Changelog

New Features

  • Add RelayState Customizer to SAML Logout #12582
  • Add saml2Metadata to the DSL #11828
  • Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
  • Allow Relying Party to be Deduced from LogoutRequest #12843
  • Allow UserBuilder to easily build a user without any authorities #12533
  • Cookie no support for field 'version' and 'comment' #12454
  • Copies of RelyingPartyRegistration should preserve custom fields #12841
  • CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
  • Extract placeholder resolution from DefaultRelyingPartyRegistrationResolver #12842
  • Incomplete documentation regarding Hierarchical roles. #12784
  • Move classpath checks to class member variable #12640
  • move code comment to callout #12536
  • NimbusReactiveJwtDecoder support mono chain #12521
  • Polish DefaultLoginPageGeneratingFilter #12657
  • Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
  • Re-add support for CAS #11674
  • Relax final method implementations on AbstractRememberMeServices #12145
  • RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
  • Remove deprecated SecurityContextPersistenceFilter from docs #12809
  • Restore CAS module and update it for cas-client-core 4.0.0 #12362
  • Revisit Session Management Documentation #12681
  • Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
  • SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
  • Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
  • Support Device Authorization Response #12852
  • Support LogoutRequest when already logged out #12845
  • Update javadoc in EnableWebSecurity #12613
  • Use a custom authentication type for CAS #12304

🪲 Bug Fixes

  • 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
  • @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
  • A typo in form login doc #12730
  • Broken links in form login section of docs #12839
  • Document XMLObject retrieval for Asserting Party metadata #12800
  • EntityId ignored in xml relying-party-registration #12778
  • Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
  • Fix image in servlet architecture docs section #12609
  • Fix javadoc typo #12643
  • fix missing semi-colon java example in observability documentation #12761
  • fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
  • javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
  • JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
  • Missing spring-security-oauth2 xsds after release #12807
  • No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
  • NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274) #12831
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
  • SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
  • SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
  • Typo in Authentication Migrations page #12660
  • WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626

🔨 Dependency Upgrades

  • Update Gradle Enterprise plugin #12669
  • Update hibernate-core to 6.1.7.Final #12898
  • Update httpclient to 4.5.14 #12894
  • Update io.projectreactor to 2022.0.5 #12890
  • Update io.spring.javaformat to 0.0.38 #12891
  • Update io.spring.nohttp to 0.0.11 #12892
  • Update jackson-bom to 2.14.2 #12886
  • Update jakarta.servlet.jsp-api to 3.1.1 #12893
  • Update junit-bom to 5.9.2 #12900
  • Update logback-classic to 1.4.6 #12885
  • Update maven-resolver-provider to 3.8.8 #12895
  • Update micrometer-observation to 1.10.5 #12888
  • Update mockk to 1.13.4 #12889
  • Update org.aspectj to 1.9.19 #12896
  • Update org.eclipse.jetty to 11.0.14 #12897
  • Update org.jetbrains.kotlin to 1.8.20-RC #12899
  • Update org.springframework to 6.0.7 #12902
  • Update org.springframework.data to 2022.0.3 #12903
  • Update slf4j-api to 2.0.7 #12901
  • Update spring-ldap-core to 3.0.1 #12904
  • Update spring-ldap-core to 3.0.1 #12727
  • Update to Kotlin 1.8.10 #12788
  • Update unboundid-ldapsdk to 6.0.8 #12887

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

New Features

  • Improve diagnostics in SpEL for matches operator #30150
  • Improve diagnostics in SpEL for repeated text #30149
  • Increase scope of regex pattern cache for the SpEL matches operator #30148

New Features

  • Improve diagnostics in SpEL for matches operator #30145
  • Improve diagnostics in SpEL for repeated text #30143
  • Increase scope of regex pattern cache for the SpEL matches operator #30141
  • Minor updates in HandlerMappingIntrospector #30128
  • Allow SnakeYaml 2.0 runtime compatibility #30097
  • Add missing @Nullable annotations to LogMessage.format methods #30009
  • ASM upgrade for JDK 20/21 support #29966
  • Allow MockRest to match header/queryParam value list with one Matcher #29964
  • Add MockMvc.multipart() Kotlin extensions with HttpMethod #29941
  • Release R2DBC connection when cleanup fails in transaction #29925
  • org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #29909
  • Improve generated default name for @JmsListener subscription #29902
  • Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #29888
  • SQL supplier in R2DBC DatabaseClient is eagerly invoked #29887
  • Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #29867
  • Possible infinite forward loop with MockMvcWebConnection #29866
  • Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #29860
  • Fix R2dbcTransactionManager debug log: don't log a Mono #29824

🐞 Bug Fixes

  • RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #30121
  • SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #30118
  • CaffeineCacheManager getCache method cause thread block #30085
  • Protect JMS connection creation against prepareConnection errors #30051
  • ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #29974
  • WebSocket stats not updated correctly when sessions cleared #29947
  • Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #29914
  • Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #29908
  • Invalid Accept header results in IllegalStateException #29836
  • JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #29256

📔 Documentation

  • Fix minor spacings in webflux docs #30095
  • @AspectJ argument name resolution algorithm is outdated in reference manual #30057
  • Fix "Configuring a Global Date and Time Format" example #30036
  • Consistent @Bean method return type for equivalence with XML example #29970
  • Update @DynamicPropertySource examples regarding changes in Testcontainers #29940
  • Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #29926
  • Clearly document that DataClassRowMapper supports Java records #29922
  • Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #29916

🔨 Dependency Upgrades

  • Upgrade to Reactor Netty 2020.0.30 #30116

New Features

  • Improve diagnostics in SpEL for matches operator #30144
  • Improve diagnostics in SpEL for repeated text #30142
  • Increase scope of regex pattern cache for the SpEL matches operator #30140
  • Minor updates in HandlerMappingIntrospector #30127
  • Skip parameter name resolution when not needed in AbstractAutowireCapableBeanFactory #30103
  • Remove extra copy of headers/cookies in WebClient #30092
  • Assert non-null arguments in DefaultServerRequestBuilder methods #30046
  • Jetty 12 support in WebFlux #29575

🐞 Bug Fixes

  • Gradle task processAot fails when Bean Validation API present but no provider found #30130
  • ContentDisposition::parse does not support Windows paths #30111
  • BindException raised instead of MethodArgumentNotValidException subclass #30100
  • Ensure reactive transaction rollback on commit error #30096
  • CaffeineCacheManager getCache method cause thread block #30066
  • RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #29915
  • @Autowired/@Value does not work on inner bean in native #29803
  • Avoid rollback after a commit failure in TransactionalOperator #27572
  • SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #25316

📔 Documentation

  • Add anchor rewrites in the reference documentation #30132
  • Fix minor spacings in webflux docs #30078
  • Add a list of observations produced by Spring Framework #30060

🔨 Dependency Upgrades

  • Upgrade to Reactor 2022.0.5 #30133

❤️ Contributors

Thank you to all the contributors who worked on this release:

@EnricSala, @MrCoffee77, @abelsromero, @edyda99, @liupeng12345, @srivatsa-cfp, and @yuzawa-san

This is a security bugfix release containing PR #3133. This adds a limit to the depth of grammar rules, to prevent stack overflow. See the full details on the original PR: #3112.

This release also includes backported fixes to ensure MANIFEST.MF is the first entry in the JAR file and removes sun.misc from Import-Package header. See the full details on the original PRs: #3091 and #3097.

What's Changed

Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.3...v19.4

What's Changed

Full Changelog: https://github.com/dropwizard/metrics/compare/v4.2.17...v4.2.18

What's Changed

🔨 Other Changes

Full Changelog: https://github.com/Activiti/Activiti/compare/7.9.0-rc.40...7.10.0-rc.1