Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.6.0-M2
⭐ New Features
- Add converter for authentication result in OAuth2LoginAuthenticationFilter #10041
- Add Saml2AuthenticationRequestRepository #10060
- Add Saml2AuthenticationRequestRepository #9185
- Add SpringOpaqueTokenIntrospector #9354
- Document api changes to OAuth2AccessTokenResponseHttpMessageConverter #10063
- enable customization of headers in AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10131
- Introducing WebSessionServerLogoutHandler #10046
- Move and rename OAuth2IntrospectionClaimAccessor/Names #9647
- OAuth2 - Support customizing OAuth2AuthenticationToken through a single AuthenticationProvider #10033
- Session is not invalidated on logout #8971
- Support customizing headers of a request in AbstractWebClientReactiveOAuth2AccessTokenResponseClient #10130
- Update deprecated usage in reference docs #10132
- Verify Samples in Build #10031
- Verify Samples in Build #9846
🔨 Dependency Upgrades
- Update com.nimbusds to 9.12 #10198
- Update hibernate-entitymanager to 5.5.6 #10202
- Update htmlunit to 2.52.0 #10201
- Update htmlunit-driver to 2.52.0 #10203
- Update io.projectreactor to 2020.0.10 #10199
- Update logback-classic to 1.2.5 #10196
- Update nebula-project-plugin to 8.1.0 #10197
- Update org.slf4j to 1.7.32 #10204
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.2
⭐ New Features
- Consider adding springFrameworkVersion property #10068
- Introduce samplesBranch property #10036
- Use the new springFrameworkVersion property in docs' links #10067
🔨 Dependency Upgrades
- Update com.nimbusds to 9.9.1 #10186
- Update io.projectreactor to 2020.0.10 #10187
- Update jackson-bom to 2.12.4 #10183
- Update jackson-databind to 2.12.4 #10184
- Update jackson-datatype-jsr310 to 2.12.4 #10185
- Update logback-classic to 1.2.5 #10182
- Update org.aspectj to 1.9.7 #10189
- Update org.eclipse.jetty to 9.4.43.v20210629 #10190
- Update org.jetbrains.kotlin to 1.5.21 #10191
- Update org.jetbrains.kotlinx to 1.5.1 #10192
- Update org.slf4j to 1.7.32 #10193
- Update org.springframework to 5.3.9 #10194
- Update org.springframework.data to 2021.0.4 #10195
- Update reactor-netty to 1.0.10 #10188
5.4.8
⭐ New Features
- Remove -PdeployDocsHost=docs-ip.spring.io from Build #10021
🪲 Bug Fixes
- Regression with URL encode client credentials #10126
- AuthenticationFailureEvent does not exist #10107
- Fix a typo in some class names in the oauth documentation #10052
- Fix Saml2WebSsoAuthenticationRequestFilter javadoc #10027
- Update to use s01.oss.sonatype.org Maven Publishing #10015
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #10009
- logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set #9997
🔨 Dependency Upgrades
5.3.11.RELEASE
⭐ New Features
- Remove -PdeployDocsHost=docs-ip.spring.io from Build #10023
🪲 Bug Fixes
- Regression with URL encode client credentials #10127
- AuthenticationFailureEvent does not exist #10108
- Update to use s01.oss.sonatype.org Maven Publishing #10024
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #10010
🔨 Dependency Upgrades
- Update to spring-build-conventions:0.0.38 #10022
5.2.12.RELEASE
🪲 Bug Fixes
- Regression with URL encode client credentials #10128
- Update to use s01.oss.sonatype.org Maven Publishing #10030
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #10012
🔨 Dependency Upgrades
- Update to embedded Tomcat websocket 8.5.69 #10170
- Update to org.aspectj 1.9.7 #10169
- Update to org.slf4j 1.7.32 #10168
- Update to Jetty 9.4.43.v20210629 #10167
- Update to embedded Apache Tomcat 9.0.52 #10166
- Update to jaxb-impl 2.3.5 #10165
- Update to Spring Framework 5.2.16.RELEASE #10164
- Update to Reactor Dysprosium-SR22 #10163
- Update to spring-build-conventions:0.0.23.2.RELEASE #10029
5.6.0-M1
⏪ Breaking Changes
- Client credentials not correctly encoded in Basic Auth #9610
- CookieClearingLogoutHandler cannot delete cookie when servlet context path is set #8846
- spring-security-core depends on spring-security-crypto #9767
⭐ New Features
- Access Token Response supports any data type #9779
- Add AuthenticationDetailsSource to Form Login Kotlin DSL #9837
- Add AuthenticationDetailsSource to OAuth2 Login Kotlin DSL #9838
- Add Kotlin samples to the reference documentation #8172
- Add method authorizeHttpRequests with defaults only #9612
- Add RequestedUrlRedirectInvalidSessionStrategy implemention of InvalidSessionStrategy #9632
- Add SecurityContext to delegating TaskScheduler #9532
- Add support for any data type in Access Token Response #9685
- Allow configuration of AuthenticationManager in saml2Login Kotlin DSL #9905
- Allow multiple security annotations on a method (combining result of evaluations with AND operator) #4003
- Anonymous in ExceptionTranslationWebFilter #9508
- AuthorizationManager + Method Security Support #9289
- Consider adding a link checker to build #9818
- Consider adding springFrameworkVersion property #9954
- DigestAuthenticationFilter decodes nonce only once #8455
- GlobalMethodSecurity and multiple annotation ordering #4103
- HttpSecurity DSL should accept an AuthenticationManager #10040
- HttpSecurityConfigurer should have a no-parameter method for authorizeHttpRequests #9498
- Improve Error Message for Invalid Properties in InMemoryUserDetailsManager #9919
- Improve Error Messages in XsdDocumentedTests #9829
- Include Port in DNS SRV type lookups #9030
- Introduce samplesBranch property #10019
- JWT Kotlin DSL should accept an AuthenticationManager #10045
- Load ReactiveJwtAuthenticationConverter bean in OAuth2 Resource Server config #9699
- Make XsdDocumentedTests Parsing More Lenient #9830
- Mark methodSecurityMetadataSource as infrastructure bean #9860
- Migrate JUnit 4 to 5 #9467
- Multiple Pre or PostAuthorization Annotations #9452
- OpaqueToken Kotlin DSL should accept an AuthenticationManager #10044
- Provide KeyInfo as part of the Signature object when an object is signed #9746
- Remove DependencySetPlugin #10070
- Remove PowerMock Dependency #6025
- Replace < and > with < and > in Javadoc #9847
- SAML docs should encourage OpenSAML 4 usage #10014
- ServerHttpSecurity Kotlin DSL should accept a ReactiveAuthenticationManager #10053
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9912
- Support A Well-Known URL for Changing Passwords #8688
- Support for X509 Certificate in RsaKeyConverters #9736 #9853
- Update to Spring Security 5.6 #9695
- Use GPG_PRIVATE_KEY directly #9776
- Use the new springFrameworkVersion property in docs' links #9987
🔨 Dependency Upgrades
- Update assertj-core to 3.20.2 #10096
- Update com.nimbusds to 9.10.1 #10089
- Update hibernate-entitymanager to 5.5.3.Final #10099
- Update htmlunit to 2.51.0 #10094
- Update htmlunit-driver to 2.51.0 #10102
- Update io.projectreactor to 2020.0.9 #10091
- Update io.rsocket to 1.1.1 #10093
- Update jackson-bom to 2.12.4 #10086
- Update jackson-databind to 2.12.4 #10087
- Update jackson-datatype-jsr310 to 2.12.4 #10088
- Update mockk to 1.12.0 #10090
- Update org.aspectj to 1.9.7 #10095
- Update org.bouncycastle to 1.69 #10097
- Update org.eclipse.jetty to 9.4.43.v20210629 #10098
- Update org.jetbrains.kotlin to 1.5.21 #10100
- Update org.jetbrains.kotlinx to 1.5.1 #10101
- Update org.slf4j to 1.7.31 #10103
- Update org.springframework to 5.3.9 #10104
- Update org.springframework.data to 2021.1.0-M1 #10105
- Update reactor-netty to 1.0.9 #10092
- Update to org.mockito 3.11.2 #10054
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.3.10.RELEASE
⭐ New Features
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9915
🪲 Bug Fixes
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9945
- Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9932
- Adding filters relative to custom ones is broken #9909
- SEC-3139: Anonymous authentication token not passed to Controller #9892
- Clarify quick start section in README #9887
- RSocket and WebClient with Security refCount: 0 #9872
- Client credentials not correctly encoded in Basic Auth #9862
- Docs should state default value for Resource Server validation clock skew is 60 seconds #9850
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9821
- DefaultSpringSecurityContextSource can't handle spaces in baseDn #9808
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9803
- NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9799
- docs.af.pivotal.io->docs-ip.spring.io #9687
- Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #9682
- WebFlux httpBasic() should match on XHR requests #9664
- HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9644
- oauth2Login() generates authorization links for "client_credentials" grant type #9638
5.5.1
⭐ New Features
- Consider adding a link checker to build #9972
- Use Job Outputs to Transmit Error #9928
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9917
- Combine different OS Build in one CI Job #9798
- Use GPG_PRIVATE_KEY directly #9778
🪲 Bug Fixes
- Update links to point to migrated samples #9971
- Add messaging to documentation about sample migration #9970
- Fix broken links in docs #9969
- CORS section is missing in Reactive reference documentation #9952
- RSocket documentation mentions non-existent class #9950
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9941
- Missing log of "caused by" exception when OP document metadata cannot be reached #9939
- Missing support for private_key_jwt in ClientRegistrations #9936
- Allow client registration from issuer uri with no authorize_endpoint #9935
- Missing support for urn:ietf:params:oauth:grant-type:jwt-bearer in ClientRegistrations #9934
- Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9929
- Jwt client authentication converter should detect new key #9927
- Adding filters relative to custom ones is broken #9906
- SEC-3139: Anonymous authentication token not passed to Controller #9890
- Clarify quick start section in README #9885
- RSocket and WebClient with Security refCount: 0 #9870
- spring-security-config kotlin-stdlib-jdk8 dependency isn't optional #9864
- Client credentials not correctly encoded in Basic Auth #9858
- Docs should state default value for Resource Server validation clock skew is 60 seconds #9849
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9819
- DefaultSpringSecurityContextSource can't handle spaces in baseDn #9806
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9805
- NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9801
- Fix Build Scan in Build Windows CI Job #9797
- GitHub Actions only Activated for main #9777
- Artifactory missing mavenJava publication #9774
- spring-security-core depends on spring-security-crypto #9773
🔨 Dependency Upgrades
- Update org.springframework to 5.3.8 #9984
- Update org.slf4j to 1.7.31 #9983
- Update org.jetbrains.kotlin to 1.5.10 #9982
- Update hibernate-entitymanager to 5.4.32.Final #9981
- Update org.eclipse.jetty to 9.4.42.v20210604 #9980
- Update io.rsocket to 1.1.1 #9979
- Remove commons-codec constraint #9977
- Update to OpenSAML 4.1.1 #9976
- Update to nimbus-jose-jwt 9.10 #9975
- Update to oauth2-oidc-sdk 9.9 #9974
5.4.7
⭐ New Features
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9920
🪲 Bug Fixes
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9942
- Missing log of "caused by" exception when OP document metadata cannot be reached #9940
- Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9930
- Adding filters relative to custom ones is broken #9908
- SEC-3139: Anonymous authentication token not passed to Controller #9891
- Clarify quick start section in README #9886
- RSocket and WebClient with Security refCount: 0 #9871
- Client credentials not correctly encoded in Basic Auth #9861
- Docs should state default value for Resource Server validation clock skew is 60 seconds #9848
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9820
- DefaultSpringSecurityContextSource can't handle spaces in baseDn #9807
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9802
- NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9800
- docs.af.pivotal.io->docs-ip.spring.io #9686
- Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #9681
- NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #9674
- WebFlux httpBasic() should match on XHR requests #9662
- HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9643
- oauth2Login() generates authorization links for "client_credentials" grant type #9637
5.2.11.RELEASE
⭐ New Features
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9921
🪲 Bug Fixes
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9948
- Adding filters relative to custom ones is broken #9910
- SEC-3139: Anonymous authentication token not passed to Controller #9893
- Clarify quick start section in README #9888
- RSocket and WebClient with Security refCount: 0 #9873
- URL encode client credentials #9866
- Client credentials not correctly encoded in Basic Auth #9863
- Docs should state default value for Resource Server validation clock skew is 60 seconds #9851
- DefaultSpringSecurityContextSource can't handle spaces in baseDn #9809
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9804
- docs.af.pivotal.io->docs-ip.spring.io #9688
- WebFlux httpBasic() should match on XHR requests #9665
- HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9645
- oauth2Login() generates authorization links for "client_credentials" grant type #9639
🔨 Dependency Upgrades
- Update to Spring LDAP Core 2.3.4.RELEASE #9968
- Update to org.slf4j 1.7.31 #9967
- Update to HSQLDB 2.5.2 #9966
- Update to hibernate-entitymanager 5.4.32.Final #9965
- Update to Jetty 9.4.42.v20210604 #9964
- Update to embedded Apache Tomcat 9.0.48 #9963
- Update to embedded Tomcat websocket 8.5.68 #9962
- Update ehcache to 2.10.9.2 #9961
- Update to jaxb-impl 2.3.4 #9960
- Update to RSocket 1.0.5 #9959
- Update to Spring Framework 5.2.15.RELEASE #9958
- Update to Reactor Dysprosium-SR20 #9957
- Upgrade to nohttp 0.0.8 #9956
❤️ Contributors
We'd like to thank all the contributors who worked on this release!