Releases: spring-projects/spring-security
5.6.8
⭐ New Features
- automatically manage docs version (with collector) #11943
🪲 Bug Fixes
- Add rncToXsd task description to CONTRIBUTING.adoc #11935
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11730
- Build fails with missing project property cloneOutputDirectory #11969
- GitHubMilestoneApiTests due_on Should Use LocalDate #11708
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11728
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11712
- RemoteJwkSet is not refreshed when encountering an unknown KID #11724
- Updated reference to architecture page #11778
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin to 3.11.1 #11827
- Update hibernate-entitymanager to 5.6.12.Final #12005
- Update io.projectreactor to 2020.0.24 #12001
- Update io.rsocket to 1.1.3 #12003
- Update jackson-bom to 2.13.4.20221012 #11997
- Update jackson-databind to 2.13.4.1 #11998
- Update jackson-datatype-jsr310 to 2.13.4 #11999
- Update mockk to 1.12.8 #12000
- Update org.eclipse.jetty to 9.4.49.v20220914 #12004
- Update org.springframework to 5.3.23 #12006
- Update org.springframework.data to 2021.1.8 #12007
- Update reactor-netty to 1.0.24 #12002
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.0-M7
⏪ Breaking Changes
- csrfRequestAttributeName = _csrf #11764
- Remove Configuration meta-annotation from Enable* annotations #11653
- Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence) #8980
- Use SHA256 by default in Remember Me #11520
⭐ New Features
- Add native hints for basic @PostAuthorize usage #11737
- Add native-image support for PreAuthorize #11446
- Performance enhancement in HttpSessionRequestCache #11750
- Remove FilterSecurityInterceptor from WebSecurity #11325
- Remove setAuthenticationManager from HttpSecurityConfiguration #11776
🪲 Bug Fixes
- Document in xsd security-context-explicit-save defaults to true #11773
- Fix IP address parse error message in IpAddressMatcher#parseAddress() #11713
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11710
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11042
- Sources and javadocs missing in latest snapshots #10602
- Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11288
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.1 #11859
- Update com.nimbusds to 9.43.1 #11858
- Update Gradle Enterprise plugin to 3.11.1 #11832
- Update hibernate-core to 6.1.3.Final #11867
- Update hsqldb to 2.7.0 #11868
- Update htmlunit to 2.64.0 #11865
- Update htmlunit-driver to 2.64.0 #11872
- Update io.projectreactor to 3.5.0-M6 #11861
- Update io.rsocket to 1.1.3 #11863
- Update jackson-bom to 2.13.4 #11855
- Update jackson-databind to 2.13.4 #11856
- Update jackson-datatype-jsr310 to 2.13.4 #11857
- Update jakarta.inject to 2.0.1 #11864
- Update junit-bom to 5.9.0 #11870
- Update logback-classic to 1.4.1 #11854
- Update mockk to 1.12.8 #11860
- Update org.eclipse.jetty to 11.0.12 #11866
- Update org.mockito to 4.8.0 #11871
- Update org.springframework to 6.0.0-M6 #11833
- Update reactor-netty to 1.1.0-M6 #11862
- Update to mockito 4.7.0 #11749
- Upgrade to Spring LDAP 3.0.0-M3 #11718
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M3
⭐ New Features
- @WithMockUser Supported as Merged Annotation #11782
- Add AspectJ support to @EnableMethodSecurity #11326
- Add CsrfFilter.csrfAttributeName #11699
- add information to README describing how to build the reference docs #11876
- Add new interfaces for CSRF request processing #11781
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to Me… #11667
- Add Support for LazyCsrfTokenRepository to Defer Loading CsrfTokens #11700
- Configurable authentication converter for resource-servers with token introspection #11661
- CsrfFilter Accesses Session on Every Request #11456
- Document that Method Security Co-routine Support Skips Downstream Interceptors #10920
- HttpSecurityDsl should support apply method #11754
- Javadoc typo 'sue' -> 'use' #11794
- Mistake in Kotlin code representation is fixed #11753
- ReactiveAuthorizationManager + Reactive Method Security #9867
- Update javadoc of Kotlin DSL to reflect the deprecation of WebSecurityConfigurerAdapter #11646
- webflux logout not working when project defines a context path (spring.webflux.base-path) #11716
🪲 Bug Fixes
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11726
- GitHubMilestoneApiTests due_on Should Use LocalDate #11706
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11449
- Modify words #11709
- SAML2 Login fails with CSP in chrome based browsers #11676
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.1 #11839
- Update com.nimbusds to 9.43.1 #11838
- Update Gradle Enterprise plugin to 3.11.1 #11831
- Update hibernate-entitymanager to 5.6.11.Final #11846
- Update hsqldb to 2.7.0 #11847
- Update htmlunit to 2.64.0 #11844
- Update htmlunit-driver to 2.64.0 #11850
- Update io.projectreactor to 2020.0.23 #11841
- Update io.rsocket to 1.1.3 #11843
- Update jackson-bom to 2.13.4 #11835
- Update jackson-databind to 2.13.4 #11836
- Update jackson-datatype-jsr310 to 2.13.4 #11837
- Update junit-bom to 5.9.0 #11848
- Update logback-classic to 1.4.1 #11834
- Update mockk to 1.12.8 #11840
- Update org.eclipse.jetty to 9.4.49.v20220914 #11845
- Update org.mockito to 4.8.0 #11849
- Update org.springframework to 5.3.23 #11851
- Update reactor-netty to 1.1.0-M6 #11842
- Update to mockito 4.7.0 #11748
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M2
⭐ New Features
- Add hash-based Content-Security-Policy for SAML post pages #11631
- Allow customization of redirect strategy #11387
- Receive AuthnRequest Id and Response InResponseTo in Saml2AuthenticationRequestRepository #11468
- Set permissions for GitHub actions #11367
🪲 Bug Fixes
- "Well-Know" should be "Well-Known" #11613
- Add Deprecated annotation to WebSecurity#securityInterceptor #11634
- RequestRejectedHandler does not reliably prevent Internal Server Error #11645
- Spring Security SAML fails in Chrome because of favicon request #11657
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.3
⭐ New Features
- Add Kotlin example showing integration with WebTestClient #9998
- Set permissions for GitHub actions #11642
- Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11650
🪲 Bug Fixes
- Add Deprecated annotation to WebSecurity#securityInterceptor #11637
- Check saganCreateRelease saganDeleteRelease Required Permissions #11425
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11605
- RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #11606
- RequestRejectedHandler does not reliably prevent Internal Server Error #11672
- Sources and javadocs missing in latest snapshots #11628
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11484
- Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11651
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.10.Final #11694
- Update io.projectreactor to 2020.0.22 #11691
- Update jsonassert to 1.5.1 #11696
- Update mockk to 1.12.5 #11690
- Update org.eclipse.jetty to 9.4.48.v20220622 #11693
- Update org.jetbrains.kotlinx to 1.6.4 #11695
- Update org.springframework to 5.3.22 #11697
- Update org.springframework.data to 2021.2.2 #11698
5.6.7
⭐ New Features
- Add Kotlin example showing integration with WebTestClient #11612
- Set permissions for GitHub actions #11644
🪲 Bug Fixes
- Add Deprecated annotation to WebSecurity#securityInterceptor #11636
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11426
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11608
- RequestRejectedHandler does not reliably prevent Internal Server Error #11673
- Sources and javadocs missing in latest snapshots #11629
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11485
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.10.Final #11683
- Update io.projectreactor to 2020.0.22 #11680
- Update jsonassert to 1.5.1 #11684
- Update mockk to 1.12.5 #11679
- Update org.eclipse.jetty to 9.4.48.v20220622 #11682
- Update org.springframework to 5.3.22 #11685
- Update org.springframework.data to 2021.1.6 #11686
- Update reactor-netty to 1.0.22 #11681
6.0.0-M6
⏪ Breaking Changes
- Change interface with constants to final class #10960
- Claims contain an instance of java.net.URL and are used in hash-based containers #10673
- Consider using OAuth2Token instead of AbstractOAuth2Token #10959
- FilterSecurityInterceptor applies to every request by default #11466
- Remove deprecated allowMultipleAuthorizationRequests #11564
- Remove deprecated converters in OAuth2AccessTokenResponseHttpMessageConverter #11513
- Remove deprecated CustomUserTypesOAuth2UserService #11511
- Remove deprecated implicit authorization grant type #11506
- Remove deprecated NimbusAuthorizationCodeTokenResponseClient #11512
- Remove deprecated NimbusJwtDecoderJwkSupport #11507
- Remove deprecated OAuth2IntrospectionClaimAccessor #11499
- Remove deprecated UnAuthenticatedServerOAuth2AuthorizedClientRepository #11508
- Remove deprecations in AbstractOAuth2AuthorizationGrantRequest #11517
- Remove deprecations in AuthorizationRequestRepository #11519
- Remove deprecations in ClaimAccessor #11585
- Remove deprecations in ClientAuthenticationMethod #11516
- Remove deprecations in ClientRegistration #11518
- Remove deprecations in JwtAuthenticationConverter #11587
- Remove deprecations in OAuth2AuthorizedClientArgumentResolver #11584
- Remove deprecations in OidcClientInitiatedLogoutSuccessHandler #11565
- Remove deprecations in OidcUserInfo #11586
- Remove deprecations in ServerOAuth2AuthorizedClientExchangeFilterFunction #11589
- Remove deprecations in ServletOAuth2AuthorizedClientExchangeFilterFunction #11588
⭐ New Features
- Add LDAP runtime hints #11438
- Add Runtime Hints for basic setup #11431
- AnonymousAuthenticationFilter Accesses Session on Every Request #11465
- Consider updating testing examples to use JUnit Jupiter #10934
- CookieServerCsrfTokenRepository doesn't support setting MaxAge #11432
- Remove dependency on commons-codec by using java.util.Base64 #11319
- SAML2 customizable URLs #8873
- Update DelegatingSecurityContextTaskScheduler to implement new Required Methods #11474
- Update java version to 17.0.3-tem #11370
- Update javadoc in CommonOAuth2Provider #11490
- Use JDK 17 on build #11324
🪲 Bug Fixes
- CsrfWebFilter null save content-type check #11205
- Docs example uses access(String) with authorizeHttpRequests() #11280
- Fix method call example on documentation #11380
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11423
- Fix tests using root cause for exception messages #11372
- Fix title render issue of Digest Authentication document #11291
- Fix typo in BasicLookupStrategy Javadoc #11336
- Fix typo on NimbusJwtDecoderTests #11394
- Fixed typo in comment for changePassword method #11274
- KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11354
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11379
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11283
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11470
- Update usage of deprecated reactor.util.context.Context.putAll method #11476
- Use Collection in examples #11478
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11524
- Update assertj-core to 3.23.1 #11531
- Update com.nimbusds to 9.38.1 #11523
- Update Gradle Enterprise plugin #11398
- Update hibernate-core-jakarta to 5.6.10.Final #11533
- Update htmlunit to 2.63.0 #11530
- Update htmlunit-driver to 2.63.0 #11538
- Update io.projectreactor to 3.5.0-M4 #11525
- Update io.r2dbc:r2dbc-h2 to 1.0.0.RC1 #11479
- Update io.spring.javaformat to 0.0.34 #11527
- Update jakarta.annotation-api to 2.1.1 #11528
- Update jakarta.servlet.jsp-api to 3.1.0 #11529
- Update jsonassert to 1.5.1 #11539
- Update junit-bom to 5.9.0-RC1 #11536
- Update org.eclipse.jetty to 11.0.11 #11532
- Update org.jetbrains.kotlin to 1.7.10 #11534
- Update org.jetbrains.kotlinx to 1.6.4 #11535
- Update org.junit.jupiter to 5.9.0-RC1 #11537
- Update org.springframework to 6.0.0-M5 #11594
- Update reactor-netty to 1.1.0-M4 #11526
- Update spring-data-jpa to 3.0.0-M5 #11540
- Update spring-ldap-core to 2.4.1 #11541
- Update to Kotlin 1.7 #11374
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M1
⏪ Breaking Changes
- SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667
⭐ New Features
- Add AuthorizationManager that uses ExpressionHandler #11105
- Add AuthorizationManager XML Support for Filter Security #11305
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11383
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11229
- Add Jackson Support for Saml2AuthenticationException #11176
- Add MethodExpressionAuthorizationManager #11493
- Add relyingPartyRegistrationId to AbstractSaml2AuthenticationRequest #11195
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11393
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11360
- Add RoleHierarchyAuthorizationManager #11304
- Add support AuthorizationManager + #11323
- AnonymousAuthenticationFilter Accesses Session on Every Request #11457
- AuthorizationManager for WebSocket Security #11076
- Branch 5.8.x should point to samples branch 5.8.x #11203
- Build modules using Java 8 #10816
- Check Samples should run against the current artifacts #10344
- Consider updating testing examples to use JUnit Jupiter #11294
- Deprecate Resource Owner Password Credentials grant #11590
- Ensure that SecurityContext is correctly preserved in MockMvc tests when using SecurityContextHolderStrategy @Bean #11444
- HttpSessionRequestCache Causes Session Access on Every Request #11453
- Improve docs on dispatcherTypeMatcher #11505
- Improve docs on dispatcherTypeMatcher #11467
- InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11328
- Missing reactive DelegatingRequestMatcherHeaderWriter #11073
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11381
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11378
- OpenSaml4AuthenticationRequestResolver should have a customizable URI #10840
- Password Encoding Improvements #11482
- phoneNumberVerified field is Boolean type #11315
- Provide alternative for MD5 hashing in remember me token #8549
- Remove dependency on commons-codec by using java.util.Base64 (for 5.8.x) #11322
- Support multiple SingleLogoutService bindings #11286
- Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192
- Use SecurityContextHolderStrategy for defaults #11062
🪲 Bug Fixes
- Docs example uses access(String) with authorizeHttpRequests() #11295
- Failed signature verification on SAML2 LogoutRequest #11235
- Fix OAuth2ResourceServerConfigurer member variable using Java 9+ feature #10695
- Form Login not possible when a single OAuth2 Provider is configured #11375
- Multiple .requestMatchers().mvcMatchers() override previous one #10956
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11382
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11262
- ServerRequestCacheWebFilter causes WebSession to be read every request #7157
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11312
- Some Security Expressions cause NPE when used within @Query #11196
- Spring Security SAML2 Single Logout After Session Expiration Not Working from External App #11389
- Use Base64 encoder with no CRLF in output for SAML 2.0 messages #11270
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11546
- Update assertj-core to 3.23.1 #11552
- Update com.nimbusds to 9.38.1 #11545
- Update hibernate-entitymanager to 5.6.10.Final #11554
- Update htmlunit to 2.63.0 #11551
- Update htmlunit-driver to 2.63.0 #11559
- Update io.projectreactor to 2020.0.21 #11548
- Update io.spring.javaformat to 0.0.34 #11550
- Update jackson-bom to 2.13.3 #11542
- Update jackson-databind to 2.13.3 #11543
- Update jackson-datatype-jsr310 to 2.13.3 #11544
- Update jsonassert to 1.5.1 #11560
- Update junit-bom to 5.9.0-RC1 #11557
- Update mockk to 1.12.4 #11547
- Update org.eclipse.jetty to 9.4.48.v20220622 #11553
- Update org.jetbrains.kotlin to 1.7.10 #11555
- Update org.jetbrains.kotlinx to 1.6.4 #11556
- Update org.junit.jupiter to 5.9.0-RC1 #11558
- Update org.springframework to 5.3.22 #11561
- Update org.springframework.data to 2021.2.2 #11562
- Update reactor-netty to 1.1.0-M4 #11549
- Update spring-ldap-core to 2.4.1 #11563
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.2
⭐ New Features
- Consider updating testing examples to use JUnit Jupiter #11293
🪲 Bug Fixes
- Some Security Expressions cause NPE when used within @Query #11289
- CsrfWebFilter null save content-type check #11341
- Docs example uses access(String) with authorizeHttpRequests() #11296
- Fix typo in BasicLookupStrategy Javadoc #11339
- KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11358
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11384
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11284
- SecurityContextRepository.loadContext(HttpServletRequest) cache result #11390
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11311
- Update opaque-token.adoc #11303
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.4.3.1 #11402
- Update hibernate-entitymanager to 5.6.9.Final #11405
- Update io.projectreactor to 2020.0.20 #11403
- Update jackson-bom to 2.13.3 #11399
- Update jackson-databind to 2.13.3 #11400
- Update jackson-datatype-jsr310 to 2.13.3 #11401
- Update org.jetbrains.kotlinx to 1.6.3 #11406
- Update org.opensaml:opensaml-core4 to 4.1.1 #11410
- Update org.springframework to 5.3.21 #11407
- Update org.springframework.data to 2021.2.1 #11408
- Update reactor-netty to 1.0.20 #11404
- Update spring-ldap-core to 2.4.1 #11409
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.6
⭐ New Features
- Consider updating testing examples to use JUnit Jupiter #11292
🪲 Bug Fixes
- CsrfWebFilter null save content-type check #11342
- Docs example uses access(String) with authorizeHttpRequests() #11297
- Fix typo in BasicLookupStrategy Javadoc #11340
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11385
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11285
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11310
- Some Security Expressions cause NPE when used within @Query #11290
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.9.Final #11416
- Update io.projectreactor to 2020.0.20 #11414
- Update jackson-bom to 2.13.3 #11411
- Update jackson-databind to 2.13.3 #11412
- Update jackson-datatype-jsr310 to 2.13.3 #11413
- Update org.opensaml:opensaml-core4 to 4.1.1 #11420
- Update org.springframework to 5.3.21 #11417
- Update org.springframework.data to 2021.1.5 #11418
- Update reactor-netty to 1.0.20 #11415
- Update spring-ldap-core to 2.3.8.RELEASE #11419