Releases: spring-projects/spring-security
5.5.0-M1
⭐ New Features
- Add unsupported_token_type in OAuth2ErrorCodes #9184
- Add token and token_type_hint to OAuth2ParameterNames #9183
- Introduce JwaAlgorithm #9182
- WithSecurityContextTestExecutionListener Should Support Nested Classes #9179
- Add WebFlux Documentation for Multiple Filter Chains #9178
- SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements #9177
- Enable customization of BearerTokenResolver by adding a setter for JwtClaimIssuerConverter on JwtIssuerAuthenticationManagerResolver #9168
- Reactive doc points to unit tests #9157
- Invoke Kotlin MockMvc result matchers with parentheses #9155
- Change guard expressions order #9153
- It is not necessary to fetch all user sessions if unlimited sessions are set in the ConcurrentSessionControlAuthenticationStrategy. #9152
- Add refresh token expiration support #9146
- JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs #9137
- OpenSamlAuthenticationProvider should decrypt attributes #9131
- Update snapshot build dependencies #9124
- spring-security-test should include jackson-datatype-jsr310 as a test dependency #9123
- Update to Gradle 6.6.1 #9122
- Use LobHandler in JdbcOAuth2AuthorizedClientService #9070
- Changed metadata converter to accept files as well #9056
- Add HSM Support for Decrypting Assertions #9055
- File-based Configuration for Asserting Party Metadata #9028
- Prevent PR builds from running on forks #8993
- Provide an R2dbc implementation of ReactiveOAuth2AuthorizedClientService #8765
- Add support for dynamic JWS signature algorithm with JWKs (2) - Issue 7160 #8752
- Support customization of BearerTokenResolver in JwtIssuerAuthenticationManagerResolver #8535
- Provide reactive JDBC implementation of ReactiveOAuth2AuthorizedClientService #7890
- JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint #7160
- OAuth2Token interface for AbstractOAuth2Token #5502
🪲 Bug Fixes
- [docs] Add white space before strong notation. #9145
- Bug with JwtValidators.createDefaultWithIssuer(String)? #9136
- Tests should not combine Authentication and @AuthenticationPrincipal #9121
- Closes gh-8196 appendix indentation #9118
- Fixes in documentation #9099
🔨 Dependency Upgrades
- Set rsocketVersion to 1.1.0 #9167
- Set reactorVersion to 2020.0.+ #9166
- Set springVersion to 5.3.+ #9165
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.1
⭐ New Features
- Replace expired msdn link with latest web archive copy #9050
- Add documentation for StrictHttpFirewall enhancements #9038
- Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
- Use AssertJ for exception testing #9013
🪲 Bug Fixes
- Add try-with-resources to close stream #9053
- RelyingPartyRegistrations Fails to Read Keycloak Metadata #9051
- Fix miswritten comment of FormLoginDsl.kt #9042
- Adapt to WebClient's new exception wrapping #9031
- StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #9026
- Fix broken Mono chain #9022
- Use Schedulers.boundedElastic for UUID.randomUUID #9021
- CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018
- WebSessionServerCsrfTokenRepository#generateToken() doesn't use Schedulers.boundedElastic() #9017
- NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #9011
- Quick javadoc fix for DelegatingPasswordEncoder #8890
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.3.5.RELEASE
5.2.7.RELEASE
🪲 Bug Fixes
- SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9058
- CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9025
🔨 Dependency Upgrades
- Update to Spring Data Moore-SR10 #9088
- Update to Hibernate Entity manager 5.4.22 #9087
- Update to Hibernate Validator 6.1.6 #9086
- Upgrade to embedded Apache Tomcat 9.0.38 #9085
- Update to RSocket 1.0.2 #9084
- Update to Spring Framework 5.2.9 #9083
- Update to Reactor Dysprosium-SR12 #9082
- Update to Spring Boot 2.2.10 #9081
- Update to GAE 1.9.82 #9080
- Update to org.aspectj 1.9.6 #9079
5.1.13.RELEASE
🪲 Bug Fixes
- SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9059
🔨 Dependency Upgrades
- Update to Spring Boot 2.1.17.RELEASE #9078
- Update to Hibernate Validator 6.0.21 #9077
- Update to org.aspectj 1.9.6 #9076
- Update to GAE 1.9.82 #9075
- Update to Jackson Databind 2.9.10.6 #9074
- Update to Spring Data Lovelace-SR20 #9073
- Update to Spring Framework 5.1.18 #9072
- Update to Reactor Californium-SR21 #9071
5.0.19.RELEASE
🪲 Bug Fixes
- SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9060
🔨 Dependency Upgrades
4.2.19.RELEASE
5.4.0
⭐ New Features
- Add What's New in 5.4 #9002
- Add What's New in 5.4 Section to Docs #9001
- Add Resource Server Servlet Logging #9000
- Simplify saml2Login Samples #8990
- Remove Framework Tests from saml2Login Sample #8989
- Add authenticationManagerResolver to resource server Kotlin DSL #8981
- Generalize SAML 2.0 Assertion Validation Support #8970
- Update abstract-authentication-processing-filter.adoc #8965
- Add spring-javaformat checkstyle and formatting #8946
- Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #8926
- Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #8892
- Resolve oauth2 client-id, client-secret placeholders #8880
- Restructure SAML 2.0 documentation #8763
- security:client-registrations doesn't take propertyconfigurer properties #8453
🪲 Bug Fixes
- Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #8986
- NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #8948
- SAML attributes not parsed correctly with prefixed XML elements #8864
- Don't use oidc scopes_supported for scope as default in ClientRegistrations #8790
- scopes_supported metadata should not be used as default in ClientRegistrations #8514
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.4.0-RC1
⭐ New Features
- Deprecate CustomUserTypesOAuth2UserService #8908
- Deprecate ClientRegistration.redirectUriTemplate #8906
- Allow for custom ClientRegistration.clientAuthenticationMethod #8903
- Deprecate ImplicitGrantConfigurer #8902
- Remove use of Mono.deferWithContext() #8901
- Consider adding RelyingPartyRegistrationResolver #8887
- Add HttpMessageConverter that constructs a RelyingPartyRegistration #8877
- RelyingPartyRegistration should default the ACS Location #8876
- Update SimpleSaml2AuthenticatedPrincipal class name #8861
- Introduce AuthenticationConverterServerWebExchangeMatcher #8854
- Make class SimpleSaml2AuthenticatedPrincipal public #8852
- Support custom filter in Server Kotlin DSL #8850
- Saml2AuthenticationToken should take a RelyingPartyRegistration #8845
- Wording changes #8832
- -gh 8784 Document improvement for WebSecurityConfigure #8825
- Consider making BearerTokenServerWebExchangeMatcher public and more generic #8824
- Add custom HeaderWriter in Kotlin DSL #8823
- Add Static Factories to Saml2X509Credential #8822
- Allow disabling headers in Kotlin DSL #8816
- Remove need for WebSecurityConfigurerAdapter #8805
- Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
- Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795
- Add Static Factories to Saml2X509Credential #8789
- RelyingPartyRegistration Credentials Should Be Split by Party #8788
- Support custom filter in Server Kotlin DSL #8783
- Mongolian translation for messages.properties #8780
- Mongolian translation required for messages.properties #8778
- RelyingPartyRegistration should use metadata spec language #8777
- ACS Binding should be in RelyingPartyRegistration #8776
- Remove OpenSamlImplementation #8775
- OpenSamlAuthenticationRequestFactory should use OpenSAML directly #8774
- OpenSamlAuthenticationProvider should use OpenSAML directly #8773
- OpenSAML should get initialized as part of container lifecycle #8772
- SAML Assertion validation fails when OneTimeUse condition is sent from the IdP #8769
- Improve error message when invalid content-type for UserInfo response #8764
- Simplify retrieving Introspection-specific attributes #8740
- Reactive SwitchUserWebFilter for user impersonation #8687
- Change getMethod() to return configured value in SimpleSavedRequest #8675
- gh-8589 Additional Jwt validation debug messages #8665
- Adds cookie based RequestCache #8653
- Missing Reactive SwitchUserWebFilter for user impersonation #8599
- Use String to specify custom HTTP method in mock request #8592
- Add logging #8589
- Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
- SAML Authentication Provider assertions #8471
- Throw exception when specified ldif file does not exist #8434
- SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory #8141
- Add request cache that uses cookie #8034
- No log message or exception if expected ldif file does not exist #7791
🪲 Bug Fixes
- Move RSocket Integration Tests to integration tests #8944
- Fix snapshot build failure related to reactor-netty #8909
- Resolve Bearer token after subscribing to publisher #8894
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8865
- Update README.adoc #8851
- Saml2Error should be in a core package #8835
- Fix #8797: Add OAuth2AuthenticationException to allowlist #8827
- CookieRequestCache "REDIRECT_URI" removed by any request #8820
- use CookieRequestCache something went wrong #8817
- LoginPageGeneratingWebFilter should honor context path #8807
- Fix ProviderManager Javadoc typo #8800
- OAuth2AuthenticationException should be in allowlist #8797
- tutorial uses hasRole but should use hasAuthority #8796
- Saml2WebSsoAuthenticationFilter does not follow standard patterns for request matching. #8768
- Bearer Token Padding #8511
- Resolved bearer token has no padding indicators #8502
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.3.4.RELEASE
⭐ New Features
- Add logging #8888
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8855
- formLogin() does not work with REST Docs #8748
- Use Github Actions PR pipeline and remove Travis for 5.3.x #8724
🪲 Bug Fixes
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8896
- OAuth2AuthenticationException should be in allowlist #8863
- Resolved bearer token has no padding indicators #8837
- Fix ProviderManager Javadoc typo #8811
- LoginPageGeneratingWebFilter should honor context path #8808
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8803
- RoleHierarchy is not used by AbstractAuthorizeTag #8678
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8672
- ReactorContext not available in PayloadSocketAcceptor delegate.accept #8655
🔨 Dependency Upgrades
- Update to spring-build-conventions:0.0.34.RELEASE #8925
- Update to nohttp 0.0.5.RELEASE #8924
- Update to GAE 1.9.81 #8923
- Update to Spring Boot 2.2.9.RELEASE #8922
- Update to spring-build-conventions:0.0.33.RELEASE #8760
❤️ Contributors
We'd like to thank all the contributors who worked on this release!