Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade Spring Security 5.8.9 -> 6.2.1 #1010

Merged
merged 1 commit into from
Feb 13, 2024

Conversation

Picnic-Bot
Copy link
Contributor

@Picnic-Bot Picnic-Bot commented Jan 31, 2024

This PR contains the following updates:

Package Type Update Change
Spring Security (source) import major 5.8.9 -> 6.2.1

Release Notes

spring-projects/spring-security (Spring Security)

v6.2.1

Compare Source

⭐ New Features

  • docs: make XML and Java/Kotlin consistent with AspectJExpressionPointcut #​14219
  • Document that Shibboleth Repository is Required for SAML Support #​14295
  • Integrate HandlerMappingIntrospector Caching #​14332
  • OAuth2 Resource Server is exposing server information. #​14278

🪲 Bug Fixes

  • Update Java Config Spring MVC documentation #​14234
  • add missing [tabs] fix typo in docs #​14208
  • AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14267
  • Correct What's New in 6.2 reference to forServletPattern #​14200
  • Fix typo in getClaimAsMap docstring #​14183
  • Fix typo in the 'Authorizing Requests' example #​14169
  • fix wrong document about "jws-algorithms" #​14280
  • Improve error message when ServletRegistration API is unavailable #​14232
  • Update Javadoc Comments in AuthorizationEvent Class #​14175
  • Fix typo in architecture.adoc #​14254
  • Fixing link in authentication/architecture.adoc #​13593

🔨 Dependency Upgrades

  • Bump actions/checkout from 3 to 4 #​14323
  • Bump actions/setup-java from 3 to 4 #​14320
  • Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14213
  • Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14239
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14223
  • Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14328
  • Bump Gradle Wrapper from 8.4 to 8.5 #​14222
  • Bump io.micrometer:micrometer-observation from 1.12.0 to 1.12.1 #​14284
  • Bump io.projectreactor:reactor-bom from 2023.0.0 to 2023.0.1 #​14289
  • Bump org-apache-maven-resolver from 1.9.16 to 1.9.17 #​14184
  • Bump org-apache-maven-resolver from 1.9.17 to 1.9.18 #​14197
  • Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14271
  • Bump org.apache.maven:maven-resolver-provider from 3.9.5 to 3.9.6 #​14228
  • Bump org.hibernate.orm:hibernate-core from 6.3.1.Final to 6.3.2.Final #​14190
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.20 to 1.9.21 #​14192
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.20 to 1.9.21 #​14191
  • Bump org.springframework.data:spring-data-bom from 2023.1.0 to 2023.1.1 #​14341
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.0 to 3.2.1 #​14335
  • Bump org.springframework:spring-framework-bom from 6.1.0 to 6.1.1 #​14189
  • Bump org.springframework:spring-framework-bom from 6.1.1 to 6.1.2 #​14319
  • Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14318
  • Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14322
  • Bump spring-io/spring-gradle-build-action from 1 to 2 #​14321

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ParkerM, @​YangSiJun528, @​aaron-to-go, @​ahmd-nabil, @​andreilisa, @​dependabot[bot], @​limvik, and @​prufrock

v6.2.0

Compare Source

⭐ New Features

  • AuthorizationManager[Before/After]ReactiveMethodInterceptor doesn't support Kotlin coroutines #​12080
  • Simplify configuration of OAuth2 Client component model #​11783

🪲 Bug Fixes

  • On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14064
  • Authentication not propagated correctly after migrating to SB3 #​14112
  • Authorization does not show up on Features section #​14105
  • Fix obsolete comment and typos #​14060
  • Fix typo in documentation #​14130
  • improve render in headers.adoc #​14102
  • ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14042
  • References to WebFlux docs do not link to them #​14108
  • relay_state should not be included in signing calculation when it is null #​14039
  • samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14138
  • Security configuration is failed to be initialized in a Servlet 6.0 container #​14166
  • Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14115
  • Spring Security metric names should not contain dashes #​14067
  • spring.security counters inaccurate due onComplete and cancel() #​14147
  • The latest "OAuth2AuthorizedClientManager" class is not AOT ready #​14094
  • UnboundIdContainer should be marked as not running at shutdown #​14095

🔨 Dependency Upgrades

  • Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14156
  • Bump io.micrometer:micrometer-observation from 1.12.0-RC1 to 1.12.0 #​14135
  • Bump io.projectreactor:reactor-bom from 2023.0.0-RC1 to 2023.0.0 #​14145
  • Bump org.junit:junit-bom from 5.10.0 to 5.10.1 #​14097
  • Bump org.springframework.data:spring-data-bom from 2023.1.0-RC1 to 2023.1.0 #​14172
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.0-RC1 to 3.2.0 #​14155
  • Bump org.springframework:spring-framework-bom from 6.1.0-RC1 to 6.1.0-RC2 #​14055
  • Bump org.springframework:spring-framework-bom from 6.1.0-RC2 to 6.1.0 #​14157

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.6

Compare Source

⭐ New Features

  • Document that Shibboleth Repository is Required for SAML Support #​14294
  • Integrate HandlerMappingIntrospector Caching #​14128
  • OAuth2 Resource Server is exposing server information. #​14277
  • Resolve RequestMatcher at request-time #​14085

🪲 Bug Fixes

  • AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14266
  • Authentication not propagated correctly after migrating to SB3 #​14111
  • Authorization does not show up on Features section #​14104
  • DefaultLoginPageGeneratingFilter should be able to handle AuthenticationExceptions without message #​14117
  • Fix broken link for servlet getting started page #​14119
  • Fix typo in method-security.adoc #​14059
  • fix wrong document about "jws-algorithms" #​14279
  • Improve error message when ServletRegistration API is unavailable #​14231
  • improve render in headers.adoc #​14101
  • On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14063
  • ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14041
  • References to WebFlux docs do not link to them #​14107
  • relay_state should not be included in signing calculation when it is null #​14038
  • samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14131
  • Security configuration is failed to be initialized in a Servlet 6.0 container #​14165
  • Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14114
  • Spring Security metric names should not contain dashes #​14066
  • spring.security counters inaccurate due onComplete and cancel() #​14146
  • Update Java Config Spring MVC documentation #​14233
  • Update logout.adoc: Replace Directives with Directive #​14062

🔨 Dependency Upgrades

  • Bump actions/checkout from 3 to 4 #​14310
  • Bump actions/setup-java from 3 to 4 #​14327
  • Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14214
  • Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14238
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14224
  • Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14317
  • Bump Gradle Wrapper from 8.4 to 8.5 #​14218
  • Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14158
  • Bump io.micrometer:micrometer-observation from 1.10.12 to 1.10.13 #​14134
  • Bump io.projectreactor:reactor-bom from 2022.0.12 to 2022.0.13 #​14144
  • Bump io.projectreactor:reactor-bom from 2022.0.13 to 2022.0.14 #​14288
  • Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14272
  • Bump org-eclipse-jetty from 11.0.17 to 11.0.18 #​14081
  • Bump org.springframework.data:spring-data-bom from 2022.0.11 to 2022.0.12 #​14173
  • Bump org.springframework:spring-framework-bom from 6.0.13 to 6.0.14 #​14159
  • Bump org.springframework:spring-framework-bom from 6.0.14 to 6.0.15 #​14312
  • Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14315
  • Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14316
  • Bump spring-io/spring-gradle-build-action from 1 to 2 #​14305

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Ruffeng, @​dependabot[bot], @​github-actions[bot], @​marbon87, and @​sadidshaikh

v6.1.5

Compare Source

⭐ New Features

  • Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​14015
  • Replace deprecated method #​13649
  • Use Gradle's Version Catalog #​13871

🪲 Bug Fixes

  • Dependency convergence failed: nimbus-jose-jwt #​13843
  • Docs custom AuthorizationManager fix #​13991
  • Fix snapshot_tests on CI workflow #​13878
  • Fix parsing of GET SAML logout requests #​13970
  • Saml-Metadata with special characters is corrupted #​13861
  • Saml2LogoutRequestMixin relayState property should be binding #​13942

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13984
  • Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13891
  • Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13950
  • Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #​13934
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #​13903
  • Bump Gradle Wrapper from 8.3 to 8.4 #​13974
  • Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #​13935
  • Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #​13945
  • Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #​14001
  • Bump io.mockk:mockk from 1.13.7 to 1.13.8 #​13952
  • Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.11 #​13937
  • Bump io.projectreactor:reactor-bom from 2022.0.11 to 2022.0.12 #​14000
  • Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13985
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #​13949
  • Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13896
  • Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #​13901
  • Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #​13999
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13953
  • Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #​13938
  • Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #​14019
  • Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #​13951
  • Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #​14007
  • Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #​13904
  • Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #​14006
  • Update to org.apereo.cas.client:cas-client-core 4.0.3 #​13947

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.4

Compare Source

⭐ New Features

🪲 Bug Fixes

  • CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #​13659
  • CookieRequestCache ignores user Locale #​13796
  • Default Security Configuration adds WWW-Authenticate Twice #​13759
  • Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin #​13729
  • OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​13800
  • Problem uploading multipart file after migrating to latest Spring Security. #​13820
  • Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13806
  • Spring ACL and native compilation fail to process datasource properties #​13814

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.3

Compare Source

⭐ New Features

  • Add MvcRequestMatcher reference documentation #​13726
  • Refactor for readability #​13472
  • requestMatchers servlet validation error should include information about servlet paths #​13722
  • requestMatchers should not count servlets without mappings #​13724

🪲 Bug Fixes

  • Add return statement of the roleHierachy method in the servlet/author… #​13596
  • Fix typo in docs #​13637
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13590
  • RequestMatcherMetadataResponseResolver only shows last RelyingPartyRegistration #​13700
  • saml2Login should not override OpenSaml4AuthenticationProvider bean #​13655
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13580
  • Update links in adocs #​13632

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.2

Compare Source

⭐ New Features

  • Improve RequestMatcher Validation #​13557
  • Improve Security Filters Documentation #​13414
  • Optimize Querying of RequestCache -> continue parameter #​13488
  • Optimize Querying of RequestCache -> continue parameter #​13482

🪲 Bug Fixes

  • Error message should show underlying Client Authentication method #​13498
  • Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13465
  • once-per-request="true" does not work in XML configuration #​13494
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13199
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13421
  • Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13478
  • update l179 of jwt docs #​13480
  • Use default PathPatternParser instance #​13464

🔨 Dependency Upgrades

  • Update io.projectreactor to 2022.0.9 #​13525
  • Update jakarta.websocket to 2.1.1 #​13526
  • Update micrometer-observation to 1.10.9 #​13524
  • Update org.springframework to 6.0.11 #​13527
  • Update org.springframework.data to 2022.0.8 #​13528
  • Update org.springframework.data to 2022.0.8 #​13522

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.1

Compare Source

⭐ New Features

  • Add initial Native section to reference docs #​13236
  • Align Resource Server documentation with Boot's capabilities #​13239
  • Convert to Asciidoctor Tabs #​13407
  • Document How to Handle Method Security in Native Image #​13237
  • Improve javadoc about deprecation of .and() and non-Customizer methods #​13273
  • Make eclipse/vscode project import work #​13284
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13229
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13254
  • Use Antora name of security #​13331

🪲 Bug Fixes

  • Additional filters registered when using Custom DSL #​13282
  • AOT Fails to proxy #​13369
  • CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #​13243
  • DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13223
  • Deprecated hint on BasicAuthenticationFilter #​13279
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13193
  • Fix Antora Warnings #​13294
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13221
  • Fix Documentation Title #​13318
  • Fix legacy-websocket-configuration cross-reference #​13206
  • Fix type on method-security.adoc #​13212
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13209
  • Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13218
  • No longer maintained net.sourceforge.nekohtml with known security issues #​13287
  • Provide meaningful error when invalid client-authentication-method is provided #​13309
  • Proxy Server section is not linked in nav #​13324
  • Use consistent list of micrometer tags in web observation handler #​13190
  • UserBuilder does not allow authorities to be overridden #​13290

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.0

Compare Source

⭐ New Features

  • Explain the rational about deprecating .and() and non-lambda DSL methods #​13094
  • Revisit CSRF Documentation #​13089

🪲 Bug Fixes

  • AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13087
  • AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13154
  • Clarify that Kotlin DSL needs an import #​13103
  • CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #​13075
  • Fix code snippets in Authorize HttpServletRequest #​13126
  • Fix invalid link in ref doc #​12573
  • fix javadoc typo #​12884
  • Fix typo cas.adoc #​13116
  • Links between migration docs are out of date #​13157
  • RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13128
  • rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13083
  • SAML login fails in Internet Explorer 11 #​13142
  • SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​13150
  • Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13122
  • Update acls.adoc #​13078
  • Update architecture.adoc #​13077
  • Web Security Expression section of Documentation is obsolete or it does not work #​12974

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.8

Compare Source

⭐ New Features

  • Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​14014
  • Use Gradle's Version Catalog #​13870

🪲 Bug Fixes

  • Fix snapshot_tests on CI workflow #​13877
  • Saml-Metadata with special characters is corrupted #​13860
  • Saml2LogoutRequestMixin relayState property should be binding #​13939

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13981
  • Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13886
  • Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13898
  • Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #​13957
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #​13895
  • Bump Gradle Wrapper from 8.3 to 8.4 #​13973
  • Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #​13980
  • Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #​13921
  • Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #​13995
  • Bump io.projectreactor.netty:reactor-netty from 1.1.10 to 1.1.11 #​13958
  • Bump io.projectreactor.netty:reactor-netty from 1.1.11 to 1.1.12 #​13994
  • Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.12 #​13992
  • Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13919
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #​13906
  • Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13979
  • Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #​13922
  • Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #​13993
  • Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #​13923
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13955
  • Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #​13920
  • Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #​14020
  • Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #​13892
  • Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #​14009
  • Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #​13978
  • Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #​14008

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.7

Compare Source

⭐ New Features

🪲 Bug Fixes

  • CookieRequestCache ignores user Locale #​13795
  • Default Security Configuration adds WWW-Authenticate Twice #​13758
  • OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​13799
  • Problem uploading multipart file after migrating to latest Spring Security. #​13731
  • Resolve The matchingRequestParameterName From The Query String #​13817
  • Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13805
  • Spring ACL and native compilation fail to process datasource properties #​12653

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.6

Compare Source

⭐ New Features

  • requestMatchers servlet validation error should include information about servlet paths #​13721
  • requestMatchers should not count servlets without mappings #​13720

🪲 Bug Fixes

  • Doc : typo in Custom DSLs section #​13325
  • Fix typo in docs #​13605
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13589
  • saml2Login should not override OpenSaml4AuthenticationProvider bean #​13654
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13579
  • Update links in adocs #​13565

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.5

Compare Source

⭐ New Features

  • Improve RequestMatcher Validation #​13556
  • Improve Security Filters Documentation #​13413
  • Optimize Querying of RequestCache -> continue parameter #​13487
  • Optimize Querying of RequestCache -> continue parameter #​13481

🪲 Bug Fixes

  • Error message should show underlying Client Authentication method #​13496
  • Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13456
  • once-per-request="true" does not work in XML configuration #​13491
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13198
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13420
  • Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13477
  • Use default PathPatternParser instance #​13463

🔨 Dependency Upgrades

  • Update io.projectreactor to 2022.0.9 #​13518
  • Update jakarta.websocket to 2.1.1 #​13519
  • Update micrometer-observation to 1.10.9 #​13517
  • Update org.springframework to 6.0.11 #​13520
  • Update org.springframework.data to 2022.0.8 #​13521

v6.0.4

Compare Source

⭐ New Features

  • Add initial Native section to reference docs #​12029
  • Align Resource Server documentation with Boot's capabilities #​13238
  • Convert to Asciidoctor Tabs #​13406
  • Document How to Handle Method Security in Native Image #​13226
  • Error On Unsupported Client Authentication Methods #​13240
  • Make eclipse/vscode project import work #​12930
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13228
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13253
  • Use Antora name of security #​13330

🪲 Bug Fixes

  • Additional filters registered when using Custom DSL #​13281
  • AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13086
  • AOT Fails to proxy #​13368
  • AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13153
  • Clarify that Kotlin DSL needs an import #​13102
  • DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13222
  • Delete duplicate line from oauth2/client/core.adoc #​13233
  • Deprecated hint on BasicAuthenticationFilter #​13278
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13192
  • Fix Antora Warnings #​13293
  • Fix code snippets in Authorize HttpServletRequest #​13125
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13220
  • Fix Documentation Title #​13317
  • Fix legacy-websocket-configuration cross-reference #​13205
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13208
  • java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #​13133
  • Links between migration docs are out of date #​13156
  • Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13217
  • No longer maintained net.sourceforge.nekohtml with known security issues #​13286
  • Proxy Server section is not linked in nav #​13323
  • RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13127
  • rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13079
  • SAML login fails in Internet Explorer 11 #​13141
  • SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​12787
  • Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13084
  • Spring Security SAML signature validation issue #​13182
  • The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #​13008
  • Use consistent list of micrometer tags in web observation handler #​13179
  • X-XSS-Protection is now disabled #​13129

🔨 Dependency Upgrades

  • Update com.nimbusds to 9.43.3 [

@Picnic-Bot
Copy link
Contributor Author

Picnic-Bot commented Jan 31, 2024

Suggested commit message:

Upgrade Spring Security 5.8.9 -> 6.2.1 (#1010)

See:
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M3
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M4
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M5
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M6
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M7
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-RC2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0
- https://github.com/spring-projects/spring-security/releases/tag/6.0.1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.3
- https://github.com/spring-projects/spring-security/releases/tag/6.0.4
- https://github.com/spring-projects/spring-security/releases/tag/6.0.5
- https://github.com/spring-projects/spring-security/releases/tag/6.0.6
- https://github.com/spring-projects/spring-security/releases/tag/6.0.7
- https://github.com/spring-projects/spring-security/releases/tag/6.0.8
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0
- https://github.com/spring-projects/spring-security/releases/tag/6.1.1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.2
- https://github.com/spring-projects/spring-security/releases/tag/6.1.3
- https://github.com/spring-projects/spring-security/releases/tag/6.1.4
- https://github.com/spring-projects/spring-security/releases/tag/6.1.5
- https://github.com/spring-projects/spring-security/releases/tag/6.1.6
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M3
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-RC2
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0
- https://github.com/spring-projects/spring-security/releases/tag/6.2.1
- https://github.com/spring-projects/spring-security/compare/5.8.9...6.2.1

Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

2 similar comments
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Stephan202
Copy link
Member

Blocked on #679.

@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from 2638716 to f83d483 Compare February 1, 2024 02:06
Copy link

github-actions bot commented Feb 1, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

2 similar comments
Copy link

github-actions bot commented Feb 1, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

Copy link

github-actions bot commented Feb 1, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from f83d483 to 26f8f47 Compare February 2, 2024 02:09
@Picnic-Bot Picnic-Bot changed the title Upgrade Spring Security 5.3.13.RELEASE -> 6.2.1 Upgrade Spring Security 5.8.9 -> 6.2.1 Feb 2, 2024
Copy link

github-actions bot commented Feb 2, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

1 similar comment
Copy link

github-actions bot commented Feb 2, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from 26f8f47 to 9a6cb3f Compare February 10, 2024 02:04
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from 9a6cb3f to d614229 Compare February 11, 2024 02:01
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Stephan202 Stephan202 added this to the 0.16.0 milestone Feb 11, 2024
@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from d614229 to a4dc430 Compare February 12, 2024 02:07
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

1 similar comment
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Picnic-Bot Picnic-Bot force-pushed the renovate/spring-security-6.x branch from a4dc430 to ae124af Compare February 13, 2024 02:02
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

2 similar comments
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@rickie rickie force-pushed the renovate/spring-security-6.x branch from ae124af to 9f03e66 Compare February 13, 2024 07:38
Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Stephan202 Stephan202 force-pushed the renovate/spring-security-6.x branch from 9f03e66 to 83a8207 Compare February 13, 2024 14:54
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Copy link

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

Copy link
Member

@Stephan202 Stephan202 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the suggested commit message; will merge once built.

@Stephan202 Stephan202 merged commit d3cc77e into master Feb 13, 2024
15 checks passed
@Stephan202 Stephan202 deleted the renovate/spring-security-6.x branch February 13, 2024 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

3 participants