Releases: spring-projects/spring-security
Releases Β· spring-projects/spring-security
5.8.16
β New Features
- Support ServerExchangeRejectedHandler
@Bean#15976
πͺ² Bug Fixes
π¨ Dependency Upgrades
- Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16030
- Bump org.springframework.ldap:spring-ldap-core from 2.4.2 to 2.4.4 #16094
π© Build Updates
- Bump
@antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16114 - Update Antora UI Spring to v0.4.17 #15933
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.14
6.4.0-RC1
β New Features
- Add API for Looking Up Security Annotations #15700
- Add loginPage() to DSL in reactive oauth2Login() #15674
- Add public InMemoryOneTimeTokenService.setClock(Clock) #15864
- Support One-Time Tokens in a Clustered Environment [#15735][https://github.com//issues/15735]
- Add Reactive One-Time Token Login Kotlin DSL Support #15888
- Add Support for Passkeys #13305
- Allow OAuth2ClientSpec to get ReactiveOAuth2AccessTokenResponseClient from Spring IoC #11097
- Allow access token request parameters to override defaults #15339
- Allow building a ClientRegistration from provided configuration #15716
- Allow logout+jwt JWT type for reactive #15847
- AuthorizationEventPublisher should accept an AuthorizationResult #15915
- AuthorizationManager should return AuthorizationResult #14846
- Clarify Username/Password Authentication Docs #15806
- Customize the strategy for resolving the principal #15833
- Introduce ExpressionJwtGrantedAuthoritiesConverter to extract nested authorities via SpEL expression #15202
- Improve encapsulation for jwtValidators #15879
- Improve readibility of empty collection checks #15898
- Improved error message for PasswordEncoder #14968
- Make Security Observations Selectable #15678
- ObjectProvider over custom getBeanOrNull method #15816
- Parameters customizer called before all parameters are set #15939
- Polish diamond operator usage #15900
- Polish OAuth2ClientConfiguration #15857
- Reactive oauth2Login should pick up OAuth2ReactiveUserService bean #15848
- Replace Date().getTime() method with System.currentTimeMillis() #15890
- Simplify Casting with ReactiveJwtDecoders #15797
- Support refresh token for Token Exchange #15534
- Update document #15862
- Update javaDoc for DefaultOneTimeTokenSubmitPageGeneratingFilter #15870
- Update websocket integration docs #15438
- Use SessionAuthenticationStrategy for Remember-Me authentication #15748
πͺ² Bug Fixes
- Fix HttpSecurity Deprecation notices #15827
- Minor fix in Kotlin docs for noSpringSecurityObservations #15831
- OidcBackChannelLogoutTokenValidator should not construct when missing OIDC Provider Issuer #15824
- Restore Framework version on Snapshot build #15916
- The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15830
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.10 to 1.5.11 #15924
- Bump com.fasterxml.jackson:jackson-bom from 2.17.2 to 2.18.0 #15859
- Bump io.freefair.gradle:aspectj-plugin from 8.10 to 8.10.2 #15881
- Bump io.micrometer:micrometer-observation from 1.13.5 to 1.13.6 #15918
- Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15895
- Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15922
- Bump io.spring.develocity.conventions from 0.0.21 to 0.0.22 #15871
- Bump org.hibernate.orm:hibernate-core from 6.6.0.Final to 6.6.1.Final #15823
- Bump org.htmlunit:htmlunit from 4.4.0 to 4.5.0 #15960
- Bump org.junit:junit-bom from 5.11.1 to 5.11.2 #15882
- Bump org.mockito:mockito-bom from 5.14.1 to 5.14.2 #15923
- Bump org.seleniumhq.selenium:htmlunit3-driver from 4.23.0 to 4.25.0 #15959
- Bump org.seleniumhq.selenium:selenium-java from 4.24.0 to 4.25.0 #15839
- Bump org.springframework.data:spring-data-bom from 2024.0.4 to 2024.0.5 #15961
- Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15942
- Bump org.springframework:spring-framework-bom from 6.2.0-RC1 to 6.2.0-RC2 #15943
π© Build Updates
- Bump
@antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15911 - Bump
@springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15834 - Fix Broken Resource Server Doc Links #15845
- Fix typo of createDefaultRequestMacher in WebSessionServerRequestCache #15867
- Polish ExpressionTemplateSecurityAnnotationScanner #15832
- Release 6.4.0-RC1 #15966
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@JohnNiang, @bottlerocketjonny, @c1rd3cm, @dependabot[bot], @franticticktick, @heruan, @jinia91, @kse-music, @kwonyonghyun, @ngocnhan-tran1996, @nimakarimiank, @openrefactorymunawar, @regiuss-own, @rs017991, @sjohnr, @thomasdarimont, @wapkch, and @xhaggi
Contributors
thomasdarimont, heruan, and 16 other contributors
Assets 2
6.3.4
πͺ² Bug Fixes
- Annotation expression template processing should not fail on Class parameter types #15711
- Disabling credentials erasure on custom AuthenticationManager is not working #15808
- Documentation inconsistency in AuthorizationManager's verify method return type #15822
- Methods annotated with
@PostFilterare processed twice by PostFilterAuthorizationMethodInterceptor #15676 - OidcBackChannelLogoutTokenValidator should not construct when missing OIDC Provider Issuer #15868
- SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15767
- The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15829
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.10 to 1.5.11 #15926
- Bump io.micrometer:micrometer-observation from 1.12.10 to 1.12.11 #15917
- Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15897
- Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15925
- Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15694
- Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15731
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.21 to 4.33.22 #15761
- Bump org.junit:junit-bom from 5.10.4 to 5.10.5 #15883
- Bump org.springframework.data:spring-data-bom from 2024.0.4 to 2024.0.5 #15958
- Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15944
- Bump org.springframework:spring-framework-bom from 6.1.13 to 6.1.14 #15945
π© Build Updates
- Bump
@antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15907 - Bump
@springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15836 - Migrate slack notifications to GChat #15668
- Release 6.3.4 #15964
- Update eclipse/vscode configuration to use -parameters #15681
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot] and @kse-music
Contributors
dependabot and kse-music
Assets 2
6.2.7
πͺ² Bug Fixes
- Disabling credentials erasure on custom AuthenticationManager is not working #15807
- Documentation inconsistency in AuthorizationManager's verify method return type #15704
- Fix code format in OIDC Logout docs #15566
- Fix OIDC Logout docs: Session Strategy vs. Registry #15686
- Methods annotated with
@PostFilterare processed twice by PostFilterAuthorizationMethodInterceptor #15675 - Methods annotated with
@PostFilterare processed twice by PostFilterAuthorizationMethodInterceptor #15651 - SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15766
- The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15828
π¨ Dependency Upgrades
- Bump Gradle Wrapper from 8.10.1 to 8.10.2 #15841
- Bump io.micrometer:micrometer-observation from 1.12.10 to 1.12.11 #15919
- Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15896
- Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15927
- Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15693
- Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15733
- Bump org.junit:junit-bom from 5.10.4 to 5.10.5 #15880
- Bump org.springframework.data:spring-data-bom from 2023.1.10 to 2023.1.11 #15962
- Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15946
- Bump org.springframework:spring-framework-bom from 6.1.13 to 6.1.14 #15947
π© Build Updates
- Bump
@antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15910 - Bump
@springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15838 - Bump Gradle Wrapper from 8.7 to 8.10 #15609
- CORS documentation should use UrlBasedCorsConfigurationSource #15769
- Migrate slack notifications to GChat #15667
- Release 6.2.7 #15965
- Update CORS document #15784
- Update eclipse/vscode configuration to use -parameters #15680
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@Junhyunny, @dependabot[bot], @github-actions[bot], @hwanders, and @ngocnhan-tran1996
Contributors
hwanders, dependabot, and 2 other contributors
Assets 2
5.8.15
β New Features
- Address unnecessary method invocation in AbstractRequestMatcherRegistry #15718
- The SecuredAuthorizationManager can now find
@Securedannotations on β¦ #15014
πͺ² Bug Fixes
- Disabling credentials erasure on custom AuthenticationManager is not working #15683
- Methods annotated with
@PostFilterare processed twice by PostFilterAuthorizationMethodInterceptor #15624 - SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15749
- The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15533
π¨ Dependency Upgrades
- Bump io.projectreactor.tools:blockhound from 1.0.9.RELEASE to 1.0.10.RELEASE #15928
- Bump org-eclipse-jetty from 9.4.55.v20240627 to 9.4.56.v20240826 #15730
- Bump org.springframework.ldap:spring-ldap-core from 2.4.1 to 2.4.2 #15941
π© Build Updates
- Bump
@antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15908 - Bump
@springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15837 - Migrate slack notifications to GChat #15503
- Release 5.8.15 #15963
β€οΈ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.13
Release 5.7.13
6.4.0-M4
β New Features
- Abstract Common Code in
UnmodifiableListDeserializerandUnmodifiableSetDeserializer#15673 - Add API for Registering Security Hints #15772
- Add cookie customizer to CookieRequestCache #15685
- Add DefaultResourcesFitler to XML configuration #15790
- Add One-Time Token Login support to Kotlin DSL #15727
- Add RestClient implementations #15337
- Add Support for One-Time Token Login #15114
- Cache Annotation Lookups #15799
- Consider adding
RestClientimplementations ofOAuth2AccessTokenResponseClient#15298 - Deprecate default
OAuth2AccessTokenResponseClients in favor ofRestClient-based ones #15737 - Document how to configure One-Time Token TTL #15743
- EnableReactiveMethodSecurity Supports Custom MethodSecurityExpressionHandler #15719
- Fix adding more implied roles in the RoleHierarchy Builder. #15717
- Include FilterChain on SessionInformationExpiredEvent to allow continuing the request #14077
- Make OidcSessionRegistry Configurable in Kotlin #15814
- Oidc Logout Improvements #15540
- Pick Up OidcSessionRegistry bean in OIDC Configuration #15813
- Polish OneTimeTokenLogin #15750
- Provide Runtime Hints for Beans used in Pre/PostAuthorize Expressions #15794
- Remove the need for
@JsonSerializewhen serializing authorization proxy objects with Jackson #15687 - Remove trailing spaces in default UIs #15791
- Serve static resources (JS, CSS) from dedicated filter #15723
- Throw AuthorizationDeniedException when AuthorizationResult is available #15706
- Use HTML templating in default UIs #15580
πͺ² Bug Fixes
- Correct Title in logout.adoc #15736
- Disabling credentials erasure on custom AuthenticationManager is not working #15809
- Fix getBeansWithName in global authentication configurers #15781
- Fix variable targetClassToUse is not passed into the synthesize method #15568
- Fixed typo in the Servlet API Integration documentation #15691
- Fixed typos in the Servlet and Reactive Observability documents #15692
- Hardcode ott-username input name in DefaultLoginPageGeneratingFilter #15740
- SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15768
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.7 to 1.5.8 #15762
- Bump com.gradle.develocity from 3.17.6 to 3.18 #15682
- Bump io.micrometer:micrometer-observation from 1.13.3 to 1.13.4 #15777
- Bump io.projectreactor:reactor-bom from 2023.0.9 to 2023.0.10 #15787
- Bump io.spring.develocity.conventions from 0.0.20 to 0.0.21 #15795
- Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15695
- Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15732
- Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.8.1 to 1.9.0 #15810
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.21 to 4.33.22 #15763
- Bump org.mockito:mockito-bom from 5.12.0 to 5.13.0 #15703
- Bump org.seleniumhq.selenium:selenium-java from 4.23.1 to 4.24.0 #15708
- Bump org.springframework.data:spring-data-bom from 2024.0.3 to 2024.0.4 #15811
- Bump org.springframework:spring-framework-bom from 6.2.0-M7 to 6.2.0-RC1 #15801
π© Build Updates
- Bump
@springio/asciidoctor-extensions from 1.0.0-alpha.12 to 1.0.0-alpha.13 in /docs #15755 - Check samples is stuck on an old snapshot dependency #15798
- Update Spring Boot links #15720
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@CrazyParanoid, @Kehrlann, @dependabot[bot], @fb64, @hyunmin0317, @jzheaux, @kse-music, @marcusdacoregio, @ngocnhan-tran1996, @nielsbasjes, @sjohnr, and @ximinghui
Contributors
nielsbasjes, fb64, and 10 other contributors
Assets 2
6.4.0-M3
β New Features
- Simplify adding AuthorizationAdvisors to AuthorizationAdvisorProxyFactory #15497
π¨ Dependency Upgrades
- Bump com.gradle.develocity from 3.17.6 to 3.18 #15654
- Bump io.freefair.gradle:aspectj-plugin from 8.7.1 to 8.10 #15653
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.20 to 4.33.21 #15671
π© Build Updates
- Migrate slack notifications to GChat #15669
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot]
Contributors
dependabot
Assets 2
6.3.3
πͺ² Bug Fixes
- ObservationRegistry is never post-processed #15658
π¨ Dependency Upgrades
- Bump org-eclipse-jetty from 11.0.22 to 11.0.23 #15664
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@dependabot[bot]
Contributors
dependabot