6.5.0

⭐ New Features

• Add documentation for DPoP support #17072
• Add logging to CsrfTokenRequestHandler implementations #16994
• Add mapping for DPoP in DefaultMapOAuth2AccessTokenResponseConverter #16806
• Bump Gradle Wrapper from 8.13 to 8.14 #17018
• ClientRegistrations.fromIssuerLocation does not include failure information #17015
• Fix Typo In SubjectDnX509PrincipalExtractorTests #16997
• Implement internal cache in JtiClaimValidator #17107
• Polish javadoc #16924
• Remove unused classes #16935
• Replace NimbusOpaqueTokenIntrospector with SpringOpaqueTokenIntrospector in Documentation #16962
• RequestHeaderAuthenticationFilter creates a session even if not configured to do so #17147

🪲 Bug Fixes

• Add FunctionalInterface To X509PrincipalExtractor #16952
• Change NonNull import from reactor to spring #16571
• Fix DPoP jkt claim to be JWK SHA-256 thumbprint #17080
• Minor error in the Handling Logouts documentation #17049
• SecurityAnnotationScanner's method comparison should use .equals #17145
• Use proper configuration key in Opaque Token documentation #17014

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #17069
• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.19.0 #16995
• Bump com.google.code.gson:gson from 2.13.0 to 2.13.1 #16990
• Bump com.webauthn4j:webauthn4j-core from 0.29.0.RELEASE to 0.29.1.RELEASE #17024
• Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #17095
• Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #17096
• Bump io.mockk:mockk from 1.14.0 to 1.14.2 #17019
• Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #17111
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #17040
• Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #17088
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #16761
• Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #17089
• Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #17105
• Bump org.seleniumhq.selenium:selenium-java from 4.31.0 to 4.32.0 #17037
• Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #16981
• Bump org.springframework.data:spring-data-bom from 2024.1.5 to 2024.1.6 #17137
• Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #17124

🔩 Build Updates

• Release 6.5.0 #17138

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dkowis, @franticticktick, @hammadirshad, @jearton, @ngocnhan-tran1996, @quaff, and @yybmion

6.4.6

⭐ New Features

• Bump Gradle Wrapper from 8.13 to 8.14 #17017
• ClientRegistrations.fromIssuerLocation does not include failure information #17016
• RequestHeaderAuthenticationFilter creates a session even if not configured to do so #17146

🪲 Bug Fixes

• Clear Site Data references non-existent constructor #17034
• Ensure Serializable Components Have Serialization Sample #17038
• Minor error in the Handling Logouts documentation #17048
• NPE in BaseOpenSamlAuthenticationProvider #17008
• SecurityAnnotationScanner's method comparison should use .equals #17143
• StrictFirewallServerWebExchange should still protect when request is mutated #17032
• Use proper configuration key in Opaque Token documentation #17013

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #17065
• Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #17094
• Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #17110
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #17042
• Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #17086
• Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #17087
• Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #17103
• Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #16983
• Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #17121

🔩 Build Updates

• Release Security 6.4.6 #17139

6.5.0-RC1

⭐ New Features

• Add AuthenticationEntryPoint for DPoP #16900
• Add DestinationPathPatternMessageMatcher #16635
• Add link to docs zip file to the reference #16800
• Add MatchResult to MessageMatcher #16766
• Add not null validation for UserDetailsChecker in AbstractUserDetailsAuthenticationProvider #16710
• Add RelayState-based Authentication Request Respository #14793
• Add request_uri in OAuth2ParameterNames #16947
• Add support for access token in body parameter as per rfc 6750 Sec. 2.2 #15819
• Add Support Postgres To JdbcUserCredentialRepository #16839
• Add support ResolvableTypeProvider to AuthorizationEvent #16762
• Add toString to IpAddressMatcher #16818
• Add XML support for HttpsRedirectFilter #16775
• Allow retrieving username from SAML Assertion Attributes #12136
• Deprecate ConfigAttribute #16774
• Deprecate SecurityConfig #16773
• Deprecate SecurityMetadataSource and implementations #16772
• Deprecate usages of PathMatcher in Web Socket support #16500
• Ensure ID Token is updated after refresh token #16589
• Explain behaviour with XMLHttpRequest on 401 response #16280
• Fix attribute name in http.adoc #16790
• Improve entity fetching from db #16727
• Include AuthenticationRequest in AuthenticationException #16505
• Jackson deserialization of ClientAuthenticationMethods should recognize all values #16826
• Make DPoP IatClaimValidator public to allow configuring clock and clockSkew #16921
• Method Security templates support use deep non-aliased attributes #16550
• OAuth2 Client Authentication section of docs uses deprecated classes #16925
• PathPatternRequestMatcher Include Optional Servlet Path in the pattern #16765
• Polish Pattern Matching Usage #16493
• Prepare oauth2-client deprecations for removal in Spring Security 7 #16913
• Prepare Request Matching for Spring Framework Changes #16417
• Prevent downgraded usage of DPoP-bound access tokens #16937
• Removed Unnecessary Code in Documentation #16739
• Replace dynamic error message with static "Access Denied" #16528
• Saml2WebSsoAuthenticationFilter should allow requests through when SAMLResponse is absent #16000
• Simplify Response Validation in OpenSaml5AuthenticationProvider #16915
• Support Customizing Set of OpenSAML Validators #15578
• Update HandlerMappingIntrospector Usage in Cache filter support #16536
• Update DeferredCsrfToken to implement Supplier #16905
• Update HandlerMappingIntrospector Usage in CORS support #16657
• Update HandlerMappingIntrospector Usage in CORS support #16501
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16789
• Update test object factories to Tests naming convention #16686
• Use SpringCacheBasedTicketCache in cas.adoc #16847
• Use Tests naming convention for WebAuthn test object factories #16865

  🪲 Bug Fixes

  • [Docs] Broken link on Spring MVC Test Integration page #16791
  • ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16902
  • Annotation templates should pick up deep non-aliased attributes #16312
  • Clarify WebInvocationPrivilegeEvaluator JavaDoc #16788
  • Fix typo and inline code formatting in documentation #16717
  • Fix typo code tag #16740
  • Fix typos Open SAML 5 Javadoc referencing Open SAML 4 #16729
  • Fix WebAuthn saves Anonymous PublicKeyCredentialUserEntity #16821
  • PathPatternRequestMatcher should not fail when the RequestPath cache is empty #16796
  • Polish Documentation #16835
  • Polish javadoc #16908
  • RequestMatcherDelegatingWebInvocationPrivilegeEvaluator fails with PathPatternRequestMatcher #16771
  • Restore Migration and Preparation Steps #16873
  • Typo in Base64StringKeyGenerator exception message #16868
  • Update kotlin.adoc to add required spread operator(*) #16859
  • WebFlux reference links to Servlet docs #16792
  • XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16845

  🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16768
  • Bump com.google.code.gson:gson from 2.12.1 to 2.13.0 #16930
  • Bump com.webauthn4j:webauthn4j-core from 0.28.6.RELEASE to 0.29.0.RELEASE #16864
  • Bump Gradle Wrapper from 8.10.2 to 8.13 #16648
  • Bump io.freefair.gradle:aspectj-plugin from 8.13 to 8.13.1 #16823
  • Bump io.micrometer:context-propagation from 1.1.2 to 1.1.3 #16932
  • Bump io.micrometer:micrometer-observation from 1.14.5 to 1.14.6 #16933
  • Bump io.mockk:mockk from 1.13.17 to 1.14.0 #16917
  • Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16943
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16918
  • Bump org-aspectj from 1.9.22.1 to 1.9.23 #16737
  • Bump org-aspectj from 1.9.22.1 to 1.9.24 #16931
  • Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final #16897
  • Bump org.htmlunit:htmlunit from 4.11.0 to 4.11.1 #16831
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.1 to 1.10.2 #16910
  • Bump org.junit:junit-bom from 5.12.1 to 5.12.2 [#16929](https://git...

6.4.5

⭐ New Features

• Add link to docs zip file to the reference #16799
• Fix attribute name in http.adoc #16784
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16783

🪲 Bug Fixes

• [Docs] Broken link on Spring MVC Test Integration page #16785
• ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16901
• Clarify WebInvocationPrivilegeEvaluator JavaDoc #16782
• CookieServerCsrfTokenRepository.withHttpOnlyFalse() ineffective if setCookieCustomizer() is used #16862
• Correct closing tag in default PassKey HTML form #16601
• Fix WebAuthn saves Anonymous PublicKeyCredentialUserEntity #16606
• OpenSaml support should preserve encrypted elements for further analysis #16367
• Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #16837
• WebFlux reference links to Servlet docs #16786
• XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16844

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16767
• Bump io.micrometer:micrometer-observation from 1.14.5 to 1.14.6 #16938
• Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16944
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16919
• Bump org-aspectj from 1.9.22.1 to 1.9.24 #16928
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #16758
• Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final #16895
• Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #16960
• Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #16959

🔩 Build Updates

• Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20 #16894
• Release 6.4.5 #16972

❤️ Contributors

Thank you to all the contributors who worked on this release:

@AB-xdev, @Borghii, and @dependabot[bot]

6.3.9

⭐ New Features

• Add link to docs zip file to the reference #16798
• Clarify WebInvocationPrivilegeEvaluator JavaDoc #16548
• Fix attribute name in http.adoc #16776
• Fix Spring Framework reference link #16718
• Fix WebFlux authentication reference link #16719
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16555

🪲 Bug Fixes

• Do not validate parameters in ServerBearerTokenAuthenticationConverter and DefaultBearerTokenResolver if not enabled #16039
• Fix the request matcher patterns in the documentation #16713
• setCookieCustomizer should not reset withHttpOnlyFalse httpOnly setting #16822
• Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #16834
• Use correct message prompt in AuthorizeReturnObjectMethodInterceptor constructor #16829
• XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16801

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16769
• Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16942
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16916
• Bump org-aspectj from 1.9.22.1 to 1.9.24 #16927
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #16759
• Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #16957
• Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19 #16958

🔩 Build Updates

• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #16809
• Release 6.3.9 #16973

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Bragolgirith, @dependabot[bot], @jonah1und1, @kse-music, and @ngocnhan-tran1996

6.5.0-M3

⭐ New Features

• Add HttpsRedirectFilter #16678
• Add BadCredentialsException to OneTimeTokenAuthenticationProvider #16506
• Add customizable RowMappers for user details and authorities in JdbcUserDetailsManager #16561
• Add JwtAudienceValidator #16682
• Add page section to migration-7 #16663
• Add PathPatternRequestMatcher #16499
• Add PathPatternRequestMatcher #16429
• Add SingleResultAuthorizationManager #16612
• Add support for automatic context-propagation with Micrometer #16665
• Add Support ServerFormPostRedirectStrategy #16551
• Add Type Validator #16672
• Allow at+jwt, according to RFC-9068 #13186
• Deprecate ChannelDecisionManager and components #16681
• Deprecate ChannelSecurityConfigurer and components #16680
• JwtDecoders should support issuer hostnames containing underscores #15853
• Make DefaultOneTimeToken Serializable #16618
• Polish AbstractAuthenticationTargetUrlRequestHandler #16557
• Refactored Http403ForbiddenEntryPoint to use HttpStatus.FORBIDDEN.value #16616
• Replace HttpSecurity#requiresChannel with HttpSecurity#redirectToHttps #16679
• Use PortResolver Beans by Default #16664

🪲 Bug Fixes

• Add missing migration-7/web.adoc to nav.adoc #16661
• Add testRuntimeOnly junit-platform-launcher #16757
• Disable Flaky WebAuthnWebDriverTests #16754
• Fix JdbcUserCredentialRepository Save #16621
• Fix ordering for security filter configuration #16558
• Fix source type of migration-7/web.adoc #16662

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 #16654
• Bump com.fasterxml.jackson:jackson-bom from 2.18.2 to 2.18.3 #16689
• Bump com.webauthn4j:webauthn4j-core from 0.28.5.RELEASE to 0.28.6.RELEASE #16690
• Bump io.freefair.gradle:aspectj-plugin from 8.12.2.1 to 8.13 #16723
• Bump io.micrometer:micrometer-observation from 1.14.4 to 1.14.5 #16716
• Bump io.mockk:mockk from 1.13.16 to 1.13.17 #16674
• Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16 #16722
• Bump org.hibernate.orm:hibernate-core from 6.6.10.Final to 6.6.11.Final #16745
• Bump org.htmlunit:htmlunit from 4.9.0 to 4.10.0 #16639
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.23 to 4.34.1 #16671
• Bump org.junit:junit-bom from 5.11.4 to 5.12.0 #16643
• Bump org.junit:junit-bom from 5.11.4 to 5.12.1 #16744
• Bump org.mockito:mockito-bom from 5.16.0 to 5.16.1 #16746
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.28.0 to 4.29.0 #16641
• Bump org.seleniumhq.selenium:selenium-java from 4.28.1 to 4.29.0 #16625
• Bump org.slf4j:slf4j-api from 2.0.16 to 2.0.17 #16653
• Bump org.springframework:spring-framework-bom from 6.2.3 to 6.2.4 #16736

🔩 Build Updates

• Bump @springio/antora-extensions from 1.14.2 to 1.14.4 in /docs #16636
• Deprecate PortResolver #15972

❤️ Contributors

Thank you to all the contributors who worked on this release:

@big-cir, @bodograumann, @dependabot[bot], @franticticktick, @jzheaux, @matthewgreene, @vpavic, @yelm-212, and @ymajoros

6.4.4

🪲 Bug Fixes

• Add testRuntimeOnly junit-platform-launcher #16756
• Align Method Traversal Algorithm with Spring Framework #16751
• Disable Flaky WebAuthnWebDriverTests #16753
• Fix @PostResult example in method-security doc #16628
• Grammar Fixes in OAuth 2.0 JavaDoc #16619

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 #16649
• Bump com.fasterxml.jackson:jackson-bom from 2.18.2 to 2.18.3 #16692
• Bump com.webauthn4j:webauthn4j-core from 0.28.5.RELEASE to 0.28.6.RELEASE #16691
• Bump io.micrometer:micrometer-observation from 1.14.4 to 1.14.5 #16715
• Bump io.mockk:mockk from 1.13.16 to 1.13.17 #16675
• Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16 #16725
• Bump org.hibernate.orm:hibernate-core from 6.6.10.Final to 6.6.11.Final #16748
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.23 to 4.33.24 #16669
• Bump org.slf4j:slf4j-api from 2.0.16 to 2.0.17 #16650
• Bump org.springframework.data:spring-data-bom from 2024.1.3 to 2024.1.4 #16749
• Bump org.springframework:spring-framework-bom from 6.2.3 to 6.2.4 #16733

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kuba15, @dependabot[bot], and @pat-mccusker

6.3.8

🪲 Bug Fixes

• Add testRuntimeOnly junit-platform-launcher #16755
• Fix typo security-api-url attribute in faq.adoc #16633
• Security SpEL Expressions Should Propagate AuthorizationDeniedException from Proxied Objects #16697

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 #16651
• Bump io.mockk:mockk from 1.13.16 to 1.13.17 #16676
• Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16 #16724
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.23 to 4.33.24 #16670
• Bump org.slf4j:slf4j-api from 2.0.16 to 2.0.17 #16652
• Bump org.springframework.data:spring-data-bom from 2024.0.9 to 2024.0.10 #16747
• Bump org.springframework:spring-framework-bom from 6.1.17 to 6.1.18 #16735

🔩 Build Updates

• Bump @springio/antora-extensions from 1.14.2 to 1.14.4 in /docs #16637

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot] and @ngocnhan-tran1996

6.5.0-M2

⭐ New Features

• Add FormPostRedirectStrategy to enable POST OIDC Logout #16214
• Add HttpStatusAccessDeniedHandler #16502
• Add support for OAuth 2.0 Demonstrating Proof of Possession (DPoP) #16574
• Add Support GenerateOneTimeTokenRequestResolver #16297
• Add Support ServerGenerateOneTimeTokenRequestResolver #16489
• Consistently NonNull annotation #16587
• Consistently Spring Security javadocs #16586
• Display default login page with only one-time token login #16414
• Generic error message in Log In page and debug messages #16575
• Lazily compose debug message in AbstractUserDetailsAuthenticationProv… #16513
• Make PublicKeyCredentialRequestOptions Serializable #16438
• One time token authentication filter should be its own class #16539
• One Time Token login registers the default login page #16480
• Polish OneTimeTokenLoginConfigurer #16468
• Refactor authorization manager variable naming #16559
• Remove Deprecated Usages of RemoteJWKSet #16537
• Support JWK Selection Strategy in NimbusJwtEncoder #16570
• Update DelegatingPasswordEncoder.java #16479
• Update reference Spring Framwork links #16564
• Update settings.gradle to correct the behavior if creating a new subproject with default buildFile name #16387
• Update UsernameNotFoundException message #16508

🪲 Bug Fixes

• Fix javadoc typo onResponseCommmitted-> onResponseCommitted #16535
• Fix loader has changed while resolving nodes in WebAuthnWebDriverTests #16464
• Fix RestClient Documentation Header #16562
• Fix serializeCurrentVersionClasses #16443
• Fixed assertion in DefaultGenerateOneTimeTokenRequestResolver #16507
• GenerateOneTimeTokenWebFilter triggers double execution of the downstream WebFilterChain #16465
• Implement Serializable for WebAuthnAuthentication #16474
• Misconfigured OAuth2LoginAuthenticationFilter when combining OAuth2 login and OAuth2 client configuration #16467
• OTT Should Use non-static member to capture the last OneTimeToken #16472
• OTT Tests should use mocks instead of comparing expires #16515

🔨 Dependency Upgrades

• Bump com.github.ben-manes:gradle-versions-plugin from 0.51.0 to 0.52.0 #16475
• Bump com.google.code.gson:gson from 2.12.0 to 2.12.1 #16511
• Bump com.nimbusds:oauth2-oidc-sdk from 9.43.5 to 9.43.6 #16593
• Bump com.webauthn4j:webauthn4j-core from 0.28.4.RELEASE to 0.28.5.RELEASE #16522
• Bump esbuild from 0.23.0 to 0.25.0 in /javascript #16580
• Bump io.freefair.gradle:aspectj-plugin from 8.12 to 8.12.1 #16531
• Bump io.micrometer:micrometer-observation from 1.14.3 to 1.14.4 #16568
• Bump io.projectreactor:reactor-bom from 2023.0.14 to 2023.0.15 #16578
• Bump io.rsocket:rsocket-bom from 1.1.4 to 1.1.5 #16532
• Bump org.hibernate.orm:hibernate-core from 6.6.7.Final to 6.6.8.Final #16609
• Bump org.htmlunit:htmlunit from 4.8.0 to 4.9.0 #16469
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.27.0 to 4.28.0 #16476
• Bump org.seleniumhq.selenium:selenium-java from 4.28.0 to 4.28.1 #16477
• Bump org.springframework.data:spring-data-bom from 2024.1.2 to 2024.1.3 #16608
• Bump org.springframework.ldap:spring-ldap-core from 3.2.10 to 3.2.11 #16592
• Bump org.springframework:spring-framework-bom from 6.2.2 to 6.2.3 #16591
• Bump serialize-javascript and mocha in /javascript #16581

🔩 Build Updates

• Add GenerateOneTimeTokenFilterTests #16327
• Add TestBytes #16462
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.14 to 1.0.0-alpha.16 in /docs #16518

❤️ Contributors

Thank you to all the contributors who worked on this release:

@ChristianHoesel, @Kehrlann, @LiYing2010, @Tejas-Teju, @big-cir, @candrews, @dependabot[bot], @douxiaofeng99, @earlgrey02, @franticticktick, @guesshe, @jgrandja, @kse-music, @kwondh5217, @ngocnhan-tran1996, @patpatpat123, and @plll0123

6.4.3

⭐ New Features

• Add Support disableDefaultRegistrationPage to WebAuthnDsl #16395

🪲 Bug Fixes

• withValue used incorrectly #16527
• Fix for JdbcOneTimeTokenService cleanupExpiredTokens failing with PostgreSQL #16344
• Fix GenerateOneTimeTokenWebFilter double publish of chain.filter(...) #16459
• Fix Kotlin DSL webAuthn { } #16338
• Fix loader has changed while resolving nodes in WebAuthnWebDriverTests #16463
• Fix logoutRequestRepository not set on Saml2RelyingPartyInitiatedLogoutSuccessHandler #16310
• Implement Serializable for WebAuthnAuthentication #16285
• Make AuthorizationDecision Serializable #16544
• Make PublicKeyCredentialRequestOptions Serializable Backport #16584
• Make Saml2AuthenticationToken Serializable #16287
• Make WebAuthnAuthentication Serializable #16273
• Make WebAuthnAuthenticationRequestToken Serializable #16602
• Make WebAuthnAuthenticationTokenRequest Serializable #16481
• Misconfigured OAuth2LoginAuthenticationFilter when combining OAuth2 login and OAuth2 client configuration #16466
• OTT Should Use non-static member to capture the last OneTimeToken #16471
• webauthn js should ensure allowCredentials[].id is an ArrayBuffer #16440

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16 #16364
• Bump com.nimbusds:oauth2-oidc-sdk from 9.43.5 to 9.43.6 #16598
• Bump com.webauthn4j:webauthn4j-core from 0.28.4.RELEASE to 0.28.5.RELEASE #16523
• Bump io.micrometer:micrometer-observation from 1.14.3 to 1.14.4 #16565
• Bump io.mockk:mockk from 1.13.14 to 1.13.16 #16399
• Bump io.projectreactor:reactor-bom from 2023.0.14 to 2023.0.15 #16576
• Bump io.rsocket:rsocket-bom from 1.1.4 to 1.1.5 #16534
• Bump org.hibernate.orm:hibernate-core from 6.6.7.Final to 6.6.8.Final #16610
• Bump org.junit:junit-bom from 5.11.3 to 5.11.4 #16292
• Bump org.springframework.data:spring-data-bom from 2024.1.2 to 2024.1.3 #16611
• Bump org.springframework.ldap:spring-ldap-core from 3.2.10 to 3.2.11 #16597
• Bump org.springframework:spring-framework-bom from 6.2.2 to 6.2.3 #16599
• Update to oauth2-oidc-sdk 9.43.5 #16583

🔩 Build Updates

• Add TestBytes #16461
• Troubleshoot missing GChat notifications #16424

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann, @NeoTraveler, @dependabot[bot], @franticticktick, @making, and @ngocnhan-tran1996