⭐ New Features
- Add RelayState Customizer to SAML Logout #12582
- Add saml2Metadata to the DSL #11828
- Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
- Allow Relying Party to be Deduced from LogoutRequest #12843
- Allow UserBuilder to easily build a user without any authorities #12533
- Cookie no support for field 'version' and 'comment' #12454
- Copies of RelyingPartyRegistration should preserve custom fields #12841
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
- Extract placeholder resolution from DefaultRelyingPartyRegistrationResolver #12842
- Incomplete documentation regarding Hierarchical roles. #12784
- Move classpath checks to class member variable #12640
- move code comment to callout #12536
- NimbusReactiveJwtDecoder support mono chain #12521
- Polish DefaultLoginPageGeneratingFilter #12657
- Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
- Re-add support for CAS #11674
- Relax final method implementations on AbstractRememberMeServices #12145
- RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
- Remove deprecated SecurityContextPersistenceFilter from docs #12809
- Restore CAS module and update it for cas-client-core 4.0.0 #12362
- Revisit Session Management Documentation #12681
- Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
- SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
- Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
- Support Device Authorization Response #12852
- Support LogoutRequest when already logged out #12845
- Update javadoc in EnableWebSecurity #12613
- Use a custom authentication type for CAS #12304
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
- @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
- A typo in form login doc #12730
- Broken links in form login section of docs #12839
- Document XMLObject retrieval for Asserting Party metadata #12800
- EntityId ignored in xml relying-party-registration #12778
- Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
- Fix image in servlet architecture docs section #12609
- Fix javadoc typo #12643
- fix missing semi-colon java example in observability documentation #12761
- fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
- Missing spring-security-oauth2 xsds after release #12807
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
- Typo in Authentication Migrations page #12660
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin #12669
- Update hibernate-core to 6.1.7.Final #12898
- Update httpclient to 4.5.14 #12894
- Update io.projectreactor to 2022.0.5 #12890
- Update io.spring.javaformat to 0.0.38 #12891
- Update io.spring.nohttp to 0.0.11 #12892
- Update jackson-bom to 2.14.2 #12886
- Update jakarta.servlet.jsp-api to 3.1.1 #12893
- Update junit-bom to 5.9.2 #12900
- Update logback-classic to 1.4.6 #12885
- Update maven-resolver-provider to 3.8.8 #12895
- Update micrometer-observation to 1.10.5 #12888
- Update mockk to 1.13.4 #12889
- Update org.aspectj to 1.9.19 #12896
- Update org.eclipse.jetty to 11.0.14 #12897
- Update org.jetbrains.kotlin to 1.8.20-RC #12899
- Update org.springframework to 6.0.7 #12902
- Update org.springframework.data to 2022.0.3 #12903
- Update slf4j-api to 2.0.7 #12901
- Update spring-ldap-core to 3.0.1 #12904
- Update spring-ldap-core to 3.0.1 #12727
- Update to Kotlin 1.8.10 #12788
- Update unboundid-ldapsdk to 6.0.8 #12887
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
⭐ New Features
- Improve diagnostics in SpEL for matches operator #30145
- Improve diagnostics in SpEL for repeated text #30143
- Increase scope of regex pattern cache for the SpEL matches operator #30141
- Minor updates in HandlerMappingIntrospector #30128
- Allow SnakeYaml 2.0 runtime compatibility #30097
- Add missing @Nullable annotations to LogMessage.format methods #30009
- ASM upgrade for JDK 20/21 support #29966
- Allow MockRest to match header/queryParam value list with one Matcher #29964
- Add MockMvc.multipart() Kotlin extensions with HttpMethod #29941
- Release R2DBC connection when cleanup fails in transaction #29925
- org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #29909
- Improve generated default name for @JmsListener subscription #29902
- Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #29888
- SQL supplier in R2DBC DatabaseClient is eagerly invoked #29887
- Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #29867
- Possible infinite forward loop with MockMvcWebConnection #29866
- Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #29860
- Fix R2dbcTransactionManager debug log: don't log a Mono #29824
🐞 Bug Fixes
- RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #30121
- SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #30118
- CaffeineCacheManager getCache method cause thread block #30085
- Protect JMS connection creation against prepareConnection errors #30051
- ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #29974
- WebSocket stats not updated correctly when sessions cleared #29947
- Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #29914
- Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #29908
- Invalid Accept header results in IllegalStateException #29836
- JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #29256
📔 Documentation
- Fix minor spacings in webflux docs #30095
- @AspectJ argument name resolution algorithm is outdated in reference manual #30057
- Fix "Configuring a Global Date and Time Format" example #30036
- Consistent @Bean method return type for equivalence with XML example #29970
- Update @DynamicPropertySource examples regarding changes in Testcontainers #29940
- Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #29926
- Clearly document that DataClassRowMapper supports Java records #29922
- Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #29916
🔨 Dependency Upgrades
- Upgrade to Reactor Netty 2020.0.30 #30116
⭐ New Features
- Improve diagnostics in SpEL for matches operator #30144
- Improve diagnostics in SpEL for repeated text #30142
- Increase scope of regex pattern cache for the SpEL matches operator #30140
- Minor updates in HandlerMappingIntrospector #30127
- Skip parameter name resolution when not needed in AbstractAutowireCapableBeanFactory #30103
- Remove extra copy of headers/cookies in WebClient #30092
- Assert non-null arguments in DefaultServerRequestBuilder methods #30046
- Jetty 12 support in WebFlux #29575
🐞 Bug Fixes
- Gradle task processAot fails when Bean Validation API present but no provider found #30130
- ContentDisposition::parse does not support Windows paths #30111
- BindException raised instead of MethodArgumentNotValidException subclass #30100
- Ensure reactive transaction rollback on commit error #30096
- CaffeineCacheManager getCache method cause thread block #30066
- RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #29915
- @Autowired/@Value does not work on inner bean in native #29803
- Avoid rollback after a commit failure in TransactionalOperator #27572
- SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #25316
📔 Documentation
- Add anchor rewrites in the reference documentation #30132
- Fix minor spacings in webflux docs #30078
- Add a list of observations produced by Spring Framework #30060
🔨 Dependency Upgrades
- Upgrade to Reactor 2022.0.5 #30133
❤️ Contributors
Thank you to all the contributors who worked on this release:
@EnricSala, @MrCoffee77, @abelsromero, @edyda99, @liupeng12345, @srivatsa-cfp, and @yuzawa-san
This is a security bugfix release containing PR #3133. This adds a limit to the depth of grammar rules, to prevent stack overflow. See the full details on the original PR: #3112.
This release also includes backported fixes to ensure MANIFEST.MF is the first entry in the JAR file and removes sun.misc from Import-Package header. See the full details on the original PRs: #3091 and #3097.
What's Changed
- Backported the fix to remove sun.misc by @schaefa in https://github.com/graphql-java/graphql-java/pull/3099
- Backported #3112 into 19.x branch by @bbakerman in https://github.com/graphql-java/graphql-java/pull/3133
Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.3...v19.4
What's Changed
- Update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.11.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3204
- Update dependency org.openjdk.jcstress:jcstress-core to v0.16 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3206
- Update dependency org.eclipse.jetty:jetty-bom to v10.0.14 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3208
- Update dependency org.eclipse.jetty:jetty-bom to v11.0.14 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3209
- Update jetty9.version to v9.4.51.v20230217 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3210
- Update dependency org.checkerframework:checker-qual to v3.32.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3214
- Update dependency com.github.ben-manes.caffeine:caffeine to v3.1.5 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3216
- Update dependency net.bytebuddy:byte-buddy to v1.14.1 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3219
- Update actions/cache action to v3.3.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3223
- Update dependency org.mockito:mockito-core to v5.2.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3224
- Update actions/cache action to v3.3.1 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3227
- Update dependency maven-wrapper to v3.2.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3228
- Update dependency net.bytebuddy:byte-buddy to v1.14.2 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3231
- Update dependency org.apache.maven.plugins:maven-surefire-plugin to v3 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3233
- Update logback13.version to v1.3.6 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3239
- Update actions/checkout digest to 24cb908 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3238
- Update logback14.version to v1.4.6 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3240
- Update slf4j.version to v2.0.7 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3247
Full Changelog: https://github.com/dropwizard/metrics/compare/v4.2.17...v4.2.18
What's Changed
🔨 Other Changes
- #4255 - Support rollback at engine level by @miguelruizdev in https://github.com/Activiti/Activiti/pull/4256
Full Changelog: https://github.com/Activiti/Activiti/compare/7.9.0-rc.40...7.10.0-rc.1