] Resolve api review comments for `azure-security-keyvault-jca` (#47891) (cherry picked from commit dff451eebcc1287c94cdeb246c2842c6cda879b0) --- .../keyvault/jca/KeyVaultKeyStore.java | 15 +- .../jca/KeyVaultLoadStoreParameter.java | 159 +++++++++++++++--- .../keyvault/jca/KeyVaultKeyStoreTest.java | 11 +- 3 files changed, 153 insertions(+), 32 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java index ee2d5c23cf7c..2af5c6c0af61 100644 --- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java +++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java 
@@ -182,16 +182,19 @@ public static KeyStore getKeyVaultKeyStoreBySystemProperty() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
 KeyStore keyStore = KeyStore.getInstance(KeyVaultJcaProvider.PROVIDER_NAME);
- KeyVaultLoadStoreParameter keyVaultLoadStoreParameter = new KeyVaultLoadStoreParameter(
- System.getProperty("azure.keyvault.uri"), System.getProperty("azure.keyvault.tenant-id"),
- System.getProperty("azure.keyvault.client-id"), System.getProperty("azure.keyvault.client-secret"),
- System.getProperty("azure.keyvault.managed-identity"), System.getProperty("azure.keyvault.access-token"));
+ KeyVaultLoadStoreParameter.Builder builder
+ = KeyVaultLoadStoreParameter.createBuilder(System.getProperty("azure.keyvault.uri"))
+ .tenantId(System.getProperty("azure.keyvault.tenant-id"))
+ .clientId(System.getProperty("azure.keyvault.client-id"))
+ .clientSecret(System.getProperty("azure.keyvault.client-secret"))
+ .managedIdentity(System.getProperty("azure.keyvault.managed-identity"))
+ .accessToken(System.getProperty("azure.keyvault.access-token"));
 if (Boolean.parseBoolean(System.getProperty("azure.keyvault.disable-challenge-resource-verification"))) {
- keyVaultLoadStoreParameter.disableChallengeResourceVerification();
+ builder.disableChallengeResourceVerification();
 }
- keyStore.load(keyVaultLoadStoreParameter);
+ keyStore.load(builder.build());
 return keyStore;
 }
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java
index 1b75896e2a22..2ef64cc3b4bb 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java
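Review bot: With `createBuilder(System.getProperty("azure.keyvault.uri"))` an unset `azure.keyvault.uri` system property now fails fast with IllegalArgumentException("keyVaultUri cannot be null") from the Builder constructor, whereas the removed six-argument constructor stored a null URI without validation; the new unchecked exception is not among the method's declared exceptions and its message does not name the property a user has to set. Suggest resolving the property into a local first and throwing with a message that names it, `if (keyVaultUri == null) throw new IllegalArgumentException("azure.keyvault.uri system property must be set");`, and documenting it on the method's Javadoc, which starts above this hunk, with `@throws IllegalArgumentException if the azure.keyvault.uri system property is not set`. The same null-URI behaviour change reaches the deprecated constructors in the KeyVaultLoadStoreParameter hunks at -50 and -85, which used to pass null through unchanged, and the first patch's CHANGELOG does not record it. getKeyVaultKeyStoreBySystemProperty begins outside the hunk.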
@@ -50,9 +50,11 @@ public final class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParam
 * Constructor.
 *
 * @param keyVaultUri The Azure Key Vault URI.
+ * @deprecated Use {@link #createBuilder(String)} instead for a more flexible and maintainable API.
 */
+ @Deprecated
 public KeyVaultLoadStoreParameter(String keyVaultUri) {
- this(keyVaultUri, null, null, null, null, null);
+ this(new Builder(keyVaultUri));
 }
 /**
@@ -60,9 +62,11 @@ public KeyVaultLoadStoreParameter(String keyVaultUri) {
 *
 * @param keyVaultUri The Azure Key Vault URI.
 * @param managedIdentity The managed identity.
+ * @deprecated Use {@link #createBuilder(String)} instead for a more flexible and maintainable API.
 */
+ @Deprecated
 public KeyVaultLoadStoreParameter(String keyVaultUri, String managedIdentity) {
- this(keyVaultUri, null, null, null, managedIdentity, null);
+ this(new Builder(keyVaultUri).managedIdentity(managedIdentity));
 }
 /**
@@ -72,9 +76,11 @@ public KeyVaultLoadStoreParameter(String keyVaultUri, String managedIdentity) {
 * @param tenantId The tenant id.
 * @param clientId The client id.
 * @param clientSecret The client secret.
+ * @deprecated Use {@link #createBuilder(String)} instead for a more flexible and maintainable API.
 */
+ @Deprecated
 public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String clientId, String clientSecret) {
- this(keyVaultUri, tenantId, clientId, clientSecret, null, null);
+ this(new Builder(keyVaultUri).tenantId(tenantId).clientId(clientId).clientSecret(clientSecret));
 }
 /**
@@ -85,31 +91,30 @@ public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String cl
 * @param clientId The client id.
 * @param clientSecret The client secret.
 * @param managedIdentity The managed identity.
+ * @deprecated Use {@link #createBuilder(String)} instead for a more flexible and maintainable API.
 */
+ @Deprecated
 public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
- this(keyVaultUri, tenantId, clientId, clientSecret, managedIdentity, null);
+ this(new Builder(keyVaultUri).tenantId(tenantId)
+ .clientId(clientId)
+ .clientSecret(clientSecret)
+ .managedIdentity(managedIdentity));
 }
 /**
- * Constructor.
+ * Private constructor used by the builder.
 *
- * @param keyVaultUri The Azure Key Vault URI.
- * @param tenantId The tenant id.
- * @param clientId The client id.
- * @param clientSecret The client secret.
- * @param managedIdentity The managed identity.
- * @param accessToken The access token.
+ * @param builder The builder instance.
 */
- public KeyVaultLoadStoreParameter(String keyVaultUri, String tenantId, String clientId, String clientSecret,
- String managedIdentity, String accessToken) {
-
- this.keyVaultUri = keyVaultUri;
- this.tenantId = tenantId;
- this.clientId = clientId;
- this.clientSecret = clientSecret;
- this.managedIdentity = managedIdentity;
- this.accessToken = accessToken;
+ private KeyVaultLoadStoreParameter(Builder builder) {
+ this.keyVaultUri = builder.keyVaultUri;
+ this.tenantId = builder.tenantId;
+ this.clientId = builder.clientId;
+ this.clientSecret = builder.clientSecret;
+ this.managedIdentity = builder.managedIdentity;
+ this.accessToken = builder.accessToken;
+ this.disableChallengeResourceVerification = builder.disableChallengeResourceVerification;
 }
 /**
@@ -154,7 +159,7 @@ public String getManagedIdentity() {
 *
 * @return The access token.
 */
- public String getAccessToken() {
+ String getAccessToken() {
 return accessToken;
 }
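Review bot: Narrowing `getAccessToken()` from public to package-private is a source- and binary-incompatible change for any caller outside `com.azure.security.keyvault.jca`, and the first patch's CHANGELOG hunk removes the Breaking Changes section rather than recording it. If the accessor only ever shipped in 2.11.0-beta.1 (the access-token feature is listed under 2.11.0's Features Added, which suggests so) tightening it before GA is reasonable, but the PR description should say so; otherwise keep the public method and mark it `@Deprecated` instead. Keeping the bearer token off the public surface is the better default in any case, since the token is a credential and a public getter on the parameter object makes it easy to copy into logs or diagnostics. The enclosing class continues outside the hunk.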
@@ -193,4 +198,116 @@ boolean isChallengeResourceVerificationDisabled() {
 public void disableChallengeResourceVerification() {
 disableChallengeResourceVerification = true;
 }
+
+ /**
+ * Creates a new builder instance for constructing KeyVaultLoadStoreParameter.
+ *
+ * @param keyVaultUri The Azure Key Vault URI (required).
+ * @return A new builder instance.
+ */
+ public static Builder createBuilder(String keyVaultUri) {
+ return new Builder(keyVaultUri);
+ }
+
+ /**
+ * Builder class for constructing KeyVaultLoadStoreParameter instances with a fluent API.
+ * This provides a clearer and more maintainable way to create instances compared to
+ * multiple overloaded constructors.
+ */
+ public static final class Builder {
+ private final String keyVaultUri;
+ private String tenantId;
+ private String clientId;
+ private String clientSecret;
+ private String managedIdentity;
+ private String accessToken;
+ private boolean disableChallengeResourceVerification = false;
+
+ /**
+ * Creates a new builder with the required Key Vault URI.
+ *
+ * @param keyVaultUri The Azure Key Vault URI (required).
+ */
+ private Builder(String keyVaultUri) {
+ if (keyVaultUri == null) {
+ throw new IllegalArgumentException("keyVaultUri cannot be null");
+ }
+ this.keyVaultUri = keyVaultUri;
+ }
+
+ /**
+ * Sets the tenant id for authentication.
+ *
+ * @param tenantId The tenant id.
+ * @return This builder instance.
+ */
+ public Builder tenantId(String tenantId) {
+ this.tenantId = tenantId;
+ return this;
+ }
+
+ /**
+ * Sets the client id for authentication.
+ *
+ * @param clientId The client id.
+ * @return This builder instance.
+ */
+ public Builder clientId(String clientId) {
+ this.clientId = clientId;
+ return this;
+ }
+
+ /**
+ * Sets the client secret for authentication.
+ *
+ * @param clientSecret The client secret.
+ * @return This builder instance.
+ */
+ public Builder clientSecret(String clientSecret) {
+ this.clientSecret = clientSecret;
+ return this;
+ }
+
+ /**
+ * Sets the managed identity for authentication.
+ *
+ * @param managedIdentity The user-assigned managed identity.
+ * @return This builder instance.
+ */
+ public Builder managedIdentity(String managedIdentity) {
+ this.managedIdentity = managedIdentity;
+ return this;
+ }
+
+ /**
+ * Sets the access token for authentication.
+ *
+ * @param accessToken The access token.
+ * @return This builder instance.
+ */
+ public Builder accessToken(String accessToken) {
+ this.accessToken = accessToken;
+ return this;
+ }
+
+ /**
+ * Disables verifying if the authentication challenge resource matches the Key Vault or
+ * Managed HSM domain. This verification is performed by default.
+ *
+ * @return This builder instance.
+ */
+ public Builder disableChallengeResourceVerification() {
+ this.disableChallengeResourceVerification = true;
+ return this;
+ }
+
+ /**
+ * Builds and returns a new KeyVaultLoadStoreParameter instance with the configured values.
+ *
+ * @return A new KeyVaultLoadStoreParameter instance.
+ */
+ public KeyVaultLoadStoreParameter build() {
+ return new KeyVaultLoadStoreParameter(this);
+ }
+ }
 }
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java b/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java
index 1199492586c5..c926906b8301 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java
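Review bot: `createBuilder` documents `keyVaultUri` as required but not what happens when it is missing, while the private `Builder` constructor throws IllegalArgumentException; add `@throws IllegalArgumentException if {@code keyVaultUri} is null` to the `createBuilder` Javadoc. The built `KeyVaultLoadStoreParameter` also stays mutable through the pre-existing public `disableChallengeResourceVerification()` at the top of this hunk, so callers do not actually get an immutable parameter from `build()`; consider marking that instance method `@Deprecated` with `@deprecated Use {@link Builder#disableChallengeResourceVerification()} instead.`. The Javadoc of `Builder#disableChallengeResourceVerification()` says the check is on by default but not why it matters; as I read it the check exists to stop the credential being used against an endpoint whose challenge names a resource other than the configured vault (confirm), and one sentence to that effect would help callers leave it enabled. Minor style point: `private boolean disableChallengeResourceVerification = false;` can drop the redundant `= false`.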
@@ -31,11 +31,12 @@ public class KeyVaultKeyStoreTest {
 public static void setEnvironmentProperty() {
 PropertyConvertorUtils.putEnvironmentPropertyToSystemPropertyForKeyVaultJca();
 keystore = new KeyVaultKeyStore();
- KeyVaultLoadStoreParameter parameter
- = new KeyVaultLoadStoreParameter(PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_ENDPOINT"),
- PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_TENANT_ID"),
- PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_CLIENT_ID"),
- PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_CLIENT_SECRET"));
+ KeyVaultLoadStoreParameter parameter = KeyVaultLoadStoreParameter
+ .createBuilder(PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_ENDPOINT"))
+ .tenantId(PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_TENANT_ID"))
+ .clientId(PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_CLIENT_ID"))
+ .clientSecret(PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_CLIENT_SECRET"))
+ .build();
 certificateName = PropertyConvertorUtils.getPropertyValue("AZURE_KEYVAULT_CERTIFICATE_NAME");
 keystore.engineLoad(parameter);
 }
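Review bot: After this change the test only exercises the builder path, so nothing covers the four `@Deprecated` constructors or the new null-URI rejection in `Builder`, both of which this commit introduces or alters. Suggest a small unit test asserting that `KeyVaultLoadStoreParameter.createBuilder(null)` throws IllegalArgumentException, and that a deprecated constructor and the equivalent builder chain report the same `getManagedIdentity()` and `isChallengeResourceVerificationDisabled()` values, which needs no live vault. setEnvironmentProperty's annotations start above the hunk.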