Releases: spring-projects/spring-security

5.5.6

18 Apr 17:04
69a13df

🪲 Bug Fixes

  • AuthorizationManagerWebInvocationPrivilegeEvaluator should grant access when AuthorizationManager abstains #10952
  • Change HashSet to LinkedHashSet for RelyingPartyRegistration credentials #10917

🔨 Dependency Upgrades

  • Update com.fasterxml.jackson.core to 2.13.2.2 #11130
  • Update com.fasterxml.jackson.datatype to 2.13.2 #11131
  • Update io.projectreactor to 2020.0.18 #11132
  • Update io.rsocket to 1.1.2 #11134
  • Update jackson-bom to 2.12.6.20220326 #11129
  • Update logback-classic to 1.2.11 #11128
  • Update org.aspectj to 1.9.9.1 #11135
  • Update org.eclipse.jetty to 9.4.46.v20220331 #11136
  • Update org.springframework to 5.3.19 #11137
  • Update org.springframework.data to 2021.0.10 #11138
  • Update reactor-netty to 1.0.18 #11133
  • Update spring-ldap-core to 2.3.7.RELEASE #11139

6.0.0-M3

22 Mar 18:18
6dbba7b
Pre-release

🔨 Dependency Upgrades

  • Update spring-data-bom to 2022.0.0-M3 #11017

6.0.0-M2

21 Mar 19:31
e2e1689
Pre-release

⏪ Breaking Changes

  • Fixed ClientAuthenticationMethod inconsistent equals and hashCode #10559

⭐ New Features

  • Add default value for version in gitHubCheckMilestoneHasNoOpenIssues task #10921
  • Add gradle task for updating to next development version #10975
  • Do not run CI on tags #10974
  • Remove spring-security-openid module #10773
  • Update CI pipeline to push next snapshot version after release #10977

🪲 Bug Fixes

  • commons-logging:commons-logging is a transitive dependency of some modules #10499
  • Do not rely on javax. group ids #10501

🔨 Dependency Upgrades

  • Update aspectj-plugin to 6.4.1 #10984
  • Update com.nimbusds to 9.30 #10983
  • Update hibernate-core-jakarta to 5.6.7.Final #10992
  • Update htmlunit to 2.59.0 #10990
  • Update htmlunit-driver to 2.59.0 #10993
  • Update io.projectreactor to 2020.0.17 #10986
  • Update io.r2dbc to 0.9.1.RELEASE #10988
  • Update io.spring.javaformat to 0.0.31 #10989
  • Update jackson-bom to 2.13.2 #10980
  • Update jackson-databind to 2.13.2 #10981
  • Update jackson-datatype-jsr310 to 2.13.2 #10982
  • Update logback-classic to 1.2.11 #10979
  • Update mockk to 1.12.3 #10985
  • Update org.eclipse.jetty to 11.0.8 #10991
  • Update org.slf4j to 1.7.36 #10994
  • Update reactor-netty to 1.0.17 #10987
  • Update spring-ldap-core to 2.3.6.RELEASE #10995
  • Upgrade to AspectJ 1.9.8 #10349

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.0-M3

21 Mar 18:01
Pre-release

⏪ Breaking Changes

  • ServerHttpBasicAuthenticationConverter uses platform's default charset #10903
  • Use utf-8 in ServerHttpBasicAuthenticationConverter #10911

⭐ New Features

  • OidcClientInitiatedLogoutSuccessHandler resolves redirect uri placeholders #10935
  • Add support in xml configuration #9012
  • Add InResponseTo validation support #9174
  • Add Jackson Support for saml2 Module #10907
  • Add Kotlin example for SecuritySocketAcceptorInterceptor of RSocket #10932
  • Add method to customize EntityDescriptor and SPSSODescriptor #10925
  • Add OpenSamlMetadataResolver#setEntityDescriptorCustomizer #10839
  • Add Persistence to Documentation #10962
  • Add RequestAttributeSecurityContextRepository #10918
  • Add SAML 2.0 Login and Logout XML Support #10685
  • Add SAML 2.0 Single Logout XML Support #10842
  • Add SecurityContextHolderFilter #9635
  • Add support for customizing claims in JWT Client Assertion #10972
  • Add support for validation of InResponseTo attribute when validating SAML2 responses #10849
  • Consider adding factory method to UsernamePasswordAuthenticationToken #10790
  • Consider enabling PKCE for confidential clients #6548
  • fix gh_10846 #10898
  • HttpSessionSecurityContextRepository saves with original response #10947
  • Implemented Add Kotlin example for SecuritySocketAcceptorInterceptor o… #10936
  • OAuth2AuthorizedClientArgumentResolver couldn't use ReactiveOAuth2AuthorizedClientManager registered in the Context #10846
  • Polish UsernamePasswordAuthenticationFilter method #10970
  • Provide ability to customize claims in Jwt Client Assertion #9855
  • UsernamePasswordAuthenticationToken factory methods #10901

🪲 Bug Fixes

  • AuthorizationManagerWebInvocationPrivilegeEvaluator should grant access when AuthorizationManager abstains #10950
  • Change HashSet to LinkedHashSet for RelyingPartyRegistration credentials #10912
  • DefaultSecurityFilterChain: Wrong log message "Will not secure" #10909
  • Edit declaration of PasswordEncoder interface of Cryptography section #10922
  • Edit declaration of PasswordEncoder interface of Cryptography section #10910
  • Line breaks in Base64 encoded LogoutResponse cause an IllegalArgumentException #10923
  • Preserve order of RelyingPartyRegistration credentials #10924

🔨 Dependency Upgrades

  • Update com.nimbusds to 9.31 #11003
  • Update hibernate-entitymanager to 5.6.7.Final #11008
  • Update htmlunit to 2.60.0 #11007
  • Update htmlunit-driver to 2.60.0 #11010
  • Update io.projectreactor to 2020.0.17 #11005
  • Update jackson-bom to 2.13.2 #11000
  • Update jackson-databind to 2.13.2 #11001
  • Update jackson-datatype-jsr310 to 2.13.2 #11002
  • Update logback-classic to 1.2.11 #10999
  • Update mockk to 1.12.3 #11004
  • Update org.jetbrains.kotlin to 1.6.20-RC #11009
  • Update org.springframework to 5.3.17 #11011
  • Update reactor-netty to 1.0.17 #11006
  • Update spring-data-bom to 2021.2.0-M4 #11014
  • Update spring-data-jpa to 2.7.0-M4 #11012

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.0-M2

21 Feb 15:08
Pre-release

⭐ New Features

  • Add serialVersionUID to DefaultSavedRequest and SavedCookie #10594
  • Add EntitiesDescriptor Support #10787
  • add Kotlin example for logout configuration of reactive authentication #10823
  • Add Kotlin example for logout configuration of reactive authentication #10819
  • Add LDAP AuthenticationManager factory #10138
  • Add OpenSaml custom types to Saml2AuthenticatedPrincipal #10809
  • Add OpenSamlAssertingPartyDetails #10794
  • Add Request AuthenticationManagerResolvers #7366
  • Add Saml2AuthenticationRequestResolver #10355
  • Add Saml2AuthenticationRequestResolver #9277
  • Add serialVersionUID to DefaultSavedRequest and SavedCookie #10676
  • Add Session Index Support #10784
  • Consider Adding OpenSamlAssertingPartyDetails #10781
  • Deprecate WebSecurityConfigurerAdapter #10822
  • Document SecurityFilterChain bean based configuration #10003
  • Expose JDBC default user schema DDL location as public constant #10837
  • Fix for gh10663 encryptedID #10689
  • Introduce a Map-based AuthenticationManagerResolver #6762
  • Make Saml2AuthenticationRequests serializable #10608
  • Make WebAuthenticationDetails constructor public #10830
  • Print ignore message DefaultSecurityFilterChain #9526
  • RelyingPartyRegistrations should read all entities #10782
  • SAML 2.0 Response handling should have a better error message when decryption is not allowed #10220
  • Saml2AuthenticationRequests not serializable cause exception when using jdbc session #10550
  • Support @Transient SecurityContext and Provide TransientSecurityContext #9995
  • Support extensions of WebAuthenticationDetails when using Jackson serialization #10564
  • Support multiple RequestRejectedHandler beans. #10603
  • Update reference documentation to use LDAP AuthenticationManager factory #10789

🪲 Bug Fixes

  • add Kotlin examples for Spring Data Integration of servlet application #10834
  • Add Kotlin examples for Spring Data Integration of servlet application #10827
  • Apply configurers from spring.factories to HttpSecurity bean #10815
  • Cannot create OrRequestMatcher with List.of(...) #10703
  • commons-logging:commons-logging is a transitive dependency of some modules #10771
  • Default configurer in spring.factories is not applied when using SecurityFilterChain #10814
  • Do not rely on javax. group ids #10769
  • Fix broken link to SAML2 login example #10800
  • Fix typo in role hierarchy document #10804
  • Getting Spring Security Reference Doc have a error #10736
  • Replace StringUtils class of oauth2-oidc-sdk completely #10805
  • RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provide access to the ServletContext #10779
  • Update docs to use multi-tenancy #10829
  • web.ignoring().mvcMatchers is confuse in someway about the debug output in the console #9334

🔨 Dependency Upgrades

  • Update aspectj-plugin to 6.4.1 #10880
  • Update com.nimbusds to 9.27 #10879
  • Update hibernate-entitymanager to 5.6.5.Final #10888
  • Update htmlunit to 2.58.0 #10885
  • Update htmlunit-driver to 2.58.0 #10890
  • Update io.projectreactor to 2020.0.16 #10881
  • Update io.r2dbc to 0.9.1.RELEASE #10883
  • Update io.spring.javaformat to 0.0.31 #10884
  • Update org.aspectj to 1.9.8 #10886
  • Update org.eclipse.jetty to 9.4.45.v20220203 #10887
  • Update org.jetbrains.kotlin to 1.6.20-M1 #10889
  • Update org.slf4j to 1.7.36 #10891
  • Update org.springframework to 5.3.16 #10892
  • Update reactor-netty to 1.0.16 #10882

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.6.2

21 Feb 13:53

⏪ Breaking Changes

  • Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #10734

⭐ New Features

  • Document Authorize HTTP Requests for Reactive Security #10801
  • Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10682

🪲 Bug Fixes

  • add Kotlin examples for Spring Data Integration of servlet application #10848
  • commons-logging:commons-logging is a transitive dependency of some modules #10772
  • Do not rely on javax. group ids #10770
  • Fix broken link to SAML2 login example #10806
  • Getting Spring Security Reference Docs have a error #10796
  • Make source code compatible with JDK 8 #10699
  • Replace StringUtils class of oauth2-oidc-sdk completely #10824
  • RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provide access to the ServletContext #10792
  • WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10680

🔨 Dependency Upgrades

  • Update hibernate-entitymanager to 5.6.5.Final #10873
  • Update io.projectreactor to 2020.0.16 #10867
  • Update io.spring.javaformat to 0.0.31 #10870
  • Update logback-classic to 1.2.10 #10865
  • Update mockk to 1.12.2 #10866
  • Update org.aspectj to 1.9.8 #10871
  • Update org.eclipse.jetty to 9.4.45.v20220203 #10872
  • Update org.slf4j to 1.7.36 #10874
  • Update org.springframework to 5.3.16 #10875
  • Update org.springframework.data to 2021.1.2 #10876
  • Update r2dbc-h2 to 0.8.5.RELEASE #10869
  • Update reactor-netty to 1.0.16 #10868
  • Update spring-ldap-core to 2.3.6.RELEASE #10877

5.5.5

21 Feb 12:59

⭐ New Features

  • Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10683

🪲 Bug Fixes

  • Add Kotlin examples for Spring Data Integration of servlet application #10847
  • Replace StringUtils class of oauth2-oidc-sdk completely #10825
  • Getting Spring Security Reference Docs have a error #10797
  • RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provide access to the ServletContext #10791
  • Make source code compatible with JDK 8 #10700
  • WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10681

🔨 Dependency Upgrades

  • Update spring-ldap-core to 2.3.6.RELEASE #10863
  • Update org.springframework.data to 2021.0.9 #10862
  • Update org.springframework to 5.3.16 #10861
  • Update org.slf4j to 1.7.36 #10860
  • Update org.eclipse.jetty to 9.4.45.v20220203 #10859
  • Update org.aspectj to 1.9.8 #10858
  • Update io.spring.javaformat to 0.0.31 #10857
  • Update r2dbc-h2 to 0.8.5.RELEASE #10856
  • Update reactor-netty to 1.0.16 #10855
  • Update io.projectreactor to 2020.0.16 #10854
  • Update logback-classic to 1.2.10 #10851

6.0.0-M1

17 Jan 16:16
Pre-release

⏪ Breaking Changes

  • move HttpSecurityDsl and common files to annotation package #10474
  • Resolve HttpSecurityDsl Package Tangle #10333

⭐ New Features

  • Add NameIdFormat support to RelyingPartyRegistration #9115
  • Clean up Reference Documentation #9668
  • Clear null authentication to fix ThreadLocal leak #9877
  • Gh-10333 move HttpSecurityDsl to another package #10429
  • LdapAuthoritiesPopulator should be postProcessed #9276
  • make SP NameIDPolicy configurable in RelyingPartyRegistration #9227
  • PermitAllSupport supports AuthorizeHttpRequestsConfigurer #10543
  • Update Authorization Documentation #10442

🪲 Bug Fixes

  • #10504 Replace setJWTClaimSetJWSKeySelector in example code #10508
  • Documentation fix in Customizing OpenSAML’s AuthnRequest Instance section #10463
  • Fix JwtClaimValidator error type #10500
  • Structure101 Plugin uses a dead repository link #10697
  • Test fails due to HttpMethod changes #10569

🔨 Dependency Upgrades

  • Switch workflows to use a JDK17 baseline #10353
  • Update aspectj-plugin to 6.3.0 #10498
  • Update assertj-core to 3.22.0 #10748
  • Update cas-client-core to 3.6.4 #10753
  • Update com.nimbusds to 9.22 #10741
  • Update hibernate-core-jakarta to 5.6.3.Final #10751
  • Update hsqldb to 2.6.1 #10752
  • Update htmlunit to 2.56.0 #10747
  • Update htmlunit-driver to 2.56.0 #10756
  • Update io.projectreactor to 2020.0.15 #10743
  • Update io.r2dbc to 0.9.0.RELEASE #10745
  • Update jackson-bom to 2.13.1 #10738
  • Update jackson-databind to 2.13.1 #10739
  • Update jackson-datatype-jsr310 to 2.13.1 #10740
  • Update jakarta.annotation-api to 2.1.0-B1 #10746
  • Update junit-bom to 5.8.2 #10754
  • Update logback-classic to 1.2.10 #10737
  • Update mockk to 1.12.2 #10742
  • Update org.bouncycastle to 1.70 #10749
  • Update org.eclipse.jetty to 11.0.7 #10750
  • Update org.junit.jupiter to 5.8.2 #10755
  • Update org.slf4j to 1.7.33 #10757
  • Update reactor-netty to 1.0.15 #10744
  • Update spring-data-bom to 2022.0.0-M1 #10759
  • Update spring-ldap-core to 2.3.5.RELEASE #10758
  • Update to Gradle 7.3 #10480
  • Update to Spring Framework 6.0 #10360
  • Upgrade to JDK 17 #10343
  • Upgrade to Kotlin Coroutines 1.6.0 #10707
  • Upgrade to Spring Framework 6.0.0-M2 #10706

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.0-M1

14 Jan 20:19
Pre-release

⏪ Breaking Changes

  • Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #10607

⭐ New Features

  • Add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy security headers #9385
  • Add Cross-Origin-Resource-Policy security header #10118
  • Add Cross Origin Policies headers DSL support #10141
  • Add hasIpAddress to Reactive Kotlin DSL #10571
  • Add ObjectIdentityGenerator customization to JdbcAclService #10081
  • Add RedirectStrategy customization to ChannelSecurityConfigurer for R… #10161
  • Allow custom OAuth2ErrorHttpMessageConverter with OAuth2ErrorResponseErrorHandler #10425
  • Allow custom OAuth2ErrorHttpMessageConverter with OAuth2ErrorResponse… #10432
  • Avoid using SpEL to change the meaning of the injection point #10075
  • BasicLookupStrategy for ACL defines the ObjectIdentity as not interchangeable #10079
  • Clarify behaviour of enableSessionUrlRewriting #7644
  • Client JwtBearer grant type should support non Jwt principal #9812
  • Fix CsrfConfigurer default AccessDeniedHandler consistency #10154
  • Fix Gradle Deprecation Warnings #10446
  • Fix typo in Expression matcher Javadocs #10688
  • HttpServlet3RequestFactory should set 'details' when creating the authentication token. #9579
  • Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10590
  • Prevent using both authorizeRequests and authorizeHttpRequests #10574
  • Prevent using both authorizeRequests and authorizeHttpRequests #10573
  • Provide Jackson serialization support for LDAP classes #9263
  • Set 'details' on authentication token created by HttpServlet3RequestFactory #9597
  • Spring Security WebFlux IP Whitelist #7765
  • Structure101 plugin should retrieve most recent binary #10696
  • Support for changing prefix and suffix in DelegatingPasswordEncoder #10278
  • Support IP whitelist for Spring Security Webflux #10007
  • Update Spring Security to 5.7 #10509

🪲 Bug Fixes

  • #10505 Fixed jwtDecoder example code #10510
  • AuthorityAuthorizationManager incorrectly compares GrantedAuthority #10566
  • WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10554
  • A null SingleLogoutServiceLocation should not cause a NullPointerException #10674
  • clockSkew Javadoc is not consistent with implementation #10174
  • Configure WebInvocationPrivilegeEvaluator for multiple SecurityFilterChains #10575
  • Fix case sensitive headers comparison #10578
  • Fix Reactive OAuth2 Kotlin DSL examples #10586
  • Fix the bug that the custom GrantedAuthority comparison fails #10588
  • Kotlin DSL examples in reactive oauth2 docs call build twice #10580
  • Make source code compatible with JDK 8 #10695
  • Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10505
  • Prevent Save @Transient Authentication with existing HttpSession #9993
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #10557
  • Update clockSkew javadoc according to implementation #10358

🔨 Dependency Upgrades

  • Update aspectj-plugin to 6.3.0 #10514
  • Update aspectj-plugin to 6.3.0 #10492
  • Update assertj-core to 3.22.0 #10720
  • Update cas-client-core to 3.6.4 #10723
  • Update com.nimbusds to 9.22 #10713
  • Update hibernate-entitymanager to 5.6.3.Final #10722
  • Update htmlunit to 2.56.0 #10718
  • Update htmlunit-driver to 2.56.0 #10728
  • Update io.projectreactor to 2020.0.15 #10715
  • Update io.r2dbc to 0.9.0.RELEASE #10717
  • Update jackson-bom to 2.13.1 #10710
  • Update jackson-databind to 2.13.1 #10711
  • Update jackson-datatype-jsr310 to 2.13.1 #10712
  • Update junit-bom to 5.8.2 #10726
  • Update logback-classic to 1.2.10 #10709
  • Update mockk to 1.12.2 #10714
  • Update org.aspectj to 1.9.8.RC3 #10719
  • Update org.bouncycastle to 1.70 #10721
  • Update org.jetbrains.kotlin to 1.6.10 #10724
  • Update org.jetbrains.kotlinx to 1.6.0 #10725
  • Update org.junit.jupiter to 5.8.2 #10727
  • Update org.slf4j to 1.7.33 #10729
  • Update org.springframework to 5.3.15 #10730
  • Update org.springframework.data to 2021.2.0-M1 #10731
  • Update reactor-netty to 1.0.15 #10716
  • Update spring-ldap-core to 2.4.0-M1 #10732

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.6.1

20 Dec 21:17

⭐ New Features

  • Document authentication helper method in WebClient integration #10468
  • Document authentication helper method in WebClient integration for Servlet Environments #10120
  • Document parameters converter in oauth2 client servlet docs #10469
  • Document parameters converter in oauth2 client servlet docs #10467

🪲 Bug Fixes

  • AuthorityAuthorizationManager incorrectly compares GrantedAuthority #10595
  • clockSkew Javadoc is not consistent with implementation #10535
  • Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #10560
  • Kotlin DSL examples in reactive oauth2 docs call build twice #10591
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #10581

🔨 Dependency Upgrades

  • Update cas-client-core to 3.6.4 #10654
  • Update hibernate-entitymanager to 5.6.3.Final #10653
  • Update io.projectreactor to 2020.0.14 #10651
  • Update jackson-bom to 2.13.1 #10647
  • Update jackson-databind to 2.13.1 #10648
  • Update jackson-datatype-jsr310 to 2.13.1 #10649
  • Update junit-bom to 5.8.2 #10656
  • Update logback-classic to 1.2.9 #10646
  • Update mockk to 1.12.1 #10650
  • Update org.jetbrains.kotlin to 1.5.32 #10655
  • Update org.junit.jupiter to 5.8.2 #10657
  • Update org.springframework to 5.3.14 #10658
  • Update reactor-netty to 1.0.14 #10652
  • Update spring-ldap-core to 2.3.5.RELEASE #10659

❤️ Contributors

We'd like to thank all the contributors who worked on this release!