Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.4.0-RC1
⭐ New Features
- Deprecate CustomUserTypesOAuth2UserService #8908
- Deprecate ClientRegistration.redirectUriTemplate #8906
- Allow for custom ClientRegistration.clientAuthenticationMethod #8903
- Deprecate ImplicitGrantConfigurer #8902
- Remove use of Mono.deferWithContext() #8901
- Consider adding RelyingPartyRegistrationResolver #8887
- Add HttpMessageConverter that constructs a RelyingPartyRegistration #8877
- RelyingPartyRegistration should default the ACS Location #8876
- Update SimpleSaml2AuthenticatedPrincipal class name #8861
- Introduce AuthenticationConverterServerWebExchangeMatcher #8854
- Make class SimpleSaml2AuthenticatedPrincipal public #8852
- Support custom filter in Server Kotlin DSL #8850
- Saml2AuthenticationToken should take a RelyingPartyRegistration #8845
- Wording changes #8832
- -gh 8784 Document improvement for WebSecurityConfigure #8825
- Consider making BearerTokenServerWebExchangeMatcher public and more generic #8824
- Add custom HeaderWriter in Kotlin DSL #8823
- Add Static Factories to Saml2X509Credential #8822
- Allow disabling headers in Kotlin DSL #8816
- Remove need for WebSecurityConfigurerAdapter #8805
- Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
- Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795
- Add Static Factories to Saml2X509Credential #8789
- RelyingPartyRegistration Credentials Should Be Split by Party #8788
- Support custom filter in Server Kotlin DSL #8783
- mongolian translation for messages.properties #8780
- Mongolian translation required for messages.propeperties #8778
- RelyingPartyRegistration should use metadata spec language #8777
- ACS Binding should be in RelyingPartyRegistration #8776
- Remove OpenSamlImplementation #8775
- OpenSamlAuthenticationRequestFactory should use OpenSAML directly #8774
- OpenSamlAuthenticationProvider should use OpenSAML directly #8773
- OpenSAML should get initialized as part of container lifecycle #8772
- SAML Assertion validation fails when OneTimeUse condition is sent from the IdP #8769
- Improve error message when invalid content-type for UserInfo response #8764
- Simplify retrieving Introspection-specific attributes #8740
- Reactive SwitchUserWebFilter for user impersonation #8687
- Change getMethod() to return configured value in SimpleSavedRequest #8675
- gh-8589 Additional Jwt validation debug messages #8665
- Adds cookie based RequestCache #8653
- Missing Reactive SwitchUserWebFilter for user impersonation #8599
- Use String to specify custom HTTP method in mock request #8592
- Add logging #8589
- Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
- SAML Authentication Provider assertions #8471
- Throw exception when specified ldif file does not exist #8434
- SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory #8141
- Add request cache that uses cookie #8034
- No log message or exception if expected ldif file does not exist #7791
🪲 Bug Fixes
- Move RSocket Integration Tests to integration tests #8944
- Fix snapshot build failure related to reactor-netty #8909
- Resolve Bearer token after subscribing to publisher #8894
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8865
- Update README.adoc #8851
- Saml2Error should be in a core package #8835
- Fix #8797: Add OAuth2AuthenticationException to allowlist #8827
- CookieRequestCache "REDIRECT_URI" removed by any request #8820
- use CookieRequestCache something went wrong #8817
- LoginPageGeneratingWebFilter should honor context path #8807
- Fix ProviderManager Javadoc typo #8800
- OAuth2AuthenticationException should be in allowlist #8797
- tutorial uses hasRole but should use hasAuthority #8796
- Saml2WebSsoAuthenticationFilter does not follow standard patterns for request matching. #8768
- Bearer Token Padding #8511
- Resolved bearer token has no padding indicators #8502
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.3.4.RELEASE
⭐ New Features
- Add logging #8888
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8855
- formLogin() does not work with REST Docs #8748
- Use Github Actions PR pipeline and remove Travis for 5.3.x #8724
🪲 Bug Fixes
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8896
- OAuth2AuthenticationException should be in allowlist #8863
- Resolved bearer token has no padding indicators #8837
- Fix ProviderManager Javadoc typo #8811
- LoginPageGeneratingWebFilter should honor context path #8808
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8803
- RoleHierarchy is not used by AbstractAuthorizeTag #8678
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8672
- ReactorContext not available in PayloadSocketAcceptor delegate.accept #8655
🔨 Dependency Upgrades
- Update to spring-build-conventions:0.0.34.RELEASE #8925
- Update to nohttp 0.0.5.RELEASE #8924
- Update to GAE 1.9.81 #8923
- Update to Spring Boot 2.2.9.RELEASE #8922
- Update to spring-build-conventions:0.0.33.RELEASE #8760
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.6.RELEASE
⭐ New Features
- Add logging #8889
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8856
- Use Github Actions PR pipeline and remove Travis for 5.2.x #8723
🪲 Bug Fixes
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8897
- Resolved bearer token has no padding indicators #8838
- Fix ProviderManager Javadoc typo #8812
- LoginPageGeneratingWebFilter should honor context path #8809
- RoleHierarchy is not used by AbstractAuthorizeTag #8679
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8673
- ReactorContext not available in PayloadSocketAcceptor delegate.accept #8656
🔨 Dependency Upgrades
- Update to nohttp 0.0.5.RELEASE #8927
- Update to Spring Boot 2.2.9.RELEASE #8921
- Update to Reactor Dysprosium-SR10 #8920
- Update to Spring Framework 5.2.8.RELEASE #8919
- Update to Spring Data Moore-SR9 #8918
- Update to PowerMock Mockito2 2.0.7 #8917
- Update blockhound to 1.0.4.RELEASE #8916
- Update to groovy 2.4.20 #8915
- Update to embedded Tomcat websocket 8.5.57 #8914
- Upgrade to embedded Apache Tomcat 9.0.37 #8913
- Update to jaxb-impl 2.3.3 #8912
- Update to GAE 1.9.81 #8911
- Update to Jackson 2.10.5 #8910
- Update to spring-build-conventions:0.0.33.RELEASE #8761
- Update to RSocket 1.0.1 #8664
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.1.12.RELEASE
⭐ New Features
- Add logging #8891
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8857
- Use Github Actions PR pipeline and remove Travis for 5.1.x #8722
- Use Github Actions PR pipeline in 5.1.x #8717
🪲 Bug Fixes
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8898
- Resolved bearer token has no padding indicators #8839
- Fix ProviderManager Javadoc typo #8813
- LoginPageGeneratingWebFilter should honor context path #8810
- RoleHierarchy is not used by AbstractAuthorizeTag #8681
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8674
🔨 Dependency Upgrades
- Update to Spring Ldap 2.3.3 #8943
- Update to Hibernate Validator 6.0.20 #8942
- Update to Hibernate Entitymanager 5.3.17 #8941
- Update to Groovy 2.4.20 #8940
- Update to Spring Boot 2.1.16.RELEASE #8939
- Update to Google App Engine 1.9.81 #8938
- Update to Jackson Databind 2.9.10.5 #8937
- Update to Project Reactor Californium-SR20 #8936
- Update to Spring Framework 5.1.17 #8935
- Update to Spring Data Lovelace-SR19 #8934
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.0.18.RELEASE
⭐ New Features
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8858
- Use Github Actions PR pipeline and remove Travis for 5.0.x #8721
- Use Github Actions PR pipeline in 5.0.x #8716
🪲 Bug Fixes
🔨 Dependency Upgrades
- Update to Spring Ldap 2.3.3 #8933
- Update to Hibernate Validator 6.0.20 #8932
- Update to Groovy 2.4.20 #8931
- Update to Google App Engine 1.9.81 #8930
- Update to Jackson Databind 2.9.10.5 #8929
- Update to Spring Framework 5.0.18 #8928
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
4.2.18.RELEASE
⭐ New Features
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8859
- Use Github Actions PR pipeline and remove Travis for 4.2.x #8720
- Use Github Actions PR pipeline in 4.2.x #8715
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.0-M2
⭐ New Features
- Add reified function variants to security DSL #8771
- OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse #8766
- LDAP Integration Tests Should Use Random Port #8762
- Use memory-saving Collections.singletonList in JdbcAclService.readAclById() #8756
- Merge Spring security with dependencies #8755
- Add Configurable secure flag in CookieCsrfTokenRepository #8749
- Fix typo in OAuth2AccessTokenResponse #8746
- Allow customizing
JWTProcessorpassed toNimbusJwtDecoder#8745 - Use Spring Snapshots in Snapshot Build Again #8712
- Update pipeline to run for PRs to all branches #8711
- Remove Travis pipeline and README badge #8710
- Reject the NULL character in paths in StrictHttpFirewall #8703
- OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702
- OAuth2AuthorizedClientArgumentResolver could use OAuth2AuthorizedClientManager registered in context #8700
- Kotlin Configuration DSL: Use reified types wherever a class is used as a parameter #8697
- ProviderManager Should Use CollectionUtils#contains #8695
- ProviderManager#checkState() throws NullPointerException #8689
- Set up Github Actions pipeline for PRs #8680
- Deprecate X-Frame-Options ALLOW-FROM #8677
- Replace whitelist/blacklist with allowlist/blocklist #8676
- Register OAuth2AuthorizedClientArgumentResolver for XML Config #8669
- Getting response attributes from Saml2AuthenticatedPrincipal #8667
- Ability to easily read attribute values from SAML response #8661
- DefaultOAuth2AuthorizationRequestResolver Should Not Consume Request Body #8651
- StrictHttpFirewall: Validate headers and parameters #8644
- JwtDecoder should use Nimbus multiple-algorithm support #8623
- Remove ClientRegistrationRepository Mock Beans from Samples #8606
- oauth2Client Test Support should not require an HttpSessionOAuth2AuthorizedClientRepository #8603
- Add tokenFromMultipartDataEnabled to server CSRF Kotlin DSL #8602
- Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter #8587
- FilterInvocation Support Default Methods on HttpServletRequest #8566
- Update to JQuery 3.5.1 #8557
- Saml2WebSsoAuthenticationRequesFilter should be post-processed #8552
- Move TestRelyingPartyRegistrations #8551
- Configuration defaults to SessionRegistry bean #8548
- Update BCryptPasswordEncoder documentation with default strength #8542
- authorization_code grant should use same ServerRequestCache #8536
- Avoid using "/path/**/other" patterns in WebFlux PathPatternParser #8513
- Add debug logging to Reactive Web #8504
- Add issuerUri to ClientRegistration.providerDetails #8501
- Use Opaquetoken properties to configure timeouts #8488
- Update Traditional Chinese translation. #8483
- Allow port=0 for ApacheDSContainer #8416
- Throw exception if URL does not include context path when context relative #8399
- Added setter to make RequestCache injectable #8392
- Consider adding ClientRegistration.providerDetails.issuerUri #8326
- Merge Project Modules and Dependencies Section of the docs #8199
- Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter #8120
- formLogin() does not work with REST Docs #7572
🪲 Bug Fixes
- SwitchUserFilter.setExitUserMatcher Javadoc is incorrect #8744
- SwitchUserFilter.setUserDetailsChecker is missing Javadoc #8743
- Fix SecurityContext creation for TEST_EXECUTION #8738
- ReactorContext not available in PayloadSocketAcceptor delegate.accept #8654
- DefaultWebSecurityExpressionHandler uses RoleHierarchy bean #8652
- DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650
- Fix broken link in spring security reference document #8618
- Delay AuthenticationPrincipalArgumentResolver Lookup #8613
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8609
- spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
- Fix typos in BCryptPasswordEncoder documentation #8586
- Fixing typo in SAML 2.0 Sample README #8581
- Message Compose in JavaConfig hellojs Sample Fails #8556
- Java Config hellojs Sample Login Fails #8555
- XML OpenID sample should POST to logout #8554
- Remove unused field 'digester' in Md4PasswordEncoder #8553
- Polish JDBC Authentication documentation #8550
- Fix Kotlin Sample Documentation #8540
- Object ID Identicy conversion to long fails on old schema #8538
- Create the CSRF token on the bounded elactic scheduler #8534
- Fix AntPathRequestMatcher Javadoc #8512
- Document NoOpPasswordEncoder will not be removed #8508
- Document NoOpPasswordEncoder will not be removed #8506
- Fix code snippets to configure timeouts #8487
- Fix non-standard HTTP method for CsrfWebFilter #8452
- Blocking in WebSessionServerCsrfTokenRepository #8128
- Object ID Identity conversion to long fails on old schema #7621
- RoleHierarchy is not used by AbstractAuthorizeTag [#7059](https://github.com/spring-proje...
5.3.3.RELEASE
⭐ New Features
- Update BCryptPasswordEncoder documentation with default strength #8574
🪲 Bug Fixes
- Delay AuthenticationPrincipalArgumentResolver Lookup #8614
- Fix typos in BCryptPasswordEncoder documentation #8601
- Fixing typo in SAML 2.0 Sample README #8600
- Mock request with non-standard HTTP method in test #8597
- Remove unused field 'digester' in Md4PasswordEncoder #8575
- Polish JDBC Authentication documentation #8573
- ACL : AclImpl.hashCode leads to StackOverflowError #8569
- Fix Kotlin Sample Documentation #8565
- Object ID Identity conversion to long fails on old schema #8558
- Blocking in WebSessionServerCsrfTokenRepository #8544
- Fix AntPathRequestMatcher Javadoc #8526
- Document NoOpPasswordEncoder will not be removed #8521
- Fix non-standard HTTP method for CsrfWebFilter #8515
🔨 Dependency Upgrades
5.2.5.RELEASE
🪲 Bug Fixes
- Delay AuthenticationPrincipalArgumentResolver Lookup #8615
- Mock request with non-standard HTTP method in test #8595
- Remove unused field 'digester' in Md4PasswordEncoder #8576
- ACL : AclImpl.hashCode leads to StackOverflowError #8570
- Object ID Identity conversion to long fails on old schema #8559
- Blocking in WebSessionServerCsrfTokenRepository #8545
- Fix AntPathRequestMatcher Javadoc #8527
- Document NoOpPasswordEncoder will not be removed #8522
- Fix non-standard HTTP method for CsrfWebFilter #8516
🔨 Dependency Upgrades
5.1.11.RELEASE
⭐ New Features
- HTTP Host header attack #8641
🪲 Bug Fixes
- Remove unused field 'digester' in Md4PasswordEncoder #8577
- ACL : AclImpl.hashCode leads to StackOverflowError #8571
- Blocking in WebSessionServerCsrfTokenRepository #8546
- Fix AntPathRequestMatcher Javadoc #8528
- Document NoOpPasswordEncoder will not be removed #8523
- Fix non-standard HTTP method for CsrfWebFilter #8517