Releases: spring-projects/spring-security
5.4.4
This release fixes a problem with the release of 5.4.3.
⭐ New Features
- Migrate SAML 2.0 Samples to Use PCFOne #9369
- Resolve artifacts from Maven Central first #9367
- Use constant time comparisons for CSRF tokens #9357
- Improve HttpSessionSecurityContextSessionRepository Performance #9388
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
- Fix custom marshaller example #9409
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
- Consider downgrading to Nimbus 8 #9399
- Remove notEmpty check for authorities in DefaultOAuth2User #9396
- Wrong example name in Spring Security documentation #9383
- Make user info response status check error only #9376
- Malformed WWW-Authenticate Causes NPE #9364
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
- Exception when declaring multiple AuthenticationManager beans #9332
- webflux-x509 sample cert needs renewal #9322
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258
🔨 Dependency Upgrades
5.5.0-M2
⭐ New Features
- Constrain Nimbus dependencies to compatible majors #9400
- Misleading manifestation of error condition #9395
- Remove private BearerTokenAuthenticationWebFilter #9377
- Migrate SAML 2.0 Samples to Use PCFOne #9362
- Add manual trigger to CI workflow #9360
- Use Nimbus's SingleKeyJWSKeySelector #9348
- Extend CorsDsl with CorsConfigurationSource property #9333
- Make max-sessions configurable #9328
- Add Revved up by Gradle Enterprise badge to README #9327
- WebFlux oauth2Login with formLogin test #9326
- No converter found for RSAPublicKey #9316
- Extend CorsDsl with CorsConfigurationSource property #9314
- Removes unused code #9294
- Use constant time comparisons for CSRF tokens #9291
- Introduced DispatcherType request matcher #9278
- Add permissionsPolicy http header #9265
- Add permissionsPolicy header in HeadersConfigurers #9262
- Deprecate ClientAuthenticationMethod BASIC and POST #9220
- Fix javadoc in Pbkdf2PasswordEncoder #9219
- Added ClaimAccessor#hasClaim #9218
- Improve handling of non-String principal claim values #9215
- Improve handling of non-String principal claim values #9212
- getRemoteUser() returns principal name #9211
- Match requests based on servlet dispatcher type #9205
- Return type of oauth2.core.ClaimAccessor#containsClaim(String) could be a primitive boolean #9201
- Allow maximum age of csrf cookie to be configured #9196
- SecurityWebApplicationContextUtils cleanup gh-8868 #9194
- Decode cookie once in AbstractRememberMeServices #9192
- Add convenience constructor in OAuth2AuthenticationException #9190
- JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186
- Make salt length configurable in Pbkdf2PasswordEncoder #9147
- Resource Server should identify unauthorized REST requests like HTTP Basic does #9100
- Add AuthorizationManager #8996
- OpenSamlAuthenticationProvider should validate Response Status #8955
- Build Github Actions CI pipeline #8698
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9421
- Update saml2-login.adoc #9408
- Allow null or empty authorities for DefaultOAuth2User #9380
- Wrong example name in Spring Security documentation #9379
- Remove notEmpty check for authorities in DefaultOAuth2User #9366
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9337
- Make user info response status check error only #9336
- Fix bug with multiple AuthenticationManager beans #9329
- Fixed NullPointerException with WWW-Authenticate #9303
- Exception when declaring multiple AuthenticationManager beans #9256
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject #9222
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9210
- CookieRequestCache handles URL encoded query parameters incorrectly #9203
- Fix typo in JdbcDaoImpl Javadoc #9197
- WithSecurityContextTestExecutionListener should respect NestedTestConfiguration #9193
- Customizing the metadata endpoint does not work #9133
🔨 Dependency Upgrades
- Update to GAE 1.9.86 #9445
- Update to Kotlin 1.4.30 #9444
- Update to Spring Boot 2.4.2 #9443
- Update Gradle Enterprise Gradle Plugin #9335
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.3
⭐ New Features
- Migrate SAML 2.0 Samples to Use PCFOne #9369
- Resolve artifacts from Maven Central first #9367
- Use constant time comparisons for CSRF tokens #9357
- Improve HttpSessionSecurityContextSessionRepository Performance #9388
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
- Fix custom marshaller example #9409
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
- Consider downgrading to Nimbus 8 #9399
- Remove notEmpty check for authorities in DefaultOAuth2User #9396
- Wrong example name in Spring Security documentation #9383
- Make user info response status check error only #9376
- Malformed WWW-Authenticate Causes NPE #9364
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
- Exception when declaring multiple AuthenticationManager beans #9332
- webflux-x509 sample cert needs renewal #9322
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258
🔨 Dependency Upgrades
5.3.8.RELEASE
This release fixes a problem with the release of 5.3.7.
⭐ New Features
- Improve HttpSessionSecurityContextSessionRepository Performance #9391
- Improve HttpSessionSecurityContextSessionRepository Performance #9389
- Migrate SAML 2.0 Samples to Use PCFOne #9370
- Resolve artifacts from Maven Central first #9368
- Use constant time comparisons for CSRF tokens #9358
🪲 Bug Fixes
- Fix the 5.3.7.RELEASE
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9427
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9405
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9404
- Remove notEmpty check for authorities in DefaultOAuth2User #9397
- Wrong example name in Spring Security documentation #9384
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9339
- webflux-x509 sample cert needs renewal #9323
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9259
5.3.7.RELEASE
⭐ New Features
- Improve HttpSessionSecurityContextSessionRepository Performance #9391
- Improve HttpSessionSecurityContextSessionRepository Performance #9389
- Migrate SAML 2.0 Samples to Use PCFOne #9370
- Resolve artifacts from Maven Central first #9368
- Use constant time comparisons for CSRF tokens #9358
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9427
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9405
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9404
- Remove notEmpty check for authorities in DefaultOAuth2User #9397
- Wrong example name in Spring Security documentation #9384
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9339
- webflux-x509 sample cert needs renewal #9323
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9259
5.2.9.RELEASE
⭐ New Features
- Improve HttpSessionSecurityContextSessionRepository Performance #9390
- Migrate SAML 2.0 Samples to Use PCFOne #9371
- Use constant time comparisons for CSRF tokens #9359
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9428
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9406
- Remove notEmpty check for authorities in DefaultOAuth2User #9398
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9340
- webflux-x509 sample cert needs renewal #9321
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9260
🔨 Dependency Upgrades
- Update to GAE 1.9.86 #9442
- Update to Tomcat 9.0.43 #9441
- Update to Jetty 9.4.36.v20210114 #9440
- Update to hibernate-validator 6.1.7.Final #9439
- Update to hibernate-entitymanager 5.4.28.Final #9438
- Update to thymeleaf-spring5 3.0.12 #9437
- Update to Spring Data Moore-SR12 #9436
- Update to Reactor Dysprosium-SR16 #9435
- Update to Spring Framework 5.2.12.RELEASE #9434
- Update to Spring Boot 2.2.13.RELEASE #9433
4.2.20.RELEASE
5.4.2
5.3.6.RELEASE
5.2.8.RELEASE
🪲 Bug Fixes
- Remove empty Appendix Section from docs #9172
- Tests should not combine Authentication and @AuthenticationPrincipal #9126
🔨 Dependency Upgrades
- Update to Spring LDAP Core 2.3.3 #9245
- Update to Powermock 2.0.9 #9244
- Update to HSQLDB 2.5.1 #9243
- Update to Hibernate EntityManager 5.4.25 #9242
- Update to Jetty 9.4.35 #9241
- Update to HttpComponents HttpClient 4.5.13 #9240
- Update to RSocket 1.0.3 #9239
- Update to Reactor Dysprosium-SR14 #9238
- Update to Google App Engine 1.9.83 #9237
- Update to Jackson Databind 2.10.5.1 #9236
- Update to Spring Data Moore-SR11 #9235
- Update to Spring 5.2.11 #9234
- Update to Spring Boot 2.2.11 #9233