Releases: spring-projects/spring-security
6.0.3
⭐ New Features
- Add new DaoAuthenticationProvider constructor #12874
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12992
- Documentation should mention that an empty SecurityContext should also be saved #12941
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12932
- Incomplete documentation regarding Hierarchical roles. #12766
- Remove deprecated SecurityContextPersistenceFilter from docs #12690
🪲 Bug Fixes
- @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12780
- Broken links in form login section of docs #12822
- chore: typo, removed extra "s" in word implementationss #12882
- EntityId ignored in xml relying-party-registration #12777
- Fix a javadoc typo in ReactiveAuthorizationManager #13000
- Fix a javadoc typo in ReactiveAuthorizationManager #12983
- Fix broken links in form login section #12823
- Fix docs typo #12745
- Fix documentation code block bug. #12980
- Fix typo architecture.adoc #12851
- fix typo in RequestCacheResultMatcher #12814
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12919
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12767
- MessageMatcherDelegatingAuthorizationManager not extracting path variables for authorization context #12540
- Missing spring-security-oauth2 xsds after release #12806
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13005
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12829
- Observation Spans are not nested correctly in Webflux #12849
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #13055
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12936
- Spring Security 6.0.2 ObservationFilterChainDecorator produce wrong instrument names #12811
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12836
🔨 Dependency Upgrades
- Update assertj-core to 3.24.2 #13038
- Update io.projectreactor to 2022.0.6 #13034
- Update io.spring.javaformat to 0.0.38 #13036
- Update logback-classic to 1.4.6 #13030
- Update maven-resolver-provider to 3.8.8 #13037
- Update micrometer-observation to 1.10.6 #13032
- Update mockk to 1.13.5 #13033
- Update org.eclipse.jetty to 11.0.15 #13039
- Update org.springframework to 6.0.8 #13041
- Update org.springframework.data to 2022.0.5 #13042
- Update reactor-netty to 1.1.6 #13035
- Update slf4j-api to 2.0.7 #13040
- Update spring-ldap-core to 3.0.2 #13043
- Update unboundid-ldapsdk to 6.0.8 #13031
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.3
⭐ New Features
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12991
- Document 5.8 Migration for DefaultMethodSecurityExpressionHandler #12356
- Documentation should mention that an empty SecurityContext should also be saved #12906
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12928
- Fixed test in DefaultLoginPageGeneratingFilterTests #12694
🪲 Bug Fixes
- Bug in documentation of Storing the Authentication manually #12850
- DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873
- EntityId ignored in xml relying-party-registration #12776
- Fix .access(...) parameter #12676
- Fix a javadoc typo in ReactiveAuthorizationManager #12999
- Fix a javadoc typo in ReactiveAuthorizationManager #12982
- Fix ID of WebSocket Authorization section #12872
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12314
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12472
- Missing spring-security-oauth2 xsds after release #12805
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13004
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #13054
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12935
- SecurityWebApplicationInitializer.getSecurityDispatcherTypes example is wrong in migration guide #12939
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12835
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13024
- Update io.projectreactor to 2020.0.31 #13022
- Update io.spring.javaformat to 0.0.38 #13025
- Update logback-classic to 1.2.12 #13021
- Update org.eclipse.jetty to 9.4.51.v20230217 #13026
- Update org.springframework to 5.3.27 #13027
- Update org.springframework.data to 2021.2.10 #13028
- Update org.springframework.data to 2021.2.11 #13029
- Update reactor-netty to 1.0.31 #13023
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.8
⭐ New Features
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #6597
- Document relationship between registrationId, EntityID, and resolving a relying party #12764
🪲 Bug Fixes
- Add test to SimpleUrlAuthenticationSuccessHandlerTests #12740
- Avoid NPE in FilterInvocation #12922
- EntityId ignored in xml relying-party-registration #11898
- Fix a javadoc typo in ReactiveAuthorizationManager #12998
- Fix a javadoc typo in ReactiveAuthorizationManager #12978
- Fix typo in SessionManagementConfigurer javadoc #12820
- Missing spring-security-oauth2 xsds after release #12804
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #12960
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #12664
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12834
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13016
- Update io.projectreactor to 2020.0.31 #13014
- Update logback-classic to 1.2.12 #13013
- Update org.eclipse.jetty to 9.4.51.v20230217 #13017
- Update org.springframework to 5.3.27 #13018
- Update org.springframework.data to 2021.2.11 #13019
- Update reactor-netty to 1.0.31 #13015
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.0-M2
⭐ New Features
- Add RelayState Customizer to SAML Logout #12582
- Add saml2Metadata to the DSL #11828
- Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
- Allow Relying Party to be Deduced from LogoutRequest #12843
- Allow UserBuilder to easily build a user without any authorities #12533
- Cookie no support for field 'version' and 'comment' #12454
- Copies of RelyingPartyRegistration should preserve custom fields #12841
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
- Extract placeholder resolution from DefaultRelyingPartyRegistrationResolver #12842
- Incomplete documentation regarding Hierarchical roles. #12784
- Move classpath checks to class member variable #12640
- move code comment to callout #12536
- NimbusReactiveJwtDecoder support mono chain #12521
- Polish DefaultLoginPageGeneratingFilter #12657
- Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
- Re-add support for CAS #11674
- Relax final method implementations on AbstractRememberMeServices #12145
- RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
- Remove deprecated SecurityContextPersistenceFilter from docs #12809
- Restore CAS module and update it for cas-client-core 4.0.0 #12362
- Revisit Session Management Documentation #12681
- Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
- SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
- Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
- Support Device Authorization Response #12852
- Support LogoutRequest when already logged out #12845
- Update javadoc in EnableWebSecurity #12613
- Use a custom authentication type for CAS #12304
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
- @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
- A typo in form login doc #12730
- Broken links in form login section of docs #12839
- Document XMLObject retrieval for Asserting Party metadata #12800
- EntityId ignored in xml relying-party-registration #12778
- Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
- Fix image in servlet architecture docs section #12609
- Fix javadoc typo #12643
- fix missing semi-colon java example in observability documentation #12761
- fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
- Missing spring-security-oauth2 xsds after release #12807
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
- Typo in Authentication Migrations page #12660
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin #12669
- Update hibernate-core to 6.1.7.Final #12898
- Update httpclient to 4.5.14 #12894
- Update io.projectreactor to 2022.0.5 #12890
- Update io.spring.javaformat to 0.0.38 #12891
- Update io.spring.nohttp to 0.0.11 #12892
- Update jackson-bom to 2.14.2 #12886
- Update jakarta.servlet.jsp-api to 3.1.1 #12893
- Update junit-bom to 5.9.2 #12900
- Update logback-classic to 1.4.6 #12885
- Update maven-resolver-provider to 3.8.8 #12895
- Update micrometer-observation to 1.10.5 #12888
- Update mockk to 1.13.4 #12889
- Update org.aspectj to 1.9.19 #12896
- Update org.eclipse.jetty to 11.0.14 #12897
- Update org.jetbrains.kotlin to 1.8.20-RC #12899
- Update org.springframework to 6.0.7 #12902
- Update org.springframework.data to 2022.0.3 #12903
- Update slf4j-api to 2.0.7 #12901
- Update spring-ldap-core to 3.0.1 #12904
- Update spring-ldap-core to 3.0.1 #12727
- Update to Kotlin 1.8.10 #12788
- Update unboundid-ldapsdk to 6.0.8 #12887
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.7
⭐ New Features
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #11095
- Document XMLObject retrieval for Asserting Party metadata #12667
- Fix typo in OAuth 2.0 testing docs #12437
- Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #11785
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12238
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12637
- SwitchUserFilter not working in Spring Security 6 #12504
- Wrong name of the filter in the SecurityContextHolderFilter diagram #11800
🔨 Dependency Upgrades
- Update blockhound to 1.0.7.RELEASE #12733
- Update hibernate-entitymanager to 5.6.15.Final #12736
- Update io.projectreactor to 2020.0.28 #12732
- Update io.spring.nohttp to 0.0.11 #12734
- Update jackson-bom to 2.13.5 #12731
- Update org.aspectj to 1.9.19 #12735
- Update org.springframework to 5.3.25 #12737
- Update org.springframework.data to 2021.2.8 #12738
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.2
⭐ New Features
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
- Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12444
- Move classpath checks to class member variable #11437
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
- Revisit Session Management Documentation #12680
- Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12498
- Update broken links, correct gradle command for Windows OS. #12336
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
- @EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506
- A typo in form login doc #12678
- Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
- Document XMLObject retrieval for Asserting Party metadata #12729
- Document XMLObject retrieval for Asserting Party metadata #12728
- Duplicate words. #12471
- Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
- gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
- Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12459
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
- Security observations are not setting their parent observation #12524
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
- SwitchUserFilter not working in Spring Security 6 #12511
- Update expression-based.adoc #12363
- Update multitenancy.adoc #12474
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12527
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.7.Final #12707
- Update io.projectreactor to 2022.0.3 #12701
- Update io.spring.nohttp to 0.0.11 #12703
- Update jackson-bom to 2.14.2 #12696
- Update jackson-databind to 2.14.2 #12697
- Update jackson-datatype-jsr310 to 2.14.2 #12698
- Update jakarta.servlet.jsp-api to 3.1.1 #12704
- Update junit-bom to 5.9.2 #12708
- Update junit-platform-launcher to 1.9.2 #12710
- Update maven-resolver-provider to 3.8.7 #12705
- Update micrometer-observation to 1.10.4 #12699
- Update mockk to 1.13.4 #12700
- Update org.aspectj to 1.9.19 #12706
- Update org.junit.jupiter to 5.9.2 #12709
- Update org.springframework to 6.0.5 #12711
- Update org.springframework.data to 2022.0.2 #12712
- Update reactor-netty to 1.1.3 #12702
- Update spring-ldap-core to 3.0.1 #12713
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.2
⭐ New Features
- Add XorCsrfChannelInterceptor #12562
- Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12434
- fix unclosed block in docs #12553
- Improve documentation on what changed in the default behaviour in version 6 vs 5.7 #12462
- Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12486
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12516
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12665
- Document XMLObject retrieval for Asserting Party metadata #12693
- Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12458
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12494
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12686
- SwitchUserFilter not working in Spring Security 6 #12510
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12526
🔨 Dependency Upgrades
- Update blockhound to 1.0.7.RELEASE #12719
- Update hibernate-entitymanager to 5.6.15.Final #12722
- Update io.projectreactor to 2020.0.28 #12717
- Update io.spring.nohttp to 0.0.11 #12720
- Update jackson-bom to 2.13.5 #12714
- Update jackson-databind to 2.13.5 #12715
- Update jackson-datatype-jsr310 to 2.13.5 #12716
- Update junit-bom to 5.9.2 #12723
- Update org.aspectj to 1.9.19 #12721
- Update org.junit.jupiter to 5.9.2 #12724
- Update org.springframework to 5.3.25 #12725
- Update org.springframework.data to 2021.2.8 #12739
- Update org.springframework.data to 2021.2.8 #12726
- Update reactor-netty to 1.0.28 #12718
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.0-M1
⭐ New Features
- Add EnableWebSecurity migration steps to 5.8 guide #12355
- Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter #11815
- Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086
- Add Authority String AuthorizationManager #12231
- Add configurable authorities split regex #12124
- Add configurable authorities split regex #12073
- add packages (dependencies) to playbook template in docs-build branch #12522
- Add the ability to set the SameSite policy to the CSRF Cookie #12109
- Allow authorization request resolver to be changed for the OAuth2 client configuration #12430
- AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context #12505
- Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier #12489
- Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12445
- Inaccurate javadoc text in setRequestHandler method from CsrfWebFilter class #12484
- Inaccurate javadoc text in setRequestHandler method of CsrfFilter class #12515
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12441
- Replace deprecated set-state set-output GitHub Action's commands #12300
- SecuredAuthorizationManager should allow customizing underlying authorization manager #12233
- SecuredAuthorizationManager should cache annotation's value #12232
- Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12499
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12518
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12410
- Error in ACLS document #12406
- Fix AuthorizationFilter diagram in docs #12287
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12436
- Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12460
- JwtAuthenticationProvider should use provided authentication details #11822
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12496
- ProxyFactoryBean on AuthenticationManager does not work in native mode #12372
- Reactive migration documentation for @EnableReactiveMethodSecurity is wrong (or implementation is wrong) #12514
- Security observations are not setting their parent observation #12525
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12493
- SwitchUserFilter not working in Spring Security 6 #12512
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12528
🔨 Dependency Upgrades
- Update org.gretty:gretty to 4.0.3 #12277
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.1
⭐ New Features
- Add EnableWebSecurity migration steps to 5.8 guide #12354
- Replace deprecated set-state set-output GitHub Action's commands #12299
🪲 Bug Fixes
- codes in spring security docs fail to work #12342
- codes in spring security docs fail to work #12341
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12409
- Error in ACLS document #12270
- Fix AuthorizationFilter diagram in docs #12288
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12435
- Incorrect sample code in securityMatcher migration docs #12303
- Incorrect sample code in securityMatcher migration docs #12302
- It's not possible to disable micrometer observability #12268
- ProxyFactoryBean on AuthenticationManager does not work in native mode #12367
- SecurityContextHolderFilter does not apply to async dispatch #12369
- SecurityContextHolderFilter does not apply to async dispatch #12368
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.6.Final #12423
- Update httpclient to 4.5.14 #12421
- Update io.projectreactor to 2022.0.1 #12419
- Update jackson-bom to 2.14.1 #12413
- Update jackson-databind to 2.14.1 #12414
- Update jackson-datatype-jsr310 to 2.14.1 #12415
- Update logback-classic to 1.4.5 #12412
- Update micrometer-observation to 1.10.2 #12417
- Update mockk to 1.13.3 #12418
- Update org.eclipse.jetty to 11.0.13 #12422
- Update org.jetbrains.kotlin to 1.7.22 #12424
- Update org.springframework to 6.0.3 #12426
- Update reactor-netty to 1.1.1 #12420
- Update slf4j-api to 2.0.6 #12425
- Update unboundid-ldapsdk to 6.0.7 #12416
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.1
⭐ New Features
- Add EnableWebSecurity migration steps to 5.8 guide #12334
- Replace deprecated set-state set-output GitHub Action's commands #12298
🪲 Bug Fixes
- codes in spring security docs fail to work #11396
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12408
- Fix AuthorizationFilter diagram in docs #12286
- Fix password encoder migration guide #12318
- Fix typo #12316
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12411
- Incorrect sample code in securityMatcher migration docs #12296
- SecurityContextHolderFilter does not apply to async dispatch #11962
🔨 Dependency Upgrades
- Update httpclient to 4.5.14 #12403
- Update io.projectreactor to 2020.0.26 #12401
- Update mockk to 1.13.3 #12400
- Update org.eclipse.jetty to 9.4.50.v20221201 #12404
- Update org.jetbrains.kotlin to 1.7.22 #12405
- Update reactor-netty to 1.0.26 #12402
❤️ Contributors
We'd like to thank all the contributors who worked on this release!