Releases: spring-projects/spring-security
6.0.4
⭐ New Features
- Add initial Native section to reference docs #12029
- Align Resource Server documentation with Boot's capabilities #13238
- Convert to Asciidoctor Tabs #13406
- Document How to Handle Method Security in Native Image #13226
- Error On Unsupported Client Authentication Methods #13240
- Make eclipse/vscode project import work #12930
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13228
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13253
- Use Antora name of security #13330
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13281
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13086
- AOT Fails to proxy #13368
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13153
- Clarify that Kotlin DSL needs an import #13102
- DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #13222
- Delete duplicate line from oauth2/client/core.adoc #13233
- Deprecated hint on BasicAuthenticationFilter #13278
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13192
- Fix Antora Warnings #13293
- Fix code snippets in Authorize HttpServletRequest #13125
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13220
- Fix Documentation Title #13317
- Fix legacy-websocket-configuration cross-reference #13205
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13208
- java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #13133
- Links between migration docs are out of date #13156
- Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13217
- No longer maintained net.sourceforge.nekohtml with known security issues #13286
- Proxy Server section is not linked in nav #13323
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13127
- rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13079
- SAML login fails in Internet Explorer 11 #13141
- SimpleAroundFilterObservation.wrap calls scope.close() duplicated #12787
- Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #13084
- Spring Security SAML signature validation issue #13182
- The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #13008
- Use consistent list of micrometer tags in web observation handler #13179
- X-XSS-Protection is now disabled #13129
🔨 Dependency Upgrades
- Update com.nimbusds to 9.43.3 #13352
- Update hsqldb to 2.7.2 #13359
- Update io.projectreactor to 2022.0.8 #13355
- Update io.rsocket to 1.1.4 #13357
- Update io.spring.javaformat to 0.0.39 #13358
- Update jackson-bom to 2.14.3 #13349
- Update jackson-databind to 2.14.3 #13350
- Update jackson-datatype-jsr310 to 2.14.3 #13351
- Update junit-bom to 5.9.3 #13360
- Update junit-platform-launcher to 1.9.3 #13362
- Update logback-classic to 1.4.8 #13348
- Update micrometer-observation to 1.10.8 #13354
- Update org.junit.jupiter to 5.9.3 #13361
- Update org.springframework to 6.0.10 #13363
- Update org.springframework.data to 2022.0.7 #13364
- Update reactor-netty to 1.1.8 #13356
- Update spring-ldap-core to 3.0.4 #13365
- Update unboundid-ldapsdk to 6.0.9 #13353
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.4
⭐ New Features
- Convert to Asciidoctor Tabs #13405
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13227
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13252
- Use Antora name of security #13329
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13280
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13069
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13132
- Clarify that Kotlin DSL needs an import #13101
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13191
- Fix Antora Warnings #13292
- Fix code snippets in Authorize HttpServletRequest #11522
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13219
- Fix Documentation Title #13316
- Fix legacy-websocket-configuration cross-reference #12969
- Fix typo in authorization.adoc #13135
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13207
- Links between migration docs are out of date #12675
- Proxy Server section is not linked in nav #13322
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13104
- SAML 2.0 HTTP Redirect Binding query params may appear in any order #12963
- SAML login fails in Internet Explorer 11 #13106
- Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160
🔨 Dependency Upgrades
- Address CVE-2023-1370 #13146
- Update com.nimbusds to 9.43.3 #13374
- Update hsqldb to 2.7.2 #13388
- Update io.projectreactor to 2020.0.33 #13377
- Update io.rsocket to 1.1.4 #13383
- Update io.spring.javaformat to 0.0.39 #13386
- Update junit-bom to 5.9.3 #13391
- Update org.junit.jupiter to 5.9.3 #13393
- Update org.springframework to 5.3.28 #13395
- Update org.springframework.data to 2021.2.13 #13397
- Update reactor-netty to 1.0.33 #13380
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.9
⭐ New Features
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13203
- Clarify that Kotlin DSL needs an import #13092
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13098
- Fix Antora Warnings #13291
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13155
- Fix Documentation Title #13315
- Fix javadoc for migration from WebSecurityConfigurerAdapter #12996
- Fix typo in SecurityMockMvcResultMatchers.java #12793
- fix typo of modules.adoc #12921
- Fix typo overview.adoc #13269
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13131
- Proxy Server section is not linked in nav #13313
- Typos in docs #13283
🔨 Dependency Upgrades
- Update io.projectreactor to 2020.0.33 #13373
- Update io.rsocket to 1.1.4 #13379
- Update org.springframework to 5.3.28 #13382
- Update org.springframework.data to 2021.2.13 #13385
- Update reactor-netty to 1.0.33 #13376
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.11
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13390
- Update hibernate-entitymanager to 5.6.15.Final #13400
- Update io.projectreactor to 2020.0.33 #13387
- Update io.rsocket to 1.1.4 #13392
- Update io.spring.nohttp to 0.0.11 #13394
- Update jackson-bom to 2.13.5 #13375
- Update jackson-databind to 2.13.5 #13378
- Update jackson-datatype-jsr310 to 2.13.5 #13381
- Update logback-classic to 1.2.12 #13372
- Update mockk to 1.12.8 #13384
- Update org.antora.gradle.plugin to 1.0.0 #13396
- Update org.aspectj to 1.9.19 #13398
- Update org.eclipse.jetty to 9.4.51.v20230217 #13399
- Update org.springframework to 5.3.28 #13401
- Update reactor-netty to 1.0.33 #13389
6.1.0
⭐ New Features
- Explain the rational about deprecating .and() and non-lambda DSL methods #13094
- Revisit CSRF Documentation #13089
🪲 Bug Fixes
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13087
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13154
- Clarify that Kotlin DSL needs an import #13103
- CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #13075
- Fix code snippets in Authorize HttpServletRequest #13126
- Fix invalid link in ref doc #12573
- fix javadoc typo #12884
- Fix typo cas.adoc #13116
- Links between migration docs are out of date #13157
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13128
- rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13083
- SAML login fails in Internet Explorer 11 #13142
- SimpleAroundFilterObservation.wrap calls scope.close() duplicated #13150
- Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #13122
- Update acls.adoc #13078
- Update architecture.adoc #13077
- Web Security Expression section of Documentation is obsolete or it does not work #12974
🔨 Dependency Upgrades
- Update com.nimbusds to 9.43.2 #13165
- Update io.projectreactor to 2022.0.7 #13167
- Update jackson-bom to 2.14.3 #13162
- Update jackson-databind to 2.14.3 #13163
- Update jackson-datatype-jsr310 to 2.14.3 #13164
- Update junit-bom to 5.9.3 #13170
- Update junit-platform-launcher to 1.9.3 #13172
- Update logback-classic to 1.4.7 #13161
- Update micrometer-observation to 1.10.7 #13166
- Update org.jetbrains.kotlin to 1.8.21 #13169
- Update org.junit.jupiter to 5.9.3 #13171
- Update org.springframework to 6.0.9 #13173
- Update org.springframework.data to 2022.0.6 #13174
- Update reactor-netty to 1.1.7 #13168
- Update Spring Boot to 3.0.6 #13177
- Update spring-ldap-core to 3.0.3 #13175
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.0-RC1
⭐ New Features
- #12811 - compressing simple class name for observation #12955
- Add new DaoAuthenticationProvider constructor #12964
- Add NimbusJwtDecoder#withIssuerLocation #10309
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12993
- Deprecate shouldFilterAllDispatcherTypes #12138
- Document in the reference how to migrate to lambda #12628
- Documentation should mention that an empty SecurityContext should also be saved #12942
- Don't use raw xml saml authentication request for response validation #12962
- Ensure access token isn't resolved from query for form-encoded requests #12990
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12933
- Remove OpenSaml deprecation warnings #12947
- Replace deprecated OpenSaml methods #12948
- We should deprecate .and() along with non lambda DSL methods #12629
🪲 Bug Fixes
- Fix a javadoc typo in ReactiveAuthorizationManager #13001
- Fix a javadoc typo in ReactiveAuthorizationManager #12984
- Fix documentation code block bug. #12981
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12920
- MessageMatcherDelegatingAuthorizationManager not extracting path variables for authorization context #12924
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13006
- Observation Spans are not nested correctly in Webflux #12934
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12937
🔨 Dependency Upgrades
- Update reactor-netty to 1.1.6 #13047
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.3
⭐ New Features
- Add new DaoAuthenticationProvider constructor #12874
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12992
- Documentation should mention that an empty SecurityContext should also be saved #12941
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12932
- Incomplete documentation regarding Hierarchical roles. #12766
- Remove deprecated SecurityContextPersistenceFilter from docs #12690
🪲 Bug Fixes
- @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12780
- Broken links in form login section of docs #12822
- chore: typo, removed extra "s" in word implementationss #12882
- EntityId ignored in xml relying-party-registration #12777
- Fix a javadoc typo in ReactiveAuthorizationManager #13000
- Fix a javadoc typo in ReactiveAuthorizationManager #12983
- Fix broken links in form login section #12823
- Fix docs typo #12745
- Fix documentation code block bug. #12980
- Fix typo architecture.adoc #12851
- fix typo in RequestCacheResultMatcher #12814
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12919
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12767
- MessageMatcherDelegatingAuthorizationManager not extracting path variables for authorization context #12540
- Missing spring-security-oauth2 xsds after release #12806
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13005
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12829
- Observation Spans are not nested correctly in Webflux #12849
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #13055
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12936
- Spring Security 6.0.2 ObservationFilterChainDecorator produce wrong instrument names #12811
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12836
🔨 Dependency Upgrades
- Update assertj-core to 3.24.2 #13038
- Update io.projectreactor to 2022.0.6 #13034
- Update io.spring.javaformat to 0.0.38 #13036
- Update logback-classic to 1.4.6 #13030
- Update maven-resolver-provider to 3.8.8 #13037
- Update micrometer-observation to 1.10.6 #13032
- Update mockk to 1.13.5 #13033
- Update org.eclipse.jetty to 11.0.15 #13039
- Update org.springframework to 6.0.8 #13041
- Update org.springframework.data to 2022.0.5 #13042
- Update reactor-netty to 1.1.6 #13035
- Update slf4j-api to 2.0.7 #13040
- Update spring-ldap-core to 3.0.2 #13043
- Update unboundid-ldapsdk to 6.0.8 #13031
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.3
⭐ New Features
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12991
- Document 5.8 Migration for DefaultMethodSecurityExpressionHandler #12356
- Documentation should mention that an empty SecurityContext should also be saved #12906
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12928
- Fixed test in DefaultLoginPageGeneratingFilterTests #12694
🪲 Bug Fixes
- Bug in documentation of Storing the Authentication manually #12850
- DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873
- EntityId ignored in xml relying-party-registration #12776
- Fix .access(...) parameter #12676
- Fix a javadoc typo in ReactiveAuthorizationManager #12999
- Fix a javadoc typo in ReactiveAuthorizationManager #12982
- Fix ID of WebSocket Authorization section #12872
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12314
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12472
- Missing spring-security-oauth2 xsds after release #12805
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13004
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #13054
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12935
- SecurityWebApplicationInitializer.getSecurityDispatcherTypes example is wrong in migration guide #12939
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12835
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13024
- Update io.projectreactor to 2020.0.31 #13022
- Update io.spring.javaformat to 0.0.38 #13025
- Update logback-classic to 1.2.12 #13021
- Update org.eclipse.jetty to 9.4.51.v20230217 #13026
- Update org.springframework to 5.3.27 #13027
- Update org.springframework.data to 2021.2.10 #13028
- Update org.springframework.data to 2021.2.11 #13029
- Update reactor-netty to 1.0.31 #13023
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.8
⭐ New Features
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #6597
- Document relationship between registrationId, EntityID, and resolving a relying party #12764
🪲 Bug Fixes
- Add test to SimpleUrlAuthenticationSuccessHandlerTests #12740
- Avoid NPE in FilterInvocation #12922
- EntityId ignored in xml relying-party-registration #11898
- Fix a javadoc typo in ReactiveAuthorizationManager #12998
- Fix a javadoc typo in ReactiveAuthorizationManager #12978
- Fix typo in SessionManagementConfigurer javadoc #12820
- Missing spring-security-oauth2 xsds after release #12804
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #12960
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #12664
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12834
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13016
- Update io.projectreactor to 2020.0.31 #13014
- Update logback-classic to 1.2.12 #13013
- Update org.eclipse.jetty to 9.4.51.v20230217 #13017
- Update org.springframework to 5.3.27 #13018
- Update org.springframework.data to 2021.2.11 #13019
- Update reactor-netty to 1.0.31 #13015
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.0-M2
⭐ New Features
- Add RelayState Customizer to SAML Logout #12582
- Add saml2Metadata to the DSL #11828
- Allow configuring SecurityContextRepository for BasicAuthenticationFilter #12031
- Allow Relying Party to be Deduced from LogoutRequest #12843
- Allow UserBuilder to easily build a user without any authorities #12533
- Cookie no support for field 'version' and 'comment' #12454
- Copies of RelyingPartyRegistration should preserve custom fields #12841
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12684
- Extract placeholder resolution from DefaultRelyingPartyRegstrationResolver #12842
- Incomplete documentation regarding Hierarchical roles. #12784
- Move classpath checks to class member variable #12640
- move code comment to callout #12536
- NimbusReactiveJwtDecoder support mono chain #12521
- Polish DefaultLoginPageGeneratingFilter #12657
- Propagate match results in OrRequestMatcher and AndRequestMatcher #12847
- Re-add support for CAS #11674
- Relax final method implementations on AbstractRememberMeServices #12145
- RelyingPartyRegistrationRepository should support lookup by asserting party entity id #12848
- Remove deprecated SecurityContextPersistenceFilter from docs #12809
- Restore CAS module and update it for cas-client-core 4.0.0 #12362
- Revisit Session Management Documentation #12681
- Rewrite AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl logic for clarity #12468
- SAML 2.0 metadata endpoint should return all relying parties when none is given #12846
- Saml2MetadataResolver should accept multiple relying parties and create an EntitiesDescriptor #12844
- Support Device Authorization Response #12852
- Support LogoutRequest when already logged out #12845
- Update javadoc in EnableWebSecurity #12613
- Use a custom authentication type for CAS #12304
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12593
- @EnableReactiveMethodSecurity causes premature initialization of the ObservationRegistry and prevents it from being post-processed #12781
- A typo in form login doc #12730
- Broken links in form login section of docs #12839
- Document XMLObject retreival for Asserting Party metadata #12800
- EntityId ignored in xml relying-party-registration #12778
- Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12594
- Fix image in servlet architecture docs section #12609
- Fix javadox typo #12643
- fix missing semi-colon java example in observability documentation #12761
- fix typo and update javadoc in AbstractAuthenticationFilterConfigurer #12634
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12621
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12768
- Missing spring-security-oauth2 xsds after release #12807
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12625
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator$AroundWebFilterObservation$SimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12831
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12688
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12641
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12837
- Typo in Authentication Migrations page #12660
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12626
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin #12669
- Update hibernate-core to 6.1.7.Final #12898
- Update httpclient to 4.5.14 #12894
- Update io.projectreactor to 2022.0.5 #12890
- Update io.spring.javaformat to 0.0.38 #12891
- Update io.spring.nohttp to 0.0.11 #12892
- Update jackson-bom to 2.14.2 #12886
- Update jakarta.servlet.jsp-api to 3.1.1 #12893
- Update junit-bom to 5.9.2 #12900
- Update logback-classic to 1.4.6 #12885
- Update maven-resolver-provider to 3.8.8 #12895
- Update micrometer-observation to 1.10.5 #12888
- Update mockk to 1.13.4 #12889
- Update org.aspectj to 1.9.19 #12896
- Update org.eclipse.jetty to 11.0.14 #12897
- Update org.jetbrains.kotlin to 1.8.20-RC #12899
- Update org.springframework to 6.0.7 #12902
- Update org.springframework.data to 2022.0.3 #12903
- Update slf4j-api to 2.0.7 #12901
- Update spring-ldap-core to 3.0.1 #12904
- Update spring-ldap-core to 3.0.1 #12727
- Update to Kotlin 1.8.10 #12788
- Update unboundid-ldapsdk to 6.0.8 #12887
❤️ Contributors
We'd like to thank all the contributors who worked on this release!