fix(deps): update dependency org.springframework.security:spring-security-web to v5 [security] #120

Open
wants to merge 1 commit into
base: master

renovate[bot]

@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| org.springframework.security:spring-security-web (source) | 4.2.20.RELEASE -> 5.2.9.RELEASE | age | adoption | passing | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.


Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.2.9.RELEASE

Compare Source

⭐ New Features
  • Improve HttpSessionSecurityContextSessionRepository Performance #​9390
  • Migrate SAML 2.0 Samples to Use PCFOne #​9371
  • Use constant time comparisons for CSRF tokens #​9359
🪲 Bug Fixes
  • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9428
  • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9406
  • Remove notEmpty check for authorities in DefaultOAuth2User #​9398
  • CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9340
  • webflux-x509 sample cert needs renewal #​9321
  • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9260
🔨 Dependency Upgrades
  • Update to GAE 1.9.86 #​9442
  • Update to Tomcat 9.0.43 #​9441
  • Update to Jetty 9.4.36.v20210114 #​9440
  • Update to hibernate-validator 6.1.7.Final #​9439
  • Update to hibernate-entitymanager 5.4.28.Final #​9438
  • Update to thymeleaf-spring5 3.0.12 #​9437
  • Update to Spring Data Moore-SR12 #​9436
  • Update to Reactor Dysprosium-SR16 #​9435
  • Update to Spring Framework 5.2.12.RELEASE #​9434
  • Update to Spring Boot 2.2.13.RELEASE #​9433

v5.2.8.RELEASE

Compare Source

🪲 Bug Fixes
🔨 Dependency Upgrades
  • Update to Spring LDAP Core 2.3.3 #​9245
  • Update to Powermock 2.0.9 #​9244
  • Update to HSQLDB 2.5.1 #​9243
  • Update to Hibernate EntityManager 5.4.25 #​9242
  • Update to Jetty 9.4.35 #​9241
  • Update to HttpComponents HttpClient 4.5.13 #​9240
  • Update to RSocket 1.0.3 #​9239
  • Update to Reactor Dysprosium-SR14 #​9238
  • Update to Google App Engine 1.9.83 #​9237
  • Update to Jackson Databind 2.10.5.1 #​9236
  • Update to Spring Data Moore-SR11 #​9235
  • Update to Spring 5.2.11 #​9234
  • Update to Spring Boot 2.2.11 #​9233

v5.2.7.RELEASE

Compare Source

🪲 Bug Fixes

  • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #​9058
  • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #​9025

🔨 Dependency Upgrades

  • Update to Spring Data Moore-SR10 #​9088
  • Update to Hibernate Entity manager 5.4.22 #​9087
  • Update to Hibernate Validator 6.1.6 #​9086
  • Upgrade to embedded Apache Tomcat 9.0.38 #​9085
  • Update to RSocket 1.0.2 #​9084
  • Update to Spring Framework 5.2.9 #​9083
  • Update to Reactor Dysprosium-SR12 #​9082
  • Update to Spring Boot 2.2.10 #​9081
  • Update to GAE 1.9.82 #​9080
  • Update to org.aspectj 1.9.6 #​9079

v5.2.6.RELEASE

Compare Source

⭐ New Features
  • Add logging #​8889
  • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #​8856
  • Use Github Actions PR pipeline and remove Travis for 5.2.x #​8723
🪲 Bug Fixes
  • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #​8897
  • Resolved bearer token has no padding indicators #​8838
  • Fix ProviderManager Javadoc typo #​8812
  • LoginPageGeneratingWebFilter should honor context path #​8809
  • RoleHierarchy is not used by AbstractAuthorizeTag #​8679
  • OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #​8673
  • ReactorContext not available in PayloadSocketAcceptor delegate.accept #​8656
🔨 Dependency Upgrades
  • Update to nohttp 0.0.5.RELEASE #​8927
  • Update to Spring Boot 2.2.9.RELEASE #​8921
  • Update to Reactor Dysprosium-SR10 #​8920
  • Update to Spring Framework 5.2.8.RELEASE #​8919
  • Update to Spring Data Moore-SR9 #​8918
  • Update to PowerMock Mockito2 2.0.7 #​8917
  • Update blockhound to 1.0.4.RELEASE #​8916
  • Update to groovy 2.4.20 #​8915
  • Update to embedded Tomcat websocket 8.5.57 #​8914
  • Upgrade to embedded Apache Tomcat 9.0.37 #​8913
  • Update to jaxb-impl 2.3.3 #​8912
  • Update to GAE 1.9.81 #​8911
  • Update to Jackson 2.10.5 #​8910
  • Update to spring-build-conventions:0.0.33.RELEASE #​8761
  • Update to RSocket 1.0.1 #​8664
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.2.5.RELEASE

Compare Source

🪲 Bug Fixes
  • Delay AuthenticationPrincipalArgumentResolver Lookup #​8615
  • Mock request with non-standard HTTP method in test #​8595
  • Remove unused field 'digester' in Md4PasswordEncoder #​8576
  • ACL : AclImpl.hashCode leads to StackOverflowError #​8570
  • Object ID Identity conversion to long fails on old schema #​8559
  • Blocking in WebSessionServerCsrfTokenRepository #​8545
  • Fix AntPathRequestMatcher Javadoc #​8527
  • Document NoOpPasswordEncoder will not be removed #​8522
  • Fix non-standard HTTP method for CsrfWebFilter #​8516
🔨 Dependency Upgrades

v5.2.4.RELEASE

Compare Source

⭐ New Features
  • SAML Authentication Provider assertions #​8495
  • BCryptPasswordEncoder.encode() throws NPE #​8346
🪲 Bug Fixes
  • Fix Javadoc punctuation #​8494
  • Add ROLE_INFRASTRUCTURE to infrastructure beans #​8438
  • SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #​8430
  • OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #​8426
  • Fix typo with correct capitalization #​8409
  • Global ServerSecurityContextRepository ignored by logout #​8386
  • Fix example in javadoc of FilterChainProxy #​8352
  • Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #​8338
  • Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #​8312
🔨 Dependency Upgrades
  • Update to Byte Buddy 1.9.16 #​8481
  • Upgrade to embedded Apache Tomcat 9.0.34 #​8469
  • Update RSocket to 1.0.0-RC7 #​8468
  • Update to GAE 1.9.80 #​8467
  • Update to Jackson 2.10.4 #​8466
  • Update to org.powermock 2.0.7 #​8465
  • Update to Reactor Dysprosium-SR7 #​8464
  • Update to Spring Framework 5.2.6.RELEASE #​8463
  • Update to Spring Data Moore-SR7 #​8462

v5.2.3.RELEASE

Compare Source

⏪ Non-passive
  • SwitchUserFilter vulnerable to CSRF #​8223
⭐ New Features
  • SpringTestContext returns ConfigurableWebApplicationContext #​8240
  • OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #​8235
  • Update Encryptors documentation for standard and stronger #​8212
  • Getting OAuth2AuthenticationException when Bearer token is empty #​8207
  • Document AuthorizedClientServiceOAuth2AuthorizedClientManager #​8159
  • Basic auth header without user results in exception #​8123
  • Typo 'properites' -> 'properties' in documentation #​8099
🪲 Bug Fixes
  • Update tests to use absolute paths #​8260
  • HttpServletRequest.logout() not functioning #​8241
  • OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #​8210
  • oauth2Login WebFlux should not auto-redirect for XHR request #​8202
  • Make OAuth2ErrorHttpMessageConverter more resilient #​8180
  • RSocket test should throw AccessDeniedException #​8155
  • Fix typo in Javadoc of HttpSecurity#csrf() #​8137
  • Empty RelayState causes errors with ADFS #​8070
  • Fix typo in AntPathRequestMatcher contructor comment #​8045
  • An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #​8040
  • OAuth2 access token response parsing fails with nested JSON object #​8021
  • Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #​7969
  • OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #​7967
  • OAuth2AuthorizationCodeGrantFilter should also match on query parameters #​7964
  • Query parameters in authorization-url are double-encoded #​7960
  • Don't force downcasting of RequestAttributes to ServletRequestAttributes #​7959
  • ClassCastException for ServletRequestAttributes #​7958
🔨 Dependency Upgrades
  • Update RSocket to 1.0.0-RC6 #​8280
  • Update to reactive-streams 1.0.3 #​8279
  • Update to OpenSAML 3.4.5 #​8278
  • Update to hibernate-entitymanager 5.4.13.Final #​8277
  • Update to hibernate-core 5.2.18.Final #​8276
  • Update blockhound to 1.0.3.RELEASE #​8275
  • Update to unboundid-ldapsdk 4.0.14 #​8274
  • Update to okhttp 3.14.7 #​8259
  • Update to Jackson 2.10.3 #​8258
  • Update to mockwebserver 3.14.7 #​8257
  • Update to org.powermock 2.0.6 #​8255
  • Upgrade to embedded Apache Tomcat 9.0.33 #​8254
  • Update to httpclient 4.5.12 #​8253
  • Update to Spring Boot 2.2.6.RELEASE #​8252
  • Update to GAE 1.9.79 #​8251
  • Update to Reactor Dysprosium-SR6 #​8250
  • Update to Spring Framework 5.2.5 #​8249
  • Update to Spring Data Moore-SR6 #​8248
  • Update to Jetty 9.4.22.v20191022 #​7507

v5.2.2.RELEASE

Compare Source

⭐ New Features
  • Don't cache requests with Accept: text/event-stream by default. #​7744
  • Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #​7717
  • Remove redundant validation for redirect-uri #​7707
  • Polish oauth2-client Error-handling Tests #​7647
  • Remove unnecessary code in SecurityExpressionRoot #​7635
  • Extract HTTPS Documentation #​7626
  • Remove unnecessary code in SecurityExpressionRoot #​7601
  • Make jwks_uri optional for RFC 8414 and required for OpenID Connect #​7573
🪲 Bug Fixes
  • Form login requiresAuthenticationMatcher is not used in WebFlux #​7867
  • Form Login authenticationFailureHandler is not used in ServerHttpSecurity #​7866
  • BasicAuthenticationFilter ignores credentials charset #​7859
  • Default LDIF file not picked up in LDAP "unboundid" mode #​7852
  • Incorrect LDIF file example in LDAP documentation #​7849
  • Use the custom ServerRequestCache that the user configures #​7753
  • RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #​7751
  • Disabling logout in WebFlux does nothing #​7742
  • Saml2Authentication isn't serializable #​7739
  • Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #​7738
  • CompositeServerHttpHeadersWriter Should Execute Sequentially #​7732
  • DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #​7729
  • DelegatingServerLogoutHandler Should Execute Sequentially #​7725
  • WebFlux oauth2Login returns 500 when bad client credentials #​7703
  • Correctly configure authorization requests repository for OAuth2 login #​7690
  • Correctly configure authorization requests repository for OAuth2 login #​7689
  • DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #​7684
  • Update @​MessageMapping to match input/output cardinality #​7669
  • Add http and https spring.schema mappings #​7623
  • Avoid toString in favor of getName in order to extract sid #​6354
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.2.1.RELEASE

Compare Source

⭐ New Features
  • Fix variable reference in sample code #​7571
  • spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #​7565
  • Add Resource Server Multi-tenancy Documentation #​7532
  • Update SAML sample to use boot auto config #​7521
  • Add Reactive CSRF Documentation #​6487
🪲 Bug Fixes
  • Restore Removed Throws Clauses #​7580
  • CsrfWebFilter should handle multipart/form-data #​7576
  • Make saveAuthorizedClient save the authorized client #​7551
  • DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #​7546
  • throws Exception was removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #​7541
  • SAML2 Provider SubjectConfirmation validation failure #​7514
  • SAML2 Provider AuthNRequest Hardcoded Protocol Binding #​7513
  • Clock skew to check access token expiration has wrong sign #​7511
🔨 Dependency Upgrades
  • Upgrade to Spring Boot 2.2.0.RELEASE #​7566
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.2.0.RELEASE

Compare Source

⭐ New Features
  • Add Hello RSocket Sample #​7504
  • Add RSocket Reference #​7502
  • CookieServerCsrfRepositoryTests should not start domain with a dot #​7500
  • Add OAuth2 Resource Server to Modules Section #​7498
  • Initial saml2 login docs #​7495
  • SAML 2 Assertion - Always require signature validation #​7490
  • Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver #​7488
  • CurrentSecurityContextArgumentResolver polishes #​7487
  • Add ClientRegistration.withClientRegistration(ClientRegistration) #​7486
  • Add hasAuthority method to RSocketSecurity #​7478
  • Align Servlet ExchangeFilterFunction CoreSubscriber #​7476
  • WebFluxSecurityConfiguration does not configure oauth2Client #​7470
  • Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #​7467
  • Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #​7466
  • Document Clear-Site-Data Support #​7463
  • Document RFC 8414 Support #​7462
  • Document Bearer Token Propagation #​7461
  • Document Reactive Mock Jwt Testing #​7460
  • Fixed typo in comment #​7458
  • Use Schedulers.boundedElastic() #​7457
  • AbstractUserDetailsReactiveAuthenticationManager uses newParallel #​7456
  • Add hasAnyAuthority method in AuthorizePayloadsSpec.Access #​7455
  • Add denyAll method in AuthorizePayloadsSpec.Access #​7451
  • AuthenticationFilter's methods should be private #​7447
  • AuthenticationFilter should provide session fixation protection #​7446
  • Use Jwt.Builder #​7443
  • Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority #​7437
  • Add AuthorizePayloadsSpec.Access hasAuthority #​7435
  • Document Resource Server User-Info Usage #​7431
  • Document Reactive Opaque Token Usage #​7430
  • Document NimbusReactiveJwtDecoder #​7425
  • Document Mock Jwt Testing #​7424
  • Servlet ExchangeFilterFunctions should align #​7422
  • Document Opaque Token Usage #​7420
  • ServletBearerExchangeFilterFunction should propagate Authentication #​7418
  • Document NimbusJwtDecoder #​7408
  • Document Jwt.Builder #​7407
  • Document OAuth2AuthenticatedPrincipal #​7406
  • DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange #​7390
  • Make OAuth2User extends OAuth2AuthenticatedPrincipal #​7383
  • OAuth2User should extend OAuth2AuthenticatedPrincipal #​7378
  • SamlAuthenticationProvider should propagate actual validation errors #​7375
  • Add Reactive Messaging AuthenticationPrincipalArgumentResolver #​7363
  • Allow Custom PayloadInterceptor to be Added #​7362
  • Default RSocketSecurity #​7361
  • Add nonce to OIDC Authentication Request #​7337
  • Introduce LogoutSuccessEvent #​7306
  • Mock Jwt should ensure that CSRF is not required #​7170
  • Document BearerTokenResolver in reference #​6254
  • Consider adding nonce to OIDC Authentication Request #​4442
  • SEC-2680: Fire an event when logout has finished #​2900
🪲 Bug Fixes
  • Correctly populate the AuthNRequest attributes #​7496
  • AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI #​7494
  • AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed #​7492
  • Always validate saml2 signatures #​7491
  • CurrentSecurityContext Javadoc should be about SecurityContext #​7489
  • Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… #​7450
  • SAML Response Skew is using the wrong type #​7448
  • Jwt.Builder should keep notBefore as an Instant #​7442
  • AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor #​7434
  • RSocketMessageHandlerITests could hang #​7415
  • RSocketSecurity anyRequest delegates to anyExchange #​7414
  • OpenSamlAuthenticationProvider should not throw AuthenticationServiceException #​7377
  • OpenSamlAuthenticationProvider should propagate validation errors #​7376
  • OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #​7036
🔨 Dependency Upgrades
  • Update to Spring Data Moore-RELEASE #​7506
  • Remaining dependency upgrades for 5.2.0 #​7505
  • Upgrade JSON jackson library to 2.10.0 #​7480
  • Release/dependencies for 5.2 ga #​7471
  • Update the AspectJ Gradle Plugin to 4.0.2 #​7427
  • Update to Gradle 5.6.2 #​7412
  • Upgrade to OpenSaml 3.4.3 #​7392
  • Upgrade embedded Apache Tomcat to 9.0.24 #​7384
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.1.13.RELEASE

Compare Source

🪲 Bug Fixes

  • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #​9059

🔨 Dependency Upgrades

  • Update to Spring Boot 2.1.17.RELEASE #​9078
  • Update to Hibernate Validator 6.0.21 #​9077
  • Update to org.aspectj 1.9.6 #​9076
  • Update to GAE 1.9.82 #​9075
  • Update to Jackson Databind 2.9.10.6 #​9074
  • Update to Spring Data Lovelace-SR20 #​9073
  • Update to Spring Framework 5.1.18 #​9072
  • Update to Reactor Californium-SR21 #​9071

v5.1.12.RELEASE

Compare Source

⭐ New Features

  • Add logging #​8891
  • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #​8857
  • Use Github Actions PR pipeline and remove Travis for 5.1.x #​8722
  • Use Github Actions PR pipeline in 5.1.x #​8717

🪲 Bug Fixes

  • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #​8898
  • Resolved bearer token has no padding indicators #​8839
  • Fix ProviderManager Javadoc typo #​8813
  • LoginPageGeneratingWebFilter should honor context path #​8810
  • RoleHierarchy is not used by AbstractAuthorizeTag #​8681
  • OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #​8674

🔨 Dependency Upgrades

  • Update to Spring Ldap 2.3.3 #​8943
  • Update to Hibernate Validator 6.0.20 #​8942
  • Update to Hibernate Entitymanager 5.3.17 #​8941
  • Update to Groovy 2.4.20 #​8940
  • Update to Spring Boot 2.1.16.RELEASE #​8939
  • Update to Google App Engine 1.9.81 #​8938
  • Update to Jackson Databind 2.9.10.5 #​8937
  • Update to Project Reactor Californium-SR20 #​8936
  • Update to Spring Framework 5.1.17 #​8935
  • Update to Spring Data Lovelace-SR19 #​8934

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.1.11.RELEASE

Compare Source

⭐ New Features

🪲 Bug Fixes

  • Remove unused field 'digester' in Md4PasswordEncoder #​8577
  • ACL : AclImpl.hashCode leads to StackOverflowError #​8571
  • Blocking in WebSessionServerCsrfTokenRepository #​8546
  • Fix AntPathRequestMatcher Javadoc #​8528
  • Document NoOpPasswordEncoder will not be removed #​8523
  • Fix non-standard HTTP method for CsrfWebFilter #​8517

🔨 Dependency Upgrades

v5.1.10.RELEASE

Compare Source

⭐ New Features

  • BCryptPasswordEncoder.encode() throws NPE #​8347

🪲 Bug Fixes

  • Fix Javadoc punctuation #​8496
  • Add ROLE_INFRASTRUCTURE to infrastructure beans #​8440
  • SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #​8431
  • Fix typo with correct capitalization #​8410
  • Global ServerSecurityContextRepository ignored by logout #​8388
  • Fix example in javadoc of FilterChainProxy #​8353
  • Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #​8339
  • Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #​8313

🔨 Dependency Upgrades

  • Update to org.powermock 2.0.7 #​8475
  • Update to Spring Data Lovelace-SR17 #​8474
  • Update to Reactor Californium-SR18 #​8473
  • Update to Spring Framework 5.1.15.RELEASE #​8472
  • Update to GAE 1.9.80 #​8470

v5.1.9.RELEASE

Compare Source

⭐ New Features
  • OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #​8236
  • SwitchUserFilter vulnerable to CSRF #​8224
  • Update Encryptors documentation for standard and stronger #​8215
  • Typo 'properites' -> 'properties' in documentation #​8100
  • Typo 'hasPermision()' in GlobalMethodSecurityBeanDefinitionParser.java #​8068
  • Remove unwanted code #​7949
🪲 Bug Fixes
  • HttpServletRequest.logout() not functioning #​8242
  • oauth2Login WebFlux should not auto-redirect for XHR request #​8203
  • Make OAuth2ErrorHttpMessageConverter more resilient #​8181
  • Fix typo in Javadoc of HttpSecurity#csrf() #​8135
  • Fix typo in AntPathRequestMatcher contructor comment #​8046
  • An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #​8043
  • OAuth2 access token response parsing fails with nested JSON object #​8022
  • OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #​7968
  • OAuth2AuthorizationCodeGrantFilter should also match on query parameters #​7965
🔨 Dependency Upgrades
  • Update to httpclient 4.5.12 #​8294
  • Update to hibernate-validator 6.0.19.Final #​8293
  • Update to reactive-streams 1.0.3 #​8292
  • Update to hibernate-core 5.2.18.Final #​8291
  • Update to groovy 2.4.19 #​8290
  • Update to unboundid-ldapsdk 4.0.14 #​8289
  • Update to okhttp 3.12.10 #​8288
  • Update to mockwebserver 3.12.10 #​8287
  • Update to org.powermock 2.0.6 #​8286
  • Update to Spring Boot 2.1.13.RELEASE #​8285
  • Update to GAE 1.9.79 #​8284
  • Update to Reactor Californium-SR17 #​8283
  • Update to Spring Data Lovelace-SR16 #​8282
  • Update to Spring Framework 5.1.14.RELEASE #​8281
  • Update to Jetty 9.4.22.v20191022 #​8093
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.1.8.RELEASE

Compare Source

⭐ New Features

  • Remove redundant validation for redirect-uri #​7708
  • WebClient support should get new access token when expired and client_credentials #​7685

🪲 Bug Fixes

  • Default LDIF file not picked up in LDAP "unboundid" mode #​7853
  • CompositeServerHttpHeadersWriter Should Execute Sequentially #​7735
  • DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #​7730
  • DelegatingServerLogoutHandler Should Execute Sequentially #​7727
  • WebFlux oauth2Login returns 500 when bad client credentials #​7704

🔨 Dependency Upgrades


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/maven-org.springframework.security-spring-security-web-vulnerability branch from 55db73b to 088083e Compare August 22, 2023 18:28