Box Java SDK

The Box Java SDK for interacting with the Box Content API.

Latest Release

Latest release can be found here.

Versions

We use a modified version of Semantic Versioning for all changes. See version strategy for details which is effective from 30 July 2022.

Supported Version

Only the current MAJOR version of SDK is supported. New features, functionality, bug fixes, and security updates will only be added to the current MAJOR version.

A current release is on the leading edge of our SDK development, and is intended for customers who are in active development and want the latest and greatest features. Instead of stating a release date for a new feature, we set a fixed minor or patch release cadence of maximum 2-3 months (while we may release more often). At the same time, there is no schedule for major or breaking release. Instead, we will communicate one quarter in advance the upcoming breaking change to allow customers to plan for the upgrade. We always recommend that all users run the latest available minor release for whatever major version is in use. We highly recommend upgrading to the latest SDK major release at the earliest convenient time and before the EOL date.

Version schedule

Getting Started

Getting Started Docs: https://developer.box.com/guides/tooling/sdks/java/ API Reference: https://developer.box.com/reference/

Quickstart

The SDK can be obtained by adding it as a maven dependency, cloning the source into your project, or by downloading one of the precompiled JARs from the releases page on GitHub.

IF YOU USE THE JAR, you'll also need to include several dependencies:

1. minimal-json v0.9.5 Maven: com.eclipsesource.minimal-json:minimal-json:0.9.5
2. jose4j v0.7.9 Maven: org.bitbucket.b_c:jose4j:0.7.9
3. bouncycastle bcprov-jdk15on v1.57 Maven: org.bouncycastle:bcprov-jdk15on:1.57
4. bouncycastle bcpkix-jdk15on v1.57 Maven: org.bouncycastle:bcpkix-jdk15on:1.57
5. Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 If you don't install this, you'll get an exception about key length or exception about parsing PKCS private key for Box Developer Edition. This is not a Box thing, this is a U.S. Government requirement concerning strong encryption. The listed jar is for Oracle JRE. There might be other similar JARs for different JRE versions like the one below for IBM JDK Java Cryptography Extension for IBM JDK

An app has to be authorized by the admin of the enterprise before these tests. It's always good to begin with the Getting Started Section at Box's developer website

Quick Test

Following things work only if the app has been configured and authorized as mentioned here

Here is a simple example of how to authenticate with the API using a developer token and then print the ID and name of each item in your root folder.

BoxAPIConnection api = new BoxAPIConnection("developer-token");
BoxFolder rootFolder = BoxFolder.getRootFolder(api);
for (BoxItem.Info itemInfo : rootFolder) {
    System.out.format("[%s] %s\n", itemInfo.getID(), itemInfo.getName());
}

For more details on how to get started, check out the overview guide. It has a short explanation of how the SDK works and how you can get started using it.

Sample Projects

Three sample projects can be found in src/example.

Main

This project will output your name and a list of the files and folders in your root directory.

To run the project, first provide a developer token in src/example/java/com/box/sdk/example/Main.java. You can obtain a developer token from your application's developer console.

public final class Main {
    private static final String DEVELOPER_TOKEN = "<YOUR_DEVELOPER_TOKEN>";

    // ...
}

Then just invoke gradle runExample to run the Main example!

Other projects

Below projects need app configurations stored in JSON format in config.json file at location src/example/config/.

This configuration file can be downloaded from your application's Configuration tab in the developer console

CreateAppUser

This project will output the user id of enterprise admin and will create a new App User for the enterprise.

To run the project, first provide the name of the app user in src/example/java/com/box/sdk/example/CreateAppUser.java.

public final class CreateAppUser {

    private static final String APP_USER_NAME = "";
    private static final String EXTERNAL_APP_USER_ID = "";

    // ...
}

Then just invoke gradle runCreateAppUser to run the CreateAppUser example!

Note: The JCE bundled with oracle JRE supports keys upto 128 bit length only. To use larger cryptographic keys, install JCE Unlimited Strength Jurisdiction Policy Files.

AccessAsAppUser

This project will retrieve the information of the given App User and will list the files/folders under root folder.

To run the project, first provide the Id of the app user in src/example/java/com/box/sdk/example/CreateAppUser.java.

public final class AccessAsAppUser {

    private static final String USER_ID = "";

    // ...
}

Then just invoke gradle runAccessAsAppUser to run the AccessAsAppUser example!

Note: The JCE bundled with oracle JRE supports keys upto 128 bit length only. To use larger cryptographic keys, install JCE Unlimited Strength Jurisdiction Policy Files.

BoxDeveloperEditionAPIConnectionAsEnterpriseUser

This example shows how to get tokens for an enterprise user, say admin of the enterprise and do actions on behalf of admin.

To run the project, follow below steps

1. Turn on Enterprise in Application Access section in Developer Console for the app

2. Turn on Generate User Access Tokens in Advanced Features section in Developer Console for the app

3. Provide the Id of the admin user (or any enterprise user) in src/example/java/com/box/sdk/example/BoxDeveloperEditionAPIConnectionAsEnterpriseUser.java.

public final class BoxDeveloperEditionAPIConnectionAsEnterpriseUser {

   private static final String USER_ID = "";
   // ...
   Reader reader = new FileReader("src/example/config/config.json");
   BoxConfig boxConfig = BoxConfig.readFrom(reader);

   BoxDeveloperEditionAPIConnection api = 
           new BoxDeveloperEditionAPIConnection(USER_ID, DeveloperEditionEntityType.USER, boxConfig, accessTokenCache);
}

Compatibility

The Box Java SDK is compatible with Java 8 and up.

Building

The SDK uses Gradle for its build system. SDK comes with Gradle wrapper. Running ./gradlew build from the root of the repository will compile, lint, and test the SDK.

$ ./gradlew build

The SDK also includes integration tests which make real API calls, and therefore are run separately from unit tests. Integration tests should be run against a test account since they create and delete data. To run the integration tests, remove the .template extension from src/test/config/config.properties.template and fill in your test account's information. Then run:

$ ./gradlew integrationTest

Documentation

You can find guides and tutorials in the doc directory.

• BUILD ON BOX PLATFORM
• Javadocs
• Overview
• Configuration
• Logging
• Authentication
• Files
• Folders
• Comments
• Collaborations
• Collaboration Allowlists
• Events
• Search
• Users
• Groups
• Tasks
• Trash
• Collections
• Devices
• Retention Policies
• Legal Holds Policy
• Watermarking
• Webhooks
• Web Links
• Metadata Templates
• Classifications
• Recent Items

Javadocs are generated when gradle javadoc is run and can be found in build/doc/javadoc.

Vulnerabilities in Bouncycastle libraries

In Box Java SDK we are using:

• org.bouncycastle:bcpkix-jdk15on:1.57
• org.bouncycastle:bcprov-jdk15on:1.57

There are some moderate vulnerabilities reported against those versions:

• CVE-2020-26939 - Observable Differences in Behavior to Error Inputs in Bouncy Castle
• CVE-2020-15522 - Timing based private key exposure in Bouncy Castle

We cannot upgrade those libraries as they are working with FIPS 140-2 certified cryptographic module. Some of our customers require certified cryptography module and our SDK must work with it.

If you want to use modern bcpkix-jdk15on and bcprov-jdk15on than you can exclude them while importing Java Box SDK and provide you own versions:

Gradle example

implementation('com.box:box-java-sdk:x.y.z') {
   exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
   exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
}
runtimeOnly('org.bouncycastle:bcprov-jdk15on:1.70')
runtimeOnly('org.bouncycastle:bcpkix-jdk15on:1.70')

Maven example:

<dependencies>
   <dependency>
      <groupId>com.box</groupId>
      <artifactId>box-java-sdk</artifactId>
      <version>x.y.z</version>
      <scope>compile</scope>
      <exclusions>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk15on</artifactId>
        </exclusion>
         <exclusion>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
         </exclusion>
      </exclusions> 
   </dependency>
   <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.70</version>
      <scope>runtime</scope>
   </dependency>
   <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
      <version>1.70</version>
      <scope>runtime</scope>
   </dependency>
</dependencies>

Copyright and License

Copyright 2019 Box, Inc. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.