Spring Security v5.4.0-M1 Release Notes
Release Date: 2020-05-06
New Features
- Jenkins does not need to build on JDK 9 and 10 #8482
- Upgrade Freefair AspectJ plugin to v5.0.1 #8456
- AesBytesEncryptor constructor that uses secret key #8443
- Rename Preface to Introduction #8411
- TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
- Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
- Allow creating AesBytesEncryptor with key #8402
- Add Flag to enable searching of LDAP groups on subtrees #8400
- Documented dependencies for opaque Resource Server #8394
- Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
- Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
- Saml2AuthenticationRequestContext should be extendible #8356 #8364
- Add constructors receiving AuthenticationManager #8362
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
- Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
- Validate ID Token Issuer #8357
- Saml2AuthenticationRequestContext should be extendible #8356
- Add authorize() DSL method that accepts HttpMethod #8350
- Allow custom header during bearer token extraction #8341
- Allow specify header in ServerBearerTokenAuthenticationConverter #8337
- Provide possibility to use custom cache to store JWK Set #8332
- Adding Map support to DefaultMethodSecurityExpressionHandler #8331
- BCryptPasswordEncoder rawPassword cannot be null #8330
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
- Open ID Connect ID Token Issuer not validated #8321
- Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
- Added setPrincipalClaimName to JwtAuthenticationConverter #8318
- BCryptPasswordEncoder.encode() throws NPE #8317
- HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
- AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
- SpringTestContext returns ConfigurableWebApplicationContext #8233
- Clarify use case for ServerBearerExchangeFilterFunction #8220
- Update Encryptors documentation for standard and stronger #8208
- Upgrade to Gradle Enterprise Plugin 3.2 #8205
- Add Figures to Resource Server Docs #8184
- Add Figures to Resource Server Docs #8182
- Document JwtGrantedAuthoritiesConverter #8176
- Fix userNameAttribute property case style #8171
- userNameAttribute case style is different others #8169
- Polish SAML 2.0 Login Sample #8163
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
- Assign sensible default for OAuth2AuthorizedClientProvider #8150
- OpenSamlImplementation should not use reflection #8147
- Allow port=0 for LDAP Servers #8139
- LDAP server configuration should support port=0 #8138
- Use io.spring.gradle-enterprise-conventions #8115
- Replace VersionsResourceTasks with WriteProperties #8114
- Improve Build Performance #8113
- Document OAuth 2.0 Login XML Support #8110
- Fix exception from empty basic auth header token #8109
- Fix typo 'properites' -> 'properties' in documentation #8096
- Document AuthenticationEventPublisher improvements #8081
- Document AuthNRequest POST binding support #8079
- Document AuthNRequest signature support #8078
- Document OAuth 2.0 Resource Server XML Support #8077
- Document Jackson serialization support for OAuth 2.0 Client #8075
- Document OAuth 2.0 Client XML Support #8074
- Document OAuth2Authorization success and failure handlers #8073
- Document OIDC Logout Success Handler Improvements #8072
- Document OAuth 2.0 Authorization Request improvements #8071
- Add OAuth 2.0 Test Support Docs #8050
- Add server request cache that uses cookie #8033
- Basic auth header without user results in exception #7976
- Add RequestRejectedHandler #7052
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
- Idiomatic Kotlin DSL for configuring HTTP security #5558
- SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
- SessionRegistryImpl is not aware of SessionIdChange events. #5438
- SwitchUserFilter vulnerable to CSRF #4183
Bug Fixes
- Fix Javadoc punctuation #8480
- Fixed typos in documentation #8454
- Support update when saving with JdbcOAuth2AuthorizedClientService #8435
- JdbcOAuth2AuthorizedClientService should support update when saving #8425
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
- ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
- Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
- Fix Documentation to Refer to BasicAuthenticationFilter #8414
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
- Fix typo with correct capitalization #8406
- Global ServerSecurityContextRepository ignored by logout #8375
- Fix example in javadoc of FilterChainProxy #8344
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
- Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
- Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
- Make OAuth2ErrorHttpMessageConverter more resilient #8157
- RSocket test should throw AccessDeniedException #8154
- Fix typo in Javadoc of HttpSecurity#csrf() #8130
- Fix Documentation to Refer to BasicAuthenticationFilter #8119
- oauth2Login WebFlux should not auto-redirect for XHR request #8118
- NPE thrown when token response contains a null value #8108
- HttpServletRequest.logout() not functioning #4760
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404
Dependency Upgrades
- Update to aspectj-plugin:4.1.6 #8305
Non-passive
- Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
- SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693
Contributors
We'd like to thank all the contributors who worked on this release!
- @ahrytsiuk
- @pgerhard
- @leonard84
- @20fps
- @antonin-arquey
- @wilkinsona
- @souphorn
- @alan-czajkowski
- @bberto
- @evgeniycheban
- @shazin
- @mengelbrecht
- @evpaassen
- @hotire
- @dadikovi
- @VonUniGE
- @martinnemec3
- @maxtacco
- @jzheaux
- @bigdaz
- @corneliouzbett
- @furti
- @eleftherias
- @zeeshanadnan
- @TJReinert
- @mustafau
- @komuro-hiraku
- @aj-jaswanth
- @stavshamir
- @adamu
- @HomoEfficio