SecurityContext broken for version 5.9.0 using AMS

[SAPilot]

Issue Description

We got an issue with the new update

com.sap.cloud.sdk:sdk-bom (source)	import	minor	5.8.0 -> 5.9.0

[newtork]

(Just a guess) We updated the security library from 3.4.0 to 3.4.3

Could you check what happens if you enforce the previous library version by prepending (or was it appending?) the following to the SDK BOM entry in your POM...?

<!-- SAP Business Technology Platform - Cloud Foundry XSUAA Client -->
<dependency>
  <groupId>com.sap.cloud.security</groupId>
  <artifactId>java-bom</artifactId>
  <version>3.4.0</version>
  <scope>import</scope>
  <type>pom</type>
</dependency>

[SAPilot]

adding this dependency in dependencyManagement with version 3.5.0 fixed the issue temporarily

[newtork]

Could you please share the mvn dependency:tree of the failing project? There seems to be a dependency conflict for transitive com.sap.cloud.security artifacts

[SAPilot]

Updating the security-patched-spring-boot-starter to version 3.2.6-sap-01 fixed the issue

<groupId>com.sap.sgs</groupId>
<artifactId>security-patched-spring-boot-starter</artifactId>
<version>3.2.6-sap-01</version>

[SAPilot]

Issue is not fixed. There is a difference between running all the tests at once and running classes separately. If one is running all the tests, there is no issue. Running a test class e.g. FiscalYearVariantPeriodIntegrationTest is causing Cannot invoke "com.sap.cloud.security.ams.api.Principal.getAttributes()" because "principal" is null

Adding the cloud.security.version 3.5.0 is working at the moment:

<dependencyManagement>
    <dependencies>
       <dependency>
          <groupId>com.sap.cloud.security</groupId>
          <artifactId>java-bom</artifactId>
          <version>${com.sap.cloud.security.version}</version>
          <type>pom</type>
          <scope>import</scope>
       </dependency>
    </dependencies>
</dependencyManagement>

Dependency tree without the dependency above:

com.sap.finance.grl:grl-period-control-srv:jar:1.0.0 +- com.sap.cds:cds-starter-spring-boot:jar:2.9.1:compile | +- com.sap.cds:cds-services-api:jar:2.9.1:compile | | +- com.sap.cds:cds4j-api:jar:2.9.2:compile | | - com.sap.cloud.environment.servicebinding.api:java-core-api:jar:0.10.5:compile | +- com.sap.cds:cds-services-impl:jar:2.9.1:compile | | +- com.sap.cloud.environment.servicebinding.api:java-access-api:jar:0.10.5:compile | | - org.apache.commons:commons-csv:jar:1.10.0:compile | +- com.sap.cds:cds-feature-jdbc:jar:2.9.1:runtime | | +- com.sap.cds:cds4j-runtime:jar:2.9.2:runtime | | | - com.sap.cds:cds4j-jdbc-spi:jar:2.9.2:runtime | | - com.sap.cds:cds4j-tx:jar:2.9.2:runtime | +- com.sap.cds:cds-framework-spring-boot:jar:2.9.1:runtime | +- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile | | +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.2.5:compile | | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.20:compile | | | - org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.20:compile | | - org.springframework:spring-webmvc:jar:6.1.6:compile | - org.springframework.boot:spring-boot-starter-jdbc:jar:3.2.5:compile | +- com.zaxxer:HikariCP:jar:5.0.1:compile | - org.springframework:spring-jdbc:jar:6.1.6:compile +- com.sap.cds:cds-adapter-odata-v4:jar:2.9.1:runtime | +- com.sap.cds:cds-adapter-api:jar:2.9.1:compile | +- com.sap.cds:cds-services-utils:jar:2.9.1:compile | | +- com.sap.cloud.sdk.cloudplatform:connectivity-oauth:jar:5.9.0:compile | | +- io.opentelemetry:opentelemetry-api:jar:1.31.0:compile | | | - io.opentelemetry:opentelemetry-context:jar:1.31.0:compile | | +- com.sap.cloud.security.xsuaa:token-client:jar:3.4.3:compile | | - com.sap.cloud.mt:tools:jar:2.9.2:compile | +- com.sap.cds:cds4j-core:jar:2.9.2:compile | +- com.sap.cloud.mt:cds-mtx:jar:2.9.2:compile | | - commons-io:commons-io:jar:2.16.1:compile | +- com.sap.cds.repackaged:odata-v4-lib:jar:2.9.1:runtime | | +- commons-codec:commons-codec:jar:1.16.1:compile | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.15.4:runtime | | | - org.codehaus.woodstox:stax2-api:jar:4.2.1:runtime | | - com.fasterxml:aalto-xml:jar:1.3.2:runtime | - org.slf4j:slf4j-api:jar:2.0.13:compile +- com.sap.cds:cds-starter-cloudfoundry:jar:2.9.1:compile | +- com.sap.cds:cds-feature-hana:jar:2.9.1:compile | | - com.sap.cloud.db.jdbc:ngdbc:jar:2.20.17:compile | +- com.sap.cds:cds-feature-mt:jar:2.9.1:compile | | +- com.sap.cds:cds-integration-cloud-sdk:jar:2.9.1:compile | | | - com.sap.cloud.sdk.frameworks:resilience4j:jar:4.30.0:compile | | +- com.sap.cloud.mt:multi-tenant-runtime:jar:2.9.2:compile | | - com.sap.cloud.mt:multi-tenant-subscription:jar:2.9.2:compile | | - com.sap.cloud.instancemanager:client:jar:3.14.0:compile | +- com.sap.cds:cds-feature-cloudfoundry:jar:2.9.1:compile | | - com.sap.cloud.environment.servicebinding:java-sap-vcap-services:jar:0.10.5:compile | +- com.sap.cds:cds-feature-xsuaa:jar:2.9.1:compile | - com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:3.4.3:compile | - com.sap.cloud.security.xsuaa:spring-xsuaa:jar:3.4.3:compile | - org.apache.logging.log4j:log4j-to-slf4j:jar:2.21.1:compile | - org.apache.logging.log4j:log4j-api:jar:2.21.1:compile +- com.sap.cds:cds-feature-kafka:jar:2.9.1:compile | +- com.sap.cds:cds-services-messaging:jar:2.9.1:compile | | - jakarta.jms:jakarta.jms-api:jar:3.1.0:compile | - org.apache.kafka:kafka-clients:jar:3.6.2:compile | +- com.github.luben:zstd-jni:jar:1.5.5-1:runtime | +- org.lz4:lz4-java:jar:1.8.0:runtime | - org.xerial.snappy:snappy-java:jar:1.1.10.4:runtime +- com.sap.cds:cds-feature-identity:jar:2.9.1:compile | +- com.sap.cloud.security:java-api:jar:3.4.3:compile | - com.sap.cloud.security:java-security:jar:3.4.3:compile +- org.projectlombok:lombok:jar:1.18.32:provided +- com.sap.hcp.cf.logging:cf-java-logging-support-logback:jar:3.8.3:compile | - com.sap.hcp.cf.logging:cf-java-logging-support-core:jar:3.8.3:compile | - com.fasterxml.jackson.jr:jackson-jr-objects:jar:2.15.4:compile +- com.sap.hcp.cf.logging:cf-java-logging-support-servlet-jakarta:jar:3.8.3:compile | +- com.auth0:java-jwt:jar:4.4.0:compile | - com.fasterxml.jackson.core:jackson-databind:jar:2.17.1:compile +- org.springframework:spring-core:jar:6.1.6:compile | - org.springframework:spring-jcl:jar:6.1.6:compile +- org.springframework:spring-web:jar:6.1.6:compile | +- org.springframework:spring-beans:jar:6.1.6:compile | - io.micrometer:micrometer-observation:jar:1.12.5:compile | - io.micrometer:micrometer-commons:jar:1.12.5:compile +- org.springframework.retry:spring-retry:jar:2.0.5:compile +- org.springframework.boot:spring-boot-starter-actuator:jar:3.2.5:compile | +- org.springframework.boot:spring-boot-starter:jar:3.2.5:compile | | +- org.springframework.boot:spring-boot:jar:3.2.5:compile | | +- org.springframework.boot:spring-boot-starter-logging:jar:3.2.5:compile | | | +- ch.qos.logback:logback-classic:jar:1.4.14:compile | | | | - ch.qos.logback:logback-core:jar:1.4.14:compile | | | - org.slf4j:jul-to-slf4j:jar:2.0.13:compile | | - jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:3.2.5:compile | | - org.springframework.boot:spring-boot-actuator:jar:3.2.5:compile | - io.micrometer:micrometer-jakarta9:jar:1.12.5:compile | - io.micrometer:micrometer-core:jar:1.12.5:compile | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:runtime | - org.latencyutils:LatencyUtils:jar:2.0.3:runtime +- org.springframework.boot:spring-boot-starter-security:jar:3.2.5:compile | +- org.springframework:spring-aop:jar:6.1.6:compile | +- org.springframework.security:spring-security-config:jar:6.2.4:compile | | - org.springframework:spring-context:jar:6.1.6:compile | - org.springframework.security:spring-security-web:jar:6.2.4:compile | - org.springframework:spring-expression:jar:6.1.6:compile +- org.springframework.boot:spring-boot-starter-aop:jar:3.2.5:compile | - org.aspectj:aspectjweaver:jar:1.9.22:compile +- org.springframework.boot:spring-boot-starter-validation:jar:3.2.5:compile | +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.20:compile | - org.hibernate.validator:hibernate-validator:jar:8.0.1.Final:compile | +- org.jboss.logging:jboss-logging:jar:3.5.3.Final:compile | - com.fasterxml:classmate:jar:1.6.0:compile +- com.sap.dwc:util-cap:jar:2.3.8:compile | +- org.apache.httpcomponents.client5:httpclient5:jar:5.2.3:compile | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.4:compile | | - org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile | - com.sap.dwc.commons:commons-util:jar:2.23.0:compile +- com.sap.dwc:util-headers:jar:2.3.8:compile | - com.sap.dwc:util-model:jar:2.3.8:compile +- com.sap.dwc:util-product-config:jar:2.3.8:compile +- com.sap.dwc:util-mutual-authentication:jar:2.3.8:compile | +- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile | - org.bouncycastle:bcpkix-jdk18on:jar:1.78.1:compile | - org.bouncycastle:bcutil-jdk18on:jar:1.78.1:compile +- com.sap.dwc:util-btp-security-lib-integration:jar:2.3.8:compile | - com.jayway.jsonpath:json-path:jar:2.9.0:compile +- com.sap.dwc:util-routing:jar:2.3.8:compile +- com.sap.calm.x:calm-kafka-clientlib:jar:2.1.2-20240514134521_dcf171eca96141e071f99ee50be94b32d425ee8d:compile | +- io.cloudevents:cloudevents-json-jackson:jar:3.0.0:compile | | - io.cloudevents:cloudevents-core:jar:3.0.0:compile | | - io.cloudevents:cloudevents-api:jar:3.0.0:compile | +- io.cloudevents:cloudevents-kafka:jar:3.0.0:compile | +- org.apache.avro:avro:jar:1.11.3:compile | +- org.apache.commons:commons-compress:jar:1.26.0:compile | +- org.immutables:value:jar:2.10.1:compile | +- com.fasterxml.jackson.core:jackson-core:jar:2.17.1:compile | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.17.1:compile | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.4:compile | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.17.1:compile | +- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile | +- com.sap.cloud.sdk.cloudplatform:connectivity-dwc:jar:5.9.0:compile | +- org.jsoup:jsoup:jar:1.15.3:compile | +- org.springframework.security:spring-security-oauth2-client:jar:6.2.4:compile | | +- org.springframework.security:spring-security-oauth2-core:jar:6.2.4:compile | | - com.nimbusds:oauth2-oidc-sdk:jar:9.43.3:compile | | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile | | +- com.nimbusds:content-type:jar:2.2:compile | | - com.nimbusds:lang-tag:jar:1.7:compile | +- org.springframework.kafka:spring-kafka:jar:3.1.4:compile | | +- org.springframework:spring-messaging:jar:6.1.6:compile | | - org.springframework:spring-tx:jar:6.1.6:compile | +- io.pivotal.cfenv:java-cfenv:jar:3.1.5:compile | | - com.cedarsoftware:json-io:jar:4.19.1:compile | | - com.novell.ldap:jldap:jar:2009-10-07:compile | +- org.apache.commons:commons-collections4:jar:4.4:compile | +- com.google.code.gson:gson:jar:2.10.1:compile | +- org.springframework.cloud:spring-cloud-context:jar:4.1.2:compile | | - org.springframework.security:spring-security-crypto:jar:6.2.4:compile | - org.apache.commons:commons-text:jar:1.12.0:compile +- com.sap.cloud.tenantlifecycle:euporie-api:jar:2.0.0-20240509122112_728368f5a0a8fe4a41ee5bc1db6f3859eaca64e1:compile | +- org.springframework.boot:spring-boot-starter-json:jar:3.2.5:compile | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.15.4:compile | | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.15.4:compile | - com.sap.cloud.tenantlifecycle:euporie-api-domain:jar:2.0.0-20240509122112_728368f5a0a8fe4a41ee5bc1db6f3859eaca64e1:compile +- com.sap.cloud.tenantlifecycle:hegemone-specs:jar:2.0.0-20240513130705_00f533e420545e0e839cf760869d2eb3facaa160:compile +- com.sap.cloud.sdk.cloudplatform:dwc-cf:jar:5.9.0:compile | - com.sap.cloud.sdk:sdk-core:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:connectivity-destination-service:jar:5.9.0:compile | - com.sap.cloud.sdk.cloudplatform:servlet-jakarta:jar:5.9.0:compile +- com.sap.cloud.sdk.cloudplatform:resilience:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:resilience-api:jar:5.9.0:compile | - com.sap.cloud.sdk.cloudplatform:resilience4j:jar:5.9.0:compile | +- io.github.resilience4j:resilience4j-circuitbreaker:jar:2.2.0:compile | | - io.github.resilience4j:resilience4j-core:jar:2.2.0:compile | +- io.github.resilience4j:resilience4j-bulkhead:jar:2.2.0:compile | +- io.github.resilience4j:resilience4j-timelimiter:jar:2.2.0:compile | +- io.github.resilience4j:resilience4j-retry:jar:2.2.0:compile | +- io.github.resilience4j:resilience4j-ratelimiter:jar:2.2.0:compile | - javax.cache:cache-api:jar:1.1.1:compile +- com.sap.cloud.sdk.cloudplatform:connectivity-apache-httpclient4:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:cloudplatform-core:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:cloudplatform-connectivity:jar:5.9.0:compile | | - com.mikesamuel:json-sanitizer:jar:1.2.3:compile | +- com.sap.cloud.sdk.cloudplatform:caching:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:tenant:jar:5.9.0:compile | +- com.sap.cloud.sdk.cloudplatform:security:jar:5.9.0:compile | +- org.slf4j:jcl-over-slf4j:jar:2.0.13:runtime | +- io.vavr:vavr:jar:0.10.4:compile | | - io.vavr:vavr-match:jar:0.10.4:compile | +- com.google.guava:guava:jar:33.2.0-jre:compile | | +- com.google.guava:failureaccess:jar:1.0.2:compile | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile | | +- org.checkerframework:checker-qual:jar:3.43.0:compile | | +- com.google.errorprone:error_prone_annotations:jar:2.27.1:compile | | - com.google.j2objc:j2objc-annotations:jar:3.0.0:compile | +- com.github.ben-manes.caffeine:caffeine:jar:3.1.8:compile | +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile | +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile | - org.apache.commons:commons-lang3:jar:3.14.0:compile +- com.sap.cp.auditlog:audit-java-client-api:jar:2.6.0:compile +- com.sap.cp.auditlog:audit-java-client-impl:jar:2.6.0:compile | +- com.sap.cloud.security:env:jar:3.4.3:compile | | +- com.sap.cloud.environment.servicebinding:java-sap-service-operator:jar:0.10.5:compile | | +- com.sap.cloud.environment.servicebinding.api:java-consumption-api:jar:0.10.5:compile | | - org.json:json:jar:20231013:compile | - com.sap.cp.auditlog:auditlog-common:jar:2.2.16:compile +- io.swagger.core.v3:swagger-annotations:jar:2.2.21:compile +- org.openapitools:jackson-databind-nullable:jar:0.2.6:compile +- com.sap.cloud.security:resourceserver-security-spring-boot-starter:jar:3.4.3:compile | +- com.sap.cloud.security:spring-security:jar:3.4.3:compile | | +- com.nimbusds:nimbus-jose-jwt:jar:9.37.3:compile | | - io.projectreactor:reactor-core:jar:3.6.5:compile | | - org.reactivestreams:reactive-streams:jar:1.0.4:compile | +- org.springframework.security:spring-security-oauth2-jose:jar:6.2.4:compile | +- org.springframework.security:spring-security-oauth2-resource-server:jar:6.2.4:compile | - org.springframework.boot:spring-boot-autoconfigure:jar:3.2.5:compile +- com.sap.cloud.security.ams.client:cap-support:jar:1.4.0:compile | - com.sap.cloud.security.ams.dcl:client:jar:0.20.0:compile +- com.sap.cloud.security.ams.client:jakarta-ams:jar:1.4.0:compile | - com.sap.cloud.security.ams.dcl:rt.opa:jar:0.20.0:runtime | - com.sap.cloud.security.ams.dcl:spi:jar:0.20.0:runtime +- com.sap.cloud.security.ams.client:spring-boot-starter-ams-resourceserver:jar:1.4.0:compile | - com.sap.cloud.security.ams.client:spring-ams:jar:1.4.0:compile +- org.yaml:snakeyaml:jar:2.2:compile +- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test | +- org.springframework.boot:spring-boot-test:jar:3.2.5:test | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:3.2.5:test | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:test | | - jakarta.activation:jakarta.activation-api:jar:2.1.3:test | +- net.minidev:json-smart:jar:2.5.1:compile | | - net.minidev:accessors-smart:jar:2.5.1:compile | | - org.ow2.asm:asm:jar:9.6:compile | +- org.assertj:assertj-core:jar:3.24.2:test | | - net.bytebuddy:byte-buddy:jar:1.14.13:test | +- org.awaitility:awaitility:jar:4.2.1:test | +- org.hamcrest:hamcrest:jar:2.2:test | +- org.mockito:mockito-core:jar:5.7.0:test | | +- net.bytebuddy:byte-buddy-agent:jar:1.14.13:test | | - org.objenesis:objenesis:jar:3.3:test | +- org.mockito:mockito-junit-jupiter:jar:5.7.0:test | +- org.skyscreamer:jsonassert:jar:1.5.1:test | +- org.springframework:spring-test:jar:6.1.6:test | - org.xmlunit:xmlunit-core:jar:2.9.1:test +- org.junit.jupiter:junit-jupiter:jar:5.10.2:test | - org.junit.jupiter:junit-jupiter-api:jar:5.10.2:test | +- org.opentest4j:opentest4j:jar:1.3.0:test | - org.junit.platform:junit-platform-commons:jar:1.10.2:test +- org.junit.jupiter:junit-jupiter-engine:jar:5.10.2:test | +- org.junit.platform:junit-platform-engine:jar:1.10.2:test | - org.apiguardian:apiguardian-api:jar:1.1.2:test +- org.junit.jupiter:junit-jupiter-params:jar:5.10.2:test +- com.h2database:h2:jar:2.2.224:test +- org.springframework.security:spring-security-test:jar:6.2.4:test | - org.springframework.security:spring-security-core:jar:6.2.4:compile +- com.sap.cloud.security.ams.client:spring-boot-starter-ams-test:jar:1.4.0:test +- com.sap.cloud.security.ams.client:java-ams-test:jar:1.4.0:test | - com.sap.cloud.security.opa:binaries:pom:0.60.0-sap-0.3.7:test | +- com.sap.cloud.security.opa:binaries.linux:jar:0.60.0-sap-0.3.7:test | +- com.sap.cloud.security.opa:binaries.macos:jar:0.60.0-sap-0.3.7:test | - com.sap.cloud.security.opa:binaries.windows:jar:0.60.0-sap-0.3.7:test +- com.sap.cumulus.jiralinking:jira-annotation:jar:3.5.3:test +- com.sap.cloud.security:java-security-test:jar:3.4.3:test | +- junit:junit:jar:4.13.2:test | | - org.hamcrest:hamcrest-core:jar:2.2:test | +- org.eclipse.jetty:jetty-server:jar:12.0.8:test | | +- org.eclipse.jetty:jetty-http:jar:12.0.8:test | | | - org.eclipse.jetty:jetty-util:jar:12.0.8:test | | - org.eclipse.jetty:jetty-io:jar:12.0.8:test | +- org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.0.8:test | | +- jakarta.servlet:jakarta.servlet-api:jar:6.0.0:test | | +- org.eclipse.jetty:jetty-security:jar:12.0.8:test | | - org.eclipse.jetty:jetty-session:jar:12.0.8:test | +- org.eclipse.jetty.ee10:jetty-ee10-webapp:jar:12.0.8:test | | - org.eclipse.jetty:jetty-xml:jar:12.0.8:test | - org.wiremock:wiremock-standalone:jar:3.5.4:test +- com.tngtech.archunit:archunit:jar:1.3.0:test +- com.google.code.bean-matchers:bean-matchers:jar:0.14:test - org.reflections:reflections:jar:0.10.2:test +- org.javassist:javassist:jar:3.28.0-GA:test - com.google.code.findbugs:jsr305:jar:3.0.2:compile

[newtork]

• I took your project from main branch - having SDK 5.9.0.
• I ran mvn clean install successfully without issues, like you said.
• I ran test FiscalYearVariantPeriodIntegrationTest via IntelliJ and observed the same error message you explained.

However when I downgrade SDK to 5.8.0, then I still observed the same error.

• Therefore I would decline SDK involvement in this problem.
• You could check why mvn clean install works for the whole project, but not for individual tests - could be a test setup issue.
• You could check whether the application works when deployed, or whether you see the same error message like above.
• You could approach the DwC colleagues and open a ticket there.

While debugging I've definitely noticed some incompatibilities between SAP Security Library and DwC Library

Debugging protocol

Policy Evaluator calls com.sap.cloud.security.ams.api.Principal.create()

(Screenshot)

calls com.sap.cloud.security.ams.api.PrincipalBuilder#createPrincipalFromSecurityContext( class com.sap.cloud.security.adapter.spring.SpringSecurityContext )

(Screenshot)

calls com.sap.cloud.security.adapter.spring.SpringSecurityContext#getToken()

(Screenshot)

SAP Spring Security Library does not have logic implemented to resolve a token from DwcPrincipal. Returning null.

My observation: When getToken() resolves to null then a Principal will not be created, leading to NullPointerException.

[SAPilot]

Thank you for your help. I created the follow up issue in DwC https://github.tools.sap/deploy-with-confidence/issues/issues/2373