Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
4.2.14.RELEASE
⭐ New Features
🔨 Dependency Upgrades
- Update to Thymeleaf 3.0.11.RELEASE #7948
- Update to Spring Boot 1.5.22.RELEASE #7947
- Update to Spring Session 1.3.5.RELEASE #7946
- Update to Spring Data Redis 1.8.23.RELEASE #7945
- Update to Spring Data JPA 1.11.23.RELEASE #7944
- Update to Spring Data Commons 1.13.23.RELEASE #7943
- Update to CGLIB 3.2.12 #7942
- Update to Spring Framework 4.3.26.RELEASE #7941
5.3.0.RC1
⭐ New Features
- Add RSocket Authentication Extension Support #7935
- SecurityEvaluationContextExtension.getRootObject() Specific Type #7891
- Add oauth2Client MockMvc Test Support #7886
- Nimbus JwtDecoders should differentiate token and service errors #7885
- Remove redundant branches from SessionManagementConfigurer #7879
- AuthenticationWebFilter's ReactiveAuthenticationManagerResolver should take a ServerWebExchange #7872
- SAML2: Wrong IdP response URL throws NPE (for non-existing "RelyingParty") #7865
- Typo in doc #7830
- Add oauth2Login Reactive Test support #7828
- Improve Bearer Token Error Handling #7826
- Add BearerTokenErrors #7823
- Add InvalidBearerTokenException #7822
- Make OAuth2AccessToken converters public #7815
- AuthenticationEventPublisher Lookup #7802
- Modernize Documentation Styling #7801
- Invalid OAuth2 login attempts don't emit a corresponding ApplicationEvent #7793
- Set secure on cookie when logging out #7764
- Introduce Reactive OAuth2Authorization success/failure handlers #7756
- ProviderManager should have a varargs constructor #7713
- Introduce Reactive OAuth2Authorization success/failure handlers #7699
- Migrate LDAP integration tests groovy->java #7691
- WebSecurityConfigurerAdapter: Unable to use custom AuthenticationEventPublisher #7515
- Add Jackson support to OAuth2 session related classes #4886
🪲 Bug Fixes
- Build failing with NoSuchMethodError #7888
- cassample integration tests are failing #7874
- Form login requiresAuthenticationMatcher is not used in WebFlux #7863
- BasicAuthenticationFilter ignores credentials charset #7835
- Default LDIF file not picked up in LDAP "unboundid" mode #7833
- Incorrect LDIF file example in LDAP documentation #7832
- OpaqueTokenRequestPostProcessor should respect configuration order #7800
- Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7782
🔨 Dependency Upgrades
- Update to Gradle 6.1.1 #7936
- Update to GAE 1.9.78 #7893
- Update to Spring Boot 2.2.4.RELEASE #7892
- Update Gradle 6.1 #7838
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.2.RELEASE
⭐ New Features
- Don't cache requests with
Accept: text/event-streamby default. #7744 - Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7717
- Remove redundant validation for redirect-uri #7707
- Polish oauth2-client Error-handling Tests #7647
- Remove unnecessary code in SecurityExpressionRoot #7635
- Extract HTTPS Documentation #7626
- Remove unnecessary code in SecurityExpressionRoot #7601
- Make jwks_uri optional for RFC 8414 and required for OpenID Connect #7573
🪲 Bug Fixes
- Form login requiresAuthenticationMatcher is not used in WebFlux #7867
- Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7866
- BasicAuthenticationFilter ignores credentials charset #7859
- Default LDIF file not picked up in LDAP "unboundid" mode #7852
- Incorrect LDIF file example in LDAP documentation #7849
- Use the custom ServerRequestCache that the user configures #7753
- RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7751
- Disabling logout in WebFlux does nothing #7742
- Saml2Authentication isn't serializable #7739
- Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7738
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7732
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7729
- DelegatingServerLogoutHandler Should Execute Sequentially #7725
- WebFlux oauth2Login returns 500 when bad client credentials #7703
- Correctly configure authorization requests repository for OAuth2 login #7690
- Correctly configure authorization requests repository for OAuth2 login #7689
- DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7684
- Update @MessageMapping to match input/output cardinality #7669
- Add http and https spring.schema mappings #7623
- Avoid toString in favor of getName in order to extract sid #6354
🔨 Dependency Upgrades
- Update to Spring Boot 2.2.4 #7909
- Update to org.slf4j 1.7.30 #7908
- Update to org.powermock 2.0.5 #7907
- Update to hibernate-validator 6.1.2.Final #7906
- Update to hibernate-entitymanager 5.4.10.Final #7905
- Update to org.aspectj 1.9.5 #7904
- Update to httpclient 4.5.11 #7903
- Update to commons-codec 1.14 #7899
- Update to com.squareup.okhttp3 3.14.6 #7898
- Update to Jackson 2.10.2 #7897
- Update to Reactor Dysprosium SR4 #7896
- Update to Spring Data Moore SR3 #7895
- Update to Spring Framework 5.2.3 #7894
- Update nimbus-jose-jwt because of CVE-2019-17195 #7570
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.1.8.RELEASE
⭐ New Features
- Remove redundant validation for redirect-uri #7708
- WebClient support should get new access token when expired and client_credentials #7685
🪲 Bug Fixes
- Default LDIF file not picked up in LDAP "unboundid" mode #7853
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7735
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7730
- DelegatingServerLogoutHandler Should Execute Sequentially #7727
- WebFlux oauth2Login returns 500 when bad client credentials #7704
🔨 Dependency Upgrades
- Update to Spring Boot 2.1.12 #7923
- Update to org.slf4j 1.7.30 #7922
- Update to org.powermock 2.0.5 #7921
- Update to hibernate-validator 6.0.18.Final #7920
- Update to hibernate-entitymanager 5.3.15.Final #7919
- Update to org.bouncycastle:bcpkix-jdk15on 1.64 #7918
- Update to org.aspectj 1.9.5 #7917
- Update to httpclient 4.5.11 #7916
- Update to com.squareup.okhttp3 3.12.8 #7915
- Update to Jackson 2.9.10 #7914
- Update to Reactor Californium-SR15 #7913
- Update to Spring Data Lovelace SR15 #7912
- Update to Spring Framework 5.1.13 #7911
5.0.14.RELEASE
🪲 Bug Fixes
- Default LDIF file not picked up in LDAP "unboundid" mode #7854
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7736
- SEC-2980: Possible race condition in SessionRegistryImpl #7227
🔨 Dependency Upgrades
- Update to org.slf4j 1.7.30 #7934
- Update to org.powermock 2.0.5 #7933
- Update to hibernate-validator 6.0.18.Final #7932
- Update to org.bouncycastle:bcprov-jdk15on 1.64 #7931
- Update to org.bouncycastle:bcpkix-jdk15on 1.64 #7930
- Update to org.aspectj 1.9.5 #7929
- Update to httpclient 4.5.11 #7928
- Update to com.squareup.okhttp3 3.12.8 #7927
- Update to Jackson 2.9.10 #7926
- Update to Spring Framework 5.0.16 #7924
5.3.0.M1
⭐ New Features
- Allow disabling dependency locking #7799
- Build task "snapshots" should not use locked dependencies #7798
- Add oauth2Login MockMvc Test Support #7789
- Manage Versions using Version Locking #7788
- Use Gradle Platform / Constraints #7787
- Idiomatic Kotlin DSL for configuring HTTP security in servlet based applications #7785
- Fix description of PasswordEncoder #7784
- Fix unchecked assignment and possible NPE #7773
- Resolve JavaType only once for whitelisted class #7755
- Set secure when cancelling remember-me cookie #7726
- Add JwtIssuerAuthenticationManagerResolver #7724
- Add opaque token test support #7712
- Remove redundant validation for redirect-uri #7706
- Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7702
- Incomplete Documentation for Setting Up MockMvc and Spring Security #7688
- Add Oidc Login Reactive Test Support #7680
- Remove consecutive-word duplications in Javadocs #7673
- Fix InitializeAuthenticationProviderBeanManagerConfigurer Javadoc #7666
- Fix minor typo in HttpSecurity documentation #7663
- Check BCrypt hashed value of a byte array #7661
- Allow configuration of AuthenticationManager in saml2Login() #7654
- Add oidcLogin MockMvc Test Support #7618
- Add OidcUserInfo.Builder #7593
- Add OidcIdToken.Builder #7592
- Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7569
- Specify return type in InitializeUserDetailsBeanManagerConfigurer method Javadoc #7557
- In Test @AuthenticationPrincipal is null because ServerWebExchange is not wrapped #6598
- Make MethodSecurityEvaluationContext Delegates to MethodBasedEvaluationContext #6249
- Override the key to avoid CookieTheftException #5509
- Add resource server support for multiple trusted JWT access token issuers #5385
- RememberMeConfigurer does not use the key from RememberMeServices #4140
- Option in BasicAuthenticationFilter to log more exception info #3308
🪲 Bug Fixes
- OidcLoginRequestPostProcessor should respect configuration order #7794
- Fix var typo and code readability in resource server documentation #7772
- Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7737
- Use the custom ServerRequestCache for Oauth2LoginSpec #7734
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7731
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7728
- DelegatingServerLogoutHandler Should Execute Sequentially #7723
- RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7721
- Disabling logout in WebFlux does nothing #7682
- Saml2Authentication isn't serializable #7681
- Correctly configure authorization requests repository for OAuth2 login #7675
- Error in javadoc for oauth2ResourceServer #7670
- DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7544
- WebFlux oauth2Login returns 500 when bad client credentials #5562
🔨 Dependency Upgrades
⏪ Non-passive
- UsernamePasswordAuthenticationTokenDeserializer doesn't deserialize details to correct type #7482
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.1.RELEASE
⭐ New Features
- Fix variable reference in sample code #7571
- spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #7565
- Add Resource Server Multi-tenancy Documentation #7532
- Update SAML sample to use boot auto config #7521
- Add Reactive CSRF Documentation #6487
🪲 Bug Fixes
- Restore Removed Throws Clauses #7580
- CsrfWebFilter should handle multipart/form-data #7576
- Make saveAuthorizedClient save the authorized client #7551
- DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #7546
throws Exceptionwas removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #7541- SAML2 Provider SubjectConfirmation validation failure #7514
- SAML2 Provider AuthNRequest Hardcoded Protocol Binding #7513
- Clock skew to check access token expiration has wrong sign #7511
🔨 Dependency Upgrades
- Upgrade to Spring Boot 2.2.0.RELEASE #7566
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.1.7.RELEASE
⭐ New Features
- CookieServerCsrfRepositoryTests should not start domain with a dot #7501
- Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7225
🪲 Bug Fixes
- OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7469
- RequestContextSubscriber could put null value in Reactor Context #7410
- OAuth2AuthorizationRequest not removed from session #7369
- InMemoryReactiveClientRegistrationRepository should not use ConcurrentReferenceHashMap #7359
- NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7340
- SEC-2971: Footnotes are messed up in online docs #7326
- Confusing example - WebMvcConfigurer vs WebSecurityConfigurerAdapter #7303
- OnCommittedResponseWrapper fails on static resources served by Tomcat 8.5 #7297
- Fix WebClient Memory Leaks #7294
- Ensure filter order is maintained when using springSecurity() along with other filters #7267
- SessionAuthenticationStrategy make HttpSecurity.sessionManagement().maximumSessions(1) unavailability #7262
- SEC-2980: Possible race condition in SessionRegistryImpl #7226
5.2.0.RELEASE
⭐ New Features
- Add Hello RSocket Sample #7504
- Add RSocket Reference #7502
- CookieServerCsrfRepositoryTests should not start domain with a dot #7500
- Add OAuth2 Resource Server to Modules Section #7498
- Initial saml2 login docs #7495
- SAML 2 Assertion - Always require signature validation #7490
- Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver #7488
- CurrentSecurityContextArgumentResolver polishes #7487
- Add ClientRegistration.withClientRegistration(ClientRegistration) #7486
- Add hasAuthority method to RSocketSecurity #7478
- Align Servlet ExchangeFilterFunction CoreSubscriber #7476
- WebFluxSecurityConfiguration does not configure oauth2Client #7470
- Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7467
- Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7466
- Document Clear-Site-Data Support #7463
- Document RFC 8414 Support #7462
- Document Bearer Token Propagation #7461
- Document Reactive Mock Jwt Testing #7460
- Fixed typo in comment #7458
- Use Schedulers.boundedElastic() #7457
- AbstractUserDetailsReactiveAuthenticationManager uses newParallel #7456
- Add hasAnyAuthority method in AuthorizePayloadsSpec.Access #7455
- Add denyAll method in AuthorizePayloadsSpec.Access #7451
- AuthenticationFilter's methods should be private #7447
- AuthenticationFilter should provide session fixation protection #7446
- Use Jwt.Builder #7443
- Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority #7437
- Add AuthorizePayloadsSpec.Access hasAuthority #7435
- Document Resource Server User-Info Usage #7431
- Document Reactive Opaque Token Usage #7430
- Document NimbusReactiveJwtDecoder #7425
- Document Mock Jwt Testing #7424
- Servlet ExchangeFilterFunctions should align #7422
- Document Opaque Token Usage #7420
- ServletBearerExchangeFilterFunction should propagate Authentication #7418
- Document NimbusJwtDecoder #7408
- Document Jwt.Builder #7407
- Document OAuth2AuthenticatedPrincipal #7406
- DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange #7390
- Make OAuth2User extends OAuth2AuthenticatedPrincipal #7383
- OAuth2User should extend OAuth2AuthenticatedPrincipal #7378
- SamlAuthenticationProvider should propagate actual validation errors #7375
- Add Reactive Messaging AuthenticationPrincipalArgumentResolver #7363
- Allow Custom PayloadInterceptor to be Added #7362
- Default RSocketSecurity #7361
- Add nonce to OIDC Authentication Request #7337
- Introduce LogoutSuccessEvent #7306
- Mock Jwt should ensure that CSRF is not required #7170
- Document BearerTokenResolver in reference #6254
- Consider adding nonce to OIDC Authentication Request #4442
- SEC-2680: Fire an event when logout has finished #2900
🪲 Bug Fixes
- Correctly populate the AuthNRequest attributes #7496
- AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI #7494
- AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed #7492
- Always validate saml2 signatures #7491
- CurrentSecurityContext Javadoc should be about SecurityContext #7489
- Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… #7450
- SAML Response Skew is using the wrong type #7448
- Jwt.Builder should keep notBefore as an Instant #7442
- AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor #7434
- RSocketMessageHandlerITests could hang #7415
- RSocketSecurity anyRequest delegates to anyExchange #7414
- OpenSamlAuthenticationProvider should not throw AuthenticationServiceException #7377
- OpenSamlAuthenticationProvider should propagate validation errors #7376
- OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7036
🔨 Dependency Upgrades
- Update to Spring Data Moore-RELEASE #7506
- Remaining dependency upgrades for 5.2.0 #7505
- Upgrade JSON jackson library to 2.10.0 #7480
- Release/dependencies for 5.2 ga #7471
- Update the AspectJ Gradle Plugin to 4.0.2 #7427
- Update to Gradle 5.6.2 #7412
- Upgrade to OpenSaml 3.4.3 #7392
- Upgrade embedded Apache Tomcat to 9.0.24 #7384
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.0.RC1
⭐ New Features
- Add attributes Consumer to OAuth2AuthorizationContext #7385
- Improve DefaultReactiveOAuth2UserService handling IOException #7370
- Add RSocket Support #7360
- Polish Server|ServletBearerExchangeFilterFunction #7355
- Refactor Servlet/Server BearerExchangeFilterFunction #7353
- OAuth2AuthorizeRequest supports attributes #7352
- Grant Individual Authorities From Claims #7351
- DefaultOAuth2AuthorizedClientManager and DefaultServerOAuth2AuthorizedClientManager Alignment #7350
- Align Servlet ClearSiteData expression of directives #7347
- Add Adapter to Translate Jwt to BearerTokenAuthentication #7346
- Opaque Token Introspector should return an Authenticated Principal #7345
- Opaque Token Introspection Strategy Flexibility #7344
- Add BearerTokenAuthentication #7343
- Add OAuth2AuthenticatedPrincipal #7342
- OAuth2AuthorizeRequest supports attributes #7341
- DefaultOAuth2UserService should extract authorities #7339
- InMemoryReactiveClientRegistrationRepository should check for duplicates #7338
- Add Servlet and ServerBearerExchangeFilterFunction #7330
- Update to Gradle 5.6.1 #7323
- Simplify and improve the buildSrc gradle plugin #7302
- Update to Gradle 5.6 #7300
- Add Catalan localization messages #7288
- Add Catalan localization messages #7287
- Resource Server should support WebClient Bearer Token propagation #7284
- Sample should use UserDetailsService bean instead of configureGlobal method #7283
- Mock Jwt Test Samples #7278
- Allow to set default securityContextRepository for each authenticatio… #7275
- Resource Server Multi-tenancy Sample Should Manage Its Own Jwt Decoder #7272
- Add setter for authorities claim name in JwtGrantedAuthoritiesConverter #7271
- Jwk Set Uri Nimbus Jwt Decoder builders should take SignatureAlgorithm #7270
- Add setContentLengthLong detection to OnCommittedResponseWrapper. #7264
- Consolidate shared code between JwtDecoders and ReactiveJwtDecoders #7263
- Remove MultiTenantAuthenticationManagerResolver #7259
- Add setter for authority prefix in JwtGrantedAuthoritiesConverter #7256
- Prevent IntelliJ IDEA from generating spaces for indentation #7253
- TokenBasedRememberMeServices.processAutoLoginCookie (TokenBasedRememberMeServices.java:134) java.lang.NullPointerException #7251
- Authentication Mechanisms Should Default their ServerSecurityContextRepository #7249
- Rename OAuth2TokenIntrospectionClient #7246
- Consider renaming OAuth2TokenIntrospectionClient #7245
- Add OAuth2LoginSpec#securityContextRepository #7244
- Cleanup Code Style Issues #7238
- Add Checkstyle configuration for IntelliJ IDEA #7237
- Expose getPort in ApacheDsContainer #7236
- OAuth2LoginConfigurer should discover OAuth2UserService beans #7232
- Make ldap integration tests independent #7231
- Remove unused imports #7229
- ServerHttpSecurity: oauth2Login() ignores securityContextRepository() #7222
- Use the 'io.freefair.aspectj' gradle plugin #7183
- Add RequestMatcher.matcher(HttpServletRequest) #7172
- ignore Multipart requests in HttpSessionRequestCache.requestMatcher #7167
- Add test examples for Oauth2 Resource Server sample #7159
- Add unbounid support in xml #7149
- OAuth2AuthorizedClientManager implementation works outside of request #7122
- Improve OAuth2 Resource Server tests #7118
- Introduce Reactive OAuth2AuthorizedClient Manager/Provider #7116
- Allow configurable Clock in OAuth2AuthorizedClientProvider impls #7114
- JwtGrantedAuthoritiesConverter should allow configuring the authority prefix #7101
- JwtGrantedAuthoritiesConverter should allow configuring the authorities claim name #7100
- Add authenticationFailureHandler method in OAuth2LoginSpec #7071
- v5.2.0.M3 docs contain Deprecated example code #7062
- Multipartfile request with no authentication is still consumed even after an AccessDeniedException is thrown #7060
- Add OAuth2LoginSpec.authenticationFailureHandler #7051
- Add Argon2PasswordEncoder #7045
- Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7026
- Add support for Resource Owner Password Credentials grant #7013
- Jwt decoding should support multiple algorithms #6883
- Polish Resource Server DSL Error Messaging #6876
- Remove Invalid WebMvcConfigurer from Sample Documentation #6822
- Align code in oauth2-client extensions for WebClient #6811
- OAuth2 Client Credentials Flow: Getting access tokens in the service/data tier #6780
- Provide Servlet equivalent of UnAuthenticatedServerOAuth2AuthorizedClientRepository #6683
- Spring Boot + spring-security-oauth2-resource-server should not throw a ClassNotFoundException once it supports more than one token format #6209
- Support Resource Owner Password Credentials grant #6003
- Add Argon2PasswordEncoder #5354
- Add BearerExchangeFilterFunction #5334
🪲 Bug Fixes
- Remove package tangle in headers #7380
- Remove OAuth2AuthorizationRequest when a distributed session is used [#7334](https://github.com/spring-projects/spring-se...