Releases: spring-projects/spring-security
5.6.2
⏪ Breaking Changes
- Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #10734
⭐ New Features
- Document Authorize HTTP Requests for Reactive Security #10801
- Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10682
🪲 Bug Fixes
- add Kotlin examples for Spring Data Integration of servlet application #10848
- commons-logging:commons-logging is a transitive dependency of some modules #10772
- Do not rely on javax. group ids #10770
- Fix broken link to SAML2 login example #10806
- Getting Spring Security Reference Docs have a error #10796
- Make source code compatible with JDK 8 #10699
- Replace StringUtils class of oauth2-oidc-sdk completely #10824
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext #10792
- WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10680
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.5.Final #10873
- Update io.projectreactor to 2020.0.16 #10867
- Update io.spring.javaformat to 0.0.31 #10870
- Update logback-classic to 1.2.10 #10865
- Update mockk to 1.12.2 #10866
- Update org.aspectj to 1.9.8 #10871
- Update org.eclipse.jetty to 9.4.45.v20220203 #10872
- Update org.slf4j to 1.7.36 #10874
- Update org.springframework to 5.3.16 #10875
- Update org.springframework.data to 2021.1.2 #10876
- Update r2dbc-h2 to 0.8.5.RELEASE #10869
- Update reactor-netty to 1.0.16 #10868
- Update spring-ldap-core to 2.3.6.RELEASE #10877
5.5.5
⭐ New Features
- Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10683
🪲 Bug Fixes
- Add Kotlin examples for Spring Data Integration of servlet application #10847
- Replace StringUtils class of oauth2-oidc-sdk completely #10825
- Getting Spring Security Reference Docs have a error #10797
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext #10791
- Make source code compatible with JDK 8 #10700
- WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10681
🔨 Dependency Upgrades
- Update spring-ldap-core to 2.3.6.RELEASE #10863
- Update org.springframework.data to 2021.0.9 #10862
- Update org.springframework to 5.3.16 #10861
- Update org.slf4j to 1.7.36 #10860
- Update org.eclipse.jetty to 9.4.45.v20220203 #10859
- Update org.aspectj to 1.9.8 #10858
- Update io.spring.javaformat to 0.0.31 #10857
- Update r2dbc-h2 to 0.8.5.RELEASE #10856
- Update reactor-netty to 1.0.16 #10855
- Update io.projectreactor to 2020.0.16 #10854
- Update logback-classic to 1.2.10 #10851
6.0.0-M1
⏪ Breaking Changes
- move HttpSecurityDsl and common files to annotation package #10474
- Resolve HttpSecurityDsl Package Tangle #10333
⭐ New Features
- Add NameIdFormat support to RelyingPartyRegistration #9115
- Clean up Reference Documentation #9668
- Clear null authentication to fix ThreadLocal leak #9877
- Gh-10333 move HttpSecurityDsl to another package #10429
- LdapAuthoritiesPopulator should be postProcessed #9276
- make SP NameIDPolicy configurable in RelyingPartyRegistration #9227
- PermitAllSupport supports AuthorizeHttpRequestsConfigurer #10543
- Update Authorization Documentation #10442
🪲 Bug Fixes
- #10504 Replace setJWTClaimSetJWSKeySelector in example code #10508
- Documentation fix in Customizing OpenSAML’s AuthnRequest Instance section #10463
- Fix JwtClaimValidator error type #10500
- Structure101 Plugin uses a dead repository link #10697
- Test fails due to HttpMethod changes #10569
🔨 Dependency Upgrades
- Switch workflows to use a JDK17 baseline #10353
- Update aspectj-plugin to 6.3.0 #10498
- Update assertj-core to 3.22.0 #10748
- Update cas-client-core to 3.6.4 #10753
- Update com.nimbusds to 9.22 #10741
- Update hibernate-core-jakarta to 5.6.3.Final #10751
- Update hsqldb to 2.6.1 #10752
- Update htmlunit to 2.56.0 #10747
- Update htmlunit-driver to 2.56.0 #10756
- Update io.projectreactor to 2020.0.15 #10743
- Update io.r2dbc to 0.9.0.RELEASE #10745
- Update jackson-bom to 2.13.1 #10738
- Update jackson-databind to 2.13.1 #10739
- Update jackson-datatype-jsr310 to 2.13.1 #10740
- Update jakarta.annotation-api to 2.1.0-B1 #10746
- Update junit-bom to 5.8.2 #10754
- Update logback-classic to 1.2.10 #10737
- Update mockk to 1.12.2 #10742
- Update org.bouncycastle to 1.70 #10749
- Update org.eclipse.jetty to 11.0.7 #10750
- Update org.junit.jupiter to 5.8.2 #10755
- Update org.slf4j to 1.7.33 #10757
- Update reactor-netty to 1.0.15 #10744
- Update spring-data-bom to 2022.0.0-M1 #10759
- Update spring-ldap-core to 2.3.5.RELEASE #10758
- Update to Gradle 7.3 #10480
- Update to Spring Framework 6.0 #10360
- Upgrade to JDK 17 #10343
- Upgrade to Kotlin Coroutines 1.6.0 #10707
- Upgrade to Spring Framework 6.0.0-M2 #10706
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.0-M1
⏪ Breaking Changes
- Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #10607
⭐ New Features
- Add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy security headers #9385
- Add Cross-Origin-Resource-Policy security header #10118
- Add Cross Origin Policies headers DSL support #10141
- Add hasIpAddress to Reactive Kotlin DSL #10571
- Add ObjectIdentityGenerator customization to JdbcAclService #10081
- Add RedirectStrategy customization to ChannelSecurityConfigurer for R… #10161
- Allow custom OAuth2ErrorHttpMessageConverter with OAuth2ErrorResponseErrorHandler #10425
- Allow custom OAuth2ErrorHttpMessageConverter with OAuth2ErrorResponse… #10432
- Avoid using SpEL to change the meaning of the injection point #10075
- BasicLookupStrategy for ACL defines the ObjectIdentity as not interchangable #10079
- Clarify behaviour of enableSessionUrlRewriting #7644
- Client JwtBearer grant type should support non Jwt principal #9812
- Fix CsrfConfigurer default AccessDeniedHandler consistency #10154
- Fix Gradle Deprecation Warnings #10446
- Fix typo in Expression matcher Javadocs #10688
- HttpServlet3RequestFactory should set 'details' when creating the authentication token. #9579
- Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #10590
- Prevent using both authorizeRequests and authorizeHttpRequests #10574
- Prevent using both authorizeRequests and authorizeHttpRequests #10573
- Provide Jackson serialization support for LDAP classes #9263
- Set 'details' on authentication token created by HttpServlet3RequestFactory #9597
- Spring Security WebFlux IP Whitelist #7765
- Structure101 plugin should retrive most recent binary #10696
- Support for changing prefix and suffix in DelegatingPasswordEncoder #10278
- Support IP whitelist for Spring Security Webflux #10007
- Update Spring Security to 5.7 #10509
🪲 Bug Fixes
- #10505 Fixed jwtDecoder example code #10510
- AuthorityAuthorizationManager incorrectly compares GrantedAuthority #10566
- WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #10554
- A null SingleLogoutServiceLocation should not cause a NullPointerException #10674
- clockSkew Javadoc is not consistent with implementation #10174
- Configure WebInvocationPrivilegeEvaluator for multiple SecurityFilterChains #10575
- Fix case sensitive headers comparison #10578
- Fix Reactive OAuth2 Kotlin DSL examples #10586
- Fix the bug that the custom GrantedAuthority comparison fails #10588
- Kotlin DSL examples in reactive oauth2 docs call build twice #10580
- Make source code compatible with JDK 8 #10695
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10505
- Prevent Save @Transient Authentication with existing HttpSession #9993
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10557
- Update clockSkew javadoc according to implementation #10358
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.3.0 #10514
- Update aspectj-plugin to 6.3.0 #10492
- Update assertj-core to 3.22.0 #10720
- Update cas-client-core to 3.6.4 #10723
- Update com.nimbusds to 9.22 #10713
- Update hibernate-entitymanager to 5.6.3.Final #10722
- Update htmlunit to 2.56.0 #10718
- Update htmlunit-driver to 2.56.0 #10728
- Update io.projectreactor to 2020.0.15 #10715
- Update io.r2dbc to 0.9.0.RELEASE #10717
- Update jackson-bom to 2.13.1 #10710
- Update jackson-databind to 2.13.1 #10711
- Update jackson-datatype-jsr310 to 2.13.1 #10712
- Update junit-bom to 5.8.2 #10726
- Update logback-classic to 1.2.10 #10709
- Update mockk to 1.12.2 #10714
- Update org.aspectj to 1.9.8.RC3 #10719
- Update org.bouncycastle to 1.70 #10721
- Update org.jetbrains.kotlin to 1.6.10 #10724
- Update org.jetbrains.kotlinx to 1.6.0 #10725
- Update org.junit.jupiter to 5.8.2 #10727
- Update org.slf4j to 1.7.33 #10729
- Update org.springframework to 5.3.15 #10730
- Update org.springframework.data to 2021.2.0-M1 #10731
- Update reactor-netty to 1.0.15 #10716
- Update spring-ldap-core to 2.4.0-M1 #10732
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.1
⭐ New Features
- Document authentication helper method in WebClient integration #10468
- Document authentication helper method in WebClient integration for Servlet Environments #10120
- Document parameters converter in oauth2 client servlet docs #10469
- Document parameters converter in oauth2 client servlet docs #10467
🪲 Bug Fixes
- AuthorityAuthorizationManager incorrectly compares GrantedAuthority #10595
- clockSkew Javadoc is not consistent with implementation #10535
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #10560
- Kotlin DSL examples in reactive oauth2 docs call build twice #10591
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10581
🔨 Dependency Upgrades
- Update cas-client-core to 3.6.4 #10654
- Update hibernate-entitymanager to 5.6.3.Final #10653
- Update io.projectreactor to 2020.0.14 #10651
- Update jackson-bom to 2.13.1 #10647
- Update jackson-databind to 2.13.1 #10648
- Update jackson-datatype-jsr310 to 2.13.1 #10649
- Update junit-bom to 5.8.2 #10656
- Update logback-classic to 1.2.9 #10646
- Update mockk to 1.12.1 #10650
- Update org.jetbrains.kotlin to 1.5.32 #10655
- Update org.junit.jupiter to 5.8.2 #10657
- Update org.springframework to 5.3.14 #10658
- Update reactor-netty to 1.0.14 #10652
- Update spring-ldap-core to 2.3.5.RELEASE #10659
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.4
🪲 Bug Fixes
- Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section #10527
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #10561
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10531
- Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #10520
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10516
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10484
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10582
- WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #10435
🔨 Dependency Upgrades
- Update cas-client-core to 3.6.4 #10637
- Update hibernate-entitymanager to 5.4.33 #10635
- Update hsqldb to 2.6.1 #10636
- Update io.projectreactor to 2020.0.14 #10633
- Update io.spring.javaformat to 0.0.29 #10411
- Update jackson-bom to 2.12.6 #10630
- Update jackson-databind to 2.12.6 #10631
- Update jackson-datatype-jsr310 to 2.12.6 #10632
- Update logback-classic to 1.2.9 #10629
- Update org.jetbrains.kotlin to 1.5.32 #10638
- Update org.springframework to 5.3.14 #10639
- Update org.springframework.data to 2021.0.7 #10640
- Update reactor-netty to 1.0.14 #10634
- Update spring-ldap-core to 2.3.5.RELEASE #10641
5.4.10
🪲 Bug Fixes
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10583
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #10562
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10532
- Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section #10528
- Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #10521
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10517
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10485
- WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #10437
5.3.13.RELEASE
🪲 Bug Fixes
- Reactive resource server tests failing #10660
- Gretty samples fail when using logback 1.2.9 #10643
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10584
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #10563
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10533
- Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #10522
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10518
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10486
🔨 Dependency Upgrades
5.2.15.RELEASE
🔨 Dependency Upgrades
- Update logback to 1.2.9 #10642
5.2.14.RELEASE
🪲 Bug Fixes
- StaticServerHttpHeadersWriter should work with case-insensitive header names #10585
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10534
- Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #10523
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors #10519
🔨 Dependency Upgrades
- Update to GAE 1.9.93 #10628
- Upgrade httpmime to 4.5.13 #10627
- Upgrade httpcore to 4.4.15 #10626
- Upgrade attoparser to 2.0.5.RELEASE #10625
- Update to hibernate-entitymanager 5.4.33 #10624
- Upgrade jboss logging to 3.3.3.Final #10623
- Upgrade jboss jandex to 2.0.5.Final #10622
- Upgrade Unbescape to 1.1.6.RELEASE #10621
- Update to thymeleaf-spring5 3.0.14 #10620
- Update to embedded Tomcat websocket 8.5.73 #10619
- Upgrade to embedded Apache Tomcat 9.0.56 #10618
- Upgrade Reactor to Dysprosium-SR25 #10617
- Upgrade Spring Framework to 5.2.19.RELEASE #10616