Releases: spring-projects/spring-security
Releases Β· spring-projects/spring-security
6.3.0-RC1
β New Features
- [ISSUE-11725] Add secondary statusCode messages on error #14743
- Add Authorization Denied Handlers for Method Security #14712
- Add ClientAuthenticationMethod constants tls_client_auth and self_signed_tls_client_auth #14889
- Add reference documentation for Token Exchange #14698
- Add Value-Type Ignore Support #14780
- Allow customization of redirect strategy in
CasAuthenticationEntrypoint#14881 - Create Authorized Proxy of Return Values #14669
- Handle SpEL AuthorizationDeniedExceptions #14882
- Improve logging in AuthenticationWebFilter #14764
- InitializeUserDetailsBeanManagerConfigurer inject PasswordEncoder into DaoAuthenticationProvider constructor #14766
- Provide Password (Compromised) Checking API #7395
- Simplification of creation of OAuth2TokenValidator with JwtValidators defaults. #14832
- Support Certificate-Bound (POP) JWT Access Token Validation #10538
- Support SpEL Returning AuthorizationDecision #14840
- Update reactive OAuth2 docs landing page with examples #14758
πͺ² Bug Fixes
- SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14806
- docs: fix typo in FilterChainProxy #14861
- Fix continueOnError default value in java doc #14871
- ReactiveOAuth2AuthorizedClientManagerConfiguration has been created too early #14900
- Transactional annotation breaks AOT for native image #14866
- Update the documentation of AuthenticationProvider.java #14710
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.4 #14875
- Bump ch.qos.logback:logback-classic from 1.5.4 to 1.5.5 #14905
- Bump com.gradle.enterprise from 3.16.2 to 3.17 #14849
- Bump io.micrometer:micrometer-observation from 1.12.4 to 1.12.5 #14868
- Bump io.projectreactor:reactor-bom from 2023.0.4 to 2023.0.5 #14874
- Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14820
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14785
- Bump org-aspectj from 1.9.21.2 to 1.9.22 #14800
- Bump org.gretty:gretty from 4.1.2 to 4.1.3 #14776
- Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14906
- Bump org.springframework.ldap:spring-ldap-core from 3.2.2 to 3.2.3 #14893
- Bump org.springframework:spring-framework-bom from 6.1.5 to 6.1.6 #14892
- Upgrade to Spring Data Bom 2024.0.0-RC1 #14901
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@Ali-Hassan33, @CrazyParanoid, @ThomasHagelberg, @dependabot[bot], @erie0210, @jzheaux, @kse-music, @marcusdacoregio, and @youngkih
Contributors
jzheaux, marcusdacoregio, and 7 other contributors
Assets 2
6.2.4
πͺ² Bug Fixes
- SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14805
- Address AuthorizationObservationConvention Package Tangle #14795
- bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #14848
- Transactional annotation breaks AOT for native image #14865
π¨ Dependency Upgrades
- Bump io.micrometer:micrometer-observation from 1.12.4 to 1.12.5 #14867
- Bump io.projectreactor:reactor-bom from 2023.0.4 to 2023.0.5 #14873
- Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14821
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14786
- Bump org-aspectj from 1.9.21.2 to 1.9.22 #14798
- Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14907
- Bump org.springframework.data:spring-data-bom from 2023.1.4 to 2023.1.5 #14908
- Bump org.springframework.ldap:spring-ldap-core from 3.2.2 to 3.2.3 #14896
- Bump org.springframework:spring-framework-bom from 6.1.5 to 6.1.6 #14895
- Update org.opensaml:opensaml-core4 to 4.3.1 #14850
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot]
Contributors
dependabot
Assets 2
6.1.9
β New Features
- Bump Gradle Wrapper from 8.6 to 8.7 #14796
πͺ² Bug Fixes
- SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14634
- Address AuthorizationObservationConvention Package Tangle #14794
- bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #14847
- Transactional annotation breaks AOT for native image #14825
π¨ Dependency Upgrades
- Bump io.projectreactor:reactor-bom from 2022.0.17 to 2022.0.18 #14876
- Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14823
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #14783
- Bump org-aspectj from 1.9.21.2 to 1.9.22 #14799
- Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #14909
- Bump org.springframework:spring-framework-bom from 6.0.18 to 6.0.19 #14894
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot] and @github-actions[bot]
Contributors
dependabot
Assets 2
5.8.12
πͺ² Bug Fixes
- Conditional check for data-source-ref is incorrect #14742
π¨ Dependency Upgrades
- Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #14878
- Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #14877
- Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14822
- Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #14891
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.3.0-M3
β New Features
- Add ContinueOnError Support for Failed Authentications #14591
- Add DelegatingAuthenticationConverter #14655
- Add DelegatingServerAuthenticationConverter #14654
- Add JSON session support for SwitchUserGrantedAuthority #11758
- Add meta-annotation annotation parameter support #14494
- Add Programmatic Proxy Support for Method Security #14716
- Add support for configuring token-exchange via a bean #14701
- Add support for OAuth 2.0 Token Exchange Grant #14692
- Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo #14672
- Fix Delegation-based Strategy with OidcUserService/OidcReactiveOAuth2UserService examples #12281
- Implement customization of
rolePrefixinLdapUserDetailsManager#14574 - Introduce Customizable AuthorizationFailureHandler in OAuth2AuthorizationRequestRedirectFilter #14168
- Simplify configuration of reactive OAuth2 Client component model #13763
πͺ² Bug Fixes
- Check for
nullAuthentication #14667 - PostAuthorize Method Interceptors Should Use Order from
AuthorizationInterceptorsOrder#14724 - Publishing PrePostTemplateDefaults creates circular dependency #14674
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.4.14 to 1.5.3 #14744
- Bump com.fasterxml.jackson:jackson-bom from 2.15.4 to 2.17.0 #14746
- Bump com.github.ben-manes:gradle-versions-plugin from 0.38.0 to 0.51.0 #14753
- Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 #14737
- Bump com.gradle.enterprise from 3.12.6 to 3.16.2 #14760
- Bump com.nimbusds:oauth2-oidc-sdk from 9.43.3 to 9.43.4 #14695
- Bump io.freefair.gradle:aspectj-plugin from 8.4 to 8.6 #14755
- Bump io.github.gradle-nexus:publish-plugin from 1.1.0 to 1.3.0 #14761
- Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14718
- Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14659
- Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14727
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14707
- Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14738
- Bump org.assertj:assertj-core from 3.24.2 to 3.25.3 #14748
- Bump org.gretty:gretty from 4.0.3 to 4.1.2 #14754
- Bump org.hibernate.orm:hibernate-core from 6.3.2.Final to 6.4.4.Final #14747
- Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14709
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14708
- Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.7.3 to 1.8.0 #14739
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.4 to 4.33.13 #14735
- Bump org.mockito:mockito-bom from 5.5.0 to 5.11.0 #14736
- Bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 2.7.1 to 2.8.0.1969 #14752
- Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14769
- Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14756
- Bump org.yaml:snakeyaml from 1.30 to 1.33 #14745
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@CrazyParanoid, @Haarolean, @daniel-shuy, @dependabot[bot], @jzheaux, @kse-music, @leewin12, @markusheiden, and @sjohnr
Contributors
markusheiden, Haarolean, and 7 other contributors
Assets 2
6.2.3
β New Features
- Structure101 Plugin Should Ignore Deprecated Files #14640
πͺ² Bug Fixes
- Check for
nullAuthentication #14666 - Fix Package Tangle in CAS #14641
- LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14648
- ObservationTextHandler class is not defined in a reactive context #14653
- PostAuthorize Method Interceptors Should Use Order from
AuthorizationInterceptorsOrder#14723 - Spring security's ServerLogoutHandler order problem. #14682
π¨ Dependency Upgrades
- Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14719
- Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14661
- Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14726
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14705
- Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14734
- Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14706
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14704
- Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14770
- Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14757
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot]
Contributors
dependabot
Assets 2
6.1.8
πͺ² Bug Fixes
- Check for
nullAuthentication #14665 - Fix Package Tangle in CAS #14627
- Fix Package Tangle in SAML 2.0 #14628
- LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14647
- ObservationTextHandler class is not defined in a reactive context #14651
- PostAuthorize Method Interceptors Should Use Order from
AuthorizationInterceptorsOrder#14722 - Spring security's ServerLogoutHandler order problem. #14681
π¨ Dependency Upgrades
- Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14660
- Bump io.projectreactor:reactor-bom from 2022.0.16 to 2022.0.17 #14728
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14703
- Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14733
- Bump org.springframework:spring-framework-bom from 6.0.17 to 6.0.18 #14762
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot]
Contributors
dependabot
Assets 2
5.8.11
πͺ² Bug Fixes
- Allow tab in HTTP header values. #14590
- Check for
nullAuthentication #14664 - PostAuthorize Method Interceptors Should Use Order from
AuthorizationInterceptorsOrder#14720 - Remove duplicate setSecurityContextHolderStrategy #14603
- Spring security's ServerLogoutHandler order problem. #14379
π¨ Dependency Upgrades
- Bump io.projectreactor.netty:reactor-netty from 1.0.41 to 1.0.43 #14730
- Bump io.projectreactor:reactor-bom from 2020.0.41 to 2020.0.42 #14729
- Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 #14759
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.12
6.3.0-M2
β New Features
- Add
usernameParameterandpasswordParameterto FormLoginDsl #14488 - Add argument resolver for SecurityContext #14449
- Add functionality to set custom web client in ReactiveOidcIdTokenDecoderFactory #13301
- Cleanup Saml2MetadataFilter #14476
- Customize when UserInfo is called #13259
- Implement providing a custom AuthoritiesPopulator in ADLdapAuthProvider #14539
- Migrate spring-security-rsa into spring-security-crypto #14202
- Nested username attribute in DefaultOAuth2User #14265
- Revise
AuthorizationAnnotationUtils#14407 - Spring Security annotations on subclasses support intercepting parent class methods. #14516
πͺ² Bug Fixes
WebTestUtilsTestRuntimeHintsshould implementRuntimeHintsRegistrar#14469- Cannot configure
SecurityContextRepositoryinCasAuthenticationFilter#14537 - Fix wrong class name in JavaDoc #14466
- Fixed Interceptor name in Method Security reference document #14475
- Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14471
- Typo: Update anonymous.adoc #14541
- Typo: Update rememberme.adoc #14542
π¨ Dependency Upgrades
- Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #14619
- Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14578
- Bump gradle/gradle-build-action from 2 to 3 #14502
- Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #14588
- Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #14613
- Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14462
- Bump org-aspectj from 1.9.21 to 1.9.21.1 #14604
- Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14517
- Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #14544
- Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14556
- Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #14625
- Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #14620
- Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #14618
- Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14501
- Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14579
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@Haarolean, @NerminKarapandzic, @ahmd-nabil, @boulce, @dependabot[bot], @irerin07, @kse-music, @leshalv, @sbrannen, @sonallux, @ty-v1, and @ubaid4j
Contributors
sbrannen, Haarolean, and 10 other contributors