Releases: spring-projects/spring-security
5.5.0
⭐ New Features
- Configure user name used for Gradle CI builds #9747
- HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
- Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
- Restore Dependency Constraints for commons-codec and commons-logging #8836
- Stop CI Jobs on Forks #9717
- Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730
🔨 Dependency Upgrades
- Update io.projectreactor to 2020.0.7 #9750
- Update io.spring.nohttp to 0.0.8 #9753
- Update org.springframework to 5.3.7 #9754
- Update org.springframework.data to 2021.0.1 #9755
- Update r2dbc-spi-test to 0.8.5.RELEASE #9752
- Update spring-ldap-core to 2.3.4.RELEASE #9756
- Update to com.gradle.enterprise 3.6.1 #9764
- Update to Gradle 6.9 #9758
- Update to Kotlin 1.5.0 #9763
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.0-RC2
⏪ Breaking Changes
- Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
- Inline ResourceKeyConverterAdapter #9689
⭐ New Features
- Add Ability to Exclude Minor Version Bump #9709
- Add Task to Check if All Issues in GitHub Milestone are closed #9693
- rename master->main #9683
- Make Csrf cookie secure flag configurable (WebFlux) #9679
- Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
- Add RELEASE.adoc #9627
🔨 Dependency Upgrades
- Update ehcache to 2.10.9.2 #9712
- Update hibernate-entitymanager to 5.4.31.Final #9714
- Update io.spring.javaformat to 0.0.28 #9710
- Update io.spring.nohttp to 0.0.7 #9711
- Update MockK to 1.11.0 #9691
- Update org.eclipse.jetty to 9.4.40.v20210413 #9713
- Update org.springframework to 5.3.6 #9715
- Update org.springframework.data to 2021.0.0 #9716
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.5.0-RC1
⭐ New Features
- Add Sections to What's New #9596
- Add AfterMethodAuthorizationManager #9591
- Add Kotlin DSL section to What's New #9589
- Add Configuration section to What's New #9588
- Add coroutine support to pre/post authorize #9586
- Make OAuth2AuthorizationResponseType constructor public #9584
- Deprecate OAuth2AuthorizationResponseType.TOKEN #9582
- Support Create/Delete Release on spring.io #9577
- Update to commons-codec 1.15 #9575
- Fix deprecation warnings in DocsPlugin #9547
- Fix deprecation warnings for SchemaZipPlugin #9546
- Use Checkstyle.configDirectory #9545
- Re-enable Gradle dependency cache #9544
- Use Gradle Constraints + platform instead of DependencyManagementPlugin #9541
- Use new api/implementation configurations #9540
- Extract Build Conventions to buildSrc #9539
- Update javadoc for AesBytesEncryptor constructors #9536
- Add jwt-bearer authorization grant #9535
- Change build to use GPG_PRIVATE_KEY_NO_HEADER #9531
- Update ComparableVersion to version from Maven 3.6.3 #9521
- Add Jwt Client Authentication support #9520
- Add javadoc at constructors. #9518
- Add Saml2MessageBinding#from #9515
- Test method in PasswordOAuth2AuthorizedClientProviderTests has incorrect setup of token expiry #9506
- Upgrade to Gradle 6.8.2 #9458
- Update Spring Security build to require JDK 11 #9419
- Add JavaDoc to AesBytesEncryptor #9361
- Add OpenSAML 4 support #9267
- Add OpenSaml 4 support #9095
- Support JWT for Client Authentication #8175
- Make EnableReactiveMethodSecurity compatible with Kotlin Coroutines #8143
- Support JWT as an Authorization Grant for client #6053
🪲 Bug Fixes
- Fix package tangle in Resource Server #9576
- Add package-list #9562
- Add null check in CsrfFilter and CsrfWebFilter #9561
- Fix javadoc in crypto/encrypt/Encryptors.java #9537
- Fix Javadoc errors in spring-security-saml2-service-provider #9530
- @Order annotations cannot be used with @Bean methods #9154
🔨 Dependency Upgrades
- Update htmlunit-driver to 2.49.1 #9624
- Update htmlunit to 2.49.1 #9623
- Update io.spring.nohttp to 0.0.6.RELEASE #9622
- Update reactor-netty to 1.0.6 #9621
- Update io.projectreactor to 2020.0.6 #9620
- Update com.nimbusds to 9.3.3 #9619
- Update jackson-datatype-jsr310 to 2.12.3 #9618
- Update jackson-databind to 2.12.3 #9617
- Update jackson-bom to 2.12.3 #9616
- Update spring-data-bom to 2020.0.7 #9574
- Update mockito-core to 3.9.0 #9573
- Update hsqldb to 2.6.0 #9572
- Update blockhound to 1.0.6.RELEASE #9571
- Update aspectj-plugin to 5.3.3.3 #9570
- Update com.nimbusds to 9.3.1 #9569
- Update org.jetbrains.kotlin to 1.4.32 #9555
- Update nohttp-checkstyle to 0.0.5.RELEASE #9554
- Update io.spring.javaformat to 0.0.27 #9553
- Update spring-doc-resources to 0.2.5 #9552
- Update r2dbc-spi-test to 0.8.4.RELEASE #9551
- Update aspectj-plugin to 5.3.0 #9550
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.6
5.3.9.RELEASE
5.2.10.RELEASE
🪲 Bug Fixes
- Add null check in CsrfFilter and CsrfWebFilter #9594
🔨 Dependency Upgrades
- Update to nohttp 0.0.6.RELEASE #9609
- Update to GAE 1.9.88 #9608
- Update to OpenSAML 3.4.6 #9607
- Update to hibernate-entitymanager 5.4.30.Final #9606
- Update to Groovy 2.4.21 #9605
- Update to embedded Apache Tomcat 9.0.45 #9604
- Update blockhound to 1.0.6.RELEASE #9603
- Update to RSocket 1.0.4 #9602
- Update to Spring Data Moore-SR13 #9601
- Update to Spring Framework 5.2.13.RELEASE #9600
- Update to Reactor Dysprosium-SR18 #9599
5.5.0-M3
⭐ New Features
- Clarify in Javadoc that .csrf() enables CSRF protection #9489
- Throw Saml2AuthenticationException in Saml2AuthenticationTokenConverter on deflation or decoding error #9468
- Allow ACL to be owned by GrantedAuthoritySid #9454
- Add setMetadataFilename method to Saml2MetadataFilter #9393
- Improve HttpSessionSecurityContextRepository performance #9387
- Kotlin DSL extension for HttpSecurity#rememberMe #9319
- Add BearerTokenAuthenticationConverter #8975
🪲 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.5
5.4.4
This release fixes a problem with the release of 5.4.3.
⭐ New Features
- Migrate SAML 2.0 Samples to Use PCFOne #9369
- Resolve artifacts from Maven Central first #9367
- Use constant time comparisons for CSRF tokens #9357
- Improve HttpSessionSecurityContextSessionRepository Performance #9388
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
- Fix custom marshaller example #9409
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
- Consider downgrading to Nimbus 8 #9399
- Remove notEmpty check for authorities in DefaultOAuth2User #9396
- Wrong example name in Spring Security documentation #9383
- Make user info response status check error only #9376
- Malformed WWW-Authenticate Causes NPE #9364
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
- Exception when declaring multiple AuthenticationManager beans #9332
- webflux-x509 sample cert needs renewal #9322
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258
🔨 Dependency Upgrades
5.5.0-M2
⭐ New Features
- Constrain Nimbus dependencies to compatible majors #9400
- Misleading manifestation of error condition #9395
- Remove private BearerTokenAuthenticationWebFilter #9377
- Migrate SAML 2.0 Samples to Use PCFOne #9362
- Add manual trigger to CI workflow #9360
- Use Nimbus's SingleKeyJWSKeySelector #9348
- Extend CorsDsl with CorsConfigurationSource property #9333
- Make max-sessions configurable #9328
- Add Revved up by Gradle Enterprise badge to README #9327
- WebFlux oauth2Login with formLogin test #9326
- No converter found for RSAPublicKey #9316
- Extend CorsDsl with CorsConfigurationSource property #9314
- Removes unused code #9294
- Use constant time comparisons for CSRF tokens #9291
- Introduced DispatcherType request matcher #9278
- Add permissionsPolicy http header #9265
- Add permissionsPolicy header in HeadersConfigurers #9262
- Deprecate ClientAuthenticationMethod BASIC and POST #9220
- Fix javadoc in Pbkdf2PasswordEncoder #9219
- Added ClaimAccessor#hasClaim #9218
- Improve handling of non-String principal claim values #9215
- Improve handling of non-String principal claim values #9212
- getRemoteUser() returns principal name #9211
- Match requests based on servlet dispatcher type #9205
- Return type of oauth2.core.ClaimAccessor#containsClaim(String) could be a primitive boolean #9201
- Allow maximum age of csrf cookie to be configured #9196
- SecurityWebApplicationContextUtils cleanup gh-8868 #9194
- Decode cookie once in AbstractRememberMeServices #9192
- Add convenience constructor in OAuth2AuthenticationException #9190
- JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186
- Make salt length configurable in Pbkdf2PasswordEncoder #9147
- Resource Server should identify unauthorized REST requests like HTTP Basic does #9100
- Add AuthorizationManager #8996
- OpenSamlAuthenticationProvider should validate Response Status #8955
- Build Github Actions CI pipeline #8698
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9421
- Update saml2-login.adoc #9408
- Allow null or empty authorities for DefaultOAuth2User #9380
- Wrong example name in Spring Security documentation #9379
- Remove notEmpty check for authorities in DefaultOAuth2User #9366
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9337
- Make user info response status check error only #9336
- Fix bug with multiple AuthenticationManager beans #9329
- Fixed NullPointerException with WWW-Authenticate #9303
- Exception when declaring multiple AuthenticationManager beans #9256
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject #9222
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9210
- CookieRequestCache handles URL encoded query parameters incorrectly #9203
- Fix typo in JdbcDaoImpl Javadoc #9197
- WithSecurityContextTestExecutionListener should respect NestedTestConfiguration #9193
- Customizing the metadata endpoint does not work #9133
🔨 Dependency Upgrades
- Update to GAE 1.9.86 #9445
- Update to Kotlin 1.4.30 #9444
- Update to Spring Boot 2.4.2 #9443
- Update Gradle Enterprise Gradle Plugin #9335
❤️ Contributors
We'd like to thank all the contributors who worked on this release!