⭐ New Features

• Add RelayState Customizer to SAML Logout #12582
• Add saml2Metadata to the DSL #11828
• Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
• Allow Relying Party to be Deduced from LogoutRequest #12843
• Allow UserBuilder to easily build a user without any authorities #12533
• Cookie no support for field 'version' and 'comment' #12454
• Copies of RelyingPartyRegistration should preserve custom fields #12841
• CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
• Extract placeholder resolution from DefaultRelyingPartyRegstrationResolver #12842
• Incomplete documentation regarding Hierarchical roles. #12784
• Move classpath checks to class member variable #12640
• move code comment to callout #12536
• NimbusReactiveJwtDecoder support mono chain #12521
• Polish DefaultLoginPageGeneratingFilter #12657
• Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
• Re-add support for CAS #11674
• Relax final method implementations on AbstractRememberMeServices #12145
• RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
• Remove deprecated SecurityContextPersistenceFilter from docs #12809
• Restore CAS module and update it for cas-client-core 4.0.0 #12362
• Revisit Session Management Documentation #12681
• Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
• SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
• Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
• Support Device Authorization Response #12852
• Support LogoutRequest when already logged out #12845
• Update javadoc in EnableWebSecurity #12613
• Use a custom authentication type for CAS #12304

🪲 Bug Fixes

• 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
• @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
• A typo in form login doc #12730
• Broken links in form login section of docs #12839
• Document XMLObject retreival for Asserting Party metadata #12800
• EntityId ignored in xml relying-party-registration #12778
• Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
• Fix image in servlet architecture docs section #12609
• Fix javadox typo #12643
• fix missing semi-colon java example in observability documentation #12761
• fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
• javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
• JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
• Missing spring-security-oauth2 xsds after release #12807
• No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
• NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
• NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
• SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
• SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
• Typo in Authentication Migrations page #12660
• WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin #12669
• Update hibernate-core to 6.1.7.Final #12898
• Update httpclient to 4.5.14 #12894
• Update io.projectreactor to 2022.0.5 #12890
• Update io.spring.javaformat to 0.0.38 #12891
• Update io.spring.nohttp to 0.0.11 #12892
• Update jackson-bom to 2.14.2 #12886
• Update jakarta.servlet.jsp-api to 3.1.1 #12893
• Update junit-bom to 5.9.2 #12900
• Update logback-classic to 1.4.6 #12885
• Update maven-resolver-provider to 3.8.8 #12895
• Update micrometer-observation to 1.10.5 #12888
• Update mockk to 1.13.4 #12889
• Update org.aspectj to 1.9.19 #12896
• Update org.eclipse.jetty to 11.0.14 #12897
• Update org.jetbrains.kotlin to 1.8.20-RC #12899
• Update org.springframework to 6.0.7 #12902
• Update org.springframework.data to 2022.0.3 #12903
• Update slf4j-api to 2.0.7 #12901
• Update spring-ldap-core to 3.0.1 #12904
• Update spring-ldap-core to 3.0.1 #12727
• Update to Kotlin 1.8.10 #12788
• Update unboundid-ldapsdk to 6.0.8 #12887

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @dkodippily
• @Park9eon
• @An1s9n
• @twosom
• @hdeadman
• @jprinet
• @mojavelinux
• @wyfrel
• @ghaege
• @natrem

⭐ New Features

• Improve diagnostics in SpEL for matches operator #30150
• Improve diagnostics in SpEL for repeated text #30149
• Increase scope of regex pattern cache for the SpEL matches operator #30148

⭐ New Features

• Improve diagnostics in SpEL for matches operator #30145
• Improve diagnostics in SpEL for repeated text #30143
• Increase scope of regex pattern cache for the SpEL matches operator #30141
• Minor updates in HandlerMappingIntrospector #30128
• Allow SnakeYaml 2.0 runtime compatibility #30097
• Add missing @Nullable annotations to LogMessage.format methods #30009
• ASM upgrade for JDK 20/21 support #29966
• Allow MockRest to match header/queryParam value list with one Matcher #29964
• Add MockMvc.multipart() Kotlin extensions with HttpMethod #29941
• Release R2DBC connection when cleanup fails in transaction #29925
• org.springframework.web.context.ContextLoader should lazily load ContextLoader.properties #29909
• Improve generated default name for @JmsListener subscription #29902
• Include all Hibernate query methods in SharedEntityManagerCreator's queryTerminatingMethods set #29888
• SQL supplier in R2DBC DatabaseClient is eagerly invoked #29887
• Spring Framework 5.3.x is incompatible with Jetty 10 (Client) #29867
• Possible infinite forward loop with MockMvcWebConnection #29866
• Refine Jackson2ObjectMapperBuilder#configureFeature exception handling #29860
• Fix R2dbcTransactionManager debug log: don't log a Mono #29824

🐞 Bug Fixes

• RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #30121
• SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #30118
• CaffeineCacheManager getCache method cause thread block #30085
• Protect JMS connection creation against prepareConnection errors #30051
• ReactorServerHttpRequest does not reflect forwarded host and port when forwarding-header-strategy=native or cloud platform detected #29974
• WebSocket stats not updated correctly when sessions cleared #29947
• Explicit target ClassLoader for interface-based proxies in MvcUriComponentsBuilder #29914
• Closing an ApplicationContext leads to Exception at ExecutorServiceAdapter #29908
• Invalid Accept header results in IllegalStateException #29836
• JettyWebSocketCreator referenced from a method is not visible from class loader with Jetty10RequestUpgradeStrategy #29256

📔 Documentation

• Fix minor spacings in webflux docs #30095
• @AspectJ argument name resolution algorithm is outdated in reference manual #30057
• Fix "Configuring a Global Date and Time Format" example #30036
• Consistent @Bean method return type for equivalence with XML example #29970
• Update @DynamicPropertySource examples regarding changes in Testcontainers #29940
• Clarify semantics of primitivesDefaultedForNullValue in BeanPropertyRowMapper #29926
• Clearly document that DataClassRowMapper supports Java records #29922
• Outdated Javadoc for AbstractApplicationContext.postProcessBeanFactory #29916

🔨 Dependency Upgrades

• Upgrade to Reactor Netty 2020.0.30 #30116

⭐ New Features

• Improve diagnostics in SpEL for matches operator #30144
• Improve diagnostics in SpEL for repeated text #30142
• Increase scope of regex pattern cache for the SpEL matches operator #30140
• Minor updates in HandlerMappingIntrospector #30127
• Skip parameter name resolution when not needed in AbstractAutowireCapableBeanFactory #30103
• Remove extra copy of headers/cookies in WebClient #30092
• Assert non-null arguments in DefaultServerRequestBuilder methods #30046
• Jetty 12 support in WebFlux #29575

🐞 Bug Fixes

• Gradle task processAot fails when Bean Validation API present but no provider found #30130
• ContentDisposition::parse does not support Windows paths #30111
• BindException raised instead of MethodArgumentNotValidException subclass #30100
• Ensure reactive transaction rollback on commit error #30096
• CaffeineCacheManager getCache method cause thread block #30066
• RequestedContentTypeResolver does not ignore quality factor when filtering */* media types #29915
• @Autowired/@Value does not work on inner bean in native #29803
• Avoid rollback after a commit failure in TransactionalOperator #27572
• SpEL: cannot call methods declared in java.lang.Object on a JDK proxy #25316

📔 Documentation

• Add anchor rewrites in the reference documentation #30132
• Fix minor spacings in webflux docs #30078
• Add a list of observations produced by Spring Framework #30060

🔨 Dependency Upgrades

• Upgrade to Reactor 2022.0.5 #30133

❤️ Contributors

Thank you to all the contributors who worked on this release:

@EnricSala, @MrCoffee77, @abelsromero, @edyda99, @liupeng12345, @srivatsa-cfp, and @yuzawa-san

This is a security bugfix release containing PR #3133. This adds a limit to the depth of grammar rules, to prevent stack overflow. See the full details on the original PR: #3112.

This release also includes backported fixes to ensure MANIFEST.MF is the first entry in the JAR file and removes sun.misc from Import-Package header. See the full details on the original PRs: #3091 and #3097.

What's Changed

• Backported the fix to remove sun.misc by @schaefa in https://github.com/graphql-java/graphql-java/pull/3099
• Backported #3112 into 19.x branch by @bbakerman in https://github.com/graphql-java/graphql-java/pull/3133

Full Changelog: https://github.com/graphql-java/graphql-java/compare/v19.3...v19.4

What's Changed

• Update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.11.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3204
• Update dependency org.openjdk.jcstress:jcstress-core to v0.16 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3206
• Update dependency org.eclipse.jetty:jetty-bom to v10.0.14 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3208
• Update dependency org.eclipse.jetty:jetty-bom to v11.0.14 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3209
• Update jetty9.version to v9.4.51.v20230217 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3210
• Update dependency org.checkerframework:checker-qual to v3.32.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3214
• Update dependency com.github.ben-manes.caffeine:caffeine to v3.1.5 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3216
• Update dependency net.bytebuddy:byte-buddy to v1.14.1 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3219
• Update actions/cache action to v3.3.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3223
• Update dependency org.mockito:mockito-core to v5.2.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3224
• Update actions/cache action to v3.3.1 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3227
• Update dependency maven-wrapper to v3.2.0 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3228
• Update dependency net.bytebuddy:byte-buddy to v1.14.2 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3231
• Update dependency org.apache.maven.plugins:maven-surefire-plugin to v3 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3233
• Update logback13.version to v1.3.6 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3239
• Update actions/checkout digest to 24cb908 (release/4.2.x) by @renovate in https://github.com/dropwizard/metrics/pull/3238
• Update logback14.version to v1.4.6 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3240
• Update slf4j.version to v2.0.7 (release/4.2.x) (patch) by @renovate in https://github.com/dropwizard/metrics/pull/3247

Full Changelog: https://github.com/dropwizard/metrics/compare/v4.2.17...v4.2.18

Full Changelog: https://github.com/Activiti/Activiti/compare/7.10.0-rc.1...7.10.0-rc.2

What's Changed

🔨 Other Changes

• #4255 - Support rollback at engine level by @miguelruizdev in https://github.com/Activiti/Activiti/pull/4256

Full Changelog: https://github.com/Activiti/Activiti/compare/7.9.0-rc.40...7.10.0-rc.1