Spring Security v5.4.0-M1 Release Notes

Release Date: 2020-05-06
  • ๐Ÿฑ โญ New Features

    • ๐Ÿ”’ Jenkins does not need to build on JDK 9 and 10 #8482
    • ๐Ÿ”’ Upgrade Freefair AspectJ plugin to v5.0.1 #8456
    • ๐Ÿ”’ AesBytesEncryptor constructor that uses secret key #8443
    • ๐Ÿ”’ Rename Preface to Introduction #8411
    • ๐Ÿ”’ TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
    • ๐Ÿ”’ Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
    • ๐Ÿ‘ Allow creating AesBytesEncryptor with key #8402
    • โž• Add Flag to enable searching of LDAP groups on subtrees #8400
    • ๐Ÿ”’ Documented dependencies for opaque Resource Server #8394
    • ๐Ÿ‘ Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
    • ๐Ÿ”’ Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
    • ๐Ÿ”’ Saml2AuthenticationRequestContext should be extendible #8356 #8364
    • โž• Add constructors receiving AuthenticationManager #8362
    • ๐Ÿ‘ Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
    • ๐Ÿ”’ Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
    • ๐Ÿ”’ Validate ID Token Issuer #8357
    • ๐Ÿ”’ Saml2AuthenticationRequestContext should be extendible #8356
    • โž• Add authorize() DSL method that accepts HttpMethod #8350
    • ๐Ÿ‘ Allow custom header during bearer token extraction #8341
    • ๐Ÿ‘ Allow specify header in ServerBearerTokenAuthenticationConverter #8337
    • ๐Ÿ”’ Provide possibility to use custom cache to store JWK Set #8332
    • โž• Adding Map support to DefaultMethodSecurityExpressionHandler #8331
    • ๐Ÿ”’ BCryptPasswordEncoder rawPassword cannot be null #8330
    • ๐Ÿ‘ Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
    • ๐Ÿ”’ Open ID Connect ID Token Issuer not validated #8321
    • โž• Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
    • โž• Added setPrincipalClaimName to JwtAuthenticationConverter #8318
    • ๐Ÿ”’ BCryptPasswordEncoder.encode() throws NPE #8317
    • ๐Ÿ”’ HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
    • ๐Ÿ”’ AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
    • ๐Ÿ”’ SpringTestContext returns ConfigurableWebApplicationContext #8233
    • ๐Ÿ”’ Clarify use case for ServerBearerExchangeFilterFunction #8220
    • ๐Ÿ“š Update Encryptors documentation for standard and stronger #8208
    • ๐Ÿ”’ Upgrade to Gradle Enterprise Plugin 3.2 #8205
    • โž• Add Figures to Resource Server Docs #8184
    • โž• Add Figures to Resource Server Docs #8182
    • ๐Ÿ”’ Document JwtGrantedAuthoritiesConverter #8176
    • ๐Ÿ›  Fix userNameAttribute property case style #8171
    • ๐Ÿ’… userNameAttribute case style is different others #8169
    • ๐Ÿ’… Polish SAML 2.0 Login Sample #8163
    • ๐Ÿ”’ Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
    • ๐Ÿ”’ Assign sensible default for OAuth2AuthorizedClientProvider #8150
    • ๐Ÿ”’ OpenSamlImplementation should not use reflection #8147
    • ๐Ÿ‘ Allow port=0 for LDAP Servers #8139
    • ๐Ÿ”’ LDAP server configuration should support port=0 #8138
    • ๐Ÿ”’ Use io.spring.gradle-enterprise-conventions #8115
    • ๐Ÿ”’ Replace VersionsResourceTasks with WriteProperties #8114
    • ๐Ÿ‘Œ Improve Build Performance #8113
    • ๐Ÿ”’ Document OAuth 2.0 Login XML Support #8110
    • ๐Ÿ›  Fix exception from empty basic auth header token #8109
    • ๐Ÿ›  Fix typo 'properites' -> 'properties' in documentation #8096
    • ๐Ÿ”’ Document AuthenticationEventPublisher improvements #8081
    • ๐Ÿ”’ Document AuthNRequest POST binding support #8079
    • ๐Ÿ”’ Document AuthNRequest signature support #8078
    • ๐Ÿ”’ Document OAuth 2.0 Resource Server XML Support #8077
    • ๐Ÿ”’ Document Jackson serialization support for OAuth 2.0 Client #8075
    • ๐Ÿ”’ Document OAuth 2.0 Client XML Support #8074
    • ๐Ÿ”’ Document OAuth2Authorization success and failure handlers #8073
    • ๐Ÿ”’ Document OIDC Logout Success Handler Improvements #8072
    • ๐Ÿ”’ Document OAuth 2.0 Authorization Request improvements #8071
    • โž• Add OAuth 2.0 Test Support Docs #8050
    • โž• Add server request cache that uses cookie #8033
    • ๐Ÿ”’ Basic auth header without user results in exception #7976
    • โž• Add RequestRejectedHandler #7052
    • ๐Ÿ”’ OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
    • ๐Ÿ”’ Idiomatic Kotlin DSL for configuring HTTP security #5558
    • ๐Ÿ”’ SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
    • ๐Ÿ”’ SessionRegistryImpl is not aware of SessionIdChange events. #5438
    • ๐Ÿ”’ SwitchUserFilter vulnerable to CSRF #4183

    ๐Ÿฑ ๐Ÿž Bug Fixes

    • ๐Ÿ›  Fix Javadoc punctuation #8480
    • ๐Ÿ›  Fixed typos in documentation #8454
    • ๐Ÿ‘Œ Support update when saving with JdbcOAuth2AuthorizedClientService #8435
    • โšก๏ธ JdbcOAuth2AuthorizedClientService should support update when saving #8425
    • ๐Ÿ”’ OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
    • ๐Ÿ”’ ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
    • ๐Ÿ›  Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
    • ๐Ÿ›  Fix Documentation to Refer to BasicAuthenticationFilter #8414
    • โž• Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
    • ๐Ÿ›  Fix typo with correct capitalization #8406
    • ๐Ÿ”’ Global ServerSecurityContextRepository ignored by logout #8375
    • ๐Ÿ›  Fix example in javadoc of FilterChainProxy #8344
    • ๐Ÿ›  Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
    • ๐Ÿ›  Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
    • ๐Ÿ”’ OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
    • ๐Ÿ›  Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
    • ๐Ÿ”’ Make OAuth2ErrorHttpMessageConverter more resilient #8157
    • ๐Ÿ”’ RSocket test should throw AccessDeniedException #8154
    • ๐Ÿ›  Fix typo in Javadoc of HttpSecurity#csrf() #8130
    • ๐Ÿ›  Fix Documentation to Refer to BasicAuthenticationFilter #8119
    • ๐Ÿ”’ oauth2Login WebFlux should not auto-redirect for XHR request #8118
    • ๐Ÿ”’ NPE thrown when token response contains a null value #8108
    • ๐Ÿ”’ HttpServletRequest.logout() not functioning #4760
    • ๐Ÿ”’ Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

    โฌ†๏ธ ๐Ÿ”จ Dependency Upgrades

    • โšก๏ธ Update to aspectj-plugin:4.1.6 #8305

    ๐Ÿฑ โช Non-passive

    • ๐Ÿ”’ Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
    • ๐Ÿ”’ SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

    ๐Ÿฑ โค๏ธ Contributors

    ๐Ÿš€ We'd like to thank all the contributors who worked on this release!