Releases: spring-projects/spring-security
5.6.7
⭐ New Features
- Add Kotlin example showing integration with WebTestClient #11612
- Set permissions for GitHub actions #11644
🪲 Bug Fixes
- Add Deprecated annotation to WebSecurity#securityInterceptor #11636
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11426
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11608
- RequestRejectedHandler does not reliably prevent Internal Server Error #11673
- Sources and javadocs missing in latest snapshots #11629
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11485
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.10.Final #11683
- Update io.projectreactor to 2020.0.22 #11680
- Update jsonassert to 1.5.1 #11684
- Update mockk to 1.12.5 #11679
- Update org.eclipse.jetty to 9.4.48.v20220622 #11682
- Update org.springframework to 5.3.22 #11685
- Update org.springframework.data to 2021.1.6 #11686
- Update reactor-netty to 1.0.22 #11681
6.0.0-M6
⏪ Breaking Changes
- Change interface with constants to final class #10960
- Claims contain an instance of java.net.URL and are used in hash-based containers #10673
- Consider using OAuth2Token instead of AbstractOAuth2Token #10959
- FilterSecurityInterceptor applies to every request by default #11466
- Remove deprecated allowMultipleAuthorizationRequests #11564
- Remove deprecated converters in OAuth2AccessTokenResponseHttpMessageConverter #11513
- Remove deprecated CustomUserTypesOAuth2UserService #11511
- Remove deprecated implicit authorization grant type #11506
- Remove deprecated NimbusAuthorizationCodeTokenResponseClient #11512
- Remove deprecated NimbusJwtDecoderJwkSupport #11507
- Remove deprecated OAuth2IntrospectionClaimAccessor #11499
- Remove deprecated UnAuthenticatedServerOAuth2AuthorizedClientRepository #11508
- Remove deprecations in AbstractOAuth2AuthorizationGrantRequest #11517
- Remove deprecations in AuthorizationRequestRepository #11519
- Remove deprecations in ClaimAccessor #11585
- Remove deprecations in ClientAuthenticationMethod #11516
- Remove deprecations in ClientRegistration #11518
- Remove deprecations in JwtAuthenticationConverter #11587
- Remove deprecations in OAuth2AuthorizedClientArgumentResolver #11584
- Remove deprecations in OidcClientInitiatedLogoutSuccessHandler #11565
- Remove deprecations in OidcUserInfo #11586
- Remove deprecations in ServerOAuth2AuthorizedClientExchangeFilterFunction #11589
- Remove deprecations in ServletOAuth2AuthorizedClientExchangeFilterFunction #11588
⭐ New Features
- Add LDAP runtime hints #11438
- Add Runtime Hints for basic setup #11431
- AnonymousAuthenticationFilter Accesses Session on Every Request #11465
- Consider updating testing examples to use JUnit Jupiter #10934
- CookieServerCsrfTokenRepository doesn't support setting MaxAge #11432
- Remove dependency on commons-codec by using java.util.Base64 #11319
- SAML2 customizable URLs #8873
- Update DelegatingSecurityContextTaskScheduler to implement new Required Methods #11474
- Update java version to 17.0.3-tem #11370
- Update javadoc in CommonOAuth2Provider #11490
- Use JDK 17 on build #11324
🪲 Bug Fixes
- CsrfWebFilter null save content-type check #11205
- Docs example uses access(String) with authorizeHttpRequests() #11280
- Fix method call example on documentation #11380
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11423
- Fix tests using root cause for exception messages #11372
- Fix title render issue of Digest Authentication document #11291
- Fix typo in BasicLookupStrategy Javadoc #11336
- Fix typo on NimbusJwtDecoderTests #11394
- Fixed typo in comment for changePassword method #11274
- KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11354
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11379
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11283
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11470
- Update usage of deprecated reactor.util.context.Context.putAll method #11476
- Use Collection in examples #11478
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11524
- Update assertj-core to 3.23.1 #11531
- Update com.nimbusds to 9.38.1 #11523
- Update Gradle Enterprise plugin #11398
- Update hibernate-core-jakarta to 5.6.10.Final #11533
- Update htmlunit to 2.63.0 #11530
- Update htmlunit-driver to 2.63.0 #11538
- Update io.projectreactor to 3.5.0-M4 #11525
- Update io.r2dbc:r2dbc-h2 to 1.0.0.RC1 #11479
- Update io.spring.javaformat to 0.0.34 #11527
- Update jakarta.annotation-api to 2.1.1 #11528
- Update jakarta.servlet.jsp-api to 3.1.0 #11529
- Update jsonassert to 1.5.1 #11539
- Update junit-bom to 5.9.0-RC1 #11536
- Update org.eclipse.jetty to 11.0.11 #11532
- Update org.jetbrains.kotlin to 1.7.10 #11534
- Update org.jetbrains.kotlinx to 1.6.4 #11535
- Update org.junit.jupiter to 5.9.0-RC1 #11537
- Update org.springframework to 6.0.0-M5 #11594
- Update reactor-netty to 1.1.0-M4 #11526
- Update spring-data-jpa to 3.0.0-M5 #11540
- Update spring-ldap-core to 2.4.1 #11541
- Update to Kotlin 1.7 #11374
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-M1
⏪ Breaking Changes
- SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667
⭐ New Features
- Add AuthorizationManager that uses ExpressionHandler #11105
- Add AuthorizationManager XML Support for Filter Security #11305
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11383
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11229
- Add Jackson Support for Saml2AuthenticationException #11176
- Add MethodExpressionAuthorizationManager #11493
- Add relyingPartyRegistrationId to AbstractSaml2AuthenticationRequest #11195
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11393
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11360
- Add RoleHierarchyAuthorizationManager #11304
- Add support AuthorizationManager + #11323
- AnonymousAuthenticationFilter Accesses Session on Every Request #11457
- AuthorizationManager for WebSocket Security #11076
- Branch 5.8.x should point to samples branch 5.8.x #11203
- Build modules using Java 8 #10816
- Check Samples should run against the current artifacts #10344
- Consider updating testing examples to use JUnit Jupiter #11294
- Deprecate Resource Owner Password Credentials grant #11590
- Ensure that SecurityContext is correctly preserved in MockMvc tests when using SecurityContextHolderStrategy @Bean #11444
- HttpSessionRequestCache Causes Session Access on Every Request #11453
- Improve docs on dispatcherTypeMatcher #11505
- Improve docs on dispatcherTypeMatcher #11467
- InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11328
- Missing reactive DelegatingRequestMatcherHeaderWriter #11073
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11381
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11378
- OpenSaml4AuthenticationRequestResolver should have a customizable URI #10840
- Password Encoding Improvements #11482
- phoneNumberVerified field is Boolean type #11315
- Provide alternative for MD5 hashing in remember me token #8549
- Remove dependency on commons-codec by using java.util.Base64 (for 5.8.x) #11322
- Support multiple SingleLogoutService bindings #11286
- Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192
- Use SecurityContextHolderStrategy for defaults #11062
🪲 Bug Fixes
- Docs example uses access(String) with authorizeHttpRequests() #11295
- Failed signature verification on SAML2 LogoutRequest #11235
- Fix OAuth2ResourceServerConfigurer member variable using Java 9+ feature #10695
- Form Login not possible when a single OAuth2 Provider is configured #11375
- Multiple .requestMatchers().mvcMatchers() override previous one #10956
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11382
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11262
- ServerRequestCacheWebFilter causes WebSession to be read every request #7157
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11312
- Some Security Expressions cause NPE when used within @Query #11196
- Spring Security SAML2 Single Logout After Session Expiration Not Working from External App #11389
- Use Base64 encoder with no CRLF in output for SAML 2.0 messages #11270
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11546
- Update assertj-core to 3.23.1 #11552
- Update com.nimbusds to 9.38.1 #11545
- Update hibernate-entitymanager to 5.6.10.Final #11554
- Update htmlunit to 2.63.0 #11551
- Update htmlunit-driver to 2.63.0 #11559
- Update io.projectreactor to 2020.0.21 #11548
- Update io.spring.javaformat to 0.0.34 #11550
- Update jackson-bom to 2.13.3 #11542
- Update jackson-databind to 2.13.3 #11543
- Update jackson-datatype-jsr310 to 2.13.3 #11544
- Update jsonassert to 1.5.1 #11560
- Update junit-bom to 5.9.0-RC1 #11557
- Update mockk to 1.12.4 #11547
- Update org.eclipse.jetty to 9.4.48.v20220622 #11553
- Update org.jetbrains.kotlin to 1.7.10 #11555
- Update org.jetbrains.kotlinx to 1.6.4 #11556
- Update org.junit.jupiter to 5.9.0-RC1 #11558
- Update org.springframework to 5.3.22 #11561
- Update org.springframework.data to 2021.2.2 #11562
- Update reactor-netty to 1.1.0-M4 #11549
- Update spring-ldap-core to 2.4.1 #11563
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.2
⭐ New Features
- Consider updating testing examples to use JUnit Jupiter #11293
🪲 Bug Fixes
- Some Security Expressions cause NPE when used within @Query #11289
- CsrfWebFilter null save content-type check #11341
- Docs example uses access(String) with authorizeHttpRequests() #11296
- Fix typo in BasicLookupStrategy Javadoc #11339
- KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11358
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11384
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11284
- SecurityContextRepository.loadContext(HttpServletRequest) cache result #11390
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11311
- Update opaque-token.adoc #11303
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.4.3.1 #11402
- Update hibernate-entitymanager to 5.6.9.Final #11405
- Update io.projectreactor to 2020.0.20 #11403
- Update jackson-bom to 2.13.3 #11399
- Update jackson-databind to 2.13.3 #11400
- Update jackson-datatype-jsr310 to 2.13.3 #11401
- Update org.jetbrains.kotlinx to 1.6.3 #11406
- Update org.opensaml:opensaml-core4 to 4.1.1 #11410
- Update org.springframework to 5.3.21 #11407
- Update org.springframework.data to 2021.2.1 #11408
- Update reactor-netty to 1.0.20 #11404
- Update spring-ldap-core to 2.4.1 #11409
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.6
⭐ New Features
- Consider updating testing examples to use JUnit Jupiter #11292
🪲 Bug Fixes
- CsrfWebFilter null save content-type check #11342
- Docs example uses access(String) with authorizeHttpRequests() #11297
- Fix typo in BasicLookupStrategy Javadoc #11340
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11385
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11285
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11310
- Some Security Expressions cause NPE when used within @Query #11290
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.9.Final #11416
- Update io.projectreactor to 2020.0.20 #11414
- Update jackson-bom to 2.13.3 #11411
- Update jackson-databind to 2.13.3 #11412
- Update jackson-datatype-jsr310 to 2.13.3 #11413
- Update org.opensaml:opensaml-core4 to 4.1.1 #11420
- Update org.springframework to 5.3.21 #11417
- Update org.springframework.data to 2021.1.5 #11418
- Update reactor-netty to 1.0.20 #11415
- Update spring-ldap-core to 2.3.8.RELEASE #11419
6.0.0-M5
5.7.1
5.6.5
5.5.8
6.0.0-M4
⏪ Breaking Changes
- Authorization on Every Dispatch Type #11027
- Change the default of shouldFilterAllDispatchTypes to true #11107
- Default to SecurityContextHolderFilter instead of SecurityContextPersistenceFilter #11110
- Remove MessageSourceAware from ExceptionTranslationWebFilter #11057
- RequestRejectedException should be 400 by default #7568
⭐ New Features
- Fix tests in AntPathRequestMatcherTests #11090
- messages.properties cleanup #11172
- Optimize AntRegexRequestMatcher #11234
- Remove SAML Deprecations #11077
- Replace removed Reactor context-related operators #11194
🪲 Bug Fixes
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.4.3 #11240
- Update com.nimbusds to 9.35 #11239
- Update Gradle Enterprise plugin to 3.9 #11104
- Update hibernate-core-jakarta to 5.6.9.Final #11249
- Update htmlunit to 2.61.0 #11246
- Update htmlunit-driver to 2.61.0 #11254
- Update io.projectreactor to 2020.0.19 #11242
- Update jackson-bom to 2.13.3 #11236
- Update jackson-databind to 2.13.3 #11237
- Update jackson-datatype-jsr310 to 2.13.3 #11238
- Update jakarta.annotation-api to 2.1.0 #11244
- Update jakarta.persistence-api to 3.1.0 #11245
- Update junit-bom to 5.9.0-M1 #11252
- Update mockk to 1.12.4 #11241
- Update org.aspectj to 1.9.9.1 #11247
- Update org.eclipse.jetty to 11.0.9 #11248
- Update org.jetbrains.kotlin to 1.6.21 #11250
- Update org.jetbrains.kotlinx to 1.6.1 #11251
- Update org.junit.jupiter to 5.9.0-M1 #11253
- Update reactor-netty to 1.1.0-M2 #11243
- Update Spring Framework to 6.0.0-M4 #11260
- Update spring-data-jpa to 3.0.0-M4 #11255
- Update spring-ldap-core to 2.4.0 #11256
- Update to Gradle 7.4.2 #11101
❤️ Contributors
We'd like to thank all the contributors who worked on this release!