Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.2.1.RELEASE
⭐ New Features
- Fix variable reference in sample code #7571
- spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #7565
- Add Resource Server Multi-tenancy Documentation #7532
- Update SAML sample to use boot auto config #7521
- Add Reactive CSRF Documentation #6487
🪲 Bug Fixes
- Restore Removed Throws Clauses #7580
- CsrfWebFilter should handle multipart/form-data #7576
- Make saveAuthorizedClient save the authorized client #7551
- DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #7546
throws Exceptionwas removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #7541- SAML2 Provider SubjectConfirmation validation failure #7514
- SAML2 Provider AuthNRequest Hardcoded Protocol Binding #7513
- Clock skew to check access token expiration has wrong sign #7511
🔨 Dependency Upgrades
- Upgrade to Spring Boot 2.2.0.RELEASE #7566
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.1.7.RELEASE
⭐ New Features
- CookieServerCsrfRepositoryTests should not start domain with a dot #7501
- Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7225
🪲 Bug Fixes
- OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7469
- RequestContextSubscriber could put null value in Reactor Context #7410
- OAuth2AuthorizationRequest not removed from session #7369
- InMemoryReactiveClientRegistrationRepository should not use ConcurrentReferenceHashMap #7359
- NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7340
- SEC-2971: Footnotes are messed up in online docs #7326
- Confusing example - WebMvcConfigurer vs WebSecurityConfigurerAdapter #7303
- OnCommittedResponseWrapper fails on static resources served by Tomcat 8.5 #7297
- Fix WebClient Memory Leaks #7294
- Ensure filter order is maintained when using springSecurity() along with other filters #7267
- SessionAuthenticationStrategy make HttpSecurity.sessionManagement().maximumSessions(1) unavailability #7262
- SEC-2980: Possible race condition in SessionRegistryImpl #7226
5.2.0.RELEASE
⭐ New Features
- Add Hello RSocket Sample #7504
- Add RSocket Reference #7502
- CookieServerCsrfRepositoryTests should not start domain with a dot #7500
- Add OAuth2 Resource Server to Modules Section #7498
- Initial saml2 login docs #7495
- SAML 2 Assertion - Always require signature validation #7490
- Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver #7488
- CurrentSecurityContextArgumentResolver polishes #7487
- Add ClientRegistration.withClientRegistration(ClientRegistration) #7486
- Add hasAuthority method to RSocketSecurity #7478
- Align Servlet ExchangeFilterFunction CoreSubscriber #7476
- WebFluxSecurityConfiguration does not configure oauth2Client #7470
- Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7467
- Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7466
- Document Clear-Site-Data Support #7463
- Document RFC 8414 Support #7462
- Document Bearer Token Propagation #7461
- Document Reactive Mock Jwt Testing #7460
- Fixed typo in comment #7458
- Use Schedulers.boundedElastic() #7457
- AbstractUserDetailsReactiveAuthenticationManager uses newParallel #7456
- Add hasAnyAuthority method in AuthorizePayloadsSpec.Access #7455
- Add denyAll method in AuthorizePayloadsSpec.Access #7451
- AuthenticationFilter's methods should be private #7447
- AuthenticationFilter should provide session fixation protection #7446
- Use Jwt.Builder #7443
- Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority #7437
- Add AuthorizePayloadsSpec.Access hasAuthority #7435
- Document Resource Server User-Info Usage #7431
- Document Reactive Opaque Token Usage #7430
- Document NimbusReactiveJwtDecoder #7425
- Document Mock Jwt Testing #7424
- Servlet ExchangeFilterFunctions should align #7422
- Document Opaque Token Usage #7420
- ServletBearerExchangeFilterFunction should propagate Authentication #7418
- Document NimbusJwtDecoder #7408
- Document Jwt.Builder #7407
- Document OAuth2AuthenticatedPrincipal #7406
- DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange #7390
- Make OAuth2User extends OAuth2AuthenticatedPrincipal #7383
- OAuth2User should extend OAuth2AuthenticatedPrincipal #7378
- SamlAuthenticationProvider should propagate actual validation errors #7375
- Add Reactive Messaging AuthenticationPrincipalArgumentResolver #7363
- Allow Custom PayloadInterceptor to be Added #7362
- Default RSocketSecurity #7361
- Add nonce to OIDC Authentication Request #7337
- Introduce LogoutSuccessEvent #7306
- Mock Jwt should ensure that CSRF is not required #7170
- Document BearerTokenResolver in reference #6254
- Consider adding nonce to OIDC Authentication Request #4442
- SEC-2680: Fire an event when logout has finished #2900
🪲 Bug Fixes
- Correctly populate the AuthNRequest attributes #7496
- AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI #7494
- AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed #7492
- Always validate saml2 signatures #7491
- CurrentSecurityContext Javadoc should be about SecurityContext #7489
- Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… #7450
- SAML Response Skew is using the wrong type #7448
- Jwt.Builder should keep notBefore as an Instant #7442
- AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor #7434
- RSocketMessageHandlerITests could hang #7415
- RSocketSecurity anyRequest delegates to anyExchange #7414
- OpenSamlAuthenticationProvider should not throw AuthenticationServiceException #7377
- OpenSamlAuthenticationProvider should propagate validation errors #7376
- OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7036
🔨 Dependency Upgrades
- Update to Spring Data Moore-RELEASE #7506
- Remaining dependency upgrades for 5.2.0 #7505
- Upgrade JSON jackson library to 2.10.0 #7480
- Release/dependencies for 5.2 ga #7471
- Update the AspectJ Gradle Plugin to 4.0.2 #7427
- Update to Gradle 5.6.2 #7412
- Upgrade to OpenSaml 3.4.3 #7392
- Upgrade embedded Apache Tomcat to 9.0.24 #7384
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.0.RC1
⭐ New Features
- Add attributes Consumer to OAuth2AuthorizationContext #7385
- Improve DefaultReactiveOAuth2UserService handling IOException #7370
- Add RSocket Support #7360
- Polish Server|ServletBearerExchangeFilterFunction #7355
- Refactor Servlet/Server BearerExchangeFilterFunction #7353
- OAuth2AuthorizeRequest supports attributes #7352
- Grant Individual Authorities From Claims #7351
- DefaultOAuth2AuthorizedClientManager and DefaultServerOAuth2AuthorizedClientManager Alignment #7350
- Align Servlet ClearSiteData expression of directives #7347
- Add Adapter to Translate Jwt to BearerTokenAuthentication #7346
- Opaque Token Introspector should return an Authenticated Principal #7345
- Opaque Token Introspection Strategy Flexibility #7344
- Add BearerTokenAuthentication #7343
- Add OAuth2AuthenticatedPrincipal #7342
- OAuth2AuthorizeRequest supports attributes #7341
- DefaultOAuth2UserService should extract authorities #7339
- InMemoryReactiveClientRegistrationRepository should check for duplicates #7338
- Add Servlet and ServerBearerExchangeFilterFunction #7330
- Update to Gradle 5.6.1 #7323
- Simplify and improve the buildSrc gradle plugin #7302
- Update to Gradle 5.6 #7300
- Add Catalan localization messages #7288
- Add Catalan localization messages #7287
- Resource Server should support WebClient Bearer Token propagation #7284
- Sample should use UserDetailsService bean instead of configureGlobal method #7283
- Mock Jwt Test Samples #7278
- Allow to set default securityContextRepository for each authenticatio… #7275
- Resource Server Multi-tenancy Sample Should Manage Its Own Jwt Decoder #7272
- Add setter for authorities claim name in JwtGrantedAuthoritiesConverter #7271
- Jwk Set Uri Nimbus Jwt Decoder builders should take SignatureAlgorithm #7270
- Add setContentLengthLong detection to OnCommittedResponseWrapper. #7264
- Consolidate shared code between JwtDecoders and ReactiveJwtDecoders #7263
- Remove MultiTenantAuthenticationManagerResolver #7259
- Add setter for authority prefix in JwtGrantedAuthoritiesConverter #7256
- Prevent IntelliJ IDEA from generating spaces for indentation #7253
- TokenBasedRememberMeServices.processAutoLoginCookie (TokenBasedRememberMeServices.java:134) java.lang.NullPointerException #7251
- Authentication Mechanisms Should Default their ServerSecurityContextRepository #7249
- Rename OAuth2TokenIntrospectionClient #7246
- Consider renaming OAuth2TokenIntrospectionClient #7245
- Add OAuth2LoginSpec#securityContextRepository #7244
- Cleanup Code Style Issues #7238
- Add Checkstyle configuration for IntelliJ IDEA #7237
- Expose getPort in ApacheDsContainer #7236
- OAuth2LoginConfigurer should discover OAuth2UserService beans #7232
- Make ldap integration tests independent #7231
- Remove unused imports #7229
- ServerHttpSecurity: oauth2Login() ignores securityContextRepository() #7222
- Use the 'io.freefair.aspectj' gradle plugin #7183
- Add RequestMatcher.matcher(HttpServletRequest) #7172
- ignore Multipart requests in HttpSessionRequestCache.requestMatcher #7167
- Add test examples for Oauth2 Resource Server sample #7159
- Add unbounid support in xml #7149
- OAuth2AuthorizedClientManager implementation works outside of request #7122
- Improve OAuth2 Resource Server tests #7118
- Introduce Reactive OAuth2AuthorizedClient Manager/Provider #7116
- Allow configurable Clock in OAuth2AuthorizedClientProvider impls #7114
- JwtGrantedAuthoritiesConverter should allow configuring the authority prefix #7101
- JwtGrantedAuthoritiesConverter should allow configuring the authorities claim name #7100
- Add authenticationFailureHandler method in OAuth2LoginSpec #7071
- v5.2.0.M3 docs contain Deprecated example code #7062
- Multipartfile request with no authentication is still consumed even after an AccessDeniedException is thrown #7060
- Add OAuth2LoginSpec.authenticationFailureHandler #7051
- Add Argon2PasswordEncoder #7045
- Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7026
- Add support for Resource Owner Password Credentials grant #7013
- Jwt decoding should support multiple algorithms #6883
- Polish Resource Server DSL Error Messaging #6876
- Remove Invalid WebMvcConfigurer from Sample Documentation #6822
- Align code in oauth2-client extensions for WebClient #6811
- OAuth2 Client Credentials Flow: Getting access tokens in the service/data tier #6780
- Provide Servlet equivalent of UnAuthenticatedServerOAuth2AuthorizedClientRepository #6683
- Spring Boot + spring-security-oauth2-resource-server should not throw a ClassNotFoundException once it supports more than one token format #6209
- Support Resource Owner Password Credentials grant #6003
- Add Argon2PasswordEncoder #5354
- Add BearerExchangeFilterFunction #5334
🪲 Bug Fixes
- Remove package tangle in headers #7380
- Remove OAuth2AuthorizationRequest when a distributed session is used [#7334](https://github.com/spring-projects/spring-se...
5.2.0.M4
⭐ New Features
- Update to Reactor Dysprosium-M3 #7186
- Update to Spring Data Moore RC2 #7185
- Update to Spring Framework 5.2.0.RC1 #7184
- Downgrade modifier from public to protected #7180
- AuthenticationFilter#attemptAuthentication should be protected #7177
- Use org.mockito.ArgumentMatchers in favor of org.mockito.Matchers #7176
- Migrate VersionsResourceTasks groovy->java #7173
- Add support for allowedHostnames in StrictHttpFirewall #7158
- Upgrade org.springframework.boot:spring-boot-xxx to 2.2.0.M4 #7143
- Remove exceptions from lambda security configuration #7131
- Remove exception from security configuration methods #7128
- Support nested builder in DSL for reactive apps #7121
- Prevent disabled user from logging in on reactive applications #7113
- Oauth2 BearerTokenAuthenticationFilter logging issue #7110
- Add support for nested builders in the DSL for reactive apps #7107
- Error description by BearerTokenAccessDeniedHandler is misleading #7089
- Throws exception when passed IP address with too long mask #7084
- Allow configuration of SessionAuthenticationStrategy for CSRF #7083
- Add Chinese Traditional localized messages. #7082
- Changed docs to reflect that init should apply configurers #7080
- Update to Gradle 5.5.1 #7078
- Migrate TrangPlugin groovy->java #7077
- Cleanup redundant type casts #7073
- Allow upgrading between different SCrypt encodings #7057
- DSL nested builder for HTTP security #7046
- Add @nullable to UsernamePasswordAuthenticationFilter #7043
- Allow upgrading between different BCrypt encodings #7042
- Can't use a custom authorization grant type in a ClientRegistration #7040
- Add Generic AuthenticationFilter #7025
- Migrate DefaultLoginPageConfigurerTests groovy->java #6956
- Add generic getClaim() method in ClaimAccessor #6947
- Mock Jwt Support should accept a fully-configured Jwt #6896
- OpenID Connect Userinfo not fetched for custom claims #6886
- OAuth2LoginAuthenticationFilter sets AuthenticationDetails #6884
- OAuth2LoginAuthenticationFilter should set AuthenticationDetails #6866
- Introduce OAuth2AuthorizedClient Manager/Provider #6845
- Replace strange hashCode() implementations #6542
- Add Generic AuthenticationFilter #6506
- Allow in-memory authorized client services to be constructed with a map #5994
- Please add support for nested builders in the DSL #5557
- Allow configuration of added SessionAuthenticationStrategy for CsrfConfigurer #5300
🪲 Bug Fixes
- Basic authentication scheme is not case-insensitive #7163
- Fix CSRF session authentication strategy since version #7127
- Incorrect Javadoc for methods in HeadersConfigurer #7123
- Loggin Fix for printing the full stack trace, spring-projects/spring-… #7111
- Fix infinite loop in role hierarchy resolving #7106
- Fixed typo in documentation. #7092
- Fix typo in documentation #7050
- Allow custom ReactiveAuthenticationManager for basic and form auth #7048
- Fixed validation in ClientRegistration.Builder #7047
- Fix blocking in ServletOAuth2AuthorizedClientExchangeFilterFunction #7037
- Infinite loop in role hierarchy resolving #7035
- ServerBearerTokenAuthenticationConverter Handles Empty Tokens #7020
- Reactive OAuth2 using query parameters for access_token can cause HTTP 500s #7011
- OAuth2Login should process authenticated requests #6890
- Ensure ServletOAuth2AuthorizedClientExchangeFilterFunction is non-blocking #6589
- ServerHttpSecurity can't set multiple authentication managers #5660
- SCryptPasswordEncoder constructor javadoc needs to be fixed #4004
- SEC-2576: ArrayIndexOutOfBoundsException in IpAddressMatcher #2790
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.0.M3
⭐ New Features
- Move log statement in SessionRegistryImpl #6979
- Fix RoleHierarchy Javadoc #6973
- Disable bean proxying in configuration classes #6970
- Make Spring web configuration classes use proxyBeanMethods=false by default #6967
- Migrate JeeConfigurerTests groovy->java #6957
- Update to nohttp 0.0.2.RELEASE #6955
- RoleHierarchy Comments are misleading #6954
- Migrate RememberMeConfigurerTests groovy->java #6951
- Migrate CorsConfigurerTests groovy->java #6946
- Migrate ChannelSecurityConfigurerTests groovy->java #6944
- Add success handler modification of OAuth2LoginSpec #6938
- Migrate SessionManagementConfigurerTests groovy->java #6937
- JenkinsFile should always indicate the JDK in use #6928
- Add @transient to OAuth2IntrospectionAuthenticationToken #6918
- Added null checks and tests to constructors #6915
- Updates OAuth2ResourceServer configuration tests #6904
- Migrate LogoutConfigurerTests from groovy to java #6902
- Finer variables for OAuth2 redirectUriTemplate expansion #6900
- Add null checks to constructors #6892
- Fix JavaDoc for defaultSuccessUrl #6878
- Add constructor to JwtAuthenticationToken that takes a principal name #6865
- Add OAuth2LoginSpec.authenticationSuccessHandler #6863
- Add Multi-tenancy support for Reactive Resource Server #6861
- Git ignore .attach_pid* files #6860
- Translate messages.properties into Japanese #6855
- Replace bean method calls with injection #6853
- Make scheduler configurable on ReactiveAuthenticationManagerAdapter #6852
- Introduce Jwt.Builder #6851
- OpaqueToken DSL should accept an AuthenticationManager #6849
- Jwt DSL Configuration should accept an AuthenticationManager #6832
- OAuth2IntrospectionAuthenticationToken should be marked as @transient #6829
- Reactive JwkSource Builder Parameter Type Changed the parameter type from JWT to SignedJWT Fixes: gh-6771 #6827
- Fix javadoc typo #6825
- Support JwtValidationException on JwtReactiveAuthenticationManager #6823
- Switch to proxy-less configuration by leveraging @configuration(proxyBeanMethods = false) #6818
- Opaque Token Support for Custom Parameters #6798
- Fix no check if the parameter is null. #6775
- Expose bean setters in @configuration used by @EnableWebFluxSecurity #6761
- Multi-tenancy for Reactive Resource Server #6727
- Introduce ReactiveAuthenticationManagerResolver #6723
- Introduce JWT Flow API in Test Support #6634
- Opaque Token Intermediate Type #6632
- Make it possible to use Spring Security with functional bean registration #6624
- OAuth2ResourceServer configuration tests use deprecated extractAuthorities #6516
- X509 Reactive Support #6336
- Improve ClaimAccessor and externalize coercion #6245
- Add scheme/protocol variable for OAuth2 redirectUriTemplate #6239
- AccountStatusUserDetailsChecker implements MessageSourceAware #6151
- Support Path Variables in Message Expressions #6110
- WebSocket matchers ignore parameters #4469
🪲 Bug Fixes
- ID Token validation should use JwtTimestampValidator #6964
- Fix HttpSecurity Javadoc for jee() method #6959
- Fix HttpSecurity jee() Javadoc example for mappableRoles #6958
- DefaultServerOAuth2AuthorizationRequestResolver should use fromUri #6952
- WebClientReactiveClientCredentialsTokenResponseClient should not set Authorization header when ClientAuthenticationMethod.POST #6911
- Documentation fixes #6889
- java.lang.IllegalAccessError when resource server introspect token from oauth2 server #6843
- oauth2Login does not auto-redirect for XHR request #6812
🔨 Dependency Upgrades
- Update to Spring 5.2.0.M2 #6869
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.0.M2
⭐ New Features
- Add JDK 12 Build #6774
- Update Gradle version to 5.3.1 #6747
- Align JavaDoc in SecureRandomFactoryBean #6734
- Fix a typo #6725
- Introduce AuthenticationManagerResolver #6722
- Defer downstream filter execution if no OAuth2AuthorizedClient is found #6719
- Make UnAuthenticatedServerOAuth2AuthorizedClientRepository threadsafe #6717
- URL Cleanup #6662
- URL Cleanup #6655
- Simplify MediaTypeRequestMatcher construction #6648
- Polish #6635
- Introduced placeholder support for headers tag attributes #6623
- Allowing for a @bean of type OAuth2AccessTokenResponseClient<OAuth2Cl… #6606
- Throw exception that was created but not thrown #6604
- documentation: remove out-of-date #6603
- OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6587
- OAuth2ClientConfiguration discovers client_credentials OAuth2AccessTokenResponseClient #6572
- Multi tenancy for Resource Server #6563
- Introduce @CurrentSecurityContext for method arguments #6562
- Fix Broken Documentation Link #6555
- Broken URL in documentation #6553
- Add Support for Clear Site Data on Logout #6550
- Introduce @CurrentSecurityContext for method arguments #6546
- Reactive Opaque Token Support #6519
- OidcIdTokenValidator ensures clockSkew is positive number #6514
- Add Reactive Opaque Token Support to Resource Server #6513
- Properties should reference scope not scopes #6510
- HeaderWriterFilter writes headers at beginning #6509
- Introduce OAuth2AuthorizationRequest.attributes #6508
- Introduce Support for Reading RSA Keys #6505
- NimbusReactiveJwtDecoder Takes Reactive Processor #6499
- Support symmetric key for JwtDecoder #6495
- Add RSA Key Converters #6494
- Improve formatting of LDAP snippets in Reference Documentation #6486
- Add client support for PKCE #6485
- OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6477
- Add new configuration options for OAuth2LoginSpec #6462
- Update to nimbus-jose-jwt:6.7 #6459
- Consider having HeaderWriters check before writing #6456
- Added CompositeHeaderWriter #6455
- Consider having HeaderWriters check before writing #6454
- Add a composite HeaderWriter class #6453
- Support PKCE for Client #6446
- OidcIdTokenValidator ensures clockSkew is positive number #6443
- Save original request on oauth2Client filter #6418
- Add Support for Opaque OAuth2 Tokens to Resource Server #6352
- Add preload support to Strict-Transport-Security #6312
- Remove Servlet Spec 2.5 and 3.0 support #6220
- OAuth2ResourceServerConfigurerTests should avoid MockWebServer #6104
- OAuth2AuthorizationRequest.additionalParameters should not contain registration_id #5940
- NimbusReactiveJwtDecoder should accept a custom processor #5937
- Improve OAuth2LoginSpec with more configuration options #5598
- Provide support for symmetric key verification via JwtDecoder #5465
- Support for OIDC Logout #5356
- Multi-tenancy support for OAuth2 #5351
- Support RP (Client) initiated logout #5350
- Provide support for OAuth 2.0 Token Introspection #5200
- Add Clear Site Data to Log Out #4187
🪲 Bug Fixes
- ServletOAuth2AuthorizedClientExchangeFilterFunction supports chaining #6526
- Update resource-server.adoc #6523
- Fixed broken link #6522
- Fix broken link in README.adoc #6521
- Preserve existing refresh token if new refresh token not returned #6504
- Refreshing access token may remove refresh token from AuthorizedClient #6503
- ServletOAuth2AuthorizedClientExchangeFilterFunction Does Not Work For Chained Reactive Methods #6483
- Missing spring: prefix on jwk-set-uri example #6479
- Improve CsrfBeanDefinitionParser xml parsing #6451
- HTML markup fixed in DefaultLoginPageGeneratingFilter #6448
- XML configuration with multiple security:http register multiple requestDataValueProcessor #6423
- Invalid html in default login page #6417
- Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341
- Fix OAuth2 Client with Ditributed Session #6215
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
- @wangzw
- @sdoxsee
- @d3jie
- @ankurpathak
- @wilkinsona
- @sayembd
- @rhamedy
- @izeye
- @xyloman
- @rozagerardo
- @LukeButters
- @nickbr23
- @jzheaux
- @jgrandja
- @clevertension
- @spring-operator
- @farrault
- @rustamzh
- @fritzdj
- @vishalvrv9
- @andersonkyle
- @stasmihailov
- @xak2000
- @philsttr
- [@ThomasVitale](https://github.com/Thom...
5.2.0.M1
⭐ New Features
- Update to spring-build-conventions 0.0.23.RELEASE #6440
- customization support for StrictHttpFirewall #6439
- Update to Spring Data Lovelace SR4 #6438
- Update to Spring Framework 5.1.4 #6437
- Update to Reactor Californium-SR4 #6436
- Update to Spring Boot 2.1.2 #6435
- Update to htmlunit-driver 2.33.3 #6434
- Update to org.powermock 2.0.0 #6433
- Update to hibernate-entitymanager 5.4.0.Final #6432
- Update to ehcache 2.10.6 #6431
- Update to com.squareup.okhttp3 3.12.1 #6430
- Update to oauth2-oidc-sdk 6.5 #6429
- Update to nimbus-jose-jwt 6.5.1 #6428
- Update to jackson.core 2.9.8 #6427
- Update to cglib-nodep 3.2.10 #6426
- Update JwtTimestampValidator.java #6416
- Extract the ID Token JwtDecoderFactory to enable user customization #6415
- Expose ID Token JwtDecoderFactory #6379
- ID Token validation supports clock skew #6375
- Polish oauth2 client ExchangeFilterFunction's #6355
- Improve error messages in OidcIdTokenValidator #6349
- Polish tests #6346
- Removed isServlet30 check #6331
- Fixes typo in x,rnc files #6326
- Typo in Spring Security spring-security-x.y.rnc Files #6325
- Improve error messages in OidcIdTokenValidator #6323
- Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
- JdbcUserDetailsManager handles extra UserDetails attributes #6309
- Add WebFlux support for spring security web jackson module. #6305
- Add WebFlux support for spring security web jackson module #6303
- authorization_uri Supports Query Parameters #6299
- Extract OidcTokenValidator to an OAuth2TokenValidator #6298
- Remove check for method HttpServletRequest#getHeader and related test #6290
- Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
- Validate Scopes in ClientRegistration.Builder #6285
- Allow setting realm for Http Basic #6279
- Add cookieDomain to CookieCsrfTokenRepository #6276
- Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
- Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
- Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
- Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
- Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
- Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
- Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
- Remove Servlet 2.5 Support for Session Fixation #6259
- Add DelegatingSecurityContextTaskScheduler #6257
- Validate ClientRegistration.scopes #6256
- RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #6241
- Improve error message for Chinese #6240
- Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
- AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
- JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
- Add Reactive Support for UserDetailsChecker #6229
- SessionRegistryImpl uses computeIfAbsent #6221
- Accept a case-insensitive "Bearer" keyword #6210
- Restored Jacoco default task dependence #6200
- Added support for Anonymous Authentication #6198
- Update to Gradle 5.0 #6197
- Make CachingUserDetailsService Public #6196
- Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
- Use SpringUtils to check scheme #6185
- BasicAuthenticationFilter could check the scheme more efficiently #6183
- ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
- According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
- Update to Gradle 5.0 #6148
- Update com.squareup.okhttp3 deps to 3.12.0 #6142
- Add GenericConversionService with support for UUID and Strings #6141
- Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
- Remove unused compile dependency in javaconfig x509 sample #6130
- Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
- Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
- WebClient support should get new access token when expired and client_credentials #6127
- AesBytesEncryptorTests should check available key strengths before running #6121
- CookieClearingLogoutHandler enhancement #6116
- Update to Gradle 4.10.2 #6114
- Update to oauth2-oidc-sdk:6.2 #6101
- Update webflux-form sample to use Built in CSRF Support #6097
- Update to nimbus-jose-jwt:6.3 #6095
- Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
- Update to Spring Boot 2.1.0.RELEASE #6082
- Make AesBytesEncryptor public #6079
- CookieClearingLogoutHandler for differen...