Releases: spring-projects/spring-security
5.6.0
⭐ New Features
- DaoAuthenticationProviderTests#avg function doesn't return fraction #10426
- Docs Should Use Section Summary #10449
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #10436
- Revamp OAuth 2.0 Login/Client reactive documentation #8174
- Revamp Reactive OAuth 2.0 Login documentation #10479
- Split up Documentation Further #10367
- Support Structure 101 License Id in Package Tangle Check #10443
🪲 Bug Fixes
- Adding keyInfo section to LogoutRequest from RP side #10450
- In saml2 LogoutRequest from RP doesn't contain KeyInfo #10438
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10444
- Port Missing Integration Docs #10465
- SAML 2.0 JUnit Tests are being skipped #10215
- Various build time javadoc warnings fix #10423
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.2.0 #10445
- Update com.nimbusds to 9.19 #10491
- Update hibernate-entitymanager to 5.6.1.Final #10495
- Update hsqldb to 2.6.1 #10496
- Update io.projectreactor to 2020.0.13 #10493
- Update logback-classic to 1.2.7 #10490
- Update org.springframework to 5.3.13 #10497
- Update reactor-netty to 1.0.13 #10494
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.0-RC1
⏪ Breaking Changes
- Conditionally resolve bearer token from request parameters #10340
- DefaultBearerTokenResolver triggers processing of multipart content #10326
- getClaimAsBoolean should not be falsy #10148
- getClaimAsBoolean() should not be falsy #10356
⭐ New Features
- Add saml2.ValidIssuers parameter into SAML 2.0 Assertion Validators #10335
- Add parameters converter support to AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10336
- Add postProcess support to Saml2LogoutConfigurer, closes gh-10311 #10339
- Add saml2.ValidIssuers parameter into SAML 2.0 Assertion Validators #10341
- Add standard OAuth 2.0 error code invalid_redirect_uri #10370
- Add Supplier JwtDecoders #10310
- Allow Defining Custom SAML 2.0 Assertion Signature Validator #10264
- Allow setting custom BodyExtractor to the AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10269
- AuthenticationPrincipal argument type cannot be primitive #10172
- Check for multiple access tokens per rfc 6750 #10302
- Deprecate Kotlin methods that have equivalents using reified types #10365
- Fix Antora cross-references that lead to other pages. #10345
- Fix typo in digest.adoc #10304
- Implement reactive support for JWT as an Authorization Grant #10327
- Implement reactive support for JWT as an Authorization Grant #10147
- Implement reactive support for JWT Client Authentication #10146
- Improve Method Security logging #10279
- Introduce JwtEncoder #9208
- JwtDecoders and NimbusJwtDecoder should use the same JWKSource #10312
- OAuth2LoginAuthenticationProvider information loss at exception handling #10228
- please support lazily doing issuer checks (and all other checks) on startup for oauth resource servers #9991
- Revamp OAuth 2.0 Client reactive documentation #10373
- Saml2WebSsoAuthenticationFilter adds authentication details #10306
- Saml2WebSsoAuthenticationFilter ignores the authentication details #7722
- Structure101 Build Plugin #9768
- Use Antora #5835
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.3
⭐ New Features
- Allow defining custom SAML 2.0 Assertion Signature Validator #10317
- Add Documentation for Static Methods Classes for mockJwt() and jwt() #10265
🪲 Bug Fixes
- ClaimAccessor#getClaimAsMap doesn't return null as documented #10371
- 5.5.X only works with spring-security-5.4.xsd schema (XML-based config) #10369
- SecurityNamespaceHandler: update schema version to 5.5 #10348
- JwtTimeStampValidator uses wrong error on token expiration #10328
- Fix typo #10313
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #10257
- ACL docs refer to nonexistent sample apps #10237
- SAML 2.0 Login should allow loginProcessingUrl without {registrationId} when providing an AuthenticationConverter #10176
🔨 Dependency Upgrades
- Update org.springframework.data to 2021.0.6 #10417
- Update org.springframework to 5.3.11 #10416
- Update org.jetbrains.kotlinx to 1.5.2 #10415
- Update org.jetbrains.kotlin to 1.5.31 #10414
- Update org.eclipse.jetty to 9.4.44.v20210927 #10413
- Update io.spring.nohttp to 0.0.10 #10412
- Update r2dbc-spi-test to 0.8.6.RELEASE #10410
- Update reactor-netty to 1.0.12 #10409
- Update io.projectreactor to 2020.0.12 #10408
- Update jackson-datatype-jsr310 to 2.12.5 #10407
- Update jackson-databind to 2.12.5 #10406
- Update jackson-bom to 2.12.5 #10405
- Update logback-classic to 1.2.6 #10404
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.9
⭐ New Features
- Add Documentation for Static Methods Classes for mockJwt() and jwt() #10266
🪲 Bug Fixes
- SAML 2.0 Login should allow loginProcessingUrl without {registrationId} when providing an AuthenticationConverter #10342
- JwtTimeStampValidator uses wrong error on token expiration #10329
- Fix typo #10314
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #10258
- MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #10209
🔨 Dependency Upgrades
- Update to Spring Boot 2.4.11 #10418
5.3.12.RELEASE
⭐ New Features
- Add Documentation for Static Methods Classes for mockJwt() and jwt() #10267
🪲 Bug Fixes
- JwtTimeStampValidator uses wrong error on token expiration #10330
- Fix typo #10315
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #10259
- MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #10179
🔨 Dependency Upgrades
5.2.13.RELEASE
5.6.0-M3
⭐ New Features
- Update Saml2LoginConfigurer to pick up Saml2AuthenticationTokenConverter bean #10275
- LDIF file in integration tests should be compatible with UnboundID #10274
- Minor documentation fixes #10271
- Add Saml2ParameterNames #10270
- Saml2LoginConfigurer should pick up Saml2AuthenticationTokenConverter bean #10268
- Rename SecurityContextChangedEvent.getCurrentContext() for better clarity #10249
- Replace SecurityContextHolder#addListener #10246
- Replace SecurityContextHolder#addListener with SecurityContextHolder#setSecurityContextHolderStrategy #10226
- Default principalClaimName to SUB #10217
- Principal claim name in JwtAuthenticationConverter is null but documented default #10214
- Fix oauth2 issuer treatment and exception handling #10175
- Make AuthorizationGrantTypeConverter support custom grant type #10155
- Replace static "ROLE_" with customized role prefix #10078
- Propagate TestSecurityContextHolder to SecurityContextHolder #9737
- Propagate TestSecurityContextHolder to SecurityContextHolder after MockMvc calls #9565
- Add SAML SLO DSL support #9497
- Saml2Authentication should have registration id #9487
- RelyingPartyRegistrationResolvers should allow for the registration id to be specified #9486
- Incomplete documentation about session management using java configuration #8979
- Support sending SAML 2.0 LogoutRequest to the IdP (Single Logout) #8731
🪲 Bug Fixes
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #10245
- Fix typo in index.adoc #10244
- Added exception to error message #10224
- Update a broken link to Spring Boot documentation #10177
- Documentation should point to spring-security-samples #9784
🔨 Dependency Upgrades
- Update org.springframework to 5.3.10 #10297
- Update org.mockito to 3.12.4 #10296
- Update org.junit.jupiter to 5.8.0 #10295
- Update junit-bom to 5.8.0 #10294
- Update org.jetbrains.kotlinx to 1.5.2 #10293
- Update org.jetbrains.kotlin to 1.5.30 #10292
- Update hibernate-entitymanager to 5.5.7.Final #10291
- Update io.spring.nohttp to 0.0.10 #10290
- Update reactor-netty to 1.0.11 #10289
- Update io.projectreactor to 2020.0.11 #10288
- Update com.nimbusds to 9.15 #10287
- Update nebula-project-plugin to 8.2.0 #10286
- Update jackson-datatype-jsr310 to 2.12.5 #10285
- Update jackson-databind to 2.12.5 #10284
- Update jackson-bom to 2.12.5 #10283
- Update logback-classic to 1.2.6 #10282
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.0-M2
⭐ New Features
- Add converter for authentication result in OAuth2LoginAuthenticationFilter #10041
- Add Saml2AuthenticationRequestRepository #10060
- Add Saml2AuthenticationRequestRepository #9185
- Add SpringOpaqueTokenIntrospector #9354
- Document api changes to OAuth2AccessTokenResponseHttpMessageConverter #10063
- enable customization of headers in AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10131
- Introducing WebSessionServerLogoutHandler #10046
- Move and rename OAuth2IntrospectionClaimAccessor/Names #9647
- OAuth2 - Support customizing OAuth2AuthenticationToken through a single AuthenticationProvider #10033
- Session is not invalidated on logout #8971
- Support customizing headers of a request in AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10130
- Update deprecated usage in reference docs #10132
- Verify Samples in Build #10031
- Verify Samples in Build #9846
🔨 Dependency Upgrades
- Update com.nimbusds to 9.12 #10198
- Update hibernate-entitymanager to 5.5.6 #10202
- Update htmlunit to 2.52.0 #10201
- Update htmlunit-driver to 2.52.0 #10203
- Update io.projectreactor to 2020.0.10 #10199
- Update logback-classic to 1.2.5 #10196
- Update nebula-project-plugin to 8.1.0 #10197
- Update org.slf4j to 1.7.32 #10204
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.2
⭐ New Features
- Consider adding springFrameworkVersion property #10068
- Introduce samplesBranch property #10036
- Use the new springFrameworkVersion property in docs' links #10067
🔨 Dependency Upgrades
- Update com.nimbusds to 9.9.1 #10186
- Update io.projectreactor to 2020.0.10 #10187
- Update jackson-bom to 2.12.4 #10183
- Update jackson-databind to 2.12.4 #10184
- Update jackson-datatype-jsr310 to 2.12.4 #10185
- Update logback-classic to 1.2.5 #10182
- Update org.aspectj to 1.9.7 #10189
- Update org.eclipse.jetty to 9.4.43.v20210629 #10190
- Update org.jetbrains.kotlin to 1.5.21 #10191
- Update org.jetbrains.kotlinx to 1.5.1 #10192
- Update org.slf4j to 1.7.32 #10193
- Update org.springframework to 5.3.9 #10194
- Update org.springframework.data to 2021.0.4 #10195
- Update reactor-netty to 1.0.10 #10188
5.4.8
⭐ New Features
- Remove -PdeployDocsHost=docs-ip.spring.io from Build #10021
🪲 Bug Fixes
- Regression with URL encode client credentials #10126
- AuthenticationFailureEvent does not exist #10107
- Fix a typo in some class names in the oauth documentation #10052
- Fix Saml2WebSsoAuthenticationRequestFilter javadoc #10027
- Update to use s01.oss.sonatype.org Maven Publishing #10015
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #10009
- logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set #9997