6.5.0-RC1

⭐ New Features

• Add AuthenticationEntryPoint for DPoP #16900
• Add DestinationPathPatternMessageMatcher #16635
• Add link to docs zip file to the reference #16800
• Add MatchResult to MessageMatcher #16766
• Add not null validation for UserDetailsChecker in AbstractUserDetailsAuthenticationProvider #16710
• Add RelayState-based Authentication Request Respository #14793
• Add request_uri in OAuth2ParameterNames #16947
• Add support for access token in body parameter as per rfc 6750 Sec. 2.2 #15819
• Add Support Postgres To JdbcUserCredentialRepository #16839
• Add support ResolvableTypeProvider to AuthorizationEvent #16762
• Add toString to IpAddressMatcher #16818
• Add XML support for HttpsRedirectFilter #16775
• Allow retrieving username from SAML Assertion Attributes #12136
• Deprecate ConfigAttribute #16774
• Deprecate SecurityConfig #16773
• Deprecate SecurityMetadataSource and implementations #16772
• Deprecate usages of PathMatcher in Web Socket support #16500
• Ensure ID Token is updated after refresh token #16589
• Explain behaviour with XMLHttpRequest on 401 response #16280
• Fix attribute name in http.adoc #16790
• Improve entity fetching from db #16727
• Include AuthenticationRequest in AuthenticationException #16505
• Jackson deserialization of ClientAuthenticationMethods should recognize all values #16826
• Make DPoP IatClaimValidator public to allow configuring clock and clockSkew #16921
• Method Security templates support use deep non-aliased attributes #16550
• OAuth2 Client Authentication section of docs uses deprecated classes #16925
• PathPatternRequestMatcher Include Optional Servlet Path in the pattern #16765
• Polish Pattern Matching Usage #16493
• Prepare oauth2-client deprecations for removal in Spring Security 7 #16913
• Prepare Request Matching for Spring Framework Changes #16417
• Prevent downgraded usage of DPoP-bound access tokens #16937
• Removed Unnecessary Code in Documentation #16739
• Replace dynamic error message with static "Access Denied" #16528
• Saml2WebSsoAuthenticationFilter should allow requests through when SAMLResponse is absent #16000
• Simplify Response Validation in OpenSaml5AuthenticationProvider #16915
• Support Customizing Set of OpenSAML Validators #15578
• Update HandlerMappingIntrospector Usage in Cache filter support #16536
• Update DeferredCsrfToken to implement Supplier #16905
• Update HandlerMappingIntrospector Usage in CORS support #16657
• Update HandlerMappingIntrospector Usage in CORS support #16501
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16789
• Update test object factories to Tests naming convention #16686
• Use SpringCacheBasedTicketCache in cas.adoc #16847
• Use Tests naming convention for WebAuthn test object factories #16865

  🪲 Bug Fixes

  • [Docs] Broken link on Spring MVC Test Integration page #16791
  • ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16902
  • Annotation templates should pick up deep non-aliased attributes #16312
  • Clarify WebInvocationPrivilegeEvaluator JavaDoc #16788
  • Fix typo and inline code formatting in documentation #16717
  • Fix typo code tag #16740
  • Fix typos Open SAML 5 Javadoc referencing Open SAML 4 #16729
  • Fix WebAuthn saves Anonymous PublicKeyCredentialUserEntity #16821
  • PathPatternRequestMatcher should not fail when the RequestPath cache is empty #16796
  • Polish Documentation #16835
  • Polish javadoc #16908
  • RequestMatcherDelegatingWebInvocationPrivilegeEvaluator fails with PathPatternRequestMatcher #16771
  • Restore Migration and Preparation Steps #16873
  • Typo in Base64StringKeyGenerator exception message #16868
  • Update kotlin.adoc to add required spread operator(*) #16859
  • WebFlux reference links to Servlet docs #16792
  • XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16845

  🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16768
  • Bump com.google.code.gson:gson from 2.12.1 to 2.13.0 #16930
  • Bump com.webauthn4j:webauthn4j-core from 0.28.6.RELEASE to 0.29.0.RELEASE #16864
  • Bump Gradle Wrapper from 8.10.2 to 8.13 #16648
  • Bump io.freefair.gradle:aspectj-plugin from 8.13 to 8.13.1 #16823
  • Bump io.micrometer:context-propagation from 1.1.2 to 1.1.3 #16932
  • Bump io.micrometer:micrometer-observation from 1.14.5 to 1.14.6 #16933
  • Bump io.mockk:mockk from 1.13.17 to 1.14.0 #16917
  • Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16943
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16918
  • Bump org-aspectj from 1.9.22.1 to 1.9.23 #16737
  • Bump org-aspectj from 1.9.22.1 to 1.9.24 #16931
  • Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final #16897
  • Bump org.htmlunit:htmlunit from 4.11.0 to 4.11.1 #16831
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.1 to 1.10.2 #16910
  • Bump org.junit:junit-bom from 5.12.1 to 5.12.2 #16929
  • Bump org.mockito:mockito-bom from 5.16.1 to 5.17.0 #16898
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.29.0 to 4.30.0 #16830
  • Bump org.seleniumhq.selenium:selenium-java from 4.30.0 to 4.31.0 #16896
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #16956
  • Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #16955

  🔩 Build Updates

  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #16807
  • Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20 #16893
  • Release 6.5.0-RC1 #16974

  ❤️ Contributors

  Thank you to all the contributors who worked on this release:

  @Chu3laMan, @MartinEmrich, @OrangeDog, @amm0124, @ayoubAnbara, @evgeniycheban, @filiphr, @franticticktick, @jonah1und1, @kse-music, @kwondh5217, @mapsu, @msamborski-orbis, @ngocnhan-tran1996, @pat-mccusker, @pogihae, @vasanth-79, @wtigerhyunsu, and @yhao3