Releases: spring-projects/spring-security
Releases Β· spring-projects/spring-security
6.2.0
β New Features
- AuthorizationManager[Before/After]ReactiveMethodInterceptor doesn't support Kotlin coroutines #12080
- Simplify configuration of OAuth2 Client component model #11783
πͺ² Bug Fixes
- On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #14064
- Authentication not propagated correctly after migrating to SB3 #14112
- Authorization does not show up on Features section #14105
- Fix obsolete comment and typos #14060
- Fix typo in documentation #14130
- improve render in headers.adoc #14102
- ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #14042
- References to WebFlux docs do not link to them #14108
- relay_state should not be included in signing calculation when it is null #14039
- samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #14138
- Security configuration is failed to be initialized in a Servlet 6.0 container #14166
- Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #14115
- Spring Security metric names should not contain dashes #14067
- spring.security counters inaccurate due onComplete and cancel() #14147
- The latest "OAuth2AuthorizedClientManager" class is not AOT ready #14094
- UnboundIdContainer should be marked as not running at shutdown #14095
π¨ Dependency Upgrades
- Bump io-spring-javaformat from 0.0.39 to 0.0.40 #14156
- Bump io.micrometer:micrometer-observation from 1.12.0-RC1 to 1.12.0 #14135
- Bump io.projectreactor:reactor-bom from 2023.0.0-RC1 to 2023.0.0 #14145
- Bump org.junit:junit-bom from 5.10.0 to 5.10.1 #14097
- Bump org.springframework.data:spring-data-bom from 2023.1.0-RC1 to 2023.1.0 #14172
- Bump org.springframework.ldap:spring-ldap-core from 3.2.0-RC1 to 3.2.0 #14155
- Bump org.springframework:spring-framework-bom from 6.1.0-RC1 to 6.1.0-RC2 #14055
- Bump org.springframework:spring-framework-bom from 6.1.0-RC2 to 6.1.0 #14157
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.2.0-RC2
β New Features
- Propagate security context via channel interceptor #12532
- RequestedUrlRedirectInvalidSessionStrategy can cause the HTTP method to change depending on the user agent #12797
- RequestedUrlRedirectInvalidSessionStrategy doesn't take servlet context path into account #12795
πͺ² Bug Fixes
- Added a note about the fact that if the CSRF protection is disabled in configuration, no logout confirmation page is shown to the user and the logout is performed directly. #13442
- Use same case for all fields in toString #13917
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.2.0-RC1
β New Features
- Add servletPath support to AuthorizeHttpRequests #13857
- Allow AuthenticationConverter to be settable in BasicAuthenticationFilter #13989
- Dependabot should consider minor versions for org.springframework* on main #14029
- Document how to publish an
AuthenticationManager@BeanwithoutWebSecurityConfigurerAdapter#14016 - Update doc references for forwarded headers support #13880
- Use Gradle's Version Catalog #13872
πͺ² Bug Fixes
- Breaking change in
AuthorizeHttpRequestsConfigurer#14012 - Dependency convergence failed: nimbus-jose-jwt #13972
- Fix
snapshot_testson CI workflow #13879 - Fix parsing of GET SAML logout requests #14024
- Saml-Metadata with special characters is corrupted #13862
- Saml2LogoutRequestMixin relayState property should be binding #13943
- Update http.adoc: IP number does not follow IP number format #13969
π¨ Dependency Upgrades
- Bump com.fasterxml.jackson:jackson-bom from 2.15.2 to 2.15.3 #14005
- Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13983
- Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13929
- Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13962
- Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #13960
- Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13932
- Bump Gradle Wrapper from 8.3 to 8.4 #13975
- Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13933
- Bump io.mockk:mockk from 1.13.7 to 1.13.8 #13902
- Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13931
- Bump org-apache-maven-resolver from 1.9.15 to 1.9.16 #13894
- Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #14002
- Bump org.apache.maven:maven-resolver-provider from 3.9.4 to 3.9.5 #13963
- Bump org.hibernate.orm:hibernate-core from 6.3.0.CR1 to 6.3.1.Final #13905
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13964
- Update io.micrometer:micrometer-observation to 1.12.0-RC1 #14027
- Update io.projectreactor:reactor-bom to 2023.0.0-RC1 #14028
- Update org.springframework.data:spring-data-bom to 2023.1.0-RC1 #14025
- Update org.springframework.ldap:spring-ldap-core to 3.2.0-RC1 #14026
- Update org.springframework:spring-framework-bom to 6.1.0-RC1 #14023
- Update to io.freefair.aspectj 8.4 #14017
- Update to org.apereo.cas.client:cas-client-core 4.0.3 #13948
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.5
β New Features
- Document how to publish an
AuthenticationManager@BeanwithoutWebSecurityConfigurerAdapter#14015 - Replace deprecated method #13649
- Use Gradle's Version Catalog #13871
πͺ² Bug Fixes
- Dependency convergence failed: nimbus-jose-jwt #13843
- Docs custom AuthorizationManager fix #13991
- Fix
snapshot_testson CI workflow #13878 - Fix parsing of GET SAML logout requests #13970
- Saml-Metadata with special characters is corrupted #13861
- Saml2LogoutRequestMixin relayState property should be binding #13942
π¨ Dependency Upgrades
- Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13984
- Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13891
- Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13950
- Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #13934
- Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13903
- Bump Gradle Wrapper from 8.3 to 8.4 #13974
- Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13935
- Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #13945
- Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #14001
- Bump io.mockk:mockk from 1.13.7 to 1.13.8 #13952
- Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.11 #13937
- Bump io.projectreactor:reactor-bom from 2022.0.11 to 2022.0.12 #14000
- Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13985
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #13949
- Bump org-aspectj from 1.9.20 to 1.9.20.1 #13896
- Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #13901
- Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #13999
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13953
- Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #13938
- Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #14019
- Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #13951
- Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #14007
- Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #13904
- Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #14006
- Update to org.apereo.cas.client:cas-client-core 4.0.3 #13947
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.8
β New Features
- Document how to publish an
AuthenticationManager@BeanwithoutWebSecurityConfigurerAdapter#14014 - Use Gradle's Version Catalog #13870
πͺ² Bug Fixes
- Fix
snapshot_testson CI workflow #13877 - Saml-Metadata with special characters is corrupted #13860
- Saml2LogoutRequestMixin relayState property should be binding #13939
π¨ Dependency Upgrades
- Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13981
- Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13886
- Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13898
- Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #13957
- Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #13895
- Bump Gradle Wrapper from 8.3 to 8.4 #13973
- Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #13980
- Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #13921
- Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #13995
- Bump io.projectreactor.netty:reactor-netty from 1.1.10 to 1.1.11 #13958
- Bump io.projectreactor.netty:reactor-netty from 1.1.11 to 1.1.12 #13994
- Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.12 #13992
- Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13919
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #13906
- Bump org-aspectj from 1.9.20 to 1.9.20.1 #13979
- Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #13922
- Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #13993
- Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #13923
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13955
- Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #13920
- Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #14020
- Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #13892
- Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #14009
- Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #13978
- Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #14008
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.8
β New Features
- Document how to publish an
AuthenticationManager@BeanwithoutWebSecurityConfigurerAdapter#11926 - Use Gradle's Version Catalog #13868
πͺ² Bug Fixes
- Fix
snapshot_testson CI workflow #13876 - fix corrupted saml2 metadata once special characters are present #13777
- Saml-Metadata with special characters is corrupted #13776
- Saml2LogoutRequestMixin relayState property should be binding #12539
π¨ Dependency Upgrades
- Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #13982
- Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #13927
- Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #13890
- Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #13928
- Bump io.projectreactor.netty:reactor-netty from 1.0.35 to 1.0.36 #13885
- Bump io.projectreactor.netty:reactor-netty from 1.0.36 to 1.0.38 #13998
- Bump io.projectreactor:reactor-bom from 2020.0.35 to 2020.0.36 #13944
- Bump io.projectreactor:reactor-bom from 2020.0.36 to 2020.0.37 #13997
- Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #13925
- Bump org-aspectj from 1.9.20 to 1.9.20.1 #13893
- Bump org-eclipse-jetty from 9.4.51.v20230217 to 9.4.52.v20230823 #13909
- Bump org-eclipse-jetty from 9.4.52.v20230823 to 9.4.53.v20231009 #13996
- Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #13926
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #13954
- Bump org.springframework.data:spring-data-bom from 2021.2.15 to 2021.2.16 #13907
- Bump org.springframework.data:spring-data-bom from 2021.2.16 to 2021.2.17 #14018
- Bump org.springframework:spring-framework-bom from 5.3.29 to 5.3.30 #13908
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.2.0-M3
β New Features
- Adopt dedicated AssertJ assertions for more expressive test failure messages #13619
- Automate spring-security.xsd #13826
- Correct mentioned HTTP Method in Documentation #13751
- Fix grammar on logout page of the docs #13750
- Fix untitled page title in documentation #13575
- Improve StrictHttpFirewall error messaging #13615
- Improve StrictHttpFirewall error messaging #13614
- Replace wildcard type ? with * in Kotlin and fix typo in Spring docs #13719
- Support nested suspend calls for Kotlin coroutines #13766
- Update OAuth2 docs landing page with examples #13784
- Add OIDC Back-channel Logout Support #7845
πͺ² Bug Fixes
- CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #13748
- CookieRequestCache ignores user Locale #13797
- Default Security Configuration adds WWW-Authenticate Twice #13760
- OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #13802
- Problem uploading multipart file after migrating to latest Spring Security. #13821
- Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #13807
- Spring ACL and native compilation fail to process datasource properties #13815
π¨ Dependency Upgrades
- Update io.projectreactor to 2023.0.0-M3 #13829
- Update jakarta.xml.bind-api to 4.0.1 #13831
- Update micrometer-observation to 1.12.0-M3 #13828
- Update org.aspectj to 1.9.20.1 #13832
- Update org.eclipse.jetty to 11.0.16 #13833
- Update org.jetbrains.kotlin to 1.9.10 #13835
- Update org.springframework to 6.1.0-M5 #13837
- Update org.springframework.data to 2023.1.0-M3 #13838
- Update reactor-netty to 1.1.11 #13830
- Update slf4j-api to 2.0.9 #13836
- Update Spring Framework to 6.1.0-SNAPSHOT #13765
- Update spring-ldap-core to 3.2.0-M3 #13839
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.1.4
β New Features
- Automate spring-security.xsd #13825
πͺ² Bug Fixes
- CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #13659
- CookieRequestCache ignores user Locale #13796
- Default Security Configuration adds WWW-Authenticate Twice #13759
- Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin #13729
- OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #13800
- Problem uploading multipart file after migrating to latest Spring Security. #13820
- Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #13806
- Spring ACL and native compilation fail to process datasource properties #13814
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.7
β New Features
- Automate spring-security.xsd #13824
πͺ² Bug Fixes
- CookieRequestCache ignores user Locale #13795
- Default Security Configuration adds WWW-Authenticate Twice #13758
- OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #13799
- Problem uploading multipart file after migrating to latest Spring Security. #13731
- Resolve The matchingRequestParameterName From The Query String #13817
- Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #13805
- Spring ACL and native compilation fail to process datasource properties #12653
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!