Skip to content

Releases: spring-projects/spring-security

6.4.1

20 Nov 21:29
Compare
Choose a tag to compare

πŸͺ² Bug Fixes

  • Documentation images should render clearly in both light and dark mode #16132
  • Fix conflicting bean names between @EnableWebSecurity and @EnableWebSocketSecurity #16113

πŸ”© Build Updates

  • Update Antora UI Spring to v0.4.18 #16112

❀️ Contributors

Thank you to all the contributors who worked on this release:

@github-actions[bot] and @ngocnhan-tran1996

6.4.0

18 Nov 16:00
Compare
Choose a tag to compare

⭐ New Features

  • Add @FunctionalInterface to AuthorizationEventPublisher #15934
  • Add DefaultResourcesFilter.webauthn() #15970
  • Add deprecation notice for missing leading slashes #16020
  • Code Cleanup #15996
  • Document passkeys dependencies #16107
  • Factor out some common object mocking in tests #15396
  • Fix saml2 authentication guide docs #16017
  • Improve documentation about CredentialsContainer #15554
  • Improve Documentation on Adding a Custom Security Filter #15893
  • Improve Error Message for Conflicting Filter Chains #15992
  • Make it easier to determine where a filter chain has been defined #15874
  • OIDC logout not working for JPA/JDBC OAuth2AuthorizationService because DefaultSaml2AuthenticatedPrincipal does not implement equality #15346
  • Polish JdbcOneTimeTokenService #15997
  • relying-party-registration doesn't allow placeholders in xml #14645
  • Remove unnecessary parentheses and add static final field MockPortResolver#getServerPort #15875
  • Support ServerExchangeRejectedHandler @Bean #16063

πŸͺ² Bug Fixes

  • An empty-string bearer token should result in an appropriate HTTP status code #16037
  • AuthorizeReturnObject AOT support should register proxied class as well #16106
  • Correct class name reference in WebFilterChainProxy JavaDoc #16004
  • Fix typo javadoc some classes #16022
  • Initialize OpenSAML in OpenSamlAssertingPartyMetadataRepository #16055
  • IpAddressMatcher null pointer exception #16104
  • OpenSamlAssertingPartyMetadataRepository should initialize OpenSAML #16042
  • Support ServerWebExchangeFirewall @Bean #15999
  • UniqueSecurityAnnotationScanner throws ConcurrentModificationException #15906

πŸ”¨ Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 #16005
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.0 to 2.18.1 #16007
  • Bump com.webauthn4j:webauthn4j-core from 0.28.1.RELEASE to 0.28.2.RELEASE #16122
  • Bump io.freefair.gradle:aspectj-plugin from 8.10.2 to 8.11 #16123
  • Bump io.micrometer:micrometer-observation from 1.14.0 to 1.14.1 #16121
  • Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16079
  • Bump org-bouncycastle from 1.78.1 to 1.79 #16010
  • Bump org.hibernate.orm:hibernate-core from 6.6.1.Final to 6.6.2.Final #16048
  • Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16028
  • Bump org.htmlunit:htmlunit from 4.5.0 to 4.6.0 #16044
  • Bump org.junit:junit-bom from 5.11.2 to 5.11.3 #15968
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.25.0 to 4.26.0 #16043
  • Bump org.seleniumhq.selenium:selenium-java from 4.25.0 to 4.26.0 #16018
  • Bump org.springframework.data:spring-data-bom from 2024.0.5 to 2024.1.0 #16124
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16097
  • Bump org.springframework:spring-framework-bom from 6.2.0-RC3 to 6.2.0 #16096

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16115
  • Update Antora UI Spring to v0.4.17 #15929

❀️ Contributors

Thank you to all the contributors who worked on this release:

@Chu3laMan, @Kehrlann, @Limm-jk, @dcolazin, @dependabot[bot], @franticticktick, @github-actions[bot], @gzhao9, @ig-jinwoo, @jzheaux, @kse-music, @ngocnhan-tran1996, and @nomoreFt

6.3.5

18 Nov 16:00
Compare
Choose a tag to compare

⭐ New Features

  • Support ServerExchangeRejectedHandler @Bean #16062
  • Supporting logout+jwt for back-channel logout with spring-webflux #15702

πŸͺ² Bug Fixes

  • Align DelegatingAuthenticationConverter Constructors #15949
  • An empty-string bearer token should result in an appropriate HTTP status code #16036
  • IpAddressMatcher null pointer exception #15527
  • RequestMatcherDelegatingAuthorizationManager should be post-processable #15981
  • Support ServerWebExchangeFirewall @Bean #15991
  • Unhandled exception in CookieRequestCache results in 500 Internal Server Error #15986
  • Update logout.adoc: Fix Customizing Logout Success Example #15956

πŸ”¨ Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 #16006
  • Bump com.fasterxml.jackson:jackson-bom from 2.17.2 to 2.17.3 #16032
  • Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13 #16126
  • Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16082
  • Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16033
  • Bump org.springframework.data:spring-data-bom from 2024.0.5 to 2024.0.6 #16125
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16102
  • Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15 #16101

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16117
  • Update Antora UI Spring to v0.4.17 #15930

❀️ Contributors

Thank you to all the contributors who worked on this release:

@asimuleo, @dependabot[bot], @github-actions[bot], and @kse-music

6.2.8

18 Nov 15:48
Compare
Choose a tag to compare

⭐ New Features

  • Support ServerExchangeRejectedHandler @Bean #16061
  • Support ServerWebExchangeFirewall @Bean #15987

πŸͺ² Bug Fixes

  • Fix error when Bearer token is requested with empty string #15940
  • Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
  • RequestMatcherDelegatingAuthorizationManager should be post-processable #15948
  • Unhandled exception in CookieRequestCache results in 500 Internal Server Error #15985

πŸ”¨ Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13 #16128
  • Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16081
  • Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16031
  • Bump org.springframework.data:spring-data-bom from 2023.1.11 to 2023.1.12 #16127
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16100
  • Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15 #16099

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16120
  • Update Antora UI Spring to v0.4.17 #15931

❀️ Contributors

Thank you to all the contributors who worked on this release:

@codeconsole, @dependabot[bot], @github-actions[bot], and @jacknie84

5.8.16

18 Nov 16:01
Compare
Choose a tag to compare

⭐ New Features

  • Support ServerExchangeRejectedHandler @Bean #15976

πŸͺ² Bug Fixes

  • Catch base64 decode exception #15914
  • Support ServerWebExchangeFirewall @Bean #15977

πŸ”¨ Dependency Upgrades

  • Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16030
  • Bump org.springframework.ldap:spring-ldap-core from 2.4.2 to 2.4.4 #16094

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16114
  • Update Antora UI Spring to v0.4.17 #15933

❀️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.14

18 Nov 17:12
Compare
Choose a tag to compare

⭐ New Features

  • Support ServerExchangeRejectedHandler @Bean #15975

πŸͺ² Bug Fixes

  • Support ServerWebExchangeFirewall @Bean #15974

6.4.0-RC1

21 Oct 18:41
Compare
Choose a tag to compare
6.4.0-RC1 Pre-release
Pre-release

⭐ New Features

  • Add API for Looking Up Security Annotations #15700
  • Add loginPage() to DSL in reactive oauth2Login() #15674
  • Add public InMemoryOneTimeTokenService.setClock(Clock) #15864
  • Support One-Time Tokens in a Clustered Environment [#15735][https://github.com//issues/15735]
  • Add Reactive One-Time Token Login Kotlin DSL Support #15888
  • Add Support for Passkeys #13305
  • Allow OAuth2ClientSpec to get ReactiveOAuth2AccessTokenResponseClient from Spring IoC #11097
  • Allow access token request parameters to override defaults #15339
  • Allow building a ClientRegistration from provided configuration #15716
  • Allow logout+jwt JWT type for reactive #15847
  • AuthorizationEventPublisher should accept an AuthorizationResult #15915
  • AuthorizationManager should return AuthorizationResult #14846
  • Clarify Username/Password Authentication Docs #15806
  • Customize the strategy for resolving the principal #15833
  • Introduce ExpressionJwtGrantedAuthoritiesConverter to extract nested authorities via SpEL expression #15202
  • Improve encapsulation for jwtValidators #15879
  • Improve readibility of empty collection checks #15898
  • Improved error message for PasswordEncoder #14968
  • Make Security Observations Selectable #15678
  • ObjectProvider over custom getBeanOrNull method #15816
  • Parameters customizer called before all parameters are set #15939
  • Polish diamond operator usage #15900
  • Polish OAuth2ClientConfiguration #15857
  • Reactive oauth2Login should pick up OAuth2ReactiveUserService bean #15848
  • Replace Date().getTime() method with System.currentTimeMillis() #15890
  • Simplify Casting with ReactiveJwtDecoders #15797
  • Support refresh token for Token Exchange #15534
  • Update document #15862
  • Update javaDoc for DefaultOneTimeTokenSubmitPageGeneratingFilter #15870
  • Update websocket integration docs #15438
  • Use SessionAuthenticationStrategy for Remember-Me authentication #15748

πŸͺ² Bug Fixes

  • Fix HttpSecurity Deprecation notices #15827
  • Minor fix in Kotlin docs for noSpringSecurityObservations #15831
  • OidcBackChannelLogoutTokenValidator should not construct when missing OIDC Provider Issuer #15824
  • Restore Framework version on Snapshot build #15916
  • The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15830

πŸ”¨ Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.10 to 1.5.11 #15924
  • Bump com.fasterxml.jackson:jackson-bom from 2.17.2 to 2.18.0 #15859
  • Bump io.freefair.gradle:aspectj-plugin from 8.10 to 8.10.2 #15881
  • Bump io.micrometer:micrometer-observation from 1.13.5 to 1.13.6 #15918
  • Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15895
  • Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15922
  • Bump io.spring.develocity.conventions from 0.0.21 to 0.0.22 #15871
  • Bump org.hibernate.orm:hibernate-core from 6.6.0.Final to 6.6.1.Final #15823
  • Bump org.htmlunit:htmlunit from 4.4.0 to 4.5.0 #15960
  • Bump org.junit:junit-bom from 5.11.1 to 5.11.2 #15882
  • Bump org.mockito:mockito-bom from 5.14.1 to 5.14.2 #15923
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.23.0 to 4.25.0 #15959
  • Bump org.seleniumhq.selenium:selenium-java from 4.24.0 to 4.25.0 #15839
  • Bump org.springframework.data:spring-data-bom from 2024.0.4 to 2024.0.5 #15961
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15942
  • Bump org.springframework:spring-framework-bom from 6.2.0-RC1 to 6.2.0-RC2 #15943

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15911
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15834
  • Fix Broken Resource Server Doc Links #15845
  • Fix typo of createDefaultRequestMacher in WebSessionServerRequestCache #15867
  • Polish ExpressionTemplateSecurityAnnotationScanner #15832
  • Release 6.4.0-RC1 #15966

❀️ Contributors

Thank you to all the contributors who worked on this release:

@JohnNiang, @bottlerocketjonny, @c1rd3cm, @dependabot[bot], @franticticktick, @heruan, @jinia91, @kse-music, @kwonyonghyun, @ngocnhan-tran1996, @nimakarimiank, @openrefactorymunawar, @regiuss-own, @rs017991, @sjohnr, @thomasdarimont, @wapkch, and @xhaggi

6.3.4

21 Oct 17:41
Compare
Choose a tag to compare

πŸͺ² Bug Fixes

  • Annotation expression template processing should not fail on Class parameter types #15711
  • Disabling credentials erasure on custom AuthenticationManager is not working #15808
  • Documentation inconsistency in AuthorizationManager's verify method return type #15822
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15676
  • OidcBackChannelLogoutTokenValidator should not construct when missing OIDC Provider Issuer #15868
  • SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15767
  • The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15829

πŸ”¨ Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.10 to 1.5.11 #15926
  • Bump io.micrometer:micrometer-observation from 1.12.10 to 1.12.11 #15917
  • Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15897
  • Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15925
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15694
  • Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15731
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.21 to 4.33.22 #15761
  • Bump org.junit:junit-bom from 5.10.4 to 5.10.5 #15883
  • Bump org.springframework.data:spring-data-bom from 2024.0.4 to 2024.0.5 #15958
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15944
  • Bump org.springframework:spring-framework-bom from 6.1.13 to 6.1.14 #15945

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15907
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15836
  • Migrate slack notifications to GChat #15668
  • Release 6.3.4 #15964
  • Update eclipse/vscode configuration to use -parameters #15681

❀️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot] and @kse-music

6.2.7

21 Oct 17:41
Compare
Choose a tag to compare

πŸͺ² Bug Fixes

  • Disabling credentials erasure on custom AuthenticationManager is not working #15807
  • Documentation inconsistency in AuthorizationManager's verify method return type #15704
  • Fix code format in OIDC Logout docs #15566
  • Fix OIDC Logout docs: Session Strategy vs. Registry #15686
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15675
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15651
  • SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15766
  • The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15828

πŸ”¨ Dependency Upgrades

  • Bump Gradle Wrapper from 8.10.1 to 8.10.2 #15841
  • Bump io.micrometer:micrometer-observation from 1.12.10 to 1.12.11 #15919
  • Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15896
  • Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15927
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15693
  • Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15733
  • Bump org.junit:junit-bom from 5.10.4 to 5.10.5 #15880
  • Bump org.springframework.data:spring-data-bom from 2023.1.10 to 2023.1.11 #15962
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15946
  • Bump org.springframework:spring-framework-bom from 6.1.13 to 6.1.14 #15947

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15910
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15838
  • Bump Gradle Wrapper from 8.7 to 8.10 #15609
  • CORS documentation should use UrlBasedCorsConfigurationSource #15769
  • Migrate slack notifications to GChat #15667
  • Release 6.2.7 #15965
  • Update CORS document #15784
  • Update eclipse/vscode configuration to use -parameters #15680

❀️ Contributors

Thank you to all the contributors who worked on this release:

@Junhyunny, @dependabot[bot], @github-actions[bot], @hwanders, and @ngocnhan-tran1996

5.8.15

21 Oct 17:51
Compare
Choose a tag to compare

⭐ New Features

  • Address unnecessary method invocation in AbstractRequestMatcherRegistry #15718
  • The SecuredAuthorizationManager can now find @Secured annotations on … #15014

πŸͺ² Bug Fixes

  • Disabling credentials erasure on custom AuthenticationManager is not working #15683
  • Methods annotated with @PostFilter are processed twice by PostFilterAuthorizationMethodInterceptor #15624
  • SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15749
  • The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15533

πŸ”¨ Dependency Upgrades

  • Bump io.projectreactor.tools:blockhound from 1.0.9.RELEASE to 1.0.10.RELEASE #15928
  • Bump org-eclipse-jetty from 9.4.55.v20240627 to 9.4.56.v20240826 #15730
  • Bump org.springframework.ldap:spring-ldap-core from 2.4.1 to 2.4.2 #15941

πŸ”© Build Updates

  • Bump @antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15908
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15837
  • Migrate slack notifications to GChat #15503
  • Release 5.8.15 #15963

❀️ Contributors

We'd like to thank all the contributors who worked on this release!