** Do not use 4.35.0 **

Warning

Please use the next version of UAA as we identified a backward incompatibility issue in upgrading to Spring Security 5 on 7/19/2019, the next release would revert this unexpected breaking change.

Features

• Improve performance for /Users/ endpoint by 10+ times

Updates

• CVE-2019-3794::UAA should support Content-Security-Policy on email_sent endpoint to prevent clickjacking
• Update to Spring Security 5.1.5
• Bump dependency: Upgrade org.springframework.security:spring-security-core to version 4.2.12 or later

Bug Fixes

• Users should be able to revoke their own tokens without needing uaa.admin or tokens.revoke
• UAA should allow case variations in redirect uri domains
• Documentation Improvement: UAA security administrators can view UAA audit events in https://docs.cloudfoundry.org/
• Documentation Bug: typo in expireInMonths

Stories included in this release are prepared by @wc22222