6.1.6

⭐ New Features

• Document that Shibboleth Repository is Required for SAML Support #14294
• Integrate HandlerMappingIntrospector Caching #14128
• OAuth2 Resource Server is exposing server information. #14277
• Resolve RequestMatcher at request-time #14085

🪲 Bug Fixes

• AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #14266
• Authentication not propagated correctly after migrating to SB3 #14111
• Authorization does not show up on Features section #14104
• DefaultLoginPageGeneratingFilter should be able to handle AuthenticationExceptions without message #14117
• Fix broken link for servlet getting started page #14119
• Fix typo in method-security.adoc #14059
• fix wrong document about "jws-algorithms" #14279
• Improve error message when ServletRegistration API is unavailable #14231
• improve render in headers.adoc #14101
• On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #14063
• ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #14041
• References to WebFlux docs do not link to them #14107
• relay_state should not be included in signing calculation when it is null #14038
• samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #14131
• Security configuration is failed to be initialized in a Servlet 6.0 container #14165
• Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #14114
• Spring Security metric names should not contain dashes #14066
• spring.security counters inaccurate due onComplete and cancel() #14146
• Update Java Config Spring MVC documentation #14233
• Update logout.adoc: Replace Directives with Directive #14062

🔨 Dependency Upgrades

• Bump actions/checkout from 3 to 4 #14310
• Bump actions/setup-java from 3 to 4 #14327
• Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #14214
• Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #14238
• Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #14224
• Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #14317
• Bump Gradle Wrapper from 8.4 to 8.5 #14218
• Bump io-spring-javaformat from 0.0.39 to 0.0.40 #14158
• Bump io.micrometer:micrometer-observation from 1.10.12 to 1.10.13 #14134
• Bump io.projectreactor:reactor-bom from 2022.0.12 to 2022.0.13 #14144
• Bump io.projectreactor:reactor-bom from 2022.0.13 to 2022.0.14 #14288
• Bump org-aspectj from 1.9.20.1 to 1.9.21 #14272
• Bump org-eclipse-jetty from 11.0.17 to 11.0.18 #14081
• Bump org.springframework.data:spring-data-bom from 2022.0.11 to 2022.0.12 #14173
• Bump org.springframework:spring-framework-bom from 6.0.13 to 6.0.14 #14159
• Bump org.springframework:spring-framework-bom from 6.0.14 to 6.0.15 #14312
• Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #14315
• Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #14316
• Bump spring-io/spring-gradle-build-action from 1 to 2 #14305

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Ruffeng, @dependabot[bot], @github-actions[bot], @marbon87, and @sadidshaikh

5.8.9

⭐ New Features

• Document that Shibboleth Repository is Required for SAML Support #14286
• OAuth2 Resource Server is exposing server information. #13730
• Resolve RequestMatcher at request-time #14078
• Update Java Config Spring MVC documentation #14220

🪲 Bug Fixes

• AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #13625
• Authentication not propagated correctly after migrating to SB3 #12877
• Authorization does not show up on Features section #14099
• Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #13718
• Fix caching error state in ReactiveRemoteJWKSource #13976
• fix wrong document about "jws-algorithms" #14252
• Improve error message when ServletRegistration API is unavailable #14221
• References to WebFlux docs do not link to them #14100
• relay_state should not be included in signing calculation when it is null #13913
• Security configuration is failed to be initialized in a Servlet 6.0 container #13794
• Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #13644
• X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #11948
• XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8 #12483

🔨 Dependency Upgrades

• Bump actions/checkout from 3 to 4 #14313
• Bump actions/setup-java from 3 to 4 #14307
• Bump ch.qos.logback:logback-classic from 1.2.12 to 1.2.13 #14240
• Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #14301
• Bump io-spring-javaformat from 0.0.39 to 0.0.40 #14153
• Bump io.projectreactor.netty:reactor-netty from 1.0.38 to 1.0.39 #14143
• Bump io.projectreactor.netty:reactor-netty from 1.0.39 to 1.0.40 #14290
• Bump io.projectreactor:reactor-bom from 2020.0.37 to 2020.0.38 #14142
• Bump io.projectreactor:reactor-bom from 2020.0.38 to 2020.0.39 #14291
• Bump org.springframework.data:spring-data-bom from 2021.2.17 to 2021.2.18 #14170
• Bump org.springframework:spring-framework-bom from 5.3.30 to 5.3.31 #14154
• Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #14303
• Bump spring-io/spring-gradle-build-action from 1 to 2 #14308

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @dongelci
• @dependabot[bot]

6.2.0

⭐ New Features

• AuthorizationManager[Before/After]ReactiveMethodInterceptor doesn't support Kotlin coroutines #12080
• Simplify configuration of OAuth2 Client component model #11783

🪲 Bug Fixes

• On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #14064
• Authentication not propagated correctly after migrating to SB3 #14112
• Authorization does not show up on Features section #14105
• Fix obsolete comment and typos #14060
• Fix typo in documentation #14130
• improve render in headers.adoc #14102
• ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #14042
• References to WebFlux docs do not link to them #14108
• relay_state should not be included in signing calculation when it is null #14039
• samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #14138
• Security configuration is failed to be initialized in a Servlet 6.0 container #14166
• Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #14115
• Spring Security metric names should not contain dashes #14067
• spring.security counters inaccurate due onComplete and cancel() #14147
• The latest "OAuth2AuthorizedClientManager" class is not AOT ready #14094
• UnboundIdContainer should be marked as not running at shutdown #14095

🔨 Dependency Upgrades

• Bump io-spring-javaformat from 0.0.39 to 0.0.40 #14156
• Bump io.micrometer:micrometer-observation from 1.12.0-RC1 to 1.12.0 #14135
• Bump io.projectreactor:reactor-bom from 2023.0.0-RC1 to 2023.0.0 #14145
• Bump org.junit:junit-bom from 5.10.0 to 5.10.1 #14097
• Bump org.springframework.data:spring-data-bom from 2023.1.0-RC1 to 2023.1.0 #14172
• Bump org.springframework.ldap:spring-ldap-core from 3.2.0-RC1 to 3.2.0 #14155
• Bump org.springframework:spring-framework-bom from 6.1.0-RC1 to 6.1.0-RC2 #14055
• Bump org.springframework:spring-framework-bom from 6.1.0-RC2 to 6.1.0 #14157

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @nico-ortiz
• @dependabot[bot]
• @martin-lukas

6.2.0-RC2

⭐ New Features

• Propagate security context via channel interceptor #12532
• RequestedUrlRedirectInvalidSessionStrategy can cause the HTTP method to change depending on the user agent #12797
• RequestedUrlRedirectInvalidSessionStrategy doesn't take servlet context path into account #12795

🪲 Bug Fixes

• Added a note about the fact that if the CSRF protection is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly. #13442
• Use same case for all fields in toString #13917

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @abramofranchetti
• @artembilan
• @valery1707

6.2.0-RC1

⭐ New Features

• Add servletPath support to AuthorizeHttpRequests #13857
• Allow AuthenticationConverter to be settable in BasicAuthenticationFilter #13989
• Dependabot should consider minor versions for org.springframework* on main #14029
• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #14016
• Update doc references for forwarded headers support #13880
• Use Gradle's Version Catalog #13872

🪲 Bug Fixes

• Breaking change in AuthorizeHttpRequestsConfigurer #14012
• Dependency convergence failed: nimbus-jose-jwt #13972
• Fix snapshot_tests on CI workflow #13879
• Fix parsing of GET SAML logout requests #14024
• Saml-Metadata with special characters is corrupted #13862
• Saml2LogoutRequestMixin relayState property should be binding #13943
• Update http.adoc: IP number does not follow IP number format #13969

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 #14005
• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13983
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13929
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13962
• Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #13960
• Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13932
• Bump Gradle Wrapper from 8.3 to 8.4 #13975
• Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13933
• Bump io.mockk:mockk from 1.13.7 to 1.13.8 #13902
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13931
• Bump org-apache-maven-resolver from 1.9.15 to 1.9.16 #13894
• Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #14002
• Bump org.apache.maven:maven-resolver-provider from 3.9.4 to 3.9.5 #13963
• Bump org.hibernate.orm:hibernate-core from 6.3.0.CR1 to 6.3.1.Final #13905
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13964
• Update io.micrometer:micrometer-observation to 1.12.0-RC1 #14027
• Update io.projectreactor:reactor-bom to 2023.0.0-RC1 #14028
• Update org.springframework.data:spring-data-bom to 2023.1.0-RC1 #14025
• Update org.springframework.ldap:spring-ldap-core to 3.2.0-RC1 #14026
• Update org.springframework:spring-framework-bom to 6.1.0-RC1 #14023
• Update to io.freefair.aspectj 8.4 #14017
• Update to org.apereo.cas.client:cas-client-core 4.0.3 #13948

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @larsgrefer
• @ParkerM
• @jzheaux
• @mmoayyed
• @GeniusDP
• @github-actions[bot]
• @dependabot[bot]

6.1.5

⭐ New Features

• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #14015
• Replace deprecated method #13649
• Use Gradle's Version Catalog #13871

🪲 Bug Fixes

• Dependency convergence failed: nimbus-jose-jwt #13843
• Docs custom AuthorizationManager fix #13991
• Fix snapshot_tests on CI workflow #13878
• Fix parsing of GET SAML logout requests #13970
• Saml-Metadata with special characters is corrupted #13861
• Saml2LogoutRequestMixin relayState property should be binding #13942

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13984
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13891
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13950
• Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #13934
• Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13903
• Bump Gradle Wrapper from 8.3 to 8.4 #13974
• Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13935
• Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #13945
• Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #14001
• Bump io.mockk:mockk from 1.13.7 to 1.13.8 #13952
• Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.11 #13937
• Bump io.projectreactor:reactor-bom from 2022.0.11 to 2022.0.12 #14000
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13985
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #13949
• Bump org-aspectj from 1.9.20 to 1.9.20.1 #13896
• Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #13901
• Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #13999
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13953
• Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #13938
• Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #14019
• Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #13951
• Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #14007
• Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #13904
• Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #14006
• Update to org.apereo.cas.client:cas-client-core 4.0.3 #13947

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @Dyndyn
• @limvik
• @github-actions[bot]
• @dependabot[bot]
• @pbborisov18

6.0.8

⭐ New Features

• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #14014
• Use Gradle's Version Catalog #13870

🪲 Bug Fixes

• Fix snapshot_tests on CI workflow #13877
• Saml-Metadata with special characters is corrupted #13860
• Saml2LogoutRequestMixin relayState property should be binding #13939

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13981
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13886
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13898
• Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #13957
• Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13895
• Bump Gradle Wrapper from 8.3 to 8.4 #13973
• Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13980
• Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #13921
• Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #13995
• Bump io.projectreactor.netty:reactor-netty from 1.1.10 to 1.1.11 #13958
• Bump io.projectreactor.netty:reactor-netty from 1.1.11 to 1.1.12 #13994
• Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.12 #13992
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13919
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #13906
• Bump org-aspectj from 1.9.20 to 1.9.20.1 #13979
• Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #13922
• Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #13993
• Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #13923
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13955
• Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #13920
• Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #14020
• Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #13892
• Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #14009
• Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #13978
• Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #14008

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @github-actions[bot]
• @dependabot[bot]

5.8.8

⭐ New Features

• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #11926
• Use Gradle's Version Catalog #13868

🪲 Bug Fixes

• Fix snapshot_tests on CI workflow #13876
• fix corrupted saml2 metadata once special characters are present #13777
• Saml-Metadata with special characters is corrupted #13776
• Saml2LogoutRequestMixin relayState property should be binding #12539

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13982
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13927
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13890
• Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #13928
• Bump io.projectreactor.netty:reactor-netty from 1.0.35 to 1.0.36 #13885
• Bump io.projectreactor.netty:reactor-netty from 1.0.36 to 1.0.38 #13998
• Bump io.projectreactor:reactor-bom from 2020.0.35 to 2020.0.36 #13944
• Bump io.projectreactor:reactor-bom from 2020.0.36 to 2020.0.37 #13997
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13925
• Bump org-aspectj from 1.9.20 to 1.9.20.1 #13893
• Bump org-eclipse-jetty from 9.4.51.v20230217 to 9.4.52.v20230823 #13909
• Bump org-eclipse-jetty from 9.4.52.v20230823 to 9.4.53.v20231009 #13996
• Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #13926
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13954
• Bump org.springframework.data:spring-data-bom from 2021.2.15 to 2021.2.16 #13907
• Bump org.springframework.data:spring-data-bom from 2021.2.16 to 2021.2.17 #14018
• Bump org.springframework:spring-framework-bom from 5.3.29 to 5.3.30 #13908

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @JannickWeisshaupt
• @erichaagdev
• @dependabot[bot]

6.2.0-M3

⭐ New Features

• Adopt dedicated AssertJ assertions for more expressive test failure messages #13619
• Automate spring-security.xsd #13826
• Correct mentioned HTTP Method in Documentation #13751
• Fix grammar on logout page of the docs #13750
• Fix untitled page title in documentation #13575
• Improve StrictHttpFirewall error messaging #13615
• Improve StrictHttpFirewall error messaging #13614
• Replace wildcard type ? with * in Kotlin and fix typo in Spring docs #13719
• Support nested suspend calls for Kotlin coroutines #13766
• Update OAuth2 docs landing page with examples #13784
• Add OIDC Back-channel Logout Support #7845

🪲 Bug Fixes

• CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #13748
• CookieRequestCache ignores user Locale #13797
• Default Security Configuration adds WWW-Authenticate Twice #13760
• OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #13802
• Problem uploading multipart file after migrating to latest Spring Security. #13821
• Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #13807
• Spring ACL and native compilation fail to process datasource properties #13815

🔨 Dependency Upgrades

• Update io.projectreactor to 2023.0.0-M3 #13829
• Update jakarta.xml.bind-api to 4.0.1 #13831
• Update micrometer-observation to 1.12.0-M3 #13828
• Update org.aspectj to 1.9.20.1 #13832
• Update org.eclipse.jetty to 11.0.16 #13833
• Update org.jetbrains.kotlin to 1.9.10 #13835
• Update org.springframework to 6.1.0-M5 #13837
• Update org.springframework.data to 2023.1.0-M3 #13838
• Update reactor-netty to 1.1.11 #13830
• Update slf4j-api to 2.0.9 #13836
• Update Spring Framework to 6.1.0-SNAPSHOT #13765
• Update spring-ldap-core to 3.2.0-M3 #13839

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @deniz-husaj
• @sjohnr
• @man-moon
• @timtebeek
• @kevin2jordan
• @bjornharvold
• @ben-larson

6.1.4

⭐ New Features

• Automate spring-security.xsd #13825

🪲 Bug Fixes

• CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #13659
• CookieRequestCache ignores user Locale #13796
• Default Security Configuration adds WWW-Authenticate Twice #13759
• Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin #13729
• OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #13800
• Problem uploading multipart file after migrating to latest Spring Security. #13820
• Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #13806
• Spring ACL and native compilation fail to process datasource properties #13814

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @username1103