All Versions: 35
Avg Release Cycle: 51 days
Latest Release: 25 days ago

Changelog History

  • v5.4.0-M1

    May 06, 2020

    🍱 ⭐ New Features

    • 🔒 Jenkins does not need to build on JDK 9 and 10 #8482
    • 🔒 Upgrade Freefair AspectJ plugin to v5.0.1 #8456
    • 🔒 AesBytesEncryptor constructor that uses secret key #8443
    • 🔒 Rename Preface to Introduction #8411
    • 🔒 TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
    • 🔒 Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
    • 👍 Allow creating AesBytesEncryptor with key #8402
    • ➕ Add Flag to enable searching of LDAP groups on subtrees #8400
    • 🔒 Documented dependencies for opaque Resource Server #8394
    • 👍 Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
    • 🔒 Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356 #8364
    • ➕ Add constructors receiving AuthenticationManager #8362
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
    • 🔒 Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
    • 🔒 Validate ID Token Issuer #8357
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356
    • ➕ Add authorize() DSL method that accepts HttpMethod #8350
    • 👍 Allow custom header during bearer token extraction #8341
    • 👍 Allow specify header in ServerBearerTokenAuthenticationConverter #8337
    • 🔒 Provide possibility to use custom cache to store JWK Set #8332
    • ➕ Adding Map support to DefaultMethodSecurityExpressionHandler #8331
    • 🔒 BCryptPasswordEncoder rawPassword cannot be null #8330
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
    • 🔒 Open ID Connect ID Token Issuer not validated #8321
    • ➕ Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
    • ➕ Added setPrincipalClaimName to JwtAuthenticationConverter #8318
    • 🔒 BCryptPasswordEncoder.encode() throws NPE #8317
    • 🔒 HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
    • 🔒 AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8233
    • 🔒 Clarify use case for ServerBearerExchangeFilterFunction #8220
    • 📚 Update Encryptors documentation for standard and stronger #8208
    • 🔒 Upgrade to Gradle Enterprise Plugin 3.2 #8205
    • ➕ Add Figures to Resource Server Docs #8184
    • ➕ Add Figures to Resource Server Docs #8182
    • 🔒 Document JwtGrantedAuthoritiesConverter #8176
    • 🛠 Fix userNameAttribute property case style #8171
    • 💅 userNameAttribute case style is different others #8169
    • 💅 Polish SAML 2.0 Login Sample #8163
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
    • 🔒 Assign sensible default for OAuth2AuthorizedClientProvider #8150
    • 🔒 OpenSamlImplementation should not use reflection #8147
    • 👍 Allow port=0 for LDAP Servers #8139
    • 🔒 LDAP server configuration should support port=0 #8138
    • 🔒 Use io.spring.gradle-enterprise-conventions #8115
    • 🔒 Replace VersionsResourceTasks with WriteProperties #8114
    • 👌 Improve Build Performance #8113
    • 🔒 Document OAuth 2.0 Login XML Support #8110
    • 🛠 Fix exception from empty basic auth header token #8109
    • 🛠 Fix typo 'properites' -> 'properties' in documentation #8096
    • 🔒 Document AuthenticationEventPublisher improvements #8081
    • 🔒 Document AuthNRequest POST binding support #8079
    • 🔒 Document AuthNRequest signature support #8078
    • 🔒 Document OAuth 2.0 Resource Server XML Support #8077
    • 🔒 Document Jackson serialization support for OAuth 2.0 Client #8075
    • 🔒 Document OAuth 2.0 Client XML Support #8074
    • 🔒 Document OAuth2Authorization success and failure handlers #8073
    • 🔒 Document OIDC Logout Success Handler Improvements #8072
    • 🔒 Document OAuth 2.0 Authorization Request improvements #8071
    • ➕ Add OAuth 2.0 Test Support Docs #8050
    • ➕ Add server request cache that uses cookie #8033
    • 🔒 Basic auth header without user results in exception #7976
    • ➕ Add RequestRejectedHandler #7052
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
    • 🔒 Idiomatic Kotlin DSL for configuring HTTP security #5558
    • 🔒 SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
    • 🔒 SessionRegistryImpl is not aware of SessionIdChange events. #5438
    • 🔒 SwitchUserFilter vulnerable to CSRF #4183

    🍱 🐞 Bug Fixes

    • 🛠 Fix Javadoc punctuation #8480
    • 🛠 Fixed typos in documentation #8454
    • 👌 Support update when saving with JdbcOAuth2AuthorizedClientService #8435
    • ⚡️ JdbcOAuth2AuthorizedClientService should support update when saving #8425
    • 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
    • 🔒 ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
    • 🛠 Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8414
    • ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
    • 🛠 Fix typo with correct capitalization #8406
    • 🔒 Global ServerSecurityContextRepository ignored by logout #8375
    • 🛠 Fix example in javadoc of FilterChainProxy #8344
    • 🛠 Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
    • 🛠 Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
    • 🛠 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8157
    • 🔒 RSocket test should throw AccessDeniedException #8154
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8130
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8119
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8118
    • 🔒 NPE thrown when token response contains a null value #8108
    • 🔒 HttpServletRequest.logout() not functioning #4760
    • 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to aspectj-plugin:4.1.6 #8305

    🍱 ⏪ Non-passive

    • 🔒 Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
    • 🔒 SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.3.2.RELEASE

    May 06, 2020

    🍱 ⭐ New Features

    • 🔒 SAML Authentication Provider assertions #8491
    • 🔒 BCryptPasswordEncoder.encode() throws NPE #8345

    🍱 🐞 Bug Fixes

    • 🛠 Fix Javadoc punctuation #8490
    • 🛠 Fixed typos in documentation #8460
    • ⚡️ JdbcOAuth2AuthorizedClientService should support update when saving #8448
    • ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8437
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8423
    • 🛠 Fix typo with correct capitalization #8408
    • 🔒 Global ServerSecurityContextRepository ignored by logout #8385
    • 🛠 Fix example in javadoc of FilterChainProxy #8351
    • 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8311

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to aspectj-plugin:4.1.6 #8306

  • v5.3.1.RELEASE

    March 31, 2020

    🍱 ⭐️ New Features

    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8237
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8234
    • 🔒 SwitchUserFilter vulnerable to CSRF #8222
    • 🔒 Clarify use case for ServerBearerExchangeFilterFunction #8221
    • 📚 Update Encryptors documentation for standard and stronger #8211
    • 🔒 Document JwtGrantedAuthoritiesConverter #8183
    • 💅 userNameAttribute case style is different others #8179
    • 🔒 Document AuthNRequest POST binding support #8165
    • 💅 Polish SAML 2.0 Login Sample #8164
    • 🔒 OpenSamlImplementation should not use reflection #8161
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8153
    • 🔒 Assign sensible default for OAuth2AuthorizedClientProvider #8151
    • 🔒 Document OAuth2Authorization success and failure handlers #8146
    • 🔒 Document Jackson serialization support for OAuth 2.0 Client #8145
    • 🔒 Document OAuth 2.0 Authorization Request improvements #8133
    • 🔒 Document OAuth 2.0 Login XML Support #8132
    • 🔒 Document OAuth 2.0 Client XML Support #8131
    • 🔒 Basic auth header without user results in exception #8122
    • 🔒 Document AuthenticationEventPublisher improvements #8103
    • 📚 Typo 'properites' -> 'properties' in documentation #8098
    • 🔒 Document OAuth 2.0 Resource Server XML Support #8094
    • 🔒 Provide spring-security-5*.xsd for https://www.springframework.org/schema/security/ #8091
    • 🔒 Document OIDC Logout Success Handler Improvements #8088
    • ➕ Add OAuth 2.0 Test Support Docs #8087
    • ⚡️ Update test to have comment about secure salt length #8084
    • 🔒 Document JwtClaimValidator #8076

    🍱 🐞 Bug Fixes

    • 🔒 HttpServletRequest.logout() not functioning #8238
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8209
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8201
    • 🛠 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8178
    • 🔒 RSocket test should throw AccessDeniedException #8160
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8158
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8134
    • 🔒 NPE thrown when token response contains a null value #8121
    • 🔒 Google's top result for "Spring Security Reference" returns a 404 #8086
    • 📚 5.3.0 Documentation What's New has some broken links #8069

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.3.0.RELEASE

    March 04, 2020

    🍱 ⭐️ New Features

    • ⚡️ Update What's New Section #8062
    • 🔒 Document JdbcOAuth2AuthorizedClientService #8061
    • ➕ Add oauth2login xml sample #8060
    • ⚡️ Update doc diagram palette to use sans-serif font #8057
    • ➕ Add SecurityFilterChain Figure #8055
    • 🔒 oauth2Client Test Support should allow configuration of principal name #8054
    • ➕ Add Kotlin Configuration section to docs #8051
    • ➕ Add anchors to SAML 2.0 documentation #8049
    • ⚡️ Update UserDetailsService Docs #8048
    • ➕ Add Figures to Basic Authentication Docs #8039
    • ➕ Add Link to DispatcherServlet in Filter Review Doc #8036
    • ➕ Add Figures to Form Log In Docs #8035
    • ➕ Add Figure for AuthenticationEntryPoint Docs #8030
    • ➕ Add ProviderManager to Docs #8029
    • 🔒 Custom ServerHttpHeadersWriter to HeaderSpec #8028
    • ➕ Add hasRole(String) to authorizeRequests in Kotlin DSL #8023
    • ➕ Add missing @FunctionalInterface in oauth2 modules #8020
    • 🔒 Provide configurable Clock in OidcIdTokenValidator #8019
    • ➕ Add OAuth2AuthorizeRequest.Builder.principal(String) #8018
    • 🔒 Extract AuthenticationManager Docs #8006
    • 🔒 Extract SecurityContextHolder, SecurityContext, Authentication, and GrantedAuthority Docs #8005
    • ➕ Add AbstractAuthenticationProcessingFilter Docs #8004
    • 🔒 Extract AuthenticationEntryPoint Docs #8003
    • 🔒 Extract ExceptionTranslationFilter Docs #8002
    • 🔒 Extract FilterSecurityInterceptor Docs #8001
    • 🔒 Use Color Palette that is Accessible for Color Blind #8000
    • 🔒 Create a palette.odg #7999
    • ➕ Add Numbers Icons #7998
    • 🔒 Instantiate exceptions lazily #7996
    • 🔒 JwtIssuerReactiveAuthenticationManagerResolver eagerly creates Exceptions #7995
    • 🔒 OAuth2AuthorizationRequest.Builder should configure additional parameters with a consumer #7993
    • ➕ Add OAuth2Authorization success/failure handlers #7986
    • ♻️ Refactor Duplicate Security Filter Chain Doc #7979
    • 🛠 Fix Asciidoctor Warnings #7973
    • 🔒 Use Kotlin DSL Marker Annotations to prevent scope leaking #7971
    • ➕ Add JwtClaimValidator #7962
    • 👌 Support custom filter in Kotlin DSL #7951
    • 🔒 Option for default event in DefaultAuthenticationEventPublisher #7937
    • 🔒 DefaultAuthenticationEventPublisher is now configurable via a Map #7925
    • ➕ Add oauth2Client WebTestClient Test Support #7910
    • 🔒 Nimbus OpaqueTokenIntrospectors should differentiate token and service errors #7902
    • 🔒 OAuth 2.0 Client supports application clustering #7889
    • ➕ Add JwtIssuerReactiveAuthenticationManagerResolver #7887
    • 🔒 Consider adding JwtClaimValidator #7860
    • ➕ Add ReactiveJwtIssuerAuthenticationManagerResolver and Reactive Multi Tenant Examples #7857
    • ➕ Add JDBC implementation of OAuth2AuthorizedClientService #7855
    • 🔒 Set default redirect in OidcClientInitiatedServerLogoutSuccessHandler #7842
    • 🔒 Introduce OAuth2Authorization success/failure handlers #7840
    • ➕ Add Opaque Token Reactive Test Support #7827
    • 🔒 DefaultAuthenticationEventPublisher should allow configuring a default event #7825
    • 🔒 DefaultAuthenticationEventPublisher should be configurable via Map #7824
    • 🔒 Oauth2login xmlconfig implementation #7821
    • 🔒 OAuth 2.0 Resource Server XML Support #7775
    • 🔒 SAML AuthNRequest Signatures - Step 2 #7759
    • 🔒 SAML AuthNRequest Signatures - Step 1 #7758
    • 🔒 Simplify customizing OAuth2AuthorizationRequest #7748
    • 🔒 SAML2 HTTP-Redirect: Missing Signature and SigAlg parameters in SAMLRequest Url (AuthNRequest) #7711
    • 🔒 Consider adding switch to enable or disable OIDC nonce #7696
    • 🔒 Getting OAuth2AuthenticationException when Bearer token is empty #7668
    • 🔒 Provide JDBC implementation of OAuth2AuthorizedClientService #7655
    • ➕ Add custom ServerHttpHeadersWriter to HeadersSpec #7636
    • 🔒 RefreshTokenOAuth2AuthorizedClientProvider does not handle expired refresh token #7583
    • 🛠 Fix typo 'is' -> 'if' in javadoc #7559
    • 🔒 Saml2LoginConfigurer should expose AuthenticationManager setter #7374
    • 🔒 Provide XML namespace support for OAuth 2.0 Resource Server #5185
    • 🔒 Provide XML namespace support for OAuth 2.0 Client #5184
    • 🔒 Migrate Groovy to Java #4939
    • 🔒 Provide XML namespace support for OAuth2Login #4557

    🍱 🐞 Bug Fixes

    • 🔒 Typo fix #8059
    • 🛠 Fix typo in AntPathRequestMatcher constructor comment #8042
    • 📄 Docs Should Style Links that are Code as Link #8038
    • 🔒 An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8031
    • 📚 Tab switching does not work in documentation code samples #8025
    • 🔒 Build failure with NoClassDefFoundError on javax/mail/internet #7994
    • ✂ Remove Duplicate Runtime Environment From Docs #7980
    • 🔒 OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7966
    • 🔒 OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7963
    • 🛠 fix #7952 Don't force downcasting of RequestAttributes to ServletRequestAttributes #7953
    • 🔒 ClassCastException for ServletRequestAttributes #7952
    • 🔒 Prevent double-escaping of authorize URL parameters #7881
    • 🔒 Resource Server clientCredentials take precedence over introspector in Kotlin DSL #7878
    • 🔒 Resource Server jwkSetUri takes precedence over jwtDecoder in Kotlin DSL #7877
    • 🔒 Error in WebSecurityConfigurer Javadoc #7876
    • 🔒 Query parameters in authorization-url are double-encoded #7871
    • 🔒 OAuth2 access token response parsing fails with nested JSON object #6463

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Gradle 6.2.2 #8065
    • ⚡️ Update Kotlin to 1.3.70 #8064
    • ⚡️ Update Spring Boot to 2.2.5 #8063
    • 🚀 Update to spring-build-conventions:0.0.31.RELEASE #8058
    • ⚡️ Update dependencies #8056
    • 🚀 Update to spring-build-conventions:0.0.29.RELEASE #7974

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.3.0.RC1

    February 05, 2020

    🍱 ⭐️ New Features

    • ➕ Add RSocket Authentication Extension Support #7935
    • 🔒 SecurityEvaluationContextExtension.getRootObject() Specific Type #7891
    • ➕ Add oauth2Client MockMvc Test Support #7886
    • 🔒 Nimbus JwtDecoders should differentiate token and service errors #7885
    • ✂ Remove redundant branches from SessionManagementConfigurer #7879
    • 🔒 AuthenticationWebFilter's ReactiveAuthenticationManagerResolver should take a ServerWebExchange #7872
    • 🔒 SAML2: Wrong IdP response URL throws NPE (for non-existing "RelyingParty") #7865
    • 🔒 Typo in doc #7830
    • ➕ Add oauth2Login Reactive Test support #7828
    • 👌 Improve Bearer Token Error Handling #7826
    • ➕ Add BearerTokenErrors #7823
    • ➕ Add InvalidBearerTokenException #7822
    • 🔒 Make OAuth2AccessToken converters public #7815
    • 🔒 AuthenticationEventPublisher Lookup #7802
    • 📚 Modernize Documentation Styling #7801
    • 🔒 Invalid OAuth2 login attempts don't emit a corresponding ApplicationEvent #7793
    • 🔒 Set secure on cookie when logging out #7764
    • 🔒 Introduce Reactive OAuth2Authorization success/failure handlers #7756
    • 🔒 ProviderManager should have a varargs constructor #7713
    • 🔒 Introduce Reactive OAuth2Authorization success/failure handlers #7699
    • 🔒 Migrate LDAP integration tests groovy->java #7691
    • 🔒 WebSecurityConfigurerAdapter: Unable to use custom AuthenticationEventPublisher #7515
    • ➕ Add Jackson support to OAuth2 session related classes #4886

    🍱 🐞 Bug Fixes

    • 🔒 Build failing with NoSuchMethodError #7888
    • 🔒 cassample integration tests are failing #7874
    • 🔒 Form login requiresAuthenticationMatcher is not used in WebFlux #7863
    • 🔒 BasicAuthenticationFilter ignores credentials charset #7835
    • 🔒 Default LDIF file not picked up in LDAP "unboundid" mode #7833
    • 📚 Incorrect LDIF file example in LDAP documentation #7832
    • 🔒 OpaqueTokenRequestPostProcessor should respect configuration order #7800
    • 🔒 Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7782

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Gradle 6.1.1 #7936
    • ⚡️ Update to GAE 1.9.78 #7893
    • 🚀 Update to Spring Boot 2.2.4.RELEASE #7892
    • ⚡️ Update Gradle 6.1 #7838

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.3.0.M1

    January 08, 2020

    🍱 ⭐️ New Features

    • 👍 Allow disabling dependency locking #7799
    • 🔒 Build task "snapshots" should not use locked dependencies #7798
    • ➕ Add oauth2Login MockMvc Test Support #7789
    • 🔒 Manage Versions using Version Locking #7788
    • 🔒 Use Gradle Platform / Constraints #7787
    • 🔒 Idiomatic Kotlin DSL for configuring HTTP security in servlet based applications #7785
    • 🛠 Fix description of PasswordEncoder #7784
    • 🛠 Fix unchecked assignment and possible NPE #7773
    • 🔒 Resolve JavaType only once for whitelisted class #7755
    • 🔒 Set secure when cancelling remember-me cookie #7726
    • ➕ Add JwtIssuerAuthenticationManagerResolver #7724
    • ➕ Add opaque token test support #7712
    • ✂ Remove redundant validation for redirect-uri #7706
    • 🔒 Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7702
    • 🔒 Enable AuthenticationManager configuration in saml2Login #7693
    • 📚 Incomplete Documentation for Setting Up MockMvc and Spring Security #7688
    • ➕ Add Oidc Login Reactive Test Support #7680
    • ✂ Remove consecutive-word duplications in Javadocs #7673
    • 🛠 Fix InitializeAuthenticationProviderBeanManagerConfigurer Javadoc #7666
    • 🛠 Fix minor typo in HttpSecurity documentation #7663
    • 🔒 Check BCrypt hashed value of a byte array #7661
    • 👍 Allow configuring authenticationManagerResolver for SAML2 #7654
    • ➕ Add oidcLogin MockMvc Test Support #7618
    • ➕ Add OidcUserInfo.Builder #7593
    • ➕ Add OidcIdToken.Builder #7592
    • 🔒 Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7569
    • 🔒 Specify return type in InitializeUserDetailsBeanManagerConfigurer method Javadoc #7557
    • 🔒 In Test @AuthenticationPrincipal is null because ServerWebExchange is not wrapped #6598
    • 🔒 Make MethodSecurityEvaluationContext Delegates to MethodBasedEvaluationContext #6249
    • 🔒 Override the key to avoid CookieTheftException #5509
    • ➕ Add resource server support for multiple trusted JWT access token issuers #5385
    • 🔒 RememberMeConfigurer does not use the key from RememberMeServices #4140
    • 🔒 Option in BasicAuthenticationFilter to log more exception info #3308

    🍱 🐞 Bug Fixes

    • 🔒 OidcLoginRequestPostProcessor should respect configuration order #7794
    • 🛠 Fix var typo and code readability in resource server documentation #7772
    • 📄 Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7737
    • 🔒 Use the custom ServerRequestCache for Oauth2LoginSpec #7734
    • 🔒 CompositeServerHttpHeadersWriter Should Execute Sequentially #7731
    • 🔒 DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7728
    • 🔒 DelegatingServerLogoutHandler Should Execute Sequentially #7723
    • 🔒 RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7721
    • 🔒 Disabling logout in WebFlux does nothing #7682
    • 🔒 Saml2Authentication isn't serializable #7681
    • 🔒 Correctly configure authorization requests repository for OAuth2 login #7675
    • 🔒 Error in javadoc for oauth2ResourceServer #7670
    • 🔒 DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7544
    • 🔒 WebFlux oauth2Login returns 500 when bad client credentials #5562

    ⬆️ 🔨 Dependency Upgrades

    • 🚀 Update to Spring Boot 2.2.2.RELEASE #7797
    • 🔒 Upgrade com.nimbusds:nimbus-jose-jwt dependency #7720

    🍱 ⏪ Non-passive

    • 🔒 UsernamePasswordAuthenticationTokenDeserializer doesn't deserialize details to correct type #7482

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.2.4.RELEASE

    May 06, 2020

    🍱 ⭐ New Features

    • 🔒 SAML Authentication Provider assertions #8495
    • 🔒 BCryptPasswordEncoder.encode() throws NPE #8346

    🍱 🐞 Bug Fixes

    • 🛠 Fix Javadoc punctuation #8494
    • ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8438
    • 🔒 SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8430
    • 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8426
    • 🛠 Fix typo with correct capitalization #8409
    • 🔒 Global ServerSecurityContextRepository ignored by logout #8386
    • 🛠 Fix example in javadoc of FilterChainProxy #8352
    • 🛠 Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8338
    • 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8312

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Byte Buddy 1.9.16 #8481
    • 🔒 Upgrade to embedded Apache Tomcat 9.0.34 #8469
    • ⚡️ Update RSocket to 1.0.0-RC7 #8468
    • ⚡️ Update to GAE 1.9.80 #8467
    • ⚡️ Update to Jackson 2.10.4 #8466
    • ⚡️ Update to org.powermock 2.0.7 #8465
    • ⚡️ Update to Reactor Dysprosium-SR7 #8464
    • 🚀 Update to Spring Framework 5.2.6.RELEASE #8463
    • ⚡️ Update to Spring Data Moore-SR7 #8462

  • v5.2.3.RELEASE

    April 01, 2020

    🍱 ⭐️ New Features

    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8240
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
    • 🔒 SwitchUserFilter vulnerable to CSRF #8223
    • 📚 Update Encryptors documentation for standard and stronger #8212
    • 🔒 Getting OAuth2AuthenticationException when Bearer token is empty #8207
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
    • 🔒 Basic auth header without user results in exception #8123
    • 📚 Typo 'properites' -> 'properties' in documentation #8099

    🍱 🐞 Bug Fixes

    • ⚡️ Update tests to use absolute paths #8260
    • 🔒 HttpServletRequest.logout() not functioning #8241
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8202
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8180
    • 🔒 RSocket test should throw AccessDeniedException #8155
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8137
    • 🔒 Empty RelayState causes errors with ADFS #8070
    • 🛠 Fix typo in AntPathRequestMatcher constructor comment #8045
    • 🔒 An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
    • 🔒 OAuth2 access token response parsing fails with nested JSON object #8021
    • 🛠 Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #7969
    • 🔒 OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
    • 🔒 OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
    • 🔒 Query parameters in authorization-url are double-encoded #7960
    • 🔒 Don't force downcasting of RequestAttributes to ServletRequestAttributes #7959
    • 🔒 ClassCastException for ServletRequestAttributes #7958

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update RSocket to 1.0.0-RC6 #8280
    • ⚡️ Update to reactive-streams 1.0.3 #8279
    • ⚡️ Update to OpenSAML 3.4.5 #8278
    • ⚡️ Update to hibernate-entitymanager 5.4.13.Final #8277
    • ⚡️ Update to hibernate-core 5.2.18.Final #8276
    • 🚀 Update blockhound to 1.0.3.RELEASE #8275
    • ⚡️ Update to unboundid-ldapsdk 4.0.14 #8274
    • ⚡️ Update to okhttp 3.14.7 #8259
    • ⚡️ Update to Jackson 2.10.3 #8258
    • ⚡️ Update to mockwebserver 3.14.7 #8257
    • ⚡️ Update to org.powermock 2.0.6 #8255
    • 🔒 Upgrade to embedded Apache Tomcat 9.0.33 #8254
    • ⚡️ Update to httpclient 4.5.12 #8253
    • 🚀 Update to Spring Boot 2.2.6.RELEASE #8252
    • ⚡️ Update to GAE 1.9.79 #8251
    • ⚡️ Update to Reactor Dysprosium-SR6 #8250
    • ⚡️ Update to Spring Framework 5.2.5 #8249
    • ⚡️ Update to Spring Data Moore-SR6 #8248
    • ⚡️ Update to Jetty 9.4.22.v20191022 #7507

  • v5.2.2.RELEASE

    February 05, 2020

    🍱 ⭐️ New Features

    • 🔒 Don't cache requests with Accept: text/event-stream by default. #7744
    • 🔒 Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7717
    • ✂ Remove redundant validation for redirect-uri #7707
    • 💅 Polish oauth2-client Error-handling Tests #7647
    • ✂ Remove unnecessary code in SecurityExpressionRoot #7635
    • 📚 Extract HTTPS Documentation #7626
    • ✂ Remove unnecessary code in SecurityExpressionRoot #7601
    • 🔒 Make jwks_uri optional for RFC 8414 and required for OpenID Connect #7573

    🍱 🐞 Bug Fixes

    • 🔒 Form login requiresAuthenticationMatcher is not used in WebFlux #7867
    • 🔒 Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7866
    • 🔒 BasicAuthenticationFilter ignores credentials charset #7859
    • 🔒 Default LDIF file not picked up in LDAP "unboundid" mode #7852
    • 📚 Incorrect LDIF file example in LDAP documentation #7849
    • 🔒 Use the custom ServerRequestCache that the user configures #7753
    • 🔒 RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7751
    • 🔒 Disabling logout in WebFlux does nothing #7742
    • 🔒 Saml2Authentication isn't serializable #7739
    • 📄 Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7738
    • 🔒 CompositeServerHttpHeadersWriter Should Execute Sequentially #7732
    • 🔒 DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7729
    • 🔒 DelegatingServerLogoutHandler Should Execute Sequentially #7725
    • 🔒 WebFlux oauth2Login returns 500 when bad client credentials #7703
    • 🔒 Correctly configure authorization requests repository for OAuth2 login #7690
    • 🔒 Correctly configure authorization requests repository for OAuth2 login #7689
    • 🔒 DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7684
    • ⚡️ Update @MessageMapping to match input/output cardinality #7669
    • ➕ Add http and https spring.schema mappings #7623
    • 🔒 Avoid toString in favor of getName in order to extract sid #6354

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Spring Boot 2.2.4 #7909
    • ⚡️ Update to org.slf4j 1.7.30 #7908
    • ⚡️ Update to org.powermock 2.0.5 #7907
    • ⚡️ Update to hibernate-validator 6.1.2.Final #7906
    • ⚡️ Update to hibernate-entitymanager 5.4.10.Final #7905
    • ⚡️ Update to org.aspectj 1.9.5 #7904
    • ⚡️ Update to httpclient 4.5.11 #7903
    • ⚡️ Update to commons-codec 1.14 #7899
    • ⚡️ Update to com.squareup.okhttp3 3.14.6 #7898
    • ⚡️ Update to Jackson 2.10.2 #7897
    • ⚡️ Update to Reactor Dysprosium SR4 #7896
    • ⚡️ Update to Spring Data Moore SR3 #7895
    • ⚡️ Update to Spring Framework 5.2.3 #7894
    • ⚡️ Update nimbus-jose-jwt because of CVE-2019-17195 #7570

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.2.1.RELEASE

    November 04, 2019

    🍱 ⭐️ New Features

    • 🛠 Fix variable reference in sample code #7571
    • 🔒 spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #7565
    • ➕ Add Resource Server Multi-tenancy Documentation #7532
    • ⚡️ Update SAML sample to use boot auto config #7521
    • ➕ Add Reactive CSRF Documentation #6487

    🍱 🐞 Bug Fixes

    • 🔒 Restore Removed Throws Clauses #7580
    • 🔒 CsrfWebFilter should handle multipart/form-data #7576
    • 🔒 Make saveAuthorizedClient save the authorized client #7551
    • 🔒 DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #7546
    • 🔒 throws Exception was removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #7541
    • 🔒 SAML2 Provider SubjectConfirmation validation failure #7514
    • 🔒 SAML2 Provider AuthNRequest Hardcoded Protocol Binding #7513
    • 🔒 Clock skew to check access token expiration has wrong sign #7511

    ⬆️ 🔨 Dependency Upgrades

    • 🚀 Upgrade to Spring Boot 2.2.0.RELEASE #7566

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!