2 days ago
⭐ New Features
- Add RelayState Customizer to SAML Logout #12582
- Add saml2Metadata to the DSL #11828
- Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
- Allow Relying Party to be Deduced from LogoutRequest #12843
- Allow UserBuilder to easily build a user without any authorities #12533
- Cookie no support for field 'version' and 'comment' #12454
- Copies of RelyingPartyRegistration should preserve custom fields #12841
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
- Extract placeholder resolution from DefaultRelyingPartyRegstrationResolver #12842
- Incomplete documentation regarding Hierarchical roles. #12784
- Move classpath checks to class member variable #12640
- move code comment to callout #12536
- NimbusReactiveJwtDecoder support mono chain #12521
- Polish DefaultLoginPageGeneratingFilter #12657
- Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
- Re-add support for CAS #11674
- Relax final method implementations on AbstractRememberMeServices #12145
- RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
- Remove deprecated
SecurityContextPersistenceFilter
from docs #12809 - Restore CAS module and update it for cas-client-core 4.0.0 #12362
- Revisit Session Management Documentation #12681
- Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
- SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
- Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
- Support Device Authorization Response #12852
- Support LogoutRequest when already logged out #12845
- Update javadoc in EnableWebSecurity #12613
- Use a custom authentication type for CAS #12304
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
-
@EnableReactiveMethodSecurity
causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781 - A typo in form login doc #12730
- Broken links in form login section of docs #12839
- Document XMLObject retreival for Asserting Party metadata #12800
- EntityId ignored in xml relying-party-registration #12778
- Fix CSRF protection provided by
@EnableWebSocketSecurity
/ Stomp #12594 - Fix image in servlet architecture docs section #12609
- Fix javadox typo #12643
- fix missing semi-colon java example in observability documentation #12761
- fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
- Missing spring-security-oauth2 xsds after release #12807
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
- Typo in Authentication Migrations page #12660
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin #12669
- Update hibernate-core to 6.1.7.Final #12898
- Update httpclient to 4.5.14 #12894
- Update io.projectreactor to 2022.0.5 #12890
- Update io.spring.javaformat to 0.0.38 #12891
- Update io.spring.nohttp to 0.0.11 #12892
- Update jackson-bom to 2.14.2 #12886
- Update jakarta.servlet.jsp-api to 3.1.1 #12893
- Update junit-bom to 5.9.2 #12900
- Update logback-classic to 1.4.6 #12885
- Update maven-resolver-provider to 3.8.8 #12895
- Update micrometer-observation to 1.10.5 #12888
- Update mockk to 1.13.4 #12889
- Update org.aspectj to 1.9.19 #12896
- Update org.eclipse.jetty to 11.0.14 #12897
- Update org.jetbrains.kotlin to 1.8.20-RC #12899
- Update org.springframework to 6.0.7 #12902
- Update org.springframework.data to 2022.0.3 #12903
- Update slf4j-api to 2.0.7 #12901
- Update spring-ldap-core to 3.0.1 #12904
- Update spring-ldap-core to 3.0.1 #12727
- Update to Kotlin 1.8.10 #12788
- Update unboundid-ldapsdk to 6.0.8 #12887
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
29 days ago
⭐ New Features
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #11095
- Document XMLObject retreival for Asserting Party metadata #12667
- Fix typo in OAuth 2.0 testing docs #12437
- Jackson serialization of
DefaultSaml2AuthenticatedPrincipal
:LinkedMultiValueMap is not in the allowlist
#11785 - NimbusJwtDecoder unknown KID scenario is not correctly tested #12238
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12637
- SwitchUserFilter not working in Spring Security 6 #12504
- Wrong name of the filter in the SecurityContextHolderFilter diagram #11800
🔨 Dependency Upgrades
- Update blockhound to 1.0.7.RELEASE #12733
- Update hibernate-entitymanager to 5.6.15.Final #12736
- Update io.projectreactor to 2020.0.28 #12732
- Update io.spring.nohttp to 0.0.11 #12734
- Update jackson-bom to 2.13.5 #12731
- Update org.aspectj to 1.9.19 #12735
- Update org.springframework to 5.3.25 #12737
- Update org.springframework.data to 2021.2.8 #12738
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2023-02-20 23:22:34
⭐ New Features
- Add XorCsrfChannelInterceptor #12562
- Document
@EnableWebFluxSecurity
requiring@Configuration
in 6.0.0 #12434 - fix unclosed block in docs #12553
- Improve documentation on what changed in the default behaviour in version 6 vs 5.7 #12462
- Spring Security 6.0 Migration Guide Should Mention
@Configuration
Meta-Annotation Removal From Configuration Annotations #12486
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12516
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12665
- Document XMLObject retreival for Asserting Party metadata #12693
- Jackson serialization of
DefaultSaml2AuthenticatedPrincipal
:LinkedMultiValueMap is not in the allowlist
#12458 - NimbusJwtDecoder unknown KID scenario is not correctly tested #12494
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12686
- SwitchUserFilter not working in Spring Security 6 #12510
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12526
🔨 Dependency Upgrades
- Update blockhound to 1.0.7.RELEASE #12719
- Update hibernate-entitymanager to 5.6.15.Final #12722
- Update io.projectreactor to 2020.0.28 #12717
- Update io.spring.nohttp to 0.0.11 #12720
- Update jackson-bom to 2.13.5 #12714
- Update jackson-databind to 2.13.5 #12715
- Update jackson-datatype-jsr310 to 2.13.5 #12716
- Update junit-bom to 5.9.2 #12723
- Update org.aspectj to 1.9.19 #12721
- Update org.junit.jupiter to 5.9.2 #12724
- Update org.springframework to 5.3.25 #12725
- Update org.springframework.data to 2021.2.8 #12739
- Update org.springframework.data to 2021.2.8 #12726
- Update reactor-netty to 1.0.28 #12718
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2023-02-20 23:22:27
⭐ New Features
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
- Document
@EnableWebFluxSecurity
requiring@Configuration
in 6.0.0 #12444 - Move classpath checks to class member variable #11437
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
- Revisit Session Management Documentation #12680
- Spring Security 6.0 Migration Guide Should Mention
@Configuration
Meta-Annotation Removal From Configuration Annotations #12498 - Update broken links, correct gradle command for Windows OS. #12336
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
-
@EnableReactiveMethodSecurity
#useAuthorizationManager should be true #12506 - A typo in form login doc #12678
- Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
- Document XMLObject retreival for Asserting Party metadata #12729
- Document XMLObject retreival for Asserting Party metadata #12728
- Duplicate words. #12471
- Fix CSRF protection provided by
@EnableWebSocketSecurity
/ Stomp #12378 - gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
- Jackson serialization of
DefaultSaml2AuthenticatedPrincipal
:LinkedMultiValueMap is not in the allowlist
#12459 - javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
- Security observations are not setting their parent osbervation #12524
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
- SwitchUserFilter not working in Spring Security 6 #12511
- Update expression-based.adoc #12363
- Update multitenancy.adoc #12474
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12527
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.7.Final #12707
- Update io.projectreactor to 2022.0.3 #12701
- Update io.spring.nohttp to 0.0.11 #12703
- Update jackson-bom to 2.14.2 #12696
- Update jackson-databind to 2.14.2 #12697
- Update jackson-datatype-jsr310 to 2.14.2 #12698
- Update jakarta.servlet.jsp-api to 3.1.1 #12704
- Update junit-bom to 5.9.2 #12708
- Update junit-platform-launcher to 1.9.2 #12710
- Update maven-resolver-provider to 3.8.7 #12705
- Update micrometer-observation to 1.10.4 #12699
- Update mockk to 1.13.4 #12700
- Update org.aspectj to 1.9.19 #12706
- Update org.junit.jupiter to 5.9.2 #12709
- Update org.springframework to 6.0.5 #12711
- Update org.springframework.data to 2022.0.2 #12712
- Update reactor-netty to 1.1.3 #12702
- Update spring-ldap-core to 3.0.1 #12713
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2023-01-17 00:10:49
⏪ Breaking Changes
-
JwtAuthenticationProvider
should not aggressively set authentication details #11822
⭐ New Features
- Add
EnableWebSecurity
migration steps to 5.8 guide #12355 - Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter #11815
- Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086
- Add Authority String AuthorizationManager #12231
- Add configurable authorities split regex #12124
- Add configurable authorities split regex #12073
- add packages (dependencies) to playbook template in docs-build branch #12522
- Add the ability to set the SameSite policy to the CRSF Cookie #12109
- Allow authorization request resolver to be changed for the OAuth2 client configuration #12430
- AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context #12505
- Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier #12489
- Document
@EnableWebFluxSecurity
requiring@Configuration
in 6.0.0 #12445 - Inaccurate javadoc text in setRequestHandler method from CsrfWebFilter class #12484
- Inaccurate javadoc text in setRequestHandler method of CsrfFilter class #12515
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12441
- Replace deprecated set-state set-output GitHub Action's commands #12300
- SecuredAuthorizationManager should allow customizing underlying authorization manager #12233
- SecuredAuthorizationManager should cache annotation's value #12232
- Spring Security 6.0 Migration Guide Should Mention
@Configuration
Meta-Annotation Removal From Configuration Annotations #12499
🪲 Bug Fixes
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12518
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12410
- Error in ACLS document #12406
- Fix AuthorizationFilter diagram in docs #12287
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12436
- Jackson serialization of
DefaultSaml2AuthenticatedPrincipal
:LinkedMultiValueMap is not in the allowlist
#12460 - NimbusJwtDecoder unknown KID scenario is not correctly tested #12496
- ProxyFactoryBean on AuthenticationManager does not work in native mode #12372
- Reactive migration documentation for
@EnableReactiveMethodSecurity
is wrong (or implementation is wrong) #12514 - Security observations are not setting their parent osbervation #12525
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12493
- SwitchUserFilter not working in Spring Security 6 #12512
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12528
🔨 Dependency Upgrades
- Update org.gretty:gretty to 4.0.3 #12277
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2022-12-19 23:23:12
⭐ New Features
- Replace deprecated set-state set-output GitHub Action's commands #12032
- update generateAntora task to make prereleases unique #12083
🪲 Bug Fixes
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12090
- docs: fix realm typo #12120
- Fix AuthorizationFilter diagram in docs #12274
- Fix typo in DefaultLoginPageConfigurer Javadoc #12311
- Fix typo on opaque-token.adoc #12114
- Fix: Replace tenantRepository with tenants #12269
- Incorrect scope map fix #12144
- OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #12295
- Outdated example in Javadoc of UrlAuthorizationConfigurer #11487
- Saml2MetadataFilter response should configure writer to UTF-8 #12026
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #3065
- Update the RP-initiated Logout links #12081
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12152
- Update Gradle to 7.5.1 #11779
- Update hibernate-entitymanager to 5.6.14.Final #12388
- Update httpclient to 4.5.14 #12386
- Update io.projectreactor to 2020.0.26 #12384
- Update jackson-bom to 2.13.4.20221013 #12381
- Update jackson-databind to 2.13.4.2 #12382
- Update mockk to 1.12.8 #12383
- Update org.eclipse.jetty to 9.4.50.v20221201 #12387
- Update org.springframework to 5.3.24 #12389
- Update org.springframework.data to 2021.1.10 #12390
- Update reactor-netty to 1.0.26 #12385
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2022-12-19 23:22:50
⭐ New Features
- Add
EnableWebSecurity
migration steps to 5.8 guide #12354 - Replace deprecated set-state set-output GitHub Action's commands #12299
🪲 Bug Fixes
- codes in spring security docs fail to work #12342
- codes in spring security docs fail to work #12341
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12409
- Error in ACLS document #12270
- Fix AuthorizationFilter diagram in docs #12288
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12435
- Incorrect sample code in securityMatcher migration docs #12303
- Incorrect sample code in securityMatcher migration docs #12302
- It's not possible to disable micrometer obversability #12268
- ProxyFactoryBean on AuthenticationManager does not work in native mode #12367
- SecurityContextHolderFilter does not apply to async dispatch #12369
- SecurityContextHolderFilter does not apply to async dispatch #12368
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.6.Final #12423
- Update httpclient to 4.5.14 #12421
- Update io.projectreactor to 2022.0.1 #12419
- Update jackson-bom to 2.14.1 #12413
- Update jackson-databind to 2.14.1 #12414
- Update jackson-datatype-jsr310 to 2.14.1 #12415
- Update logback-classic to 1.4.5 #12412
- Update micrometer-observation to 1.10.2 #12417
- Update mockk to 1.13.3 #12418
- Update org.eclipse.jetty to 11.0.13 #12422
- Update org.jetbrains.kotlin to 1.7.22 #12424
- Update org.springframework to 6.0.3 #12426
- Update reactor-netty to 1.1.1 #12420
- Update slf4j-api to 2.0.6 #12425
- Update unboundid-ldapsdk to 6.0.7 #12416
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2022-12-19 23:22:42
⭐ New Features
- Add
EnableWebSecurity
migration steps to 5.8 guide #12334 - Replace deprecated set-state set-output GitHub Action's commands #12298
🪲 Bug Fixes
- codes in spring security docs fail to work #11396
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12408
- Fix AuthorizationFilter diagram in docs #12286
- Fix password encoder migration guide #12318
- Fix typo #12316
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12411
- Incorrect sample code in securityMatcher migration docs #12296
- SecurityContextHolderFilter does not apply to async dispatch #11962
🔨 Dependency Upgrades
- Update httpclient to 4.5.14 #12403
- Update io.projectreactor to 2020.0.26 #12401
- Update mockk to 1.13.3 #12400
- Update org.eclipse.jetty to 9.4.50.v20221201 #12404
- Update org.jetbrains.kotlin to 1.7.22 #12405
- Update reactor-netty to 1.0.26 #12402
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
2022-12-19 23:22:32
⭐ New Features
- Improve deprecation notice in WebSecurityConfigurerAdapter #12260
- Replace deprecated set-state set-output GitHub Action's commands #12297
🪲 Bug Fixes
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12407
- Fix AuthorizationFilter diagram in docs #12285
- Incorrect scope map fix #12205
- SAML logout: Incorrect log messages #12208
- Saml2MetadataFilter response should configure writer to UTF-8 #12221
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12125
- Update the RP-initiated Logout links #12121
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12153
- Update Gradle to 7.5.1 #12157
- Update hibernate-entitymanager to 5.6.14.Final #12397
- Update httpclient to 4.5.14 #12395
- Update io.projectreactor to 2020.0.26 #12393
- Update jackson-bom to 2.13.4.20221013 #12391
- Update jackson-databind to 2.13.4.2 #12392
- Update org.eclipse.jetty to 9.4.50.v20221201 #12396
- Update org.springframework to 5.3.24 #12398
- Update org.springframework.data to 2021.2.6 #12399
- Update reactor-netty to 1.0.26 #12394
2022-11-21 23:23:19
⏪ Breaking Changes
- CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
- Register FilterChainProxy for all dispatcher types #12180
⭐ New Features
- Add test runtime hints for annotations using
@WithSecurityContext
#12215 - Add WebTestUtils test runtime hints #12216
- Align with Servlet API 6 #12146
- Document Configure Default SessionAuthenticationStrategy #12192
- Document DelegatingSecurityContextRepository #12185
- Improve deprecation notice in WebSecurityConfigurerAdapter #12262
- Log a warning when
AuthorizationGrantType
does not exactly match a pre-defined constant #12234 - Migration guide for the removal of CAS #12163
- Polish Span and Meter Names #12225
- Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
- Restructure 6.0 Migration Guide #12242
- Support Jakarta WebSocket 2.1 #12148
🪲 Bug Fixes
- CsrfAuthenticationStrategy does not check for existing token #12241
- Ensure instrumentation names align with semantic conventions #12156
- Incorrect scope map fix #12207
- SAML logout: Incorrect log messages #12210
- Saml2MetadataFilter response should configure writer to UTF-8 #12223
🔨 Dependency Upgrades
- Update micrometer-observation to 1.10.1 #12250
- Update org.springframework to 6.0.0 #12255
- Update org.springframework.data to 2022.0.0 #12256
- Update r2dbc-h2 to 1.0.0.RELEASE #12251
- Update slf4j-api to 2.0.4 #12254
- Update spring-ldap-core to 3.0.0 #12257
❤️ Contributors
We'd like to thank all the contributors who worked on this release!