Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.4.0-M2
⭐ New Features
- Add reified function variants to security DSL #8771
- OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse #8766
- LDAP Integration Tests Should Use Random Port #8762
- Use memory-saving Collections.singletonList in JdbcAclService.readAclById() #8756
- Merge Spring security with dependencies #8755
- Add Configurable secure flag in CookieCsrfTokenRepository #8749
- Fix typo in OAuth2AccessTokenResponse #8746
- Allow customizing
JWTProcessorpassed toNimbusJwtDecoder#8745 - Use Spring Snapshots in Snapshot Build Again #8712
- Update pipeline to run for PRs to all branches #8711
- Remove Travis pipeline and README badge #8710
- Reject the NULL character in paths in StrictHttpFirewall #8703
- OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702
- OAuth2AuthorizedClientArgumentResolver could use OAuth2AuthorizedClientManager registered in context #8700
- Kotlin Configuration DSL: Use reified types wherever a class is used as a parameter #8697
- ProviderManager Should Use CollectionUtils#contains #8695
- ProviderManager#checkState() throws NullPointerException #8689
- Set up Github Actions pipeline for PRs #8680
- Deprecate X-Frame-Options ALLOW-FROM #8677
- Replace whitelist/blacklist with allowlist/blocklist #8676
- Register OAuth2AuthorizedClientArgumentResolver for XML Config #8669
- Getting response attributes from Saml2AuthenticatedPrincipal #8667
- Ability to easily read attribute values from SAML response #8661
- DefaultOAuth2AuthorizationRequestResolver Should Not Consume Request Body #8651
- StrictHttpFirewall: Validate headers and parameters #8644
- JwtDecoder should use Nimbus multiple-algorithm support #8623
- Remove ClientRegistrationRepository Mock Beans from Samples #8606
- oauth2Client Test Support should not require an HttpSessionOAuth2AuthorizedClientRepository #8603
- Add tokenFromMultipartDataEnabled to server CSRF Kotlin DSL #8602
- Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter #8587
- FilterInvocation Support Default Methods on HttpServletRequest #8566
- Update to JQuery 3.5.1 #8557
- Saml2WebSsoAuthenticationRequesFilter should be post-processed #8552
- Move TestRelyingPartyRegistrations #8551
- Configuration defaults to SessionRegistry bean #8548
- Update BCryptPasswordEncoder documentation with default strength #8542
- authorization_code grant should use same ServerRequestCache #8536
- Avoid using "/path/**/other" patterns in WebFlux PathPatternParser #8513
- Add debug logging to Reactive Web #8504
- Add issuerUri to ClientRegistration.providerDetails #8501
- Use Opaquetoken properties to configure timeouts #8488
- Update Traditional Chinese translation. #8483
- Allow port=0 for ApacheDSContainer #8416
- Throw exception if URL does not include context path when context relative #8399
- Added setter to make RequestCache injectable #8392
- Consider adding ClientRegistration.providerDetails.issuerUri #8326
- Merge Project Modules and Dependencies Section of the docs #8199
- Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter #8120
- formLogin() does not work with REST Docs #7572
🪲 Bug Fixes
- SwitchUserFilter.setExitUserMatcher Javadoc is incorrect #8744
- SwitchUserFilter.setUserDetailsChecker is missing Javadoc #8743
- Fix SecurityContext creation for TEST_EXECUTION #8738
- ReactorContext not available in PayloadSocketAcceptor delegate.accept #8654
- DefaultWebSecurityExpressionHandler uses RoleHierarchy bean #8652
- DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650
- Fix broken link in spring security reference document #8618
- Delay AuthenticationPrincipalArgumentResolver Lookup #8613
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8609
- spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
- Fix typos in BCryptPasswordEncoder documentation #8586
- Fixing typo in SAML 2.0 Sample README #8581
- Message Compose in JavaConfig hellojs Sample Fails #8556
- Java Config hellojs Sample Login Fails #8555
- XML OpenID sample should POST to logout #8554
- Remove unused field 'digester' in Md4PasswordEncoder #8553
- Polish JDBC Authentication documentation #8550
- Fix Kotlin Sample Documentation #8540
- Object ID Identicy conversion to long fails on old schema #8538
- Create the CSRF token on the bounded elactic scheduler #8534
- Fix AntPathRequestMatcher Javadoc #8512
- Document NoOpPasswordEncoder will not be removed #8508
- Document NoOpPasswordEncoder will not be removed #8506
- Fix code snippets to configure timeouts #8487
- Fix non-standard HTTP method for CsrfWebFilter #8452
- Blocking in WebSessionServerCsrfTokenRepository #8128
- Object ID Identity conversion to long fails on old schema #7621
- RoleHierarchy is not used by AbstractAuthorizeTag [#7059](https://github.com/spring-proje...
5.3.3.RELEASE
⭐ New Features
- Update BCryptPasswordEncoder documentation with default strength #8574
🪲 Bug Fixes
- Delay AuthenticationPrincipalArgumentResolver Lookup #8614
- Fix typos in BCryptPasswordEncoder documentation #8601
- Fixing typo in SAML 2.0 Sample README #8600
- Mock request with non-standard HTTP method in test #8597
- Remove unused field 'digester' in Md4PasswordEncoder #8575
- Polish JDBC Authentication documentation #8573
- ACL : AclImpl.hashCode leads to StackOverflowError #8569
- Fix Kotlin Sample Documentation #8565
- Object ID Identity conversion to long fails on old schema #8558
- Blocking in WebSessionServerCsrfTokenRepository #8544
- Fix AntPathRequestMatcher Javadoc #8526
- Document NoOpPasswordEncoder will not be removed #8521
- Fix non-standard HTTP method for CsrfWebFilter #8515
🔨 Dependency Upgrades
5.2.5.RELEASE
🪲 Bug Fixes
- Delay AuthenticationPrincipalArgumentResolver Lookup #8615
- Mock request with non-standard HTTP method in test #8595
- Remove unused field 'digester' in Md4PasswordEncoder #8576
- ACL : AclImpl.hashCode leads to StackOverflowError #8570
- Object ID Identity conversion to long fails on old schema #8559
- Blocking in WebSessionServerCsrfTokenRepository #8545
- Fix AntPathRequestMatcher Javadoc #8527
- Document NoOpPasswordEncoder will not be removed #8522
- Fix non-standard HTTP method for CsrfWebFilter #8516
🔨 Dependency Upgrades
5.1.11.RELEASE
⭐ New Features
- HTTP Host header attack #8641
🪲 Bug Fixes
- Remove unused field 'digester' in Md4PasswordEncoder #8577
- ACL : AclImpl.hashCode leads to StackOverflowError #8571
- Blocking in WebSessionServerCsrfTokenRepository #8546
- Fix AntPathRequestMatcher Javadoc #8528
- Document NoOpPasswordEncoder will not be removed #8523
- Fix non-standard HTTP method for CsrfWebFilter #8517
🔨 Dependency Upgrades
5.0.17.RELEASE
⭐ New Features
- HTTP Host header attack #8640
🪲 Bug Fixes
- Remove unused field 'digester' in Md4PasswordEncoder #8578
- ACL : AclImpl.hashCode leads to StackOverflowError #8572
- Blocking in WebSessionServerCsrfTokenRepository #8547
- Fix AntPathRequestMatcher Javadoc #8529
- Document NoOpPasswordEncoder will not be removed #8524
- Fix non-standard HTTP method for CsrfWebFilter #8518
🔨 Dependency Upgrades
4.2.17.RELEASE
5.4.0-M1
⭐ New Features
- Jenkins does not need to build on JDK 9 and 10 #8482
- Upgrade Freefair AspectJ plugin to v5.0.1 #8456
- AesBytesEncryptor constructor that uses secret key #8443
- Rename Preface to Introduction #8411
- TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
- Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
- Allow creating AesBytesEncryptor with key #8402
- Add Flag to enable searching of LDAP groups on subtrees #8400
- Documented dependencies for opaque Resource Server #8394
- Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
- Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
- Saml2AuthenticationRequestContext should be extendible #8356 #8364
- Add constructors receiving AuthenticationManager #8362
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
- Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
- Validate ID Token Issuer #8357
- Saml2AuthenticationRequestContext should be extendible #8356
- Add authorize() DSL method that accepts HttpMethod #8350
- Allow custom header during bearer token extraction #8341
- Allow specify header in ServerBearerTokenAuthenticationConverter #8337
- Provide possibility to use custom cache to store JWK Set #8332
- Adding Map support to DefaultMethodSecurityExpressionHandler #8331
- BCryptPasswordEncoder rawPassword cannot be null #8330
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
- Open ID Connect ID Token Issuer not validated #8321
- Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
- Added setPrincipalClaimName to JwtAuthenticationConverter #8318
- BCryptPasswordEncoder.encode() throws NPE #8317
- HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
- AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
- SpringTestContext returns ConfigurableWebApplicationContext #8233
- Clarify use case for
ServerBearerExchangeFilterFunction#8220 - Update Encryptors documentation for standard and stronger #8208
- Upgrade to Gradle Enterprise Plugin 3.2 #8205
- Add Figures to Resource Server Docs #8184
- Add Figures to Resource Server Docs #8182
- Document JwtGrantedAuthoritiesConverter #8176
- Fix userNameAttribute property case style #8171
- userNameAttribute case style is different others #8169
- Polish SAML 2.0 Login Sample #8163
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
- Assign sensible default for OAuth2AuthorizedClientProvider #8150
- OpenSamlImplementation should not use reflection #8147
- Allow port=0 for LDAP Servers #8139
- LDAP server configuration should support port=0 #8138
- Use io.spring.gradle-enterprise-conventions #8115
- Replace VersionsResourceTasks with WriteProperties #8114
- Improve Build Performance #8113
- Document OAuth 2.0 Login XML Support #8110
- Fix exception from empty basic auth header token #8109
- Fix typo 'properites' -> 'properties' in documentation #8096
- Document AuthenticationEventPublisher improvements #8081
- Document AuthNRequest POST binding support #8079
- Document AuthNRequest signature support #8078
- Document OAuth 2.0 Resource Server XML Support #8077
- Document Jackson serialization support for OAuth 2.0 Client #8075
- Document OAuth 2.0 Client XML Support #8074
- Document OAuth2Authorization success and failure handlers #8073
- Document OIDC Logout Success Handler Improvements #8072
- Document OAuth 2.0 Authorization Request improvements #8071
- Add OAuth 2.0 Test Support Docs #8050
- Add server request cache that uses cookie #8033
- Basic auth header without user results in exception #7976
- Add RequestRejectedHandler #7052
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
- Idiomatic Kotlin DSL for configuring HTTP security #5558
- SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
- SessionRegistryImpl is not aware of SessionIdChange events. #5438
- SwitchUserFilter vulnerable to CSRF #4183
🪲 Bug Fixes
- Fix Javadoc punctuation #8480
- Fixed typos in documentation #8454
- Support update when saving with JdbcOAuth2AuthorizedClientService #8435
- JdbcOAuth2AuthorizedClientService should support update when saving #8425
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
- ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
- Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
- Fix Documentation to Refer to BasicAuthenticationFilter #8414
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
- Fix typo with correct capitalization [#8406](https://github.com/spring-projects/s...
5.3.2.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8490
- Fixed typos in documentation #8460
- JdbcOAuth2AuthorizedClientService should support update when saving #8448
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8437
- Fix Documentation to Refer to BasicAuthenticationFilter #8423
- Fix typo with correct capitalization #8408
- Global ServerSecurityContextRepository ignored by logout #8385
- Fix example in javadoc of FilterChainProxy #8351
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8311
🔨 Dependency Upgrades
- Update to aspectj-plugin:4.1.6 #8306
5.2.4.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8494
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8438
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8430
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8426
- Fix typo with correct capitalization #8409
- Global ServerSecurityContextRepository ignored by logout #8386
- Fix example in javadoc of FilterChainProxy #8352
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8338
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8312
🔨 Dependency Upgrades
- Update to Byte Buddy 1.9.16 #8481
- Upgrade to embedded Apache Tomcat 9.0.34 #8469
- Update RSocket to 1.0.0-RC7 #8468
- Update to GAE 1.9.80 #8467
- Update to Jackson 2.10.4 #8466
- Update to org.powermock 2.0.7 #8465
- Update to Reactor Dysprosium-SR7 #8464
- Update to Spring Framework 5.2.6.RELEASE #8463
- Update to Spring Data Moore-SR7 #8462
5.1.10.RELEASE
⭐ New Features
- BCryptPasswordEncoder.encode() throws NPE #8347
🪲 Bug Fixes
- Fix Javadoc punctuation #8496
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8440
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8431
- Fix typo with correct capitalization #8410
- Global ServerSecurityContextRepository ignored by logout #8388
- Fix example in javadoc of FilterChainProxy #8353
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8339
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8313