Releases: spring-projects/spring-security
5.7.6
⭐ New Features
- Improve deprecation notice in WebSecurityConfigurerAdapter #12260
- Replace deprecated set-state set-output GitHub Action's commands #12297
🪲 Bug Fixes
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12407
- Fix AuthorizationFilter diagram in docs #12285
- Incorrect scope map fix #12205
- SAML logout: Incorrect log messages #12208
- Saml2MetadataFilter response should configure writer to UTF-8 #12221
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12125
- Update the RP-initiated Logout links #12121
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12153
- Update Gradle to 7.5.1 #12157
- Update hibernate-entitymanager to 5.6.14.Final #12397
- Update httpclient to 4.5.14 #12395
- Update io.projectreactor to 2020.0.26 #12393
- Update jackson-bom to 2.13.4.20221013 #12391
- Update jackson-databind to 2.13.4.2 #12392
- Update org.eclipse.jetty to 9.4.50.v20221201 #12396
- Update org.springframework to 5.3.24 #12398
- Update org.springframework.data to 2021.2.6 #12399
- Update reactor-netty to 1.0.26 #12394
5.6.10
⭐ New Features
- Replace deprecated set-state set-output GitHub Action's commands #12032
- update generateAntora task to make prereleases unique #12083
🪲 Bug Fixes
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12090
- docs: fix realm typo #12120
- Fix AuthorizationFilter diagram in docs #12274
- Fix typo in DefaultLoginPageConfigurer Javadoc #12311
- Fix typo on opaque-token.adoc #12114
- Fix: Replace tenantRepository with tenants #12269
- Incorrect scope map fix #12144
- OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #12295
- Outdated example in Javadoc of UrlAuthorizationConfigurer #11487
- Saml2MetadataFilter response should configure writer to UTF-8 #12026
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #3065
- Update the RP-initiated Logout links #12081
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12152
- Update Gradle to 7.5.1 #11779
- Update hibernate-entitymanager to 5.6.14.Final #12388
- Update httpclient to 4.5.14 #12386
- Update io.projectreactor to 2020.0.26 #12384
- Update jackson-bom to 2.13.4.20221013 #12381
- Update jackson-databind to 2.13.4.2 #12382
- Update mockk to 1.12.8 #12383
- Update org.eclipse.jetty to 9.4.50.v20221201 #12387
- Update org.springframework to 5.3.24 #12389
- Update org.springframework.data to 2021.1.10 #12390
- Update reactor-netty to 1.0.26 #12385
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.0
⏪ Breaking Changes
- CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
- Register FilterChainProxy for all dispatcher types #12180
⭐ New Features
- Add test runtime hints for annotations using @WithSecurityContext #12215
- Add WebTestUtils test runtime hints #12216
- Align with Servlet API 6 #12146
- Document Configure Default SessionAuthenticationStrategy #12192
- Document DelegatingSecurityContextRepository #12185
- Improve deprecation notice in WebSecurityConfigurerAdapter #12262
- Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #12234
- Migration guide for the removal of CAS #12163
- Polish Span and Meter Names #12225
- Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
- Restructure 6.0 Migration Guide #12242
- Support Jakarta WebSocket 2.1 #12148
🪲 Bug Fixes
- CsrfAuthenticationStrategy does not check for existing token #12241
- Ensure instrumentation names align with semantic conventions #12156
- Incorrect scope map fix #12207
- SAML logout: Incorrect log messages #12210
- Saml2MetadataFilter response should configure writer to UTF-8 #12223
🔨 Dependency Upgrades
- Update micrometer-observation to 1.10.1 #12250
- Update org.springframework to 6.0.0 #12255
- Update org.springframework.data to 2022.0.0 #12256
- Update r2dbc-h2 to 1.0.0.RELEASE #12251
- Update slf4j-api to 2.0.4 #12254
- Update spring-ldap-core to 3.0.0 #12257
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0
⭐ New Features
- Add Kotlin example showing integration with WebTestClient #11611
- Add MethodExpressionAuthorizationManager #11502
- Add Polish localization to error messages from ExceptionTranslationFi… #12201
- Add support AuthorizationManager + #11503
- AnonymousAuthenticationFilter should cache its Supplier #11900
- CookieServerCsrfTokenRepository doesn't support setting MaxAge #11441
- DefaultFilterChainValidator should check AuthorizationFilter #11473
- Deprecate Resource Owner Password Credentials grant #11591
- Document Configure Default CsrfToken BREACH Protection #12107
- Document Defer load CsrfToken #12105
- Document DelegatingSecurityContextRepository #12069
- Document deprecations in oauth2-client #12193
- Document how to opt-in for SHA256 in RememberMe #12097
- Document how to use the new requestMatchers and securityMatchers #12100
- Document Migration to SecurityContextHolderFilter #12098
- Document new oauth2Login() authority defaults #12188
- Document reactive CSRF migration steps #12226
- Document Saved Requests Spring Security 6 Migration #12089
- Document Update to 5.8 for Migration Guide #12196
- Fix Javadoc in EnableWebSocketSecurity #12211
- Improve deprecation notice in WebSecurityConfigurerAdapter #12261
- InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11469
- Migration guide for CAS support removal #12240
- Preparation and Migration Guides should point to each other #12093
- Preparation Guide should follow Reference Manual standards #12096
- Preparation Guide should show opt-out steps after opt-in steps #12104
- Provide guide for migrating from FilterSecurityInterceptor to AuthorizationFilter #11337
- Register FilterChainProxy for All Dispatcher Types Migration Steps #12186
- SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #11675
- trigger partial docs build on push (5.8.x) #12195
🪲 Bug Fixes
- AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12132
- CsrfAuthenticationStrategy does not check for existing token #12236
- CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12141
- fix deploy docs workflow (5.8.x) #12197
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11424
- Incorrect scope map fix #12206
- IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12076
- org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11604
- SAML logout: Incorrect log messages #12209
- Saml2MetadataFilter response should configure writer to UTF-8 #12222
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12126
- SecurityContextRepository.loadContext(HttpServletRequest) cache result #11391
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11483
- Update the RP-initiated Logout links #12122
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12154
- Update aspectj-plugin to 6.5.0.3 #11583
- Update assertj-core to 3.23.1 #11572
- Update com.nimbusds to 9.38.1 #11570
- Update Gradle to 7.5.1 #12158
- Update hibernate-entitymanager to 5.6.10.Final #11578
- Update hibernate-entitymanager to 5.6.14.Final #12245
- Update hsqldb to 2.7.1 #12246
- Update htmlunit to 2.63.0 #11575
- Update htmlunit-driver to 2.63.0 #11580
- Update io.projectreactor to 2020.0.21 #11567
- Update io.projectreactor to 2020.0.25 #12243
- Update io.spring.javaformat to 0.0.34 #11573
- Update jackson-bom to 2.13.3 #11574
- Update jsonassert to 1.5.1 #11581
- Update junit-bom to 5.9.0-RC1 #11571
- Update mockk to 1.12.4 #11568
- Update org.eclipse.jetty to 9.4.48.v20220622 #11576
- Update org.jetbrains.kotlin to 1.7.10 #11582
- Update org.jetbrains.kotlin to 1.7.21 #12247
- Update org.jetbrains.kotlinx to 1.6.4 #11566
- Update org.springframework to 5.3.22 #11569
- Update org.springframework to 5.3.24 #12248
- Update org.springframework.data to 2021.2.2 #11579
- Update org.springframework.data to 2021.2.6 #12249
- Update reactor-netty to 1.0.25 #12244
- Update spring-ldap-core to 2.4.1 #11577
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.0-RC2
⭐ New Features
- Add release line extension #12078
- Add SpringTestContext.addFilter #12071
- Document Defer load CsrfToken #12106
- Document how to opt-in for SHA256 in RememberMe #12119
- Document how to use the new requestMatchers and securityMatchers #12151
- Document Saved Requests Spring Security 6 Migration #12091
- SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #12149
- sync local-antora-playbook.yml with antora-playbook.yml #12085
🪲 Bug Fixes
- AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12133
- CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12142
- IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12077
- Remove antMatcher usage from Multiple HttpSecurity docs #12150
- SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12127
- Unauthorized when authenticated user is shown an error page #12070
- Update the RP-initiated Logout links #12123
🔨 Dependency Upgrades
- Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12155
- Update Gradle to 7.5.1 #12159
- Update hibernate-core to 6.1.5.Final #12173
- Update hsqldb to 2.7.1 #12174
- Update htmlunit to 2.66.0 #12172
- Update htmlunit-driver to 2.66.0 #12176
- Update io.projectreactor to 2022.0.0 #12170
- Update jackson-bom to 2.14.0 #12166
- Update jackson-databind to 2.14.0 #12167
- Update jackson-datatype-jsr310 to 2.14.0 #12168
- Update micrometer-observation to 1.10.0 #12169
- Update org.jetbrains.kotlin to 1.7.21 #12175
- Update org.springframework to 6.0.0-RC4 #12178
- Update reactor-netty to 1.1.0 #12171
- Update spring-data-jpa to 3.0.0-RC2 #12177
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.5
5.6.9
6.0.0-RC1
⏪ Breaking Changes
- RequestMatcherDelegatingAuthorizationManager should deny when no match #11958
- Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #9429
- BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347
- Default to DelegatingSecurityContextRepository in SecurityContextConfigurer #12049
- Default to Xor CSRF protection #11960
- Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository #11026
- OidcUserAuthority should not automatically include ROLE_USER authority #7856
- Remove deprecated constructors in PasswordEncoders #11985
- Remove deprecated CsrfSpec.tokenFromMultipartDataEnabled #12020
- Remove deprecated CsrfWebFilter.setTokenFromMultipartDataEnabled #12019
- Remove Deprecated OpenSAML 3 Support #11789
- Remove deprecated RequestMatcher methods from Java Configuration #11939
- Remove OpenSAML3 support #10556
- Remove WebSecurityConfigurerAdapter #11923
- Remove WebSecurityConfigurerAdapter #10902
- Resource Server Package Name Inconsistencies #7349
- SAML 2.0 filters should be in the web package #8819
- Update Defaults for Smarter Session Access #11454
- Use MvcRequestMatcher by default if Spring MVC is present #11899
- WebAuthenticationDetails#hashCode often returns zero #4133
- XSS protection should be set to 0 by default per updated OWASP recommendation #9631
⭐ New Features
- Add 'securityMatcher' as an alias of 'requestMatcher' #11945
- Add native hint for OAuth2 Client's schemas #11920
- Add native hint for the users JDBC schema #11907
- Add static factory methods to RequestMatcher implementations #11978
- Add XML support for shouldFilterAllDispatcherTypes #11971
- automatically manage docs version (with collector) #11957
- Change XML default use-authorization-manager="true" #11929
- Default to shouldFilterAllDispatcherTypes=true in XML #11970
- Deprecate HPKP security header #11937
- Enabling authenticationIsRequired to be overridden for custom checks.… #10971
- HttpSecurityConfiguration should configure ContentNegotiationStrategy #11922
- Observability #11906
- SessionManagementDsl.requireExplicitAuthenticationStrategy #11928
- Simplify Java Configuration RequestMatcher Usage #11940
- Smarter HttpSession Access #6125
- Update What's New in 6.0 #12024
🪲 Bug Fixes
- Build fails with missing project property cloneOutputDirectory #11981
- Possible misconfiguration of SecurityContextRepository #12023
- SAML Logout move onload script to body tag #11881
- SecurityContextImpl does not have hints to resolve the Authentication #11987
🔨 Dependency Upgrades
- Update to Spring Data 2022.0.0-RC1 #12066
- Update to Spring LDAP 3.0.0-RC1 #12067
- Upgrade to Update hibernate-core to 6.1.4.Final #12038
- Upgrade to Update htmlunit to 2.65.1 #12039
- Upgrade to Update htmlunit-driver to 2.65.0 #12034
- Upgrade to Update io.spring.javaformat to 0.0.35 #12040
- Upgrade to Update jackson-bom to 2.13.4.20221013 #12042
- Upgrade to Update junit-bom to 5.9.1 #12036
- Upgrade to Update logback-classic to 1.4.4 #12043
- Upgrade to Update mockk to 1.13.2 #12041
- Upgrade to Update org.jetbrains.kotlin to 1.7.20 #12037
- Upgrade to Update org.mockito to 4.8.1 #12035
- Upgrade to Update org.slf4j to 2.0.3 #12033
- Upgrade to Update to Micrometer 1.10.0-RC1 #12046
- Upgrade to Update to Reactor 2022.0.0-RC1 #12045
- Upgrade to Update to Spring Framework 6.0.0-RC1 #12047
- Upgrade Unboundid to 6.0.6 #10210
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.0-RC1
⏪ Breaking Changes
- Make X-Xss-Protection header value configurable in ServerHttpSecurity #11908
⭐ New Features
- Add 'securityMatcher' as an alias of 'requestMatcher' #9159
- Add CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) #11918
- Add csrfTokenRequestHandler to Kotlin DSL #11952
- Add DeferredSecurityContext and DelegatingSecurityContextRepository #12044
- Add opt-in strategy in for Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #11932
- Add reactive support for BREACH to CsrfWebFilter #11959
- Add SecurityContextHolderStrategy to RequestAttributeSecurityContextRepository #11895
- Add static factory method to AntPathRequestMather and RegexRequestMather #11965
- Add static factory methods to RequestMatcher implementations #11938
- Add X-Xss-Protection headerValue to XML config #11936
- Add XML support for shouldFilterAllDispatcherTypes #11492
- automatically manage docs version (with collector) #11956
- Cache Xor CSRF token in supplier #11988
- CSRF tokens are vulnerable to a BREACH attack #4001
- Deprecate AccessDecisionManager and related classes #11302
- Deprecate HPKP security header #10144
- HttpSecurityConfiguration should configure ContentNegotiationStrategy #11916
- ListeningSecurityContextHolderStrategy should work with deferred contexts #11817
- Oauth2 client: Allow deescalating logged ERROR for invalid client registration ID #11344
- Provide common super class for AuthorizationDeniedEvent and AuthorizationGrantedEvent #11972
- SessionManagementDsl.requireExplicitAuthenticationStrategy #11927
- Simplify AuthorizationManager composition #11625
- Simplify Java Configuration RequestMatcher Usage #11347
- Update default configuration for Pbkdf2PasswordEncoder #10489
- Update PasswordEncoder Minimums #10506
- Update What's New for 5.8 #12021
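The BREACH-related entries in this list ("CSRF tokens are vulnerable to a BREACH attack" #4001, "Add reactive support for BREACH to CsrfWebFilter" #11959, "Cache Xor CSRF token in supplier" #11988, and "Default to Xor CSRF protection" #11960 in 6.0.0-RC1) all concern the same idea: a CSRF token that is echoed verbatim into compressed HTML can be recovered byte by byte by a compression side channel, so the value placed in the page is instead the token XORed with a fresh random mask, prefixed by that mask. The following is an added illustration of that masking scheme written for this page; it is not Spring Security's own XorCsrfTokenRequestAttributeHandler code, and the function names, the mask-then-masked layout and the base64 framing are assumptions chosen to show the general shape, not the project's exact wire format.

```python
import base64
import binascii
import secrets
from typing import Optional


def mask_token(token: bytes) -> str:
    """Return a per-response masked encoding of a CSRF token.

    A random mask of the same length as the token is XORed with it and the
    concatenation mask || (mask XOR token) is base64-encoded. Each call yields
    a different string for the same token, so a compression oracle such as
    BREACH has no stable byte sequence to converge on.
    Layout and framing are illustrative assumptions, not Spring's format.
    """
    if not token:
        raise ValueError("token must not be empty")
    mask = secrets.token_bytes(len(token))
    masked = bytes(m ^ t for m, t in zip(mask, token))
    return base64.b64encode(mask + masked).decode("ascii")


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the raw token from a masked value.

    Returns None for anything malformed (bad base64, empty input, or an
    odd-length payload that cannot be split into mask and masked halves)
    so the caller can simply treat it as an invalid token.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) == 0 or len(raw) % 2 != 0:
        return None
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def token_matches(expected: bytes, submitted: str) -> bool:
    """Validate a submitted masked token against the server-side token.

    Unmasks first, then compares in constant time so that a rejected token
    does not leak how many leading bytes were correct.
    """
    actual = unmask_token(submitted)
    if actual is None:
        return False
    return secrets.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample token; a real one would come from the token repository.
    server_token = b"c7f2a9e1-demo-token"
    first = mask_token(server_token)
    second = mask_token(server_token)
    print("same token, different page values:", first != second)
    print("round trip ok:", token_matches(server_token, first))
    print("garbage rejected:", not token_matches(server_token, "not base64!!"))
```

The point of the `% 2` check and the `validate=True` decode is that the masked value arrives from the client, so the unmasking step must fail closed on truncated or tampered input rather than raise or silently compare against a partial token.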
🪲 Bug Fixes
- Build fails with missing project property cloneOutputDirectory #11980
- SAML Logout move onload script to body tag #11879
🔨 Dependency Upgrades
- Update hibernate-entitymanager to 5.6.12.Final #12059
- Update htmlunit to 2.65.1 #12058
- Update htmlunit-driver to 2.65.0 #12064
- Update io.projectreactor to 2020.0.24 #12055
- Update io.spring.javaformat to 0.0.35 #12057
- Update jackson-bom to 2.13.4.20221013 #12052
- Update jackson-databind to 2.13.4.2 #12053
- Update junit-bom to 5.9.1 #12061
- Update mockk to 1.13.2 #12054
- Update org.jetbrains.kotlin to 1.7.20 #12060
- Update org.junit.jupiter to 5.9.1 #12062
- Update org.mockito to 4.8.1 #12063
- Update org.springframework.data to 2021.2.5 #12065
- Update reactor-netty to 1.1.0-M6 #12056
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.4
⭐ New Features
- automatically manage docs version (with collector) #11955
🪲 Bug Fixes
- AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11729
- Build fails with missing project property cloneOutputDirectory #11979
- GitHubMilestoneApiTests due_on Should Use LocalDate #11707
- HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11727
- NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11711
- RemoteJwkSet is not refreshed when encountering an unknown KID #11723
- RequestRejectedHandler does not reliable prevent Internal Server Error #11744
🔨 Dependency Upgrades
- Update Gradle Enterprise plugin to 3.11.1 #11830
- Update hibernate-entitymanager to 5.6.10.Final #11745
- Update hibernate-entitymanager to 5.6.12.Final #12016
- Update io.projectreactor to 2020.0.22 #11743
- Update io.projectreactor to 2020.0.24 #12012
- Update io.rsocket to 1.1.3 #12014
- Update jackson-bom to 2.13.4.20221012 #12008
- Update jackson-databind to 2.13.4.1 #12009
- Update jackson-datatype-jsr310 to 2.13.4 #12010
- Update jsonassert to 1.5.1 #11741
- Update mockk to 1.12.8 #12011
- Update org.eclipse.jetty to 9.4.48.v20220622 #11740
- Update org.eclipse.jetty to 9.4.49.v20220914 #12015
- Update org.springframework to 5.3.22 #11739
- Update org.springframework to 5.3.23 #12017
- Update org.springframework.data to 2021.1.6 #11742
- Update org.springframework.data to 2021.2.4 #12018
- Update reactor-netty to 1.0.24 #12013