All Versions: 57
Latest Version
Avg Release Cycle: 47 days
Latest Release: 826 days ago

Changelog History

  • v5.5.0-M1 Changes

    November 04, 2020

    🍱 ⭐ New Features

    • Add unsupported_token_type in OAuth2ErrorCodes #9184
    • Add token and token_type_hint to OAuth2ParameterNames #9183
    • 🔒 Introduce JwaAlgorithm #9182
    • 🔒 WithSecurityContextTestExecutionListener Should Support Nested Classes #9179
    • ➕ Add WebFlux Documentation for Multiple Filter Chains #9178
    • 📇 SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements #9177
    • 🔒 Enable customization of BearerTokenResolver by adding a setter for JwtClaimIssuerConverter on JwtIssuerAuthenticationManagerResolver #9168
    • 🔒 Reactive doc points to unit tests #9157
    • 🔒 Invoke Kotlin MockMvc result matchers with parentheses #9155
    • 🔒 Change guard expressions order #9153
    • 🔒 It is not necessary to fetch all user sessions if unlimited sessions are set in the ConcurrentSessionControlAuthenticationStrategy. #9152
    • ➕ Add refresh token expiration support #9146
    • 🔒 JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs #9137
    • 🔒 OpenSamlAuthenticationProvider should decrypt attributes #9131
    • ⚡️ Update snapshot build dependencies #9124
    • 🔒 spring-security-test should include jackson-datatype-jsr310 as a test dependency #9123
    • ⚡️ Update to Gradle 6.6.1 #9122
    • 🔒 Use LobHandler in JdbcOAuth2AuthorizedClientService #9070
    • 📇 Changed metadata converter to accept files as well #9056
    • ➕ Add HSM Support for Decrypting Assertions #9055
    • 📇 File-based Configuration for Asserting Party Metadata #9028
    • 🔒 Prevent PR builds from running on forks #8993
    • 🔒 Provide an R2dbc implementation of ReactiveOAuth2AuthorizedClientService #8765
    • ➕ Add support for dynamic JWS signature algorithm with JWKs (2) - Issue 7160 #8752
    • 👌 Support customization of BearerTokenResolver in JwtIssuerAuthenticationManagerResolver #8535
    • 🔒 Provide reactive JDBC implementation of ReactiveOAuth2AuthorizedClientService #7890
    • 🔒 JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint #7160
    • 🔒 OAuth2Token interface for AbstractOAuth2Token #5502

    🍱 🐞 Bug Fixes

    • 🔒 [docs]Add white space before strong notation. #9145
    • 🐛 Bug with JwtValidators.createDefaultWithIssuer(String)? #9136
    • 🔒 Tests should not combine Authentication and @AuthenticationPrincipal #9121
    • 🔒 Closes gh-8196 appendix indentation #9118
    • 🛠 Fixes in documentation #9099

    ⬆️ 🔨 Dependency Upgrades

    • 🔒 Set rsocketVersion to 1.1.0 #9167
    • 🔒 Set reactorVersion to 2020.0.+ #9166
    • 🔒 Set springVersion to 5.3.+ #9165

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.4.2 Changes

    December 03, 2020

    🍱 ⭐ New Features

    • ⚡️ Update snapshot build dependencies #9254
    • ⚡️ Update to Gradle 6.6.1 #9232

    🍱 🐞 Bug Fixes

    • 🔒 Tests should not combine Authentication and @AuthenticationPrincipal #9255
    • ✂ Remove empty Appendix Section from docs #9253
    • 🔒 CookieRequestCache handles URL encoded query parameters incorrectly #9252
    • 👌 Improve Metadata URL Documentation #9251

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Google App Engine 1.9.83 #9250
    • ⚡️ Update to Kotlin 1.4.20 #9249
    • ⚡️ Update to Spring Boot 2.4.0 #9248
    • 🔒 5.4.x Snapshot Build Should Point to Other Maintenance Branches #9162

  • v5.4.1 Changes

    October 07, 2020

    🍱 ⭐ New Features

    • 🔒 Replace expired msdn link with latest web archive copy #9050
    • ➕ Add documentation for StrictHttpFirewall enhancements #9038
    • 🔒 Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
    • 🔒 Use AssertJ for exception testing #9013

    🍱 🐞 Bug Fixes

    • ➕ Add try-with-resources to close stream #9053
    • 📇 RelyingPartyRegistrations Fails to Read Keycloak Metadata #9051
    • 🛠 fix miswritten comment of FormLoginDsl.kt #9042
    • 🔒 Adapt to WebClient's new exception wrapping #9031
    • 🔒 StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #9026
    • 🛠 Fix broken Mono chain #9022
    • 🔒 Use Schedulers.boundedElastic for UUID.randomUUID #9021
    • 🔒 CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018
    • 🔒 WebSessionServerCsrfTokenRepository#generateToken() doesn't use Schedulers.boundedElastic() #9017
    • 🔒 NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #9011
    • 🔒 Quick javadoc fix for DelegatingPasswordEncoder #8890

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.4.0 Changes

    September 09, 2020

    🍱 ⭐ New Features

    • ➕ Add What's New in 5.4 #9002
    • ➕ Add What's New in 5.4 Section to Docs #9001
    • ➕ Add Resource Server Servlet Logging #9000
    • 🔒 Simplify saml2Login Samples #8990
    • ✂ Remove Framework Tests from saml2Login Sample #8989
    • ➕ Add authenticationManagerResolver to resource server Kotlin DSL #8981
    • 🔒 Generalize SAML 2.0 Assertion Validation Support #8970
    • ⚡️ Update abstract-authentication-processing-filter.adoc #8965
    • ➕ Add spring-javaformat checkstyle and formatting #8946
    • ➕ Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #8926
    • ➕ Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #8892
    • 🔒 Resolve oauth2 client-id, client-secret placeholders #8880
    • 📚 Restructure SAML 2.0 documentation #8763
    • 🔒 security:client-registrations doesn't take propertyconfigurer properties #8453

    🍱 🐞 Bug Fixes

    • 🔒 Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #8986
    • 📇 NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #8948
    • 🔒 SAML attributes not parsed correctly with prefixed XML elements #8864
    • 🔒 Don't use oidc scopes_supported for scope as default in ClientRegistrations #8790
    • 📇 scopes_supported metadata should not be used as default in ClientRegistrations #8514

    ⬆️ 🔨 Dependency Upgrades

    • 🔒 Set springDataVersion to Neumann-SR+ #9007
    • 🔒 Set rsocketVersion to 1.0.+ #9006

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.4.0-RC1 Changes

    August 05, 2020

    🍱 ⭐ New Features

    • 🔒 Deprecate CustomUserTypesOAuth2UserService #8908
    • 🔒 Deprecate ClientRegistration.redirectUriTemplate #8906
    • 👍 Allow for custom ClientRegistration.clientAuthenticationMethod #8903
    • 🔒 Deprecate ImplicitGrantConfigurer #8902
    • ✂ Remove use of Mono.deferWithContext() #8901
    • 🔒 Consider adding RelyingPartyRegistrationResolver #8887
    • ➕ Add HttpMessageConverter that constructs a RelyingPartyRegistration #8877
    • 🔒 RelyingPartyRegistration should default the ACS Location #8876
    • ⚡️ Update SimpleSaml2AuthenticatedPrincipal class name #8861
    • 🔒 Introduce AuthenticationConverterServerWebExchangeMatcher #8854
    • 🔒 Make class SimpleSaml2AuthenticatedPrincipal public #8852
    • 👌 Support custom filter in Server Kotlin DSL #8850
    • 🔒 Saml2AuthenticationToken should take a RelyingPartyRegistration #8845
    • 🔒 Wording changes #8832
    • 🔒 -gh 8784 Document improvement for WebSecurityConfigure #8825
    • 🔒 Consider making BearerTokenServerWebExchangeMatcher public and more generic #8824
    • ➕ Add custom HeaderWriter in Kotlin DSL #8823
    • ➕ Add Static Factories to Saml2X509Credential #8822
    • 👍 Allow disabling headers in Kotlin DSL #8816
    • ✂ Remove need for WebSecurityConfigurerAdapter #8805
    • 🔒 Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
    • 🛠 Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795
    • ➕ Add Static Factories to Saml2X509Credential #8789
    • 🔒 RelyingPartyRegistration Credentials Should Be Split by Party #8788
    • 👌 Support custom filter in Server Kotlin DSL #8783
    • 🔒 Mongolian translation for messages.properties #8780
    • 🔒 Mongolian translation required for messages.properties #8778
    • 📇 RelyingPartyRegistration should use metadata spec language #8777
    • 🔒 ACS Binding should be in RelyingPartyRegistration #8776
    • ✂ Remove OpenSamlImplementation #8775
    • 🔒 OpenSamlAuthenticationRequestFactory should use OpenSAML directly #8774
    • 🔒 OpenSamlAuthenticationProvider should use OpenSAML directly #8773
    • 🔒 OpenSAML should get initialized as part of container lifecycle #8772
    • 🔒 SAML Assertion validation fails when OneTimeUse condition is sent from the IdP #8769
    • 👌 Improve error message when invalid content-type for UserInfo response #8764
    • 🔒 Simplify retrieving Introspection-specific attributes #8740
    • 🔒 Reactive SwitchUserWebFilter for user impersonation #8687
    • 🔒 Change getMethod() to return configured value in SimpleSavedRequest #8675
    • 🔒 gh-8589 Additional Jwt validation debug messages #8665
    • ➕ Adds cookie based RequestCache #8653
    • 🔒 Missing Reactive SwitchUserWebFilter for user impersonation #8599
    • 🔒 Use String to specify custom HTTP method in mock request #8592
    • ➕ Add logging #8589
    • 👌 Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
    • 🔒 SAML Authentication Provider assertions #8471
    • 🔒 Throw exception when specified ldif file does not exist #8434
    • 🔒 SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory #8141
    • ➕ Add request cache that uses cookie #8034
    • 🔒 No log message or exception if expected ldif file does not exist #7791

    🍱 🐞 Bug Fixes

    • 🔒 Move RSocket Integration Tests to integration tests #8944
    • 🛠 Fix snapshot build failure related to reactor-netty #8909
    • 🔒 Resolve Bearer token after subscribing to publisher #8894
    • 🔒 ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8865
    • ⚡️ Update README.adoc #8851
    • 🔒 Saml2Error should be in a core package #8835
    • 🛠 Fix #8797: Add OAuth2AuthenticationException to allowlist #8827
    • 🔒 CookieRequestCache "REDIRECT_URI" removed by any request #8820
    • 🔒 use CookieRequestCache something went wrong #8817
    • 🔒 LoginPageGeneratingWebFilter should honor context path #8807
    • 🛠 Fix ProviderManager Javadoc typo #8800
    • 🔒 OAuth2AuthenticationException should be in allowlist #8797
    • 🔒 tutorial uses hasRole but should use hasAuthority #8796
    • 🔒 Saml2WebSsoAuthenticationFilter does not follow standard patterns for request matching. #8768
    • 🔒 Bearer Token Padding #8511
    • 🔒 Resolved bearer token has no padding indicators #8502

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.4.0-M2 Changes

    July 01, 2020

    🍱 ⭐ New Features

    • ➕ Add reified function variants to security DSL #8771
    • 🔒 OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse #8766
    • 🔒 LDAP Integration Tests Should Use Random Port #8762
    • 🔒 Use memory-saving Collections.singletonList in JdbcAclService.readAclById() #8756
    • 🔒 Merge Spring security with dependencies #8755
    • ➕ Add Configurable secure flag in CookieCsrfTokenRepository #8749
    • 🛠 Fix typo in OAuth2AccessTokenResponse #8746
    • 👍 Allow customizing JWTProcessor passed to NimbusJwtDecoder #8745
    • 🔒 Use Spring Snapshots in Snapshot Build Again #8712
    • ⚡️ Update pipeline to run for PRs to all branches #8711
    • ✂ Remove Travis pipeline and README badge #8710
    • 🔒 Reject the NULL character in paths in StrictHttpFirewall #8703
    • 🔒 OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702
    • 🔒 OAuth2AuthorizedClientArgumentResolver could use OAuth2AuthorizedClientManager registered in context #8700
    • 🔒 Kotlin Configuration DSL: Use reified types wherever a class is used as a parameter #8697
    • 🔒 ProviderManager Should Use CollectionUtils#contains #8695
    • 🔒 ProviderManager#checkState() throws NullPointerException #8689
    • 🔒 Set up Github Actions pipeline for PRs #8680
    • 🔒 Deprecate X-Frame-Options ALLOW-FROM #8677
    • 🔒 Replace whitelist/blacklist with allowlist/blocklist #8676
    • 🔒 Register OAuth2AuthorizedClientArgumentResolver for XML Config #8669
    • 🔒 Getting response attributes from Saml2AuthenticatedPrincipal #8667
    • 🔒 Ability to easily read attribute values from SAML response #8661
    • 🔒 DefaultOAuth2AuthorizationRequestResolver Should Not Consume Request Body #8651
    • 🔒 StrictHttpFirewall: Validate headers and parameters #8644
    • 🔒 JwtDecoder should use Nimbus multiple-algorithm support #8623
    • ✂ Remove ClientRegistrationRepository Mock Beans from Samples #8606
    • 🔒 oauth2Client Test Support should not require an HttpSessionOAuth2AuthorizedClientRepository #8603
    • ➕ Add tokenFromMultipartDataEnabled to server CSRF Kotlin DSL #8602
    • ➕ Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter #8587
    • 🔒 FilterInvocation Support Default Methods on HttpServletRequest #8566
    • ⚡️ Update to JQuery 3.5.1 #8557
    • 🔒 Saml2WebSsoAuthenticationRequestFilter should be post-processed #8552
    • 🔒 Move TestRelyingPartyRegistrations #8551
    • 🔒 Configuration defaults to SessionRegistry bean #8548
    • 📚 Update BCryptPasswordEncoder documentation with default strength #8542
    • 🔒 authorization_code grant should use same ServerRequestCache #8536
    • Avoid using "/path/**/other" patterns in WebFlux PathPatternParser #8513
    • ➕ Add debug logging to Reactive Web #8504
    • ➕ Add issuerUri to ClientRegistration.providerDetails #8501
    • 🔒 Use Opaquetoken properties to configure timeouts #8488
    • ⚡️ Update Traditional Chinese translation. #8483
    • 👍 Allow port=0 for ApacheDSContainer #8416
    • 🔒 Throw exception if URL does not include context path when context relative #8399
    • ➕ Added setter to make RequestCache injectable #8392
    • 🔒 Consider adding ClientRegistration.providerDetails.issuerUri #8326
    • 🔒 Merge Project Modules and Dependencies Section of the docs #8199
    • ➕ Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter #8120
    • 🔒 formLogin() does not work with REST Docs #7572

    🍱 🐞 Bug Fixes

    • 🔒 SwitchUserFilter.setExitUserMatcher Javadoc is incorrect #8744
    • 🔒 SwitchUserFilter.setUserDetailsChecker is missing Javadoc #8743
    • 🛠 Fix SecurityContext creation for TEST_EXECUTION #8738
    • 🔒 ReactorContext not available in PayloadSocketAcceptor delegate.accept #8654
    • 🔒 DefaultWebSecurityExpressionHandler uses RoleHierarchy bean #8652
    • 🔒 DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650
    • 🛠 Fix broken link in spring security reference document #8618
    • 🔒 Delay AuthenticationPrincipalArgumentResolver Lookup #8613
    • 🔒 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8609
    • 🔒 spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
    • 🛠 Fix typos in BCryptPasswordEncoder documentation #8586
    • 🛠 Fixing typo in SAML 2.0 Sample README #8581
    • 🔒 Message Compose in JavaConfig hellojs Sample Fails #8556
    • 🔒 Java Config hellojs Sample Login Fails #8555
    • 🔒 XML OpenID sample should POST to logout #8554
    • ✂ Remove unused field 'digester' in Md4PasswordEncoder #8553
    • 📚 Polish JDBC Authentication documentation #8550
    • 🛠 Fix Kotlin Sample Documentation #8540
    • 🔒 Object ID Identity conversion to long fails on old schema #8538
    • 🔒 Create the CSRF token on the bounded elastic scheduler #8534
    • 🛠 Fix AntPathRequestMatcher Javadoc #8512
    • 🔒 Document NoOpPasswordEncoder will not be removed #8508
    • 🔒 Document NoOpPasswordEncoder will not be removed #8506
    • 🛠 Fix code snippets to configure timeouts #8487
    • 🛠 Fix non-standard HTTP method for CsrfWebFilter #8452
    • 🔒 Blocking in WebSessionServerCsrfTokenRepository #8128
    • 🔒 Object ID Identity conversion to long fails on old schema #7621
    • 🔒 RoleHierarchy is not used by AbstractAuthorizeTag #7059
    • 🔒 Prevent StackOverflowError for AccessControlEntryImpl.hashCode #6820
    • 🔒 ACL : AclImpl.hashCode leads to StackOverflowError #5401

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Spring Boot 2.4.0-M1 #8787
    • ⚡️ Update to Kotlin 1.3.72 #8786
    • ⚡️ Update to Google App Engine 1.7.80 #8785
    • 🚀 Update to spring-build-conventions:0.0.33.RELEASE #8759
    • ⚡️ Update to Spring Boot 2.3.0 #8605
    • ⚡️ Update to Gradle 6.4.1 #8604
    • 🚀 Update to spring-build-conventions:0.0.32.RELEASE #8499

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.4.0-M1 Changes

    May 06, 2020

    🍱 ⭐ New Features

    • 🔒 Jenkins does not need to build on JDK 9 and 10 #8482
    • 🔒 Upgrade Freefair AspectJ plugin to v5.0.1 #8456
    • 🔒 AesBytesEncryptor constructor that uses secret key #8443
    • 🔒 Rename Preface to Introduction #8411
    • 🔒 TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
    • 🔒 Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
    • 👍 Allow creating AesBytesEncryptor with key #8402
    • ➕ Add Flag to enable searching of LDAP groups on subtrees #8400
    • 🔒 Documented dependencies for opaque Resource Server #8394
    • 👍 Allow exposing JwtAuthenticationConverter as a bean for Resource Server #8379
    • 🔒 Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356 #8364
    • ➕ Add constructors receiving AuthenticationManager #8362
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
    • 🔒 Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
    • 🔒 Validate ID Token Issuer #8357
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356
    • ➕ Add authorize() DSL method that accepts HttpMethod #8350
    • 👍 Allow custom header during bearer token extraction #8341
    • 👍 Allow specifying header in ServerBearerTokenAuthenticationConverter #8337
    • 🔒 Provide possibility to use custom cache to store JWK Set #8332
    • ➕ Adding Map support to DefaultMethodSecurityExpressionHandler #8331
    • 🔒 BCryptPasswordEncoder rawPassword cannot be null #8330
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
    • 🔒 Open ID Connect ID Token Issuer not validated #8321
    • ➕ Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
    • ➕ Added setPrincipalClaimName to JwtAuthenticationConverter #8318
    • 🔒 BCryptPasswordEncoder.encode() throws NPE #8317
    • 🔒 HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
    • 🔒 AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8233
    • 🔒 Clarify use case for ServerBearerExchangeFilterFunction #8220
    • 📚 Update Encryptors documentation for standard and stronger #8208
    • 🔒 Upgrade to Gradle Enterprise Plugin 3.2 #8205
    • ➕ Add Figures to Resource Server Docs #8184
    • ➕ Add Figures to Resource Server Docs #8182
    • 🔒 Document JwtGrantedAuthoritiesConverter #8176
    • 🛠 Fix userNameAttribute property case style #8171
    • 💅 userNameAttribute case style is different from others #8169
    • 💅 Polish SAML 2.0 Login Sample #8163
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
    • 🔒 Assign sensible default for OAuth2AuthorizedClientProvider #8150
    • 🔒 OpenSamlImplementation should not use reflection #8147
    • 👍 Allow port=0 for LDAP Servers #8139
    • 🔒 LDAP server configuration should support port=0 #8138
    • 🔒 Use io.spring.gradle-enterprise-conventions #8115
    • 🔒 Replace VersionsResourceTasks with WriteProperties #8114
    • 👌 Improve Build Performance #8113
    • 🔒 Document OAuth 2.0 Login XML Support #8110
    • 🛠 Fix exception from empty basic auth header token #8109
    • 🛠 Fix typo 'properites' -> 'properties' in documentation #8096
    • 🔒 Document AuthenticationEventPublisher improvements #8081
    • 🔒 Document AuthNRequest POST binding support #8079
    • 🔒 Document AuthNRequest signature support #8078
    • 🔒 Document OAuth 2.0 Resource Server XML Support #8077
    • 🔒 Document Jackson serialization support for OAuth 2.0 Client #8075
    • 🔒 Document OAuth 2.0 Client XML Support #8074
    • 🔒 Document OAuth2Authorization success and failure handlers #8073
    • 🔒 Document OIDC Logout Success Handler Improvements #8072
    • 🔒 Document OAuth 2.0 Authorization Request improvements #8071
    • ➕ Add OAuth 2.0 Test Support Docs #8050
    • ➕ Add server request cache that uses cookie #8033
    • 🔒 Basic auth header without user results in exception #7976
    • ➕ Add RequestRejectedHandler #7052
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
    • 🔒 Idiomatic Kotlin DSL for configuring HTTP security #5558
    • 🔒 SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
    • 🔒 SessionRegistryImpl is not aware of SessionIdChange events. #5438
    • 🔒 SwitchUserFilter vulnerable to CSRF #4183

    🍱 🐞 Bug Fixes

    • 🛠 Fix Javadoc punctuation #8480
    • 🛠 Fixed typos in documentation #8454
    • 👌 Support update when saving with JdbcOAuth2AuthorizedClientService #8435
    • ⚡️ JdbcOAuth2AuthorizedClientService should support update when saving #8425
    • 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
    • 🔒 ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
    • 🛠 Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8414
    • ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
    • 🛠 Fix typo with correct capitalization #8406
    • 🔒 Global ServerSecurityContextRepository ignored by logout #8375
    • 🛠 Fix example in javadoc of FilterChainProxy #8344
    • 🛠 Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
    • 🛠 Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
    • 🛠 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8157
    • 🔒 RSocket test should throw AccessDeniedException #8154
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8130
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8119
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8118
    • 🔒 NPE thrown when token response contains a null value #8108
    • 🔒 HttpServletRequest.logout() not functioning #4760
    • 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to aspectj-plugin:4.1.6 #8305

    🍱 ⏪ Non-passive

    • 🔒 Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
    • 🔒 SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

  • v5.3.6.RELEASE Changes

    December 03, 2020

    🍱 🐞 Bug Fixes

    • ✂ Remove empty Appendix Section from docs #9161
    • 🔒 Tests should not combine Authentication and @AuthenticationPrincipal #9125

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to Google App Engine 1.9.83 #9247
    • ⚡️ Update to Spring Boot 2.2.11 #9246

  • v5.3.5.RELEASE Changes

    October 07, 2020

    🍱 🐞 Bug Fixes

    • 🔒 SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9057
    • 🔒 CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9024

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to AspectJ 1.9.6 #9106
    • ⚡️ Update to Google App Engine 1.9.82 #9105
    • 🚀 Update to Spring Boot 2.2.10.RELEASE #9104

  • v5.3.4.RELEASE Changes

    August 05, 2020

    🍱 ⭐ New Features

    • ➕ Add logging #8888
    • 🔒 Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8855
    • 🔒 formLogin() does not work with REST Docs #8748
    • 🔒 Use Github Actions PR pipeline and remove Travis for 5.3.x #8724

    🍱 🐞 Bug Fixes

    • 🔒 ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8896
    • 🔒 OAuth2AuthenticationException should be in allowlist #8863
    • 🔒 Resolved bearer token has no padding indicators #8837
    • 🛠 Fix ProviderManager Javadoc typo #8811
    • 🔒 LoginPageGeneratingWebFilter should honor context path #8808
    • 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8803
    • 🔒 RoleHierarchy is not used by AbstractAuthorizeTag #8678
    • 🔒 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8672
    • 🔒 ReactorContext not available in PayloadSocketAcceptor delegate.accept #8655

    ⬆️ 🔨 Dependency Upgrades

    • 🚀 Update to spring-build-conventions:0.0.34.RELEASE #8925
    • 🚀 Update to nohttp 0.0.5.RELEASE #8924
    • ⚡️ Update to GAE 1.9.81 #8923
    • 🚀 Update to Spring Boot 2.2.9.RELEASE #8922
    • 🚀 Update to spring-build-conventions:0.0.33.RELEASE #8760

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!