Releases: spring-projects/spring-security
5.2.3.RELEASE
⏪ Non-passive
- SwitchUserFilter vulnerable to CSRF #8223
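The non-passive change behind #8223 is that SwitchUserFilter no longer accepts the impersonation request on any HTTP method: before the fix the switch and exit URLs were matched regardless of method, so a plain GET link such as `/login/impersonate?username=target` could be planted by a third party and, when an administrator followed it, the filter would switch that administrator's session, since CSRF protection never validates GET. From this release the switch and exit URLs are matched for POST only, so the request must be a form post carrying the CSRF token. The configuration below is an added example, not code from the project or its documentation; it assumes an application-supplied UserDetailsService and the hypothetical URLs /login/impersonate and /logout/impersonate, and it states the POST-only matchers explicitly so the restriction is visible in the security configuration rather than relying on the filter's new default.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
public class SwitchUserConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the application provides its own UserDetailsService bean.
    private final UserDetailsService userDetailsService;

    public SwitchUserConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only administrators may impersonate, and only via POST; a GET to the same
                // path is simply denied instead of reaching the filter.
                .antMatchers(HttpMethod.POST, "/login/impersonate").hasRole("ADMIN")
                .antMatchers(HttpMethod.POST, "/logout/impersonate").authenticated()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // CSRF protection stays enabled (the default): every non-GET request, including
            // the impersonation POST, must carry a valid CSRF token.
            .csrf()
                .and()
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    private SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        // Explicit POST-only matchers for the switch and exit requests. In the fixed versions
        // setSwitchUserUrl/setExitUserUrl already produce POST-only matchers; spelling the
        // method out here documents the requirement in the configuration itself.
        filter.setSwitchUserMatcher(new AntPathRequestMatcher("/login/impersonate", "POST"));
        filter.setExitUserMatcher(new AntPathRequestMatcher("/logout/impersonate", "POST"));
        filter.setSwitchFailureUrl("/login?switchFailed");
        filter.setTargetUrl("/");
        return filter;
    }
}
```

The page that triggers impersonation then has to be a form, for example `<form method="post" action="/login/impersonate">` with a `username` field and the hidden `_csrf` input (Thymeleaf and the Spring Security JSP tags add it automatically); any existing GET links or bookmarks to the switch URL stop working after this upgrade, which is the intended effect of the fix.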
⭐ New Features
- SpringTestContext returns ConfigurableWebApplicationContext #8240
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
- Update Encryptors documentation for standard and stronger #8212
- Getting OAuth2AuthenticationException when Bearer token is empty #8207
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
- Basic auth header without user results in exception #8123
- Typo 'properites' -> 'properties' in documentation #8099
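The Encryptors documentation update in #8212 concerns the difference between the two password-based constructions in spring-security-crypto: Encryptors.standard() produces AES-256/CBC ciphertext with a fresh random 16-byte IV prepended to each output, and Encryptors.stronger() produces AES-256/GCM ciphertext, which is additionally authenticated so that any modification is rejected on decrypt. The following is an added example, not code from the project or its reference documentation; the password and plaintext are constructed placeholders, and the salt is generated with KeyGenerators.string() as the documentation recommends.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class EncryptorsExample {

    public static void main(String[] args) {
        // Constructed inputs for the example. In a real application the password comes
        // from a secret store and the salt is generated once and stored with the config.
        String password = "example-password";
        String salt = KeyGenerators.string().generateKey(); // hex-encoded random salt
        byte[] plaintext = "attack at dawn".getBytes(StandardCharsets.UTF_8);

        // standard(): AES-256/CBC. Each call uses a new random IV, so encrypting the same
        // plaintext twice yields different ciphertext (no equality leakage between records).
        BytesEncryptor standard = Encryptors.standard(password, salt);
        byte[] c1 = standard.encrypt(plaintext);
        byte[] c2 = standard.encrypt(plaintext);
        System.out.println("standard: ciphertexts differ = " + !Arrays.equals(c1, c2));
        System.out.println("standard: round trip ok = "
                + Arrays.equals(plaintext, standard.decrypt(c1)));

        // stronger(): AES-256/GCM. The ciphertext is authenticated, so flipping a single
        // bit makes decrypt fail instead of returning corrupted plaintext.
        BytesEncryptor stronger = Encryptors.stronger(password, salt);
        byte[] c3 = stronger.encrypt(plaintext);
        byte[] tampered = c3.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            stronger.decrypt(tampered);
            System.out.println("stronger: tampering NOT detected (unexpected)");
        } catch (IllegalStateException e) {
            // Spring wraps the JCE BadPaddingException/AEADBadTagException in IllegalStateException.
            System.out.println("stronger: tampering detected: " + e.getMessage());
        }

        // delux() is the String-oriented (hex-encoded) wrapper around stronger(), for use
        // where a TextEncryptor is required.
        TextEncryptor text = Encryptors.delux(password, salt);
        String ct = text.encrypt("attack at dawn");
        System.out.println("delux: round trip ok = " + "attack at dawn".equals(text.decrypt(ct)));
    }
}
```

When choosing between the two, prefer stronger() (or delux() for text) for anything that is stored or transmitted where an attacker could alter it, because CBC alone gives confidentiality but not integrity; standard() remains available for compatibility with data already encrypted by it.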
🪲 Bug Fixes
- Update tests to use absolute paths #8260
- HttpServletRequest.logout() not functioning #8241
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
- oauth2Login WebFlux should not auto-redirect for XHR request #8202
- Make OAuth2ErrorHttpMessageConverter more resilient #8180
- RSocket test should throw AccessDeniedException #8155
- Fix typo in Javadoc of HttpSecurity#csrf() #8137
- Empty RelayState causes errors with ADFS #8070
- Fix typo in AntPathRequestMatcher constructor comment #8045
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
- OAuth2 access token response parsing fails with nested JSON object #8021
- Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #7969
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
- Query parameters in authorization-url are double-encoded #7960
- Don't force downcasting of RequestAttributes to ServletRequestAttributes #7959
- ClassCastException for ServletRequestAttributes #7958
🔨 Dependency Upgrades
- Update RSocket to 1.0.0-RC6 #8280
- Update to reactive-streams 1.0.3 #8279
- Update to OpenSAML 3.4.5 #8278
- Update to hibernate-entitymanager 5.4.13.Final #8277
- Update to hibernate-core 5.2.18.Final #8276
- Update blockhound to 1.0.3.RELEASE #8275
- Update to unboundid-ldapsdk 4.0.14 #8274
- Update to okhttp 3.14.7 #8259
- Update to Jackson 2.10.3 #8258
- Update to mockwebserver 3.14.7 #8257
- Update to org.powermock 2.0.6 #8255
- Upgrade to embedded Apache Tomcat 9.0.33 #8254
- Update to httpclient 4.5.12 #8253
- Update to Spring Boot 2.2.6.RELEASE #8252
- Update to GAE 1.9.79 #8251
- Update to Reactor Dysprosium-SR6 #8250
- Update to Spring Framework 5.2.5 #8249
- Update to Spring Data Moore-SR6 #8248
- Update to Jetty 9.4.22.v20191022 #7507
5.1.9.RELEASE
⭐ New Features
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8236
- SwitchUserFilter vulnerable to CSRF #8224
- Update Encryptors documentation for standard and stronger #8215
- Typo 'properites' -> 'properties' in documentation #8100
- Typo 'hasPermision()' in GlobalMethodSecurityBeanDefinitionParser.java #8068
- Remove unwanted code #7949
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8242
- oauth2Login WebFlux should not auto-redirect for XHR request #8203
- Make OAuth2ErrorHttpMessageConverter more resilient #8181
- Fix typo in Javadoc of HttpSecurity#csrf() #8135
- Fix typo in AntPathRequestMatcher constructor comment #8046
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8043
- OAuth2 access token response parsing fails with nested JSON object #8022
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7968
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7965
🔨 Dependency Upgrades
- Update to httpclient 4.5.12 #8294
- Update to hibernate-validator 6.0.19.Final #8293
- Update to reactive-streams 1.0.3 #8292
- Update to hibernate-core 5.2.18.Final #8291
- Update to groovy 2.4.19 #8290
- Update to unboundid-ldapsdk 4.0.14 #8289
- Update to okhttp 3.12.10 #8288
- Update to mockwebserver 3.12.10 #8287
- Update to org.powermock 2.0.6 #8286
- Update to Spring Boot 2.1.13.RELEASE #8285
- Update to GAE 1.9.79 #8284
- Update to Reactor Californium-SR17 #8283
- Update to Spring Data Lovelace-SR16 #8282
- Update to Spring Framework 5.1.14.RELEASE #8281
- Update to Jetty 9.4.22.v20191022 #8093
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.0.15.RELEASE
⭐ New Features
- SwitchUserFilter vulnerable to CSRF #8225
- Update Encryptors documentation for standard and stronger #8218
- Typo 'properites' -> 'properties' in documentation #8101
- Remove unwanted code #7950
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8243
- Fix typo in Javadoc of HttpSecurity#csrf() #8136
- Fix typo in AntPathRequestMatcher constructor comment #8047
- Typo in Spring Security 5.0.x docs #5254
🔨 Dependency Upgrades
- Update to httpclient 4.5.12 #8304
- Update to hibernate-validator 6.0.19.Final #8303
- Update to reactive-streams 1.0.3 #8302
- Update to hibernate-core 5.2.18.Final #8301
- Update to groovy 2.4.19 #8300
- Update to unboundid-ldapsdk 4.0.14 #8299
- Update to okhttp 3.12.10 #8298
- Update to mockwebserver 3.12.10 #8297
- Update to org.powermock 2.0.6 #8296
- Update to GAE 1.9.79 #8295
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
4.2.15.RELEASE
⭐ New Features
- SwitchUserFilter vulnerable to CSRF #8226
- Update Encryptors documentation for standard and stronger #8219
- Typo 'properites' -> 'properties' in documentation #8102
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8244
- Spring Security BOM 4.2.14.RELEASE is missing #7975
🔨 Dependency Upgrades
- Update to jackson-databind:2.8.11.6 #8273
- Update to appengine:1.9.79 #8272
- Update to spring-io-plugin:0.0.8.RELEASE #8271
- Update to nekohtml:1.9.22 #8270
- Update to thymeleaf-layout-dialect:2.0.5 #8269
- Update to httpclient:4.2.6 #8268
- Update to taglibs-standard-jstlel:1.2.5 #8267
- Update to Jetty 8.1.22.v20160922 #8266
- Update to Tomcat 7.0.103 #8265
- Update to asciidoctor-gradle-plugin:1.5.7 #8264
- Update to Groovy 2.4.19 #8263
- Update to spring-boot-gradle-plugin:1.5.22.RELEASE #8262
5.3.1.RELEASE
⭐ New Features
- SpringTestContext returns ConfigurableWebApplicationContext #8237
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8234
- SwitchUserFilter vulnerable to CSRF #8222
- Clarify use case for ServerBearerExchangeFilterFunction #8221
- Update Encryptors documentation for standard and stronger #8211
- Document JwtGrantedAuthoritiesConverter #8183
- userNameAttribute case style is different others #8179
- Document AuthNRequest POST binding support #8165
- Polish SAML 2.0 Login Sample #8164
- OpenSamlImplementation should not use reflection #8161
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8153
- Assign sensible default for OAuth2AuthorizedClientProvider #8151
- Document OAuth2Authorization success and failure handlers #8146
- Document Jackson serialization support for OAuth 2.0 Client #8145
- Document OAuth 2.0 Authorization Request improvements #8133
- Document OAuth 2.0 Login XML Support #8132
- Document OAuth 2.0 Client XML Support #8131
- Basic auth header without user results in exception #8122
- Document AuthenticationEventPublisher improvements #8103
- Typo 'properites' -> 'properties' in documentation #8098
- Document OAuth 2.0 Resource Server XML Support #8094
- Provide spring-security-5*.xsd for https://www.springframework.org/schema/security/ #8091
- Document OIDC Logout Success Handler Improvements #8088
- Add OAuth 2.0 Test Support Docs #8087
- Update test to have comment about secure salt length #8084
- Document JwtClaimValidator #8076
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8238
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8209
- oauth2Login WebFlux should not auto-redirect for XHR request #8201
- Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8178
- RSocket test should throw AccessDeniedException #8160
- Make OAuth2ErrorHttpMessageConverter more resilient #8158
- Fix typo in Javadoc of HttpSecurity#csrf() #8134
- NPE thrown when token response contains a null value #8121
- Google's top result for "Spring Security Reference" returns a 404 #8086
- 5.3.0 Documentation What's New has some broken links #8069
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.3.0.RELEASE
⭐ New Features
- Update What's New Section #8062
- Document JdbcOAuth2AuthorizedClientService #8061
- Add oauth2login xml sample #8060
- Update doc diagram palette to use sans-serif font #8057
- Add SecurityFilterChain Figure #8055
- oauth2Client Test Support should allow configuration of principal name #8054
- Add Kotlin Configuration section to docs #8051
- Add anchors to SAML 2.0 documentation #8049
- Update UserDetailsService Docs #8048
- Add Figures to Basic Authentication Docs #8039
- Add Link to DispatcherServlet in Filter Review Doc #8036
- Add Figures to Form Log In Docs #8035
- Add Figure for AuthenticationEntryPoint Docs #8030
- Add ProviderManager to Docs #8029
- Custom ServerHttpHeadersWriter to HeaderSpec #8028
- Add hasRole(String) to authorizeRequests in Kotlin DSL #8023
- Add missing @FunctionalInterface in oauth2 modules #8020
- Provide configurable Clock in OidcIdTokenValidator #8019
- Add OAuth2AuthorizeRequest.Builder.principal(String) #8018
- Extract AuthenticationManager Docs #8006
- Extract SecurityContextHolder, SecurityContext, Authentication, and GrantedAuthority Docs #8005
- Add AbstractAuthenticationProcessingFilter Docs #8004
- Extract AuthenticationEntryPoint Docs #8003
- Extract ExceptionTranslationFilter Docs #8002
- Extract FilterSecurityInterceptor Docs #8001
- Use Color Palette that is Accessible for Color Blind #8000
- Create a palette.odg #7999
- Add Numbers Icons #7998
- Instantiate exceptions lazily #7996
- JwtIssuerReactiveAuthenticationManagerResolver eagerly creates Exceptions #7995
- OAuth2AuthorizationRequest.Builder should configure additional parameters with a consumer #7993
- Add OAuth2Authorization success/failure handlers #7986
- Refactor Duplicate Security Filter Chain Doc #7979
- Fix Asciidoctor Warnings #7973
- Use Kotlin DSL Marker Annotations to prevent scope leaking #7971
- Add JwtClaimValidator #7962
- Support custom filter in Kotlin DSL #7951
- Option for default event in DefaultAuthenticationEventPublisher #7937
- DefaultAuthenticationEventPublisher is now configurable via a Map #7925
- Add oauth2Client WebTestClient Test Support #7910
- Nimbus OpaqueTokenIntrospectors should differentiate token and service errors #7902
- OAuth 2.0 Client supports application clustering #7889
- Add JwtIssuerReactiveAuthenticationManagerResolver #7887
- Consider adding JwtClaimValidator #7860
- Add ReactiveJwtIssuerAuthenticationManagerResolver and Reactive Multi Tenant Examples #7857
- Add JDBC implementation of OAuth2AuthorizedClientService #7855
- Set default redirect in OidcClientInitiatedServerLogoutSuccessHandler #7842
- Introduce OAuth2Authorization success/failure handlers #7840
- Add Opaque Token Reactive Test Support #7827
- DefaultAuthenticationEventPublisher should allow configuring a default event #7825
- DefaultAuthenticationEventPublisher should be configurable via Map #7824
- Oauth2login xmlconfig implementation #7821
- OAuth 2.0 Resource Server XML Support #7775
- SAML AuthNRequest Signatures - Step 2 #7759
- SAML AuthNRequest Signatures - Step 1 #7758
- Simplify customizing OAuth2AuthorizationRequest #7748
- SAML2 HTTP-Redirect: Missing Signature and SigAlg parameters in SAMLRequest Url (AuthNRequest) #7711
- Consider adding switch to enable or disable OIDC nonce #7696
- Getting OAuth2AuthenticationException when Bearer token is empty #7668
- Provide JDBC implementation of OAuth2AuthorizedClientService #7655
- Add custom ServerHttpHeadersWriter to HeadersSpec #7636
- RefreshTokenOAuth2AuthorizedClientProvider does not handle expired refresh token #7583
- Fix typo 'is' -> 'if' in javadoc #7559
- Saml2LoginConfigurer should expose AuthenticationManager setter #7374
- Provide XML namespace support for OAuth 2.0 Resource Server #5185
- Provide XML namespace support for OAuth 2.0 Client #5184
- Migrate Groovy to Java #4939
- Provide XML namespace support for OAuth2Login #4557
🪲 Bug Fixes
- Typo fix #8059
- Fix typo in AntPathRequestMatcher constructor comment #8042
- Docs Should Style Links that are Code as Link #8038
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8031
- Tab switching does not work in documentation code samples #8025
- Build failure with NoClassDefFoundError on javax/mail/internet #7994
- Remove Duplicate Runtime Environment From Docs #7980
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7966
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7963
- fix #7952 Don't force downcasting of RequestAttributes to ServletRequestAttributes #7953
- ClassCastException for ServletRequestAttributes #7952
- Prevent double-escaping of authorize URL parameters [#7881](https://gi...
4.2.14.RELEASE
🔨 Dependency Upgrades
- Update to Thymeleaf 3.0.11.RELEASE #7948
- Update to Spring Boot 1.5.22.RELEASE #7947
- Update to Spring Session 1.3.5.RELEASE #7946
- Update to Spring Data Redis 1.8.23.RELEASE #7945
- Update to Spring Data JPA 1.11.23.RELEASE #7944
- Update to Spring Data Commons 1.13.23.RELEASE #7943
- Update to CGLIB 3.2.12 #7942
- Update to Spring Framework 4.3.26.RELEASE #7941
5.3.0.RC1
⭐ New Features
- Add RSocket Authentication Extension Support #7935
- SecurityEvaluationContextExtension.getRootObject() Specific Type #7891
- Add oauth2Client MockMvc Test Support #7886
- Nimbus JwtDecoders should differentiate token and service errors #7885
- Remove redundant branches from SessionManagementConfigurer #7879
- AuthenticationWebFilter's ReactiveAuthenticationManagerResolver should take a ServerWebExchange #7872
- SAML2: Wrong IdP response URL throws NPE (for non-existing "RelyingParty") #7865
- Typo in doc #7830
- Add oauth2Login Reactive Test support #7828
- Improve Bearer Token Error Handling #7826
- Add BearerTokenErrors #7823
- Add InvalidBearerTokenException #7822
- Make OAuth2AccessToken converters public #7815
- AuthenticationEventPublisher Lookup #7802
- Modernize Documentation Styling #7801
- Invalid OAuth2 login attempts don't emit a corresponding ApplicationEvent #7793
- Set secure on cookie when logging out #7764
- Introduce Reactive OAuth2Authorization success/failure handlers #7756
- ProviderManager should have a varargs constructor #7713
- Introduce Reactive OAuth2Authorization success/failure handlers #7699
- Migrate LDAP integration tests groovy->java #7691
- WebSecurityConfigurerAdapter: Unable to use custom AuthenticationEventPublisher #7515
- Add Jackson support to OAuth2 session related classes #4886
🪲 Bug Fixes
- Build failing with NoSuchMethodError #7888
- cassample integration tests are failing #7874
- Form login requiresAuthenticationMatcher is not used in WebFlux #7863
- BasicAuthenticationFilter ignores credentials charset #7835
- Default LDIF file not picked up in LDAP "unboundid" mode #7833
- Incorrect LDIF file example in LDAP documentation #7832
- OpaqueTokenRequestPostProcessor should respect configuration order #7800
- Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7782
🔨 Dependency Upgrades
- Update to Gradle 6.1.1 #7936
- Update to GAE 1.9.78 #7893
- Update to Spring Boot 2.2.4.RELEASE #7892
- Update Gradle 6.1 #7838
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.2.2.RELEASE
⭐ New Features
- Don't cache requests with Accept: text/event-stream by default #7744
- Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7717
- Remove redundant validation for redirect-uri #7707
- Polish oauth2-client Error-handling Tests #7647
- Remove unnecessary code in SecurityExpressionRoot #7635
- Extract HTTPS Documentation #7626
- Remove unnecessary code in SecurityExpressionRoot #7601
- Make jwks_uri optional for RFC 8414 and required for OpenID Connect #7573
🪲 Bug Fixes
- Form login requiresAuthenticationMatcher is not used in WebFlux #7867
- Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7866
- BasicAuthenticationFilter ignores credentials charset #7859
- Default LDIF file not picked up in LDAP "unboundid" mode #7852
- Incorrect LDIF file example in LDAP documentation #7849
- Use the custom ServerRequestCache that the user configures #7753
- RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7751
- Disabling logout in WebFlux does nothing #7742
- Saml2Authentication isn't serializable #7739
- Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7738
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7732
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7729
- DelegatingServerLogoutHandler Should Execute Sequentially #7725
- WebFlux oauth2Login returns 500 when bad client credentials #7703
- Correctly configure authorization requests repository for OAuth2 login #7690
- Correctly configure authorization requests repository for OAuth2 login #7689
- DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7684
- Update @MessageMapping to match input/output cardinality #7669
- Add http and https spring.schema mappings #7623
- Avoid toString in favor of getName in order to extract sid #6354
🔨 Dependency Upgrades
- Update to Spring Boot 2.2.4 #7909
- Update to org.slf4j 1.7.30 #7908
- Update to org.powermock 2.0.5 #7907
- Update to hibernate-validator 6.1.2.Final #7906
- Update to hibernate-entitymanager 5.4.10.Final #7905
- Update to org.aspectj 1.9.5 #7904
- Update to httpclient 4.5.11 #7903
- Update to commons-codec 1.14 #7899
- Update to com.squareup.okhttp3 3.14.6 #7898
- Update to Jackson 2.10.2 #7897
- Update to Reactor Dysprosium SR4 #7896
- Update to Spring Data Moore SR3 #7895
- Update to Spring Framework 5.2.3 #7894
- Update nimbus-jose-jwt because of CVE-2019-17195 #7570
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.1.8.RELEASE
⭐ New Features
- Remove redundant validation for redirect-uri #7708
- WebClient support should get new access token when expired and client_credentials #7685
🪲 Bug Fixes
- Default LDIF file not picked up in LDAP "unboundid" mode #7853
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7735
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7730
- DelegatingServerLogoutHandler Should Execute Sequentially #7727
- WebFlux oauth2Login returns 500 when bad client credentials #7704
🔨 Dependency Upgrades
- Update to Spring Boot 2.1.12 #7923
- Update to org.slf4j 1.7.30 #7922
- Update to org.powermock 2.0.5 #7921
- Update to hibernate-validator 6.0.18.Final #7920
- Update to hibernate-entitymanager 5.3.15.Final #7919
- Update to org.bouncycastle:bcpkix-jdk15on 1.64 #7918
- Update to org.aspectj 1.9.5 #7917
- Update to httpclient 4.5.11 #7916
- Update to com.squareup.okhttp3 3.12.8 #7915
- Update to Jackson 2.9.10 #7914
- Update to Reactor Californium-SR15 #7913
- Update to Spring Data Lovelace SR15 #7912
- Update to Spring Framework 5.1.13 #7911