spring-projects/spring-security

New Features

  • Add RelayState Customizer to SAML Logout #12582
  • Add saml2Metadata to the DSL #11828
  • Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
  • Allow Relying Party to be Deduced from LogoutRequest #12843
  • Allow UserBuilder to easily build a user without any authorities #12533
  • Cookie no support for field 'version' and 'comment' #12454
  • Copies of RelyingPartyRegistration should preserve custom fields #12841
  • CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
  • Extract placeholder resolution from DefaultRelyingPartyRegstrationResolver #12842
  • Incomplete documentation regarding Hierarchical roles. #12784
  • Move classpath checks to class member variable #12640
  • move code comment to callout #12536
  • NimbusReactiveJwtDecoder support mono chain #12521
  • Polish DefaultLoginPageGeneratingFilter #12657
  • Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
  • Re-add support for CAS #11674
  • Relax final method implementations on AbstractRememberMeServices #12145
  • RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
  • Remove deprecated SecurityContextPersistenceFilter from docs #12809
  • Restore CAS module and update it for cas-client-core 4.0.0 #12362
  • Revisit Session Management Documentation #12681
  • Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
  • SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
  • Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
  • Support Device Authorization Response #12852
  • Support LogoutRequest when already logged out #12845
  • Update javadoc in EnableWebSecurity #12613
  • Use a custom authentication type for CAS #12304

🪲 Bug Fixes

  • 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
  • @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
  • A typo in form login doc #12730
  • Broken links in form login section of docs #12839
  • Document XMLObject retrieval for Asserting Party metadata #12800
  • EntityId ignored in xml relying-party-registration #12778
  • Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
  • Fix image in servlet architecture docs section #12609
  • Fix javadoc typo #12643
  • fix missing semi-colon java example in observability documentation #12761
  • fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
  • javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
  • JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
  • Missing spring-security-oauth2 xsds after release #12807
  • No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
  • NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
  • SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
  • SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
  • Typo in Authentication Migrations page #12660
  • WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626

🔨 Dependency Upgrades

  • Update Gradle Enterprise plugin #12669
  • Update hibernate-core to 6.1.7.Final #12898
  • Update httpclient to 4.5.14 #12894
  • Update io.projectreactor to 2022.0.5 #12890
  • Update io.spring.javaformat to 0.0.38 #12891
  • Update io.spring.nohttp to 0.0.11 #12892
  • Update jackson-bom to 2.14.2 #12886
  • Update jakarta.servlet.jsp-api to 3.1.1 #12893
  • Update junit-bom to 5.9.2 #12900
  • Update logback-classic to 1.4.6 #12885
  • Update maven-resolver-provider to 3.8.8 #12895
  • Update micrometer-observation to 1.10.5 #12888
  • Update mockk to 1.13.4 #12889
  • Update org.aspectj to 1.9.19 #12896
  • Update org.eclipse.jetty to 11.0.14 #12897
  • Update org.jetbrains.kotlin to 1.8.20-RC #12899
  • Update org.springframework to 6.0.7 #12902
  • Update org.springframework.data to 2022.0.3 #12903
  • Update slf4j-api to 2.0.7 #12901
  • Update spring-ldap-core to 3.0.1 #12904
  • Update spring-ldap-core to 3.0.1 #12727
  • Update to Kotlin 1.8.10 #12788
  • Update unboundid-ldapsdk to 6.0.8 #12887

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

29 days ago

New Features

  • chore: Use cache in continuous-integration-workflow.yml #12503
  • fix unclosed block in docs #12542

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #11095
  • Document XMLObject retrieval for Asserting Party metadata #12667
  • Fix typo in OAuth 2.0 testing docs #12437
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #11785
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12238
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12637
  • SwitchUserFilter not working in Spring Security 6 #12504
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #11800

🔨 Dependency Upgrades

  • Update blockhound to 1.0.7.RELEASE #12733
  • Update hibernate-entitymanager to 5.6.15.Final #12736
  • Update io.projectreactor to 2020.0.28 #12732
  • Update io.spring.nohttp to 0.0.11 #12734
  • Update jackson-bom to 2.13.5 #12731
  • Update org.aspectj to 1.9.19 #12735
  • Update org.springframework to 5.3.25 #12737
  • Update org.springframework.data to 2021.2.8 #12738

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2023-02-20 23:22:34

New Features

  • Add XorCsrfChannelInterceptor #12562
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12434
  • fix unclosed block in docs #12553
  • Improve documentation on what changed in the default behaviour in version 6 vs 5.7 #12462
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12486

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12516
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12665
  • Document XMLObject retrieval for Asserting Party metadata #12693
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12458
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12494
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12686
  • SwitchUserFilter not working in Spring Security 6 #12510
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12526

🔨 Dependency Upgrades

  • Update blockhound to 1.0.7.RELEASE #12719
  • Update hibernate-entitymanager to 5.6.15.Final #12722
  • Update io.projectreactor to 2020.0.28 #12717
  • Update io.spring.nohttp to 0.0.11 #12720
  • Update jackson-bom to 2.13.5 #12714
  • Update jackson-databind to 2.13.5 #12715
  • Update jackson-datatype-jsr310 to 2.13.5 #12716
  • Update junit-bom to 5.9.2 #12723
  • Update org.aspectj to 1.9.19 #12721
  • Update org.junit.jupiter to 5.9.2 #12724
  • Update org.springframework to 5.3.25 #12725
  • Update org.springframework.data to 2021.2.8 #12739
  • Update org.springframework.data to 2021.2.8 #12726
  • Update reactor-netty to 1.0.28 #12718

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2023-02-20 23:22:27

New Features

  • CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12444
  • Move classpath checks to class member variable #11437
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
  • Revisit Session Management Documentation #12680
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12498
  • Update broken links, correct gradle command for Windows OS. #12336

🪲 Bug Fixes

  • 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
  • @EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506
  • A typo in form login doc #12678
  • Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
  • Document XMLObject retrieval for Asserting Party metadata #12729
  • Document XMLObject retrieval for Asserting Party metadata #12728
  • Duplicate words. #12471
  • Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
  • gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12459
  • javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
  • No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
  • Security observations are not setting their parent observation #12524
  • SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
  • SwitchUserFilter not working in Spring Security 6 #12511
  • Update expression-based.adoc #12363
  • Update multitenancy.adoc #12474
  • WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12527

🔨 Dependency Upgrades

  • Update hibernate-core to 6.1.7.Final #12707
  • Update io.projectreactor to 2022.0.3 #12701
  • Update io.spring.nohttp to 0.0.11 #12703
  • Update jackson-bom to 2.14.2 #12696
  • Update jackson-databind to 2.14.2 #12697
  • Update jackson-datatype-jsr310 to 2.14.2 #12698
  • Update jakarta.servlet.jsp-api to 3.1.1 #12704
  • Update junit-bom to 5.9.2 #12708
  • Update junit-platform-launcher to 1.9.2 #12710
  • Update maven-resolver-provider to 3.8.7 #12705
  • Update micrometer-observation to 1.10.4 #12699
  • Update mockk to 1.13.4 #12700
  • Update org.aspectj to 1.9.19 #12706
  • Update org.junit.jupiter to 5.9.2 #12709
  • Update org.springframework to 6.0.5 #12711
  • Update org.springframework.data to 2022.0.2 #12712
  • Update reactor-netty to 1.1.3 #12702
  • Update spring-ldap-core to 3.0.1 #12713

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2023-01-17 00:10:49

Breaking Changes

  • JwtAuthenticationProvider should not aggressively set authentication details #11822

New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12355
  • Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter #11815
  • Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086
  • Add Authority String AuthorizationManager #12231
  • Add configurable authorities split regex #12124
  • Add configurable authorities split regex #12073
  • add packages (dependencies) to playbook template in docs-build branch #12522
  • Add the ability to set the SameSite policy to the CSRF Cookie #12109
  • Allow authorization request resolver to be changed for the OAuth2 client configuration #12430
  • AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context #12505
  • Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier #12489
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12445
  • Inaccurate javadoc text in setRequestHandler method from CsrfWebFilter class #12484
  • Inaccurate javadoc text in setRequestHandler method of CsrfFilter class #12515
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12441
  • Replace deprecated set-state set-output GitHub Action's commands #12300
  • SecuredAuthorizationManager should allow customizing underlying authorization manager #12233
  • SecuredAuthorizationManager should cache annotation's value #12232
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12499

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12518
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12410
  • Error in ACLS document #12406
  • Fix AuthorizationFilter diagram in docs #12287
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12436
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12460
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12496
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #12372
  • Reactive migration documentation for @EnableReactiveMethodSecurity is wrong (or implementation is wrong) #12514
  • Security observations are not setting their parent observation #12525
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12493
  • SwitchUserFilter not working in Spring Security 6 #12512
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12528

🔨 Dependency Upgrades

  • Update org.gretty:gretty to 4.0.3 #12277

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2022-12-19 23:23:12

New Features

  • Replace deprecated set-state set-output GitHub Action's commands #12032
  • update generateAntora task to make prereleases unique #12083

🪲 Bug Fixes

  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12090
  • docs: fix realm typo #12120
  • Fix AuthorizationFilter diagram in docs #12274
  • Fix typo in DefaultLoginPageConfigurer Javadoc #12311
  • Fix typo on opaque-token.adoc #12114
  • Fix: Replace tenantRepository with tenants #12269
  • Incorrect scope map fix #12144
  • OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #12295
  • Outdated example in Javadoc of UrlAuthorizationConfigurer #11487
  • Saml2MetadataFilter response should configure writer to UTF-8 #12026
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #3065
  • Update the RP-initiated Logout links #12081

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12152
  • Update Gradle to 7.5.1 #11779
  • Update hibernate-entitymanager to 5.6.14.Final #12388
  • Update httpclient to 4.5.14 #12386
  • Update io.projectreactor to 2020.0.26 #12384
  • Update jackson-bom to 2.13.4.20221013 #12381
  • Update jackson-databind to 2.13.4.2 #12382
  • Update mockk to 1.12.8 #12383
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12387
  • Update org.springframework to 5.3.24 #12389
  • Update org.springframework.data to 2021.1.10 #12390
  • Update reactor-netty to 1.0.26 #12385

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2022-12-19 23:22:50

New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12354
  • Replace deprecated set-state set-output GitHub Action's commands #12299

🪲 Bug Fixes

  • codes in spring security docs fail to work #12342
  • codes in spring security docs fail to work #12341
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12409
  • Error in ACLS document #12270
  • Fix AuthorizationFilter diagram in docs #12288
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12435
  • Incorrect sample code in securityMatcher migration docs #12303
  • Incorrect sample code in securityMatcher migration docs #12302
  • It's not possible to disable micrometer observability #12268
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #12367
  • SecurityContextHolderFilter does not apply to async dispatch #12369
  • SecurityContextHolderFilter does not apply to async dispatch #12368

🔨 Dependency Upgrades

  • Update hibernate-core to 6.1.6.Final #12423
  • Update httpclient to 4.5.14 #12421
  • Update io.projectreactor to 2022.0.1 #12419
  • Update jackson-bom to 2.14.1 #12413
  • Update jackson-databind to 2.14.1 #12414
  • Update jackson-datatype-jsr310 to 2.14.1 #12415
  • Update logback-classic to 1.4.5 #12412
  • Update micrometer-observation to 1.10.2 #12417
  • Update mockk to 1.13.3 #12418
  • Update org.eclipse.jetty to 11.0.13 #12422
  • Update org.jetbrains.kotlin to 1.7.22 #12424
  • Update org.springframework to 6.0.3 #12426
  • Update reactor-netty to 1.1.1 #12420
  • Update slf4j-api to 2.0.6 #12425
  • Update unboundid-ldapsdk to 6.0.7 #12416

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2022-12-19 23:22:42

New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12334
  • Replace deprecated set-state set-output GitHub Action's commands #12298

🪲 Bug Fixes

  • codes in spring security docs fail to work #11396
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12408
  • Fix AuthorizationFilter diagram in docs #12286
  • Fix password encoder migration guide #12318
  • Fix typo #12316
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12411
  • Incorrect sample code in securityMatcher migration docs #12296
  • SecurityContextHolderFilter does not apply to async dispatch #11962

🔨 Dependency Upgrades

  • Update httpclient to 4.5.14 #12403
  • Update io.projectreactor to 2020.0.26 #12401
  • Update mockk to 1.13.3 #12400
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12404
  • Update org.jetbrains.kotlin to 1.7.22 #12405
  • Update reactor-netty to 1.0.26 #12402

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

2022-12-19 23:22:32

New Features

  • Improve deprecation notice in WebSecurityConfigurerAdapter #12260
  • Replace deprecated set-state set-output GitHub Action's commands #12297

🪲 Bug Fixes

  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12407
  • Fix AuthorizationFilter diagram in docs #12285
  • Incorrect scope map fix #12205
  • SAML logout: Incorrect log messages #12208
  • Saml2MetadataFilter response should configure writer to UTF-8 #12221
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12125
  • Update the RP-initiated Logout links #12121

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12153
  • Update Gradle to 7.5.1 #12157
  • Update hibernate-entitymanager to 5.6.14.Final #12397
  • Update httpclient to 4.5.14 #12395
  • Update io.projectreactor to 2020.0.26 #12393
  • Update jackson-bom to 2.13.4.20221013 #12391
  • Update jackson-databind to 2.13.4.2 #12392
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12396
  • Update org.springframework to 5.3.24 #12398
  • Update org.springframework.data to 2021.2.6 #12399
  • Update reactor-netty to 1.0.26 #12394

2022-11-21 23:23:19

Breaking Changes

  • CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
  • Register FilterChainProxy for all dispatcher types #12180

New Features

  • Add test runtime hints for annotations using @WithSecurityContext #12215
  • Add WebTestUtils test runtime hints #12216
  • Align with Servlet API 6 #12146
  • Document Configure Default SessionAuthenticationStrategy #12192
  • Document DelegatingSecurityContextRepository #12185
  • Improve deprecation notice in WebSecurityConfigurerAdapter #12262
  • Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #12234
  • Migration guide for the removal of CAS #12163
  • Polish Span and Meter Names #12225
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
  • Restructure 6.0 Migration Guide #12242
  • Support Jakarta WebSocket 2.1 #12148

🪲 Bug Fixes

  • CsrfAuthenticationStrategy does not check for existing token #12241
  • Ensure instrumentation names align with semantic conventions #12156
  • Incorrect scope map fix #12207
  • SAML logout: Incorrect log messages #12210
  • Saml2MetadataFilter response should configure writer to UTF-8 #12223

🔨 Dependency Upgrades

  • Update micrometer-observation to 1.10.1 #12250
  • Update org.springframework to 6.0.0 #12255
  • Update org.springframework.data to 2022.0.0 #12256
  • Update r2dbc-h2 to 1.0.0.RELEASE #12251
  • Update slf4j-api to 2.0.4 #12254
  • Update spring-ldap-core to 3.0.0 #12257

❤️ Contributors

We'd like to thank all the contributors who worked on this release!