All Versions
57
Latest Version
Avg Release Cycle
47 days
Latest Release
188 days ago

Changelog History
Page 1

  • v5.5.0-M1 Changes

    November 04, 2020

    ๐Ÿฑ โญ New Features

    • Add unsupported_token_type in OAuth2ErrorCodes #9184
    • Add token and token_type_hint to OAuth2ParameterNames #9183
    • ๐Ÿ”’ Introduce JwaAlgorithm #9182
    • ๐Ÿ”’ WithSecurityContextTestExecutionListener Should Support Nested Classes #9179
    • โž• Add WebFlux Documentation for Multiple Filter Chains #9178
    • ๐Ÿ“‡ SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements #9177
    • ๐Ÿ”’ Enable customization of BearerTokenResolver by adding a setter for JwtClaimIssuerConverter on JwtIssuerAuthenticationManagerResolver #9168
    • ๐Ÿ”’ Reactive doc points to unit tests #9157
    • ๐Ÿ”’ Invoke Kotlin MockMvc result matchers with parentheses #9155
    • ๐Ÿ”’ Change guard expressions order #9153
    • ๐Ÿ”’ It is not necessary to fetch all user sessions if unlimited sessions are set in the ConcurrentSessionControlAuthenticationStrategy. #9152
    • โž• Add refresh token expiration support #9146
    • ๐Ÿ”’ JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs #9137
    • ๐Ÿ”’ OpenSamlAuthenticationProvider should decrypt attributes #9131
    • โšก๏ธ Update snapshot build dependencies #9124
    • ๐Ÿ”’ spring-security-test should include jackson-datatype-jsr310 as a test dependency #9123
    • โšก๏ธ Update to Gradle 6.6.1 #9122
    • ๐Ÿ”’ Use LobHandler in JdbcOAuth2AuthorizedClientService #9070
    • ๐Ÿ“‡ Changed metadata converter to accept files as well #9056
    • โž• Add HSM Support for Decrypting Assertions #9055
    • ๐Ÿ“‡ File-based Configuration for Asserting Party Metadata #9028
    • ๐Ÿ”’ Prevent PR builds from running on forks #8993
    • ๐Ÿ”’ Provide a R2dbc implementation of ReactiveOuath2AuthorizedClientService #8765
    • โž• Add support for dynamic JWS signature algorithm with JWKs (2) - Issue 7160 #8752
    • ๐Ÿ‘Œ Support customization of BearerTokenResolver in JwtIssuerAuthenticationManagerResolver #8535
    • ๐Ÿ”’ Provide reactive JDBC implementation of ReactiveOAuth2AuthorizedClientService #7890
    • ๐Ÿ”’ JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint #7160
    • ๐Ÿ”’ OAuth2Token interface for AbstractOAuth2Token #5502

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ [docs]Add white space before strong notation. #9145
    • ๐Ÿ› Bug with JwtValidators.createDefaultWithIssuer(String)? #9136
    • ๐Ÿ”’ Tests should not combine Authentication and @AuthenticationPrincipal #9121
    • ๐Ÿ”’ Closes gh-8196 appendix indentation #9118
    • ๐Ÿ›  Fixes in documentation #9099

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • ๐Ÿ”’ Set rsocketVersion to 1.1.0 #9167
    • ๐Ÿ”’ Set reactorVersion to 2020.0.+ #9166
    • ๐Ÿ”’ Set springVersion to 5.3.+ #9165

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.4.2 Changes

    December 03, 2020

    ๐Ÿฑ โญ New Features

    • โšก๏ธ Update snapshot build dependencies #9254
    • โšก๏ธ Update to Gradle 6.6.1 #9232

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ Tests should not combine Authentication and @AuthenticationPrincipal #9255
    • โœ‚ Remove empty Appendix Section from docs #9253
    • ๐Ÿ”’ CookieRequestCache handles URL encoded query parameters incorrectly #9252
    • ๐Ÿ‘Œ Improve Metadata URL Documentation #9251

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to Google App Engine 1.9.83 #9250
    • โšก๏ธ Update to Kotlin 1.4.20 #9249
    • โšก๏ธ Update to Spring Boot 2.4.0 #9248
    • ๐Ÿ”’ 5.4.x Snapshot Build Should Point to Other Maintenance Branches #9162
  • v5.4.1 Changes

    October 07, 2020

    ๐Ÿฑ โญ New Features

    • ๐Ÿ”’ Replace expired msdn link with latest web archive copy #9050
    • โž• Add documentation for StrictHttpFirewall enhancements #9038
    • ๐Ÿ”’ Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
    • ๐Ÿ”’ Use AssertJ for exception testing #9013

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • โž• Add try-with-resources to close stream #9053
    • ๐Ÿ“‡ RelyingPartyRegistrations Fails to Read Keycloak Metadata #9051
    • ๐Ÿ›  fix miswritten comment of FormLoginDsl.kt #9042
    • ๐Ÿ”’ Adapt to WebClient's new exception wrapping #9031
    • ๐Ÿ”’ StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #9026
    • ๐Ÿ›  Fix broken Mono chain #9022
    • ๐Ÿ”’ Use Schedulers.boundedElastic for UUID.randomUUID #9021
    • ๐Ÿ”’ CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018
    • ๐Ÿ”’ WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() #9017
    • ๐Ÿ”’ NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #9011
    • ๐Ÿ”’ Quick javadoc fix for DelegatingPasswordEncoder #8890

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.4.0 Changes

    September 09, 2020

    ๐Ÿฑ โญ New Features

    • โž• Add What's New in 5.4 #9002
    • โž• Add What's New in 5.4 Section to Docs #9001
    • โž• Add Resource Server Servlet Logging #9000
    • ๐Ÿ”’ Simplify saml2Login Samples #8990
    • โœ‚ Remove Framework Tests from saml2Login Sample #8989
    • โž• Add authenticationManagerResolver to resource server Kotlin DSL #8981
    • ๐Ÿ”’ Generalize SAML 2.0 Assertion Validation Support #8970
    • โšก๏ธ Update abstract-authentication-processing-filter.adoc #8965
    • โž• Add spring-javaformat checkstyle and formatting #8946
    • โž• Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #8926
    • โž• Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #8892
    • ๐Ÿ”’ Resolve oauth2 client-id, client-secret placeholders #8880
    • ๐Ÿ“š Restructure SAML 2.0 documentation #8763
    • ๐Ÿ”’ security:client-registrations doesn't take propertyconfigurer properties #8453

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #8986
    • ๐Ÿ“‡ NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #8948
    • ๐Ÿ”’ SAML attributes not parsed correctly with prefixed XML elements #8864
    • ๐Ÿ”’ Don't use oidc scopes_supported for scope as default in ClientRegistrations #8790
    • ๐Ÿ“‡ scopes_supported metadata should not be used as default in ClientRegistrations #8514

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • ๐Ÿ”’ Set springDataVersion to Neumann-SR+ #9007
    • ๐Ÿ”’ Set rsocketVersion to 1.0.+ #9006

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.4.0-RC1 Changes

    August 05, 2020

    ๐Ÿฑ โญ New Features

    • ๐Ÿ”’ Deprecate CustomUserTypesOAuth2UserService #8908
    • ๐Ÿ”’ Deprecate ClientRegistration.redirectUriTemplate #8906
    • ๐Ÿ‘ Allow for custom ClientRegistration.clientAuthenticationMethod #8903
    • ๐Ÿ”’ Deprecate ImplicitGrantConfigurer #8902
    • โœ‚ Remove use of Mono.deferWithContext() #8901
    • ๐Ÿ”’ Consider adding RelyingPartyRegistrationResolver #8887
    • โž• Add HttpMessageConverter that constructs a RelyingPartyRegistration #8877
    • ๐Ÿ”’ RelyingPartyRegistration should default the ACS Location #8876
    • โšก๏ธ Update SimpleSaml2AuthenticatedPrincipal class name #8861
    • ๐Ÿ”’ Introduce AuthenticationConverterServerWebExchangeMatcher #8854
    • ๐Ÿ”’ Make class SimpleSaml2AuthenticatedPrincipal public #8852
    • ๐Ÿ‘Œ Support custom filter in Server Kotlin DSL #8850
    • ๐Ÿ”’ Saml2AuthenticationToken should take a RelyingPartyRegistration #8845
    • ๐Ÿ”’ Wording changes #8832
    • ๐Ÿ”’ -gh 8784 Document improvement for WebSecurityConfigure #8825
    • ๐Ÿ”’ Consider making BearerTokenServerWebExchangeMatcher public and more generic #8824
    • โž• Add custom HeaderWriter in Kotlin DSL #8823
    • โž• Add Static Factories to Saml2X509Credential #8822
    • ๐Ÿ‘ Allow disabling headers in Kotlin DSL #8816
    • โœ‚ Remove need for WebSecurityConfigurerAdapter #8805
    • ๐Ÿ”’ Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
    • ๐Ÿ›  Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795
    • โž• Add Static Factories to Saml2X509Credential #8789
    • ๐Ÿ”’ RelyingPartyRegistration Credentials Should Be Split by Party #8788
    • ๐Ÿ‘Œ Support custom filter in Server Kotlin DSL #8783
    • ๐Ÿ”’ mongolian translation for messages.properties #8780
    • ๐Ÿ”’ Mongolian translation required for messages.propeperties #8778
    • ๐Ÿ“‡ RelyingPartyRegistration should use metadata spec language #8777
    • ๐Ÿ”’ ACS Binding should be in RelyingPartyRegistration #8776
    • โœ‚ Remove OpenSamlImplementation #8775
    • ๐Ÿ”’ OpenSamlAuthenticationRequestFactory should use OpenSAML directly #8774
    • ๐Ÿ”’ OpenSamlAuthenticationProvider should use OpenSAML directly #8773
    • ๐Ÿ”’ OpenSAML should get initialized as part of container lifecycle #8772
    • ๐Ÿ”’ SAML Assertion validation fails when OneTimeUse condition is sent from the IdP #8769
    • ๐Ÿ‘Œ Improve error message when invalid content-type for UserInfo response #8764
    • ๐Ÿ”’ Simplify retrieving Introspection-specific attributes #8740
    • ๐Ÿ”’ Reactive SwitchUserWebFilter for user impersonation #8687
    • ๐Ÿ”’ Change getMethod() to return configured value in SimpleSavedRequest #8675
    • ๐Ÿ”’ gh-8589 Additional Jwt validation debug messages #8665
    • โž• Adds cookie based RequestCache #8653
    • ๐Ÿ”’ Missing Reactive SwitchUserWebFilter for user impersonation #8599
    • ๐Ÿ”’ Use String to specify custom HTTP method in mock request #8592
    • โž• Add logging #8589
    • ๐Ÿ‘Œ Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
    • ๐Ÿ”’ SAML Authentication Provider assertions #8471
    • ๐Ÿ”’ Throw exception when specified ldif file does not exist #8434
    • ๐Ÿ”’ SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory #8141
    • โž• Add request cache that uses cookie #8034
    • ๐Ÿ”’ No log message or exception if expected ldif file does not exist #7791

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ Move RSocket Integration Tests to integration tests #8944
    • ๐Ÿ›  Fix snapshot build failure related to reactor-netty #8909
    • ๐Ÿ”’ Resolve Bearer token after subscribing to publisher #8894
    • ๐Ÿ”’ ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8865
    • โšก๏ธ Update README.adoc #8851
    • ๐Ÿ”’ Saml2Error should be in a core package #8835
    • ๐Ÿ›  Fix #8797: Add OAuth2AuthenticationException to allowlist #8827
    • ๐Ÿ”’ CookieRequestCache "REDIRECT_URI" removed by any request #8820
    • ๐Ÿ”’ use CookieRequestCache something went wrong #8817
    • ๐Ÿ”’ LoginPageGeneratingWebFilter should honor context path #8807
    • ๐Ÿ›  Fix ProviderManager Javadoc typo #8800
    • ๐Ÿ”’ OAuth2AuthenticationException should be in allowlist #8797
    • ๐Ÿ”’ tutorial uses hasRole but should use hasAuthority #8796
    • ๐Ÿ”’ Saml2WebSsoAuthenticationFilter does not follow standard patterns for request matching. #8768
    • ๐Ÿ”’ Bearer Token Padding #8511
    • ๐Ÿ”’ Resolved bearer token has no padding indicators #8502

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.4.0-M2 Changes

    July 01, 2020

    ๐Ÿฑ โญ New Features

    • โž• Add reified function variants to security DSL #8771
    • ๐Ÿ”’ OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse #8766
    • ๐Ÿ”’ LDAP Integration Tests Should Use Random Port #8762
    • ๐Ÿ”’ Use memory-saving Collections.singletonList in JdbcAclService.readAclById() #8756
    • ๐Ÿ”’ Merge Spring security with dependencies #8755
    • โž• Add Configurable secure flag in CookieCsrfTokenRepository #8749
    • ๐Ÿ›  Fix typo in OAuth2AccessTokenResponse #8746
    • ๐Ÿ‘ Allow customizing JWTProcessor passed to NimbusJwtDecoder #8745
    • ๐Ÿ”’ Use Spring Snapshots in Snapshot Build Again #8712
    • โšก๏ธ Update pipeline to run for PRs to all branches #8711
    • โœ‚ Remove Travis pipeline and README badge #8710
    • ๐Ÿ”’ Reject the NULL character in paths in StrictHttpFirewall #8703
    • ๐Ÿ”’ OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702
    • ๐Ÿ”’ OAuth2AuthorizedClientArgumentResolver could use OAuth2AuthorizedClientManager registered in context #8700
    • ๐Ÿ”’ Kotlin Configuration DSL: Use reified types wherever a class is used as a parameter #8697
    • ๐Ÿ”’ ProviderManager Should Use CollectionUtils#contains #8695
    • ๐Ÿ”’ ProviderManager#checkState() throws NullPointerException #8689
    • ๐Ÿ”’ Set up Github Actions pipeline for PRs #8680
    • ๐Ÿ”’ Deprecate X-Frame-Options ALLOW-FROM #8677
    • ๐Ÿ”’ Replace whitelist/blacklist with allowlist/blocklist #8676
    • ๐Ÿ”’ Register OAuth2AuthorizedClientArgumentResolver for XML Config #8669
    • ๐Ÿ”’ Getting response attributes from Saml2AuthenticatedPrincipal #8667
    • ๐Ÿ”’ Ability to easily read attribute values from SAML response #8661
    • ๐Ÿ”’ DefaultOAuth2AuthorizationRequestResolver Should Not Consume Request Body #8651
    • ๐Ÿ”’ StrictHttpFirewall: Validate headers and parameters #8644
    • ๐Ÿ”’ JwtDecoder should use Nimbus multiple-algorithm support #8623
    • โœ‚ Remove ClientRegistrationRepository Mock Beans from Samples #8606
    • ๐Ÿ”’ oauth2Client Test Support should not require an HttpSessionOAuth2AuthorizedClientRepository #8603
    • โž• Add tokenFromMultipartDataEnabled to server CSRF Kotlin DSL #8602
    • โž• Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter #8587
    • ๐Ÿ”’ FilterInvocation Support Default Methods on HttpServletRequest #8566
    • โšก๏ธ Update to JQuery 3.5.1 #8557
    • ๐Ÿ”’ Saml2WebSsoAuthenticationRequesFilter should be post-processed #8552
    • ๐Ÿ”’ Move TestRelyingPartyRegistrations #8551
    • ๐Ÿ”’ Configuration defaults to SessionRegistry bean #8548
    • ๐Ÿ“š Update BCryptPasswordEncoder documentation with default strength #8542
    • ๐Ÿ”’ authorization_code grant should use same ServerRequestCache #8536
    • Avoid using "/path/**/other" patterns in WebFlux PathPatternParser #8513
    • โž• Add debug logging to Reactive Web #8504
    • โž• Add issuerUri to ClientRegistration.providerDetails #8501
    • ๐Ÿ”’ Use Opaquetoken properties to configure timeouts #8488
    • โšก๏ธ Update Traditional Chinese translation. #8483
    • ๐Ÿ‘ Allow port=0 for ApacheDSContainer #8416
    • ๐Ÿ”’ Throw exception if URL does not include context path when context relative #8399
    • โž• Added setter to make RequestCache injectable #8392
    • ๐Ÿ”’ Consider adding ClientRegistration.providerDetails.issuerUri #8326
    • ๐Ÿ”’ Merge Project Modules and Dependencies Section of the docs #8199
    • โž• Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter #8120
    • ๐Ÿ”’ formLogin() does not work with REST Docs #7572

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ SwitchUserFilter.setExitUserMatcher Javadoc is incorrect #8744
    • ๐Ÿ”’ SwitchUserFilter.setUserDetailsChecker is missing Javadoc #8743
    • ๐Ÿ›  Fix SecurityContext creation for TEST_EXECUTION #8738
    • ๐Ÿ”’ ReactorContext not available in PayloadSocketAcceptor delegate.accept #8654
    • ๐Ÿ”’ DefaultWebSecurityExpressionHandler uses RoleHierarchy bean #8652
    • ๐Ÿ”’ DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650
    • ๐Ÿ›  Fix broken link in spring security reference document #8618
    • ๐Ÿ”’ Delay AuthenticationPrincipalArgumentResolver Lookup #8613
    • ๐Ÿ”’ OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8609
    • ๐Ÿ”’ spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
    • ๐Ÿ›  Fix typos in BCryptPasswordEncoder documentation #8586
    • ๐Ÿ›  Fixing typo in SAML 2.0 Sample README #8581
    • ๐Ÿ”’ Message Compose in JavaConfig hellojs Sample Fails #8556
    • ๐Ÿ”’ Java Config hellojs Sample Login Fails #8555
    • ๐Ÿ”’ XML OpenID sample should POST to logout #8554
    • โœ‚ Remove unused field 'digester' in Md4PasswordEncoder #8553
    • ๐Ÿ“š Polish JDBC Authentication documentation #8550
    • ๐Ÿ›  Fix Kotlin Sample Documentation #8540
    • ๐Ÿ”’ Object ID Identicy conversion to long fails on old schema #8538
    • ๐Ÿ”’ Create the CSRF token on the bounded elactic scheduler #8534
    • ๐Ÿ›  Fix AntPathRequestMatcher Javadoc #8512
    • ๐Ÿ”’ Document NoOpPasswordEncoder will not be removed #8508
    • ๐Ÿ”’ Document NoOpPasswordEncoder will not be removed #8506
    • ๐Ÿ›  Fix code snippets to configure timeouts #8487
    • ๐Ÿ›  Fix non-standard HTTP method for CsrfWebFilter #8452
    • ๐Ÿ”’ Blocking in WebSessionServerCsrfTokenRepository #8128
    • ๐Ÿ”’ Object ID Identity conversion to long fails on old schema #7621
    • ๐Ÿ”’ RoleHierarchy is not used by AbstractAuthorizeTag #7059
    • ๐Ÿ”’ Prevent StackOverflowError for AccessControlEntryImpl.hashCode #6820
    • ๐Ÿ”’ ACL : AclImpl.hashCode leads to StackOverflowError #5401

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to Spring Boot 2.4.0-M1 #8787
    • โšก๏ธ Update to Kotlin 1.3.72 #8786
    • โšก๏ธ Update to Google App Engine 1.7.80 #8785
    • ๐Ÿš€ Update to spring-build-conventions:0.0.33.RELEASE #8759
    • โšก๏ธ Update to Spring Boot 2.3.0 #8605
    • โšก๏ธ Update to Gradle 6.4.1 #8604
    • ๐Ÿš€ Update to spring-build-conventions:0.0.32.RELEASE #8499

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.4.0-M1 Changes

    May 06, 2020

    ๐Ÿฑ โญ New Features

    • ๐Ÿ”’ Jenkins does not need to build on JDK 9 and 10 #8482
    • ๐Ÿ”’ Upgrade Freefair AspectJ plugin to v5.0.1 #8456
    • ๐Ÿ”’ AesBytesEncryptor constructor that uses secret key #8443
    • ๐Ÿ”’ Rename Preface to Introduction #8411
    • ๐Ÿ”’ TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
    • ๐Ÿ”’ Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
    • ๐Ÿ‘ Allow creating AesBytesEncryptor with key #8402
    • โž• Add Flag to enable searching of LDAP groups on subtrees #8400
    • ๐Ÿ”’ Documented dependencies for opaque Resource Server #8394
    • ๐Ÿ‘ Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
    • ๐Ÿ”’ Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
    • ๐Ÿ”’ Saml2AuthenticationRequestContext should be extendible #8356 #8364
    • โž• Add constructors receiving AuthenticationManager #8362
    • ๐Ÿ‘ Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
    • ๐Ÿ”’ Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
    • ๐Ÿ”’ Validate ID Token Issuer #8357
    • ๐Ÿ”’ Saml2AuthenticationRequestContext should be extendible #8356
    • โž• Add authorize() DSL method that accepts HttpMethod #8350
    • ๐Ÿ‘ Allow custom header during bearer token extraction #8341
    • ๐Ÿ‘ Allow specify header in ServerBearerTokenAuthenticationConverter #8337
    • ๐Ÿ”’ Provide possibility to use custom cache to store JWK Set #8332
    • โž• Adding Map support to DefaultMethodSecurityExpressionHandler #8331
    • ๐Ÿ”’ BCryptPasswordEncoder rawPassword cannot be null #8330
    • ๐Ÿ‘ Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
    • ๐Ÿ”’ Open ID Connect ID Token Issuer not validated #8321
    • โž• Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
    • โž• Added setPrincipalClaimName to JwtAuthenticationConverter #8318
    • ๐Ÿ”’ BCryptPasswordEncoder.encode() throws NPE #8317
    • ๐Ÿ”’ HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
    • ๐Ÿ”’ AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
    • ๐Ÿ”’ SpringTestContext returns ConfigurableWebApplicationContext #8233
    • ๐Ÿ”’ Clarify use case for ServerBearerExchangeFilterFunction #8220
    • ๐Ÿ“š Update Encryptors documentation for standard and stronger #8208
    • ๐Ÿ”’ Upgrade to Gradle Enterprise Plugin 3.2 #8205
    • โž• Add Figures to Resource Server Docs #8184
    • โž• Add Figures to Resource Server Docs #8182
    • ๐Ÿ”’ Document JwtGrantedAuthoritiesConverter #8176
    • ๐Ÿ›  Fix userNameAttribute property case style #8171
    • ๐Ÿ’… userNameAttribute case style is different others #8169
    • ๐Ÿ’… Polish SAML 2.0 Login Sample #8163
    • ๐Ÿ”’ Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
    • ๐Ÿ”’ Assign sensible default for OAuth2AuthorizedClientProvider #8150
    • ๐Ÿ”’ OpenSamlImplementation should not use reflection #8147
    • ๐Ÿ‘ Allow port=0 for LDAP Servers #8139
    • ๐Ÿ”’ LDAP server configuration should support port=0 #8138
    • ๐Ÿ”’ Use io.spring.gradle-enterprise-conventions #8115
    • ๐Ÿ”’ Replace VersionsResourceTasks with WriteProperties #8114
    • ๐Ÿ‘Œ Improve Build Performance #8113
    • ๐Ÿ”’ Document OAuth 2.0 Login XML Support #8110
    • ๐Ÿ›  Fix exception from empty basic auth header token #8109
    • ๐Ÿ›  Fix typo 'properites' -> 'properties' in documentation #8096
    • ๐Ÿ”’ Document AuthenticationEventPublisher improvements #8081
    • ๐Ÿ”’ Document AuthNRequest POST binding support #8079
    • ๐Ÿ”’ Document AuthNRequest signature support #8078
    • ๐Ÿ”’ Document OAuth 2.0 Resource Server XML Support #8077
    • ๐Ÿ”’ Document Jackson serialization support for OAuth 2.0 Client #8075
    • ๐Ÿ”’ Document OAuth 2.0 Client XML Support #8074
    • ๐Ÿ”’ Document OAuth2Authorization success and failure handlers #8073
    • ๐Ÿ”’ Document OIDC Logout Success Handler Improvements #8072
    • ๐Ÿ”’ Document OAuth 2.0 Authorization Request improvements #8071
    • โž• Add OAuth 2.0 Test Support Docs #8050
    • โž• Add server request cache that uses cookie #8033
    • ๐Ÿ”’ Basic auth header without user results in exception #7976
    • โž• Add RequestRejectedHandler #7052
    • ๐Ÿ”’ OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
    • ๐Ÿ”’ Idiomatic Kotlin DSL for configuring HTTP security #5558
    • ๐Ÿ”’ SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
    • ๐Ÿ”’ SessionRegistryImpl is not aware of SessionIdChange events. #5438
    • ๐Ÿ”’ SwitchUserFilter vulnerable to CSRF #4183

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ›  Fix Javadoc punctuation #8480
    • ๐Ÿ›  Fixed typos in documentation #8454
    • ๐Ÿ‘Œ Support update when saving with JdbcOAuth2AuthorizedClientService #8435
    • โšก๏ธ JdbcOAuth2AuthorizedClientService should support update when saving #8425
    • ๐Ÿ”’ OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
    • ๐Ÿ”’ ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
    • ๐Ÿ›  Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
    • ๐Ÿ›  Fix Documentation to Refer to BasicAuthenticationFilter #8414
    • โž• Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
    • ๐Ÿ›  Fix typo with correct capitalization #8406
    • ๐Ÿ”’ Global ServerSecurityContextRepository ignored by logout #8375
    • ๐Ÿ›  Fix example in javadoc of FilterChainProxy #8344
    • ๐Ÿ›  Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
    • ๐Ÿ›  Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
    • ๐Ÿ”’ OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
    • ๐Ÿ›  Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
    • ๐Ÿ”’ Make OAuth2ErrorHttpMessageConverter more resilient #8157
    • ๐Ÿ”’ RSocket test should throw AccessDeniedException #8154
    • ๐Ÿ›  Fix typo in Javadoc of HttpSecurity#csrf() #8130
    • ๐Ÿ›  Fix Documentation to Refer to BasicAuthenticationFilter #8119
    • ๐Ÿ”’ oauth2Login WebFlux should not auto-redirect for XHR request #8118
    • ๐Ÿ”’ NPE thrown when token response contains a null value #8108
    • ๐Ÿ”’ HttpServletRequest.logout() not functioning #4760
    • ๐Ÿ”’ Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to aspectj-plugin:4.1.6 #8305

    ๐Ÿฑ โช Non-passive

    • ๐Ÿ”’ Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
    • ๐Ÿ”’ SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!

  • v5.3.6.RELEASE Changes

    December 03, 2020

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • โœ‚ Remove empty Appendix Section from docs #9161
    • ๐Ÿ”’ Tests should not combine Authentication and @AuthenticationPrincipal #9125

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to Google App Engine 1.9.83 #9247
    • โšก๏ธ Update to Spring Boot 2.2.11 #9246
  • v5.3.5.RELEASE Changes

    October 07, 2020

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9057
    • ๐Ÿ”’ CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9024

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to AspectJ 1.9.6 #9106
    • โšก๏ธ Update to Google App Engine 1.9.82 #9105
    • ๐Ÿš€ Update to Spring Boot 2.2.10.RELEASE #9104
  • v5.3.4.RELEASE Changes

    August 05, 2020

    ๐Ÿฑ โญ New Features

    • โž• Add logging #8888
    • ๐Ÿ”’ Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8855
    • ๐Ÿ”’ formLogin() does not work with REST Docs #8748
    • ๐Ÿ”’ Use Github Actions PR pipeline and remove Travis for 5.3.x #8724

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ”’ ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8896
    • ๐Ÿ”’ OAuth2AuthenticationException should be in allowlist #8863
    • ๐Ÿ”’ Resolved bearer token has no padding indicators #8837
    • ๐Ÿ›  Fix ProviderManager Javadoc typo #8811
    • ๐Ÿ”’ LoginPageGeneratingWebFilter should honor context path #8808
    • ๐Ÿ”’ OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8803
    • ๐Ÿ”’ RoleHierarchy is not used by AbstractAuthorizeTag #8678
    • ๐Ÿ”’ OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8672
    • ๐Ÿ”’ ReactorContext not available in PayloadSocketAcceptor delegate.accept #8655

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • ๐Ÿš€ Update to spring-build-conventions:0.0.34.RELEASE #8925
    • ๐Ÿš€ Update to nohttp 0.0.5.RELEASE #8924
    • โšก๏ธ Update to GAE 1.9.81 #8923
    • ๐Ÿš€ Update to Spring Boot 2.2.9.RELEASE #8922
    • ๐Ÿš€ Update to spring-build-conventions:0.0.33.RELEASE #8760

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!