Releases: spring-projects/spring-security
6.0.0-RC1
⏪ Breaking Changes
- RequestMatcherDelegatingAuthorizationManager should deny when no match #11958
- Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #9429
- BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347
- Default to DelegatingSecurityContextRepository in SecurityContextConfigurer #12049
- Default to Xor CSRF protection #11960
- Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository #11026
- OidcUserAuthority should not automatically include ROLE_USER authority #7856
- Remove deprecated constructors in PasswordEncoders #11985
- Remove deprecated CsrfSpec.tokenFromMultipartDataEnabled #12020
- Remove deprecated CsrfWebFilter.setTokenFromMultipartDataEnabled #12019
- Remove Deprecated OpenSAML 3 Support #11789
- Remove deprecated RequestMatcher methods from Java Configuration #11939
- Remove OpenSAML3 support #10556
- Remove WebSecurityConfigurerAdapter #11923
- Remove WebSecurityConfigurerAdapter #10902
- Resource Server Package Name Inconsistencies #7349
- SAML 2.0 filters should be in the web package #8819
- Update Defaults for Smarter Session Access #11454
- Use MvcRequestMatcher by default if Spring MVC is present #11899
- WebAuthenticationDetails#hashCode often returns zero #4133
- XSS protection should be set to 0 by default per updated OWASP recommendation #9631
⭐ New Features
- Add 'securityMatcher' as an alias of 'requestMatcher' #11945
- Add native hint for OAuth2 Client's schemas #11920
- Add native hint for the users JDBC schema #11907
- Add static factory methods to RequestMatcher implementations #11978
- Add XML support for shouldFilterAllDispatcherTypes #11971
- automatically manage docs version (with collector) #11957
- Change XML default use-authorization-manager="true" #11929
- Default to shouldFilterAllDispatcherTypes=true in XML #11970
- Deprecate HPKP security header #11937
- Enabling authenticationIsRequired to be overridden for custom checks.… #10971
- HttpSecurityConfiguration should configure ContentNegotiationStrategy #11922
- Observability #11906
- SessionManagementDsl.requireExplicitAuthenticationStrategy #11928
- Simplify Java Configuration RequestMatcher Usage #11940
- Smarter HttpSession Access #6125
- Update What's New in 6.0 #12024
🪲 Bug Fixes
- Build fails with missing project property cloneOutputDirectory #11981
- Possible misconfiguration of SecurityContextRepository #12023
- SAML Logout move onload script to body tag #11881
- SecurityContextImpl does not have hints to resolve the Authentication #11987
🔨 Dependency Upgrades
- Update to Spring Data 2022.0.0-RC1 #12066
- Update to Spring LDAP 3.0.0-RC1 #12067
- Update hibernate-core to 6.1.4.Final #12038
- Update htmlunit to 2.65.1 #12039
- Update htmlunit-driver to 2.65.0 #12034
- Update io.spring.javaformat to 0.0.35 #12040
- Update jackson-bom to 2.13.4.20221013 #12042
- Update junit-bom to 5.9.1 #12036
- Update logback-classic to 1.4.4 #12043
- Update mockk to 1.13.2 #12041
- Update org.jetbrains.kotlin to 1.7.20 #12037
- Update org.mockito to 4.8.1 #12035
- Update org.slf4j to 2.0.3 #12033
- Update to Micrometer 1.10.0-RC1 #12046
- Update to Reactor 2022.0.0-RC1 #12045
- Update to Spring Framework 6.0.0-RC1 #12047
- Upgrade Unboundid to 6.0.6 #10210
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-RC1
⏪ Breaking Changes
- Make X-Xss-Protection header value configurable in ServerHttpSecurity #11908
⭐ New Features
- Add 'securityMatcher' as an alias of 'requestMatcher' #9159
- Add CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) #11918
- Add csrfTokenRequestHandler to Kotlin DSL #11952
- Add DeferredSecurityContext and DelegatingSecurityContextRepository #12044
- Add opt-in strategy in for Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #11932
- Add reactive support for BREACH to CsrfWebFilter #11959
- Add SecurityContextHolderStrategy to RequestAttributeSecurityContextRepository #11895
- Add static factory method to AntPathRequestMatcher and RegexRequestMatcher #11965
- Add static factory methods to RequestMatcher implementations #11938
- Add X-Xss-Protection headerValue to XML config #11936
- Add XML support for shouldFilterAllDispatcherTypes #11492
- automatically manage docs version (with collector) #11956
- Cache Xor CSRF token in supplier #11988
- CSRF tokens are vulnerable to a BREACH attack #4001
- Deprecate AccessDecisionManager and related classes #11302
- Deprecate HPKP security header #10144
- HttpSecurityConfiguration should configure ContentNegotiationStrategy #11916
- ListeningSecurityContextHolderStrategy should work with deferred contexts #11817
- Oauth2 client: Allow deescalating logged ERROR for invalid client registration ID #11344
- Provide common super class for AuthorizationDeniedEvent and AuthorizationGrantedEvent #11972
- SessionManagementDsl.requireExplicitAuthenticationStrategy #11927
- Simplify AuthorizationManager composition #11625
- Simplify Java Configuration RequestMatcher Usage #11347
- Update default configuration for Pbkdf2PasswordEncoder #10489
- Update PasswordEncoder Minimums #10506
- Update What's New for 5.8 #12021
🪲 Bug Fixes
- Build fails with missing project property cloneOutputDirectory #11980
- SAML Logout move onload script to body tag #11879
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.12.Final #12059
- Update htmlunit to 2.65.1 #12058
- Update htmlunit-driver to 2.65.0 #12064
- Update io.projectreactor to 2020.0.24 #12055
- Update io.spring.javaformat to 0.0.35 #12057
- Update jackson-bom to 2.13.4.20221013 #12052
- Update jackson-databind to 2.13.4.2 #12053
- Update junit-bom to 5.9.1 #12061
- Update mockk to 1.13.2 #12054
- Update org.jetbrains.kotlin to 1.7.20 #12060
- Update org.junit.jupiter to 5.9.1 #12062
- Update org.mockito to 4.8.1 #12063
- Update org.springframework.data to 2021.2.5 #12065
- Update reactor-netty to 1.1.0-M6 #12056
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.4
⭐ New Features
- automatically manage docs version (with collector) #11955
🪲 Bug Fixes
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11729
- Build fails with missing project property cloneOutputDirectory #11979
- GitHubMilestoneApiTests due_on Should Use LocalDate #11707
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11727
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11711
- RemoteJwkSet is not refreshed when encountering an unknown KID #11723
- RequestRejectedHandler does not reliably prevent Internal Server Error #11744
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin to 3.11.1 #11830
- Update hibernate-entitymanager to 5.6.10.Final #11745
- Update hibernate-entitymanager to 5.6.12.Final #12016
- Update io.projectreactor to 2020.0.22 #11743
- Update io.projectreactor to 2020.0.24 #12012
- Update io.rsocket to 1.1.3 #12014
- Update jackson-bom to 2.13.4.20221012 #12008
- Update jackson-databind to 2.13.4.1 #12009
- Update jackson-datatype-jsr310 to 2.13.4 #12010
- Update jsonassert to 1.5.1 #11741
- Update mockk to 1.12.8 #12011
- Update org.eclipse.jetty to 9.4.48.v20220622 #11740
- Update org.eclipse.jetty to 9.4.49.v20220914 #12015
- Update org.springframework to 5.3.22 #11739
- Update org.springframework to 5.3.23 #12017
- Update org.springframework.data to 2021.1.6 #11742
- Update org.springframework.data to 2021.2.4 #12018
- Update reactor-netty to 1.0.24 #12013
5.6.8
⭐ New Features
- automatically manage docs version (with collector) #11943
🪲 Bug Fixes
- Add rncToXsd task description to CONTRIBUTING.adoc #11935
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11730
- Build fails with missing project property cloneOutputDirectory #11969
- GitHubMilestoneApiTests due_on Should Use LocalDate #11708
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11728
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11712
- RemoteJwkSet is not refreshed when encountering an unknown KID #11724
- Updated reference to architecture page #11778
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin to 3.11.1 #11827
- Update hibernate-entitymanager to 5.6.12.Final #12005
- Update io.projectreactor to 2020.0.24 #12001
- Update io.rsocket to 1.1.3 #12003
- Update jackson-bom to 2.13.4.20221012 #11997
- Update jackson-databind to 2.13.4.1 #11998
- Update jackson-datatype-jsr310 to 2.13.4 #11999
- Update mockk to 1.12.8 #12000
- Update org.eclipse.jetty to 9.4.49.v20220914 #12004
- Update org.springframework to 5.3.23 #12006
- Update org.springframework.data to 2021.1.8 #12007
- Update reactor-netty to 1.0.24 #12002
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.0-M7
⏪ Breaking Changes
- csrfRequestAttributeName = _csrf #11764
- Remove Configuration meta-annotation from Enable* annotations #11653
- Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence) #8980
- Use SHA256 by default in Remember Me #11520
⭐ New Features
- Add native hints for basic @PostAuthorize usage #11737
- Add native-image support for PreAuthorize #11446
- Performance enhancement in HttpSessionRequestCache #11750
- Remove FilterSecurityInterceptor from WebSecurity #11325
- Remove setAuthenticationManager from HttpSecurityConfiguration #11776
🪲 Bug Fixes
- Document in xsd security-context-explicit-save defaults to true #11773
- Fix IP address parse error message in IpAddressMatcher#parseAddress() #11713
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11710
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11042
- Sources and javadocs missing in latest snapshots #10602
- Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11288
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.1 #11859
- Update com.nimbusds to 9.43.1 #11858
- Update Gradle Enterprise plugin to 3.11.1 #11832
- Update hibernate-core to 6.1.3.Final #11867
- Update hsqldb to 2.7.0 #11868
- Update htmlunit to 2.64.0 #11865
- Update htmlunit-driver to 2.64.0 #11872
- Update io.projectreactor to 3.5.0-M6 #11861
- Update io.rsocket to 1.1.3 #11863
- Update jackson-bom to 2.13.4 #11855
- Update jackson-databind to 2.13.4 #11856
- Update jackson-datatype-jsr310 to 2.13.4 #11857
- Update jakarta.inject to 2.0.1 #11864
- Update junit-bom to 5.9.0 #11870
- Update logback-classic to 1.4.1 #11854
- Update mockk to 1.12.8 #11860
- Update org.eclipse.jetty to 11.0.12 #11866
- Update org.mockito to 4.8.0 #11871
- Update org.springframework to 6.0.0-M6 #11833
- Update reactor-netty to 1.1.0-M6 #11862
- Update to mockito 4.7.0 #11749
- Upgrade to Spring LDAP 3.0.0-M3 #11718
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M3
⭐ New Features
- @WithMockUser Supported as Merged Annotation #11782
- Add AspectJ support to @EnableMethodSecurity #11326
- Add CsrfFilter.csrfAttributeName #11699
- add information to README describing how to build the reference docs #11876
- Add new interfaces for CSRF request processing #11781
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to Me… #11667
- Add Support for LazyCsrfTokenRepository to Defer Loading CsrfTokens #11700
- Configurable authentication converter for resource-servers with token introspection #11661
- CsrfFilter Accesses Session on Every Request #11456
- Document that Method Security Co-routine Support Skips Downstream Interceptors #10920
- HttpSecurityDsl should support apply method #11754
- Javadoc typo 'sue' -> 'use' #11794
- Mistake in Kotlin code representation is fixed #11753
- ReactiveAuthorizationManager + Reactive Method Security #9867
- Update javadoc of Kotlin DSL to reflect the deprecation of WebSecurityConfigurerAdapter #11646
- webflux logout not working when project defines a context path (spring.webflux.base-path) #11716
🪲 Bug Fixes
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11726
- GitHubMilestoneApiTests due_on Should Use LocalDate #11706
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11449
- Modify words #11709
- SAML2 Login fails with CSP in chrome based browsers #11676
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.1 #11839
- Update com.nimbusds to 9.43.1 #11838
- Update Gradle Enterprise plugin to 3.11.1 #11831
- Update hibernate-entitymanager to 5.6.11.Final #11846
- Update hsqldb to 2.7.0 #11847
- Update htmlunit to 2.64.0 #11844
- Update htmlunit-driver to 2.64.0 #11850
- Update io.projectreactor to 2020.0.23 #11841
- Update io.rsocket to 1.1.3 #11843
- Update jackson-bom to 2.13.4 #11835
- Update jackson-databind to 2.13.4 #11836
- Update jackson-datatype-jsr310 to 2.13.4 #11837
- Update junit-bom to 5.9.0 #11848
- Update logback-classic to 1.4.1 #11834
- Update mockk to 1.12.8 #11840
- Update org.eclipse.jetty to 9.4.49.v20220914 #11845
- Update org.mockito to 4.8.0 #11849
- Update org.springframework to 5.3.23 #11851
- Update reactor-netty to 1.1.0-M6 #11842
- Update to mockito 4.7.0 #11748
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M2
⭐ New Features
- Add hash-based Content-Security-Policy for SAML post pages #11631
- Allow customization of redirect strategy #11387
- Receive AuthnRequest Id and Response InResponseTo in Saml2AuthenticationRequestRepository #11468
- Set permissions for GitHub actions #11367
🪲 Bug Fixes
- "Well-Know" should be "Well-Known" #11613
- Add Deprecated annotation to WebSecurity#securityInterceptor #11634
- RequestRejectedHandler does not reliably prevent Internal Server Error #11645
- Spring Security SAML fails in Chrome because of favicon request #11657
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.3
⭐ New Features
- Add Kotlin example showing integration with WebTestClient #9998
- Set permissions for GitHub actions #11642
- Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11650
🪲 Bug Fixes
- Add Deprecated annotation to WebSecurity#securityInterceptor #11637
- Check saganCreateRelease saganDeleteRelease Required Permissions #11425
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11605
- RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #11606
- RequestRejectedHandler does not reliably prevent Internal Server Error #11672
- Sources and javadocs missing in latest snapshots #11628
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11484
- Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11651
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.10.Final #11694
- Update io.projectreactor to 2020.0.22 #11691
- Update jsonassert to 1.5.1 #11696
- Update mockk to 1.12.5 #11690
- Update org.eclipse.jetty to 9.4.48.v20220622 #11693
- Update org.jetbrains.kotlinx to 1.6.4 #11695
- Update org.springframework to 5.3.22 #11697
- Update org.springframework.data to 2021.2.2 #11698