Releases: spring-projects/spring-security
5.8.5
5.7.10
5.6.12
6.1.1
⭐ New Features
- Add initial Native section to reference docs #13236
- Align Resource Server documentation with Boot's capabilities #13239
- Convert to Asciidoctor Tabs #13407
- Document How to Handle Method Security in Native Image #13237
- Improve javadoc about deprecation of .and() and non-Customizer methods #13273
- Make eclipse/vscode project import work #13284
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13229
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13254
- Use Antora name of security #13331
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13282
- AOT Fails to proxy #13369
- CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #13243
- DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #13223
- Deprecated hint on BasicAuthenticationFilter #13279
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13193
- Fix Antora Warnings #13294
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13221
- Fix Documentation Title #13318
- Fix legacy-websocket-configuration cross-reference #13206
- Fix type on method-security.adoc #13212
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13209
- Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13218
- No longer maintained net.sourceforge.nekohtml with known security issues #13287
- Provide meaningful error when invalid client-authentication-method is provided #13309
- Proxy Server section is not linked in nav #13324
- Use consistent list of micrometer tags in web observation handler #13190
- UserBuilder does not allow authorities to be overridden #13290
🔨 Dependency Upgrades
- Update cas-client-core to 4.0.2 #13342
- Update com.nimbusds to 9.43.3 #13335
- Update hsqldb to 2.7.2 #13343
- Update io.projectreactor to 2022.0.8 #13338
- Update io.rsocket to 1.1.4 #13340
- Update io.spring.javaformat to 0.0.39 #13341
- Update logback-classic to 1.4.8 #13334
- Update micrometer-observation to 1.10.8 #13337
- Update org.jetbrains.kotlin to 1.8.22 #13344
- Update org.springframework to 6.0.10 #13345
- Update org.springframework.data to 2022.0.7 #13346
- Update reactor-netty to 1.1.8 #13339
- Update spring-ldap-core to 3.0.4 #13347
- Update unboundid-ldapsdk to 6.0.9 #13336
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.4
⭐ New Features
- Add initial Native section to reference docs #12029
- Align Resource Server documentation with Boot's capabilities #13238
- Convert to Asciidoctor Tabs #13406
- Document How to Handle Method Security in Native Image #13226
- Error On Unsupported Client Authentication Methods #13240
- Make eclipse/vscode project import work #12930
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13228
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13253
- Use Antora name of security #13330
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13281
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13086
- AOT Fails to proxy #13368
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13153
- Clarify that Kotlin DSL needs an import #13102
- DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #13222
- Delete duplicate line from oauth2/client/core.adoc #13233
- Deprecated hint on BasicAuthenticationFilter #13278
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13192
- Fix Antora Warnings #13293
- Fix code snippets in Authorize HttpServletRequest #13125
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13220
- Fix Documentation Title #13317
- Fix legacy-websocket-configuration cross-reference #13205
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13208
- java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #13133
- Links between migration docs are out of date #13156
- Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13217
- No longer maintained net.sourceforge.nekohtml with known security issues #13286
- Proxy Server section is not linked in nav #13323
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13127
- rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13079
- SAML login fails in Internet Explorer 11 #13141
- SimpleAroundFilterObservation.wrap calls scope.close() duplicated #12787
- Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #13084
- Spring Security SAML signature validation issue #13182
- The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #13008
- Use consistent list of micrometer tags in web observation handler #13179
- X-XSS-Protection is now disabled #13129
🔨 Dependency Upgrades
- Update com.nimbusds to 9.43.3 #13352
- Update hsqldb to 2.7.2 #13359
- Update io.projectreactor to 2022.0.8 #13355
- Update io.rsocket to 1.1.4 #13357
- Update io.spring.javaformat to 0.0.39 #13358
- Update jackson-bom to 2.14.3 #13349
- Update jackson-databind to 2.14.3 #13350
- Update jackson-datatype-jsr310 to 2.14.3 #13351
- Update junit-bom to 5.9.3 #13360
- Update junit-platform-launcher to 1.9.3 #13362
- Update logback-classic to 1.4.8 #13348
- Update micrometer-observation to 1.10.8 #13354
- Update org.junit.jupiter to 5.9.3 #13361
- Update org.springframework to 6.0.10 #13363
- Update org.springframework.data to 2022.0.7 #13364
- Update reactor-netty to 1.1.8 #13356
- Update spring-ldap-core to 3.0.4 #13365
- Update unboundid-ldapsdk to 6.0.9 #13353
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.4
⭐ New Features
- Convert to Asciidoctor Tabs #13405
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13227
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13252
- Use Antora name of security #13329
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13280
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13069
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13132
- Clarify that Kotlin DSL needs an import #13101
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13191
- Fix Antora Warnings #13292
- Fix code snippets in Authorize HttpServletRequest #11522
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13219
- Fix Documentation Title #13316
- Fix legacy-websocket-configuration cross-reference #12969
- Fix typo in authorization.adoc #13135
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13207
- Links between migration docs are out of date #12675
- Proxy Server section is not linked in nav #13322
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13104
- SAML 2.0 HTTP Redirect Binding query params may appear in any order #12963
- SAML login fails in Internet Explorer 11 #13106
- Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160
🔨 Dependency Upgrades
- Address CVE-2023-1370 #13146
- Update com.nimbusds to 9.43.3 #13374
- Update hsqldb to 2.7.2 #13388
- Update io.projectreactor to 2020.0.33 #13377
- Update io.rsocket to 1.1.4 #13383
- Update io.spring.javaformat to 0.0.39 #13386
- Update junit-bom to 5.9.3 #13391
- Update org.junit.jupiter to 5.9.3 #13393
- Update org.springframework to 5.3.28 #13395
- Update org.springframework.data to 2021.2.13 #13397
- Update reactor-netty to 1.0.33 #13380
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.9
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13203
- Clarify that Kotlin DSL needs an import #13092
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13098
- Fix Antora Warnings #13291
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13155
- Fix Documentation Title #13315
- Fix javadoc for migration from WebSecurityConfigurerAdapter #12996
- Fix typo in SecurityMockMvcResultMatchers.java #12793
- fix typo of modules.adoc #12921
- Fix typo overview.adoc #13269
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13131
- Proxy Server section is not linked in nav #13313
- Typos in docs #13283
🔨 Dependency Upgrades
- Update io.projectreactor to 2020.0.33 #13373
- Update io.rsocket to 1.1.4 #13379
- Update org.springframework to 5.3.28 #13382
- Update org.springframework.data to 2021.2.13 #13385
- Update reactor-netty to 1.0.33 #13376
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.11
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13390
- Update hibernate-entitymanager to 5.6.15.Final #13400
- Update io.projectreactor to 2020.0.33 #13387
- Update io.rsocket to 1.1.4 #13392
- Update io.spring.nohttp to 0.0.11 #13394
- Update jackson-bom to 2.13.5 #13375
- Update jackson-databind to 2.13.5 #13378
- Update jackson-datatype-jsr310 to 2.13.5 #13381
- Update logback-classic to 1.2.12 #13372
- Update mockk to 1.12.8 #13384
- Update org.antora.gradle.plugin to 1.0.0 #13396
- Update org.aspectj to 1.9.19 #13398
- Update org.eclipse.jetty to 9.4.51.v20230217 #13399
- Update org.springframework to 5.3.28 #13401
- Update reactor-netty to 1.0.33 #13389
6.1.0
⭐ New Features
- Explain the rationale about deprecating .and() and non-lambda DSL methods #13094
- Revisit CSRF Documentation #13089
🪲 Bug Fixes
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13087
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13154
- Clarify that Kotlin DSL needs an import #13103
- CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #13075
- Fix code snippets in Authorize HttpServletRequest #13126
- Fix invalid link in ref doc #12573
- fix javadoc typo #12884
- Fix typo cas.adoc #13116
- Links between migration docs are out of date #13157
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13128
- rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13083
- SAML login fails in Internet Explorer 11 #13142
- SimpleAroundFilterObservation.wrap calls scope.close() duplicated #13150
- Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #13122
- Update acls.adoc #13078
- Update architecture.adoc #13077
- Web Security Expression section of Documentation is obsolete or it does not work #12974
🔨 Dependency Upgrades
- Update com.nimbusds to 9.43.2 #13165
- Update io.projectreactor to 2022.0.7 #13167
- Update jackson-bom to 2.14.3 #13162
- Update jackson-databind to 2.14.3 #13163
- Update jackson-datatype-jsr310 to 2.14.3 #13164
- Update junit-bom to 5.9.3 #13170
- Update junit-platform-launcher to 1.9.3 #13172
- Update logback-classic to 1.4.7 #13161
- Update micrometer-observation to 1.10.7 #13166
- Update org.jetbrains.kotlin to 1.8.21 #13169
- Update org.junit.jupiter to 5.9.3 #13171
- Update org.springframework to 6.0.9 #13173
- Update org.springframework.data to 2022.0.6 #13174
- Update reactor-netty to 1.1.7 #13168
- Update Spring Boot to 3.0.6 #13177
- Update spring-ldap-core to 3.0.3 #13175
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.0-RC1
⭐ New Features
- #12811 - compressing simple class name for observation #12955
- Add new DaoAuthenticationProvider constructor #12964
- Add NimbusJwtDecoder#withIssuerLocation #10309
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12993
- Deprecate shouldFilterAllDispatcherTypes #12138
- Document in the reference how to migrate to lambda #12628
- Documentation should mention that an empty SecurityContext should also be saved #12942
- Don't use raw xml saml authentication request for response validation #12962
- Ensure access token isn't resolved from query for form-encoded requests #12990
- Expression-Based Access Control does not work as explained in the Spring Security documentation for 6.0.2; also tried 6.0.5, the issue persists #12933
- Remove OpenSaml deprecation warnings #12947
- Replace deprecated OpenSaml methods #12948
- We should deprecate .and() along with non lambda DSL methods #12629
🪲 Bug Fixes
- Fix a javadoc typo in ReactiveAuthorizationManager #13001
- Fix a javadoc typo in ReactiveAuthorizationManager #12984
- Fix documentation code block bug. #12981
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12920
- MessageMatcherDelegatingAuthorizationManager not extracting path variables for authorization context #12924
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13006
- Observation Spans are not nested correctly in Webflux #12934
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12937
🔨 Dependency Upgrades
- Update reactor-netty to 1.1.6 #13047
❤️ Contributors
We'd like to thank all the contributors who worked on this release!