Spring Security/CHANGELOG and Spring Security Releases (Page 4)

All Versions

Latest Version

5.5.0-M1

Avg Release Cycle

47 days

Latest Release

875 days ago

Changelog History

Page 3

v5.2.4.RELEASE Changes
May 06, 2020
🍱 ⭐ New Features
- 🔒 SAML Authentication Provider assertions #8495
- 🔒 BCryptPasswordEncoder.encode() throws NPE #8346
🍱 🐞 Bug Fixes
- 🛠 Fix Javadoc punctuation #8494
- ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8438
- 🔒 SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8430
- 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8426
- 🛠 Fix typo with correct capitalization #8409
- 🔒 Global ServerSecurityContextRepository ignored by logout #8386
- 🛠 Fix example in javadoc of FilterChainProxy #8352
- 🛠 Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8338
- 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8312
⬆️ 🔨 Dependency Upgrades
- ⚡️ Update to Byte Buddy 1.9.16 #8481
- 🔒 Upgrade to embedded Apache Tomcat 9.0.34 #8469
- ⚡️ Update RSocket to 1.0.0-RC7 #8468
- ⚡️ Update to GAE 1.9.80 #8467
- ⚡️ Update to Jackson 2.10.4 #8466
- ⚡️ Update to org.powermock 2.0.7 #8465
- ⚡️ Update to Reactor Dysprosium-SR7 #8464
- 🚀 Update to Spring Framework 5.2.6.RELEASE #8463
- ⚡️ Update to Spring Data Moore-SR7 #8462
v5.2.3.RELEASE Changes
April 01, 2020
🍱 ⭐️ New Features
- 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8240
- 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
- 🔒 SwitchUserFilter vulnerable to CSRF #8223
- 📚 Update Encryptors documentation for standard and stronger #8212
- 🔒 Getting OAuth2AuthenticationException when Bearer token is empty #8207
- 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
- 🔒 Basic auth header without user results in exception #8123
- 📚 Typo 'properites' -> 'properties' in documentation #8099
🍱 🐞 Bug Fixes
- ⚡️ Update tests to use absolute paths #8260
- 🔒 HttpServletRequest.logout() not functioning #8241
- 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
- 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8202
- 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8180
- 🔒 RSocket test should throw AccessDeniedException #8155
- 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8137
- 🔒 Empty RelayState causes errors with ADFS #8070
- 🛠 Fix typo in AntPathRequestMatcher contructor comment #8045
- 🔒 An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
- 🔒 OAuth2 access token response parsing fails with nested JSON object #8021
- 🛠 Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #7969
- 🔒 OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
- 🔒 OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
- 🔒 Query parameters in authorization-url are double-encoded #7960
- 🔒 Don't force downcasting of RequestAttributes to ServletRequestAttributes #7959
- 🔒 ClassCastException for ServletRequestAttributes #7958
⬆️ 🔨 Dependency Upgrades
- ⚡️ Update RSocket to 1.0.0-RC6 #8280
- ⚡️ Update to reactive-streams 1.0.3 #8279
- ⚡️ Update to OpenSAML 3.4.5 #8278
- ⚡️ Update to hibernate-entitymanager 5.4.13.Final #8277
- ⚡️ Update to hibernate-core 5.2.18.Final #8276
- 🚀 Update blockhound to 1.0.3.RELEASE #8275
- ⚡️ Update to unboundid-ldapsdk 4.0.14 #8274
- ⚡️ Update to okhttp 3.14.7 #8259
- ⚡️ Update to Jackson 2.10.3 #8258
- ⚡️ Update to mockwebserver 3.14.7 #8257
- ⚡️ Update to org.powermock 2.0.6 #8255
- 🔒 Upgrade to embedded Apache Tomcat 9.0.33 #8254
- ⚡️ Update to httpclient 4.5.12 #8253
- 🚀 Update to Spring Boot 2.2.6.RELEASE #8252
- ⚡️ Update to GAE 1.9.79 #8251
- ⚡️ Update to Reactor Dysprosium-SR6 #8250
- ⚡️ Update to Spring Framework 5.2.5 #8249
- ⚡️ Update to Spring Data Moore-SR6 #8248
- ⚡️ Update to Jetty 9.4.22.v20191022 #7507
v5.2.2.RELEASE Changes
February 05, 2020
🍱 ⭐️ New Features
- 🔒 Don't cache requests with Accept: text/event-stream by default. #7744
- 🔒 Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7717
- ✂ Remove redundant validation for redirect-uri #7707
- 💅 Polish oauth2-client Error-handling Tests #7647
- ✂ Remove unnecessary code in SecurityExpressionRoot #7635
- 📚 Extract HTTPS Documentation #7626
- ✂ Remove unnecessary code in SecurityExpressionRoot #7601
- 🔒 Make jwks_uri optional for RFC 8414 and required for OpenID Connect #7573
🍱 🐞 Bug Fixes
- 🔒 Form login requiresAuthenticationMatcher is not used in WebFlux #7867
- 🔒 Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7866
- 🔒 BasicAuthenticationFilter ignores credentials charset #7859
- 🔒 Default LDIF file not picked up in LDAP "unboundid" mode #7852
- 📚 Incorrect LDIF file example in LDAP documentation #7849
- 🔒 Use the custom ServerRequestCache that the user configures #7753
- 🔒 RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7751
- 🔒 Disabling logout in WebFlux does nothing #7742
- 🔒 Saml2Authentication isn't serializable #7739
- 📄 Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7738
- 🔒 CompositeServerHttpHeadersWriter Should Execute Sequentially #7732
- 🔒 DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7729
- 🔒 DelegatingServerLogoutHandler Should Execute Sequentially #7725
- 🔒 WebFlux oauth2Login returns 500 when bad client credentials #7703
- 🔒 Correctly configure authorization requests repository for OAuth2 login #7690
- 🔒 Correctly configure authorization requests repository for OAuth2 login #7689
- 🔒 DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7684
- ⚡️ Update @MessageMapping to match input/output cardinality #7669
- ➕ Add http and https spring.schema mappings #7623
- 🔒 Avoid toString in favor of getName in order to extract sid #6354
⬆️ 🔨 Dependency Upgrades
- ⚡️ Update to Spring Boot 2.2.4 #7909
- ⚡️ Update to org.slf4j 1.7.30 #7908
- ⚡️ Update to org.powermock 2.0.5 #7907
- ⚡️ Update to hibernate-validator 6.1.2.Final #7906
- ⚡️ Update to hibernate-entitymanager 5.4.10.Final #7905
- ⚡️ Update to org.aspectj 1.9.5 #7904
- ⚡️ Update to httpclient 4.5.11 #7903
- ⚡️ Update to commons-codec 1.14 #7899
- ⚡️ Update to com.squareup.okhttp3 3.14.6 #7898
- ⚡️ Update to Jackson 2.10.2 #7897
- ⚡️ Update to Reactor Dysprosium SR4 #7896
- ⚡️ Update to Spring Data Moore SR3 #7895
- ⚡️ Update to Spring Framework 5.2.3 #7894
- ⚡️ Update nimbus-jose-jwt because of CVE-2019-17195 #7570
🍱 ❤️ Contributors

🚀 We'd like to thank all the contributors who worked on this release!
- @rhamedy
- @Atry
- @fhanik
- @quaff
- @joshiste
- @eleftherias
- @LeeHainie
v5.2.1.RELEASE Changes
November 04, 2019
🍱 ⭐️ New Features
- 🛠 Fix variable reference in sample code #7571
- 🔒 spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #7565
- ➕ Add Resource Server Multi-tenancy Documentation #7532
- ⚡️ Update SAML sample to use boot auto config #7521
- ➕ Add Reactive CSRF Documentation #6487
🍱 🐞 Bug Fixes
- 🔒 Restore Removed Throws Clauses #7580
- 🔒 CsrfWebFilter should handle multipart/form-data #7576
- 🔒 Make saveAuthorizedClient save the authorized client #7551
- 🔒 DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #7546
- 🔒 throws Exception was removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #7541
- 🔒 SAML2 Provider SubjectConfirmation validation failure #7514
- 🔒 SAML2 Provider AuthNRequest Hardcoded Protocol Binding #7513
- 🔒 Clock skew to check access token expiration has wrong sign #7511
⬆️ 🔨 Dependency Upgrades
- 🚀 Upgrade to Spring Boot 2.2.0.RELEASE #7566
🍱 ❤️ Contributors

🚀 We'd like to thank all the contributors who worked on this release!
- @fhanik
- @mftruso
- @jzheaux
- @philsttr
- @rweisleder
- @ramonPires
v5.2.0.RELEASE
September 30, 2019
v5.2.0.RC1 Changes
September 06, 2019
🍱 ⭐️ New Features
- ➕ Add attributes Consumer to OAuth2AuthorizationContext #7385
- 👌 Improve DefaultReactiveOAuth2UserService handling IOException #7370
- ➕ Add RSocket Support #7360
- 💅 Polish Server|ServletBearerExchangeFilterFunction #7355
- 🔨 Refactor Servlet/Server BearerExchangeFilterFunction #7353
- 🔒 OAuth2AuthorizeRequest supports attributes #7352
- 🔒 Grant Individual Authorities From Claims #7351
- 🔒 DefaultOAuth2AuthorizedClientManager and DefaultServerOAuth2AuthorizedClientManager Alignment #7350
- 🔒 Align Servlet ClearSiteData expression of directives #7347
- ➕ Add Adapter to Translate Jwt to BearerTokenAuthentication #7346
- 🔒 Opaque Token Introspector should return an Authenticated Principal #7345
- 🔒 Opaque Token Introspection Strategy Flexibility #7344
- ➕ Add BearerTokenAuthentication #7343
- ➕ Add OAuth2AuthenticatedPrincipal #7342
- 🔒 OAuth2AuthorizeRequest supports attributes #7341
- 🔒 DefaultOAuth2UserService should extract authorities #7339
- 🔒 InMemoryReactiveClientRegistrationRepository should check for duplicates #7338
- ➕ Add Servlet and ServerBearerExchangeFilterFunction #7330
- ⚡️ Update to Gradle 5.6.1 #7323
- 🔒 Simplify and improve the buildSrc gradle plugin #7302
- ⚡️ Update to Gradle 5.6 #7300
- ➕ Add Catalan localization messages #7288
- ➕ Add Catalan localization messages #7287
- 🔒 Resource Server should support WebClient Bearer Token propagation #7284
- 🔒 Sample should use UserDetailsService bean instead of configureGlobal method #7283
- 🔒 Mock Jwt Test Samples #7278
- 👍 Allow to set default securityContextRepository for each authenticatio… #7275
- 🔒 Resource Server Multi-tenancy Sample Should Manage Its Own Jwt Decoder #7272
- ➕ Add setter for authorities claim name in JwtGrantedAuthoritiesConverter #7271
- 🔒 Jwk Set Uri Nimbus Jwt Decoder builders should take SignatureAlgorithm #7270
- ➕ Add setContentLengthLong detection to OnCommittedResponseWrapper. #7264
- 🔒 Consolidate shared code between JwtDecoders and ReactiveJwtDecoders #7263
- ✂ Remove MultiTenantAuthenticationManagerResolver #7259
- ➕ Add setter for authority prefix in JwtGrantedAuthoritiesConverter #7256
- 🔒 Prevent IntelliJ IDEA from generating spaces for indentation #7253
- 🔒 TokenBasedRememberMeServices.processAutoLoginCookie (TokenBasedRememberMeServices.java:134) java.lang.NullPointerException #7251
- 🔒 Authentication Mechanisms Should Default their ServerSecurityContextRepository #7249
- 🔒 Rename OAuth2TokenIntrospectionClient #7246
- 🔒 Consider renaming OAuth2TokenIntrospectionClient #7245
- ➕ Add OAuth2LoginSpec#securityContextRepository #7244
- 💅 Cleanup Code Style Issues #7238
- ➕ Add Checkstyle configuration for IntelliJ IDEA #7237
- 🔒 Expose getPort in ApacheDsContainer #7236
- 🔒 OAuth2LoginConfigurer should discover OAuth2UserService beans #7232
- 🔒 Make ldap integration tests independent #7231
- ✂ Remove unused imports #7229
- 🔒 ServerHttpSecurity: oauth2Login() ignores securityContextRepository() #7222
- 🔒 Use the 'io.freefair.aspectj' gradle plugin #7183
- ➕ Add RequestMatcher.matcher(HttpServletRequest) #7172
- 🔒 ignore Multipart requests in HttpSessionRequestCache.requestMatcher #7167
- ➕ Add test examples for Oauth2 Resource Server sample #7159
- ➕ Add unbounid support in xml #7149
- 🔒 OAuth2AuthorizedClientManager implementation works outside of request #7122
- 👌 Improve OAuth2 Resource Server tests #7118
- 🔒 Introduce Reactive OAuth2AuthorizedClient Manager/Provider #7116
- 👍 Allow configurable Clock in OAuth2AuthorizedClientProvider impls #7114
- 🔒 JwtGrantedAuthoritiesConverter should allow configuring the authority prefix #7101
- 🔒 JwtGrantedAuthoritiesConverter should allow configuring the authorities claim name #7100
- ➕ Add authenticationFailureHandler method in OAuth2LoginSpec #7071
- 🔒 v5.2.0.M3 docs contain Deprecated example code #7062
- 🔒 Multipartfile request with no authentication is still consumed even after an AccessDeniedException is thrown #7060
- ➕ Add OAuth2LoginSpec.authenticationFailureHandler #7051
- ➕ Add Argon2PasswordEncoder #7045
- 🛠 Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7026
- ➕ Add support for Resource Owner Password Credentials grant #7013
- 🔒 Jwt decoding should support multiple algorithms #6883
- 💅 Polish Resource Server DSL Error Messaging #6876
- ✂ Remove Invalid WebMvcConfigurer from Sample Documentation #6822
- 🔒 Align code in oauth2-client extensions for WebClient #6811
- 🔒 OAuth2 Client Credentials Flow: Getting access tokens in the service/data tier #6780
- 🔒 Provide Servlet equivalent of UnAuthenticatedServerOAuth2AuthorizedClientRepository #6683
- 🔒 Spring Boot + spring-security-oauth2-resource-server should not throw a ClassNotFoundException once it supports more than one token format #6209
- 👌 Support Resource Owner Password Credentials grant #6003
- ➕ Add Argon2PasswordEncoder #5354
- ➕ Add BearerExchangeFilterFunction #5334
🍱 🐞 Bug Fixes
- ✂ Remove package tangle in headers #7380
- ✂ Remove OAuth2AuthorizationRequest when a distributed session is used #7334
- 🔒 OAuth2AuthorizationRequest not removed from session #7327
- 🔒 Use ConcurrentHashMap in InMemoryReactiveClientRegistrationRepository #7308
- 🛠 fix footnotes markup #7305
- ➕ add media type jwk-set+json to accept header #7304
- 🔒 InMemoryReactiveClientRegistrationRepository should not use ConcurrentReferenceHashMap #7299
- 🛠 Fix WebClient Memory Leaks #7293
- 🔒 NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7290
- 🛠 Fix typo in docs #7277
- 🛠 Fix UserDetailsPasswordService JavaDoc #7266
- 🔒 Ensure filter order is maintained when using springSecurity() along with other filters #7265
- 🔒 OnCommittedResponseWrapper fails on static resources served by Tomcat 8.5 #7261
- 🔒 Expire as many sessions as exceed maximum allowed #7258
- 🔒 Use UTF-8 for compilation #7254
- 🛠 Fix NPE in RequestContextSubscriber #7235
- 🔒 RequestContextSubscriber could put null value in Reactor Context #7228
- 🛠 Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7181
- 🔒 SessionRegistryImpl uses Map.compute #7178
- 🔒 SessionAuthenticationStrategy make HttpSecurity.sessionManagement().maximumSessions(1) unavailability #7166
- 📚 Misleading documentation for websocket security #4845
- 🔒 SEC-2980: Possible race condition in SessionRegistryImpl #3189
- 🔒 SEC-2971: Footnotes are messed up in online docs #3180
⬆️ 🔨 Dependency Upgrades
- ⚡️ Update to Gretty 2.3.1 #7389
- ⚡️ Update to OpenSaml 3.3.1 #7388
- ⚡️ Update to cglib 3.3.0 #7387
- ⚡️ Update to Spring Data Moore RC3 #7386
- ⚡️ Update to Spring Framework 5.2.0.RC2 #7371
- ⚡️ Update to Spring Boot 2.2.0.M5 #7320
- ⚡️ Update to org.seleniumhq.selenium:htmlunit-driver 2.36.0 #7319
- ⚡️ Update to hibernate-entitymanager 5.4.4.Final #7318
- ⚡️ Update to net.sourceforge.htmlunit:htmlunit 2.36.0 #7317
- ⚡️ Update to commons-codec 1.13 #7316
- ⚡️ Update to nimbus-jose-jwt 7.8 #7315
- ⚡️ Update to GAE 1.9.76 #7314
🍱 ❤️ Contributors

🚀 We'd like to thank all the contributors who worked on this release!
- @kostya05983
- @ilgrosso
- @simmac
- @robotmrv
- @jzheaux
- @jgrandja
- @adamzimny
- @michael-simons
- @eleftherias
- @aaguilera
- @AndreasKl
- @BoukeNijhuis
- @fhanik
- @danielwegener
- @larsgrefer
- @eberttc
- @eddumelendez
- @henriquels25
- @mahaker
- @a-sayyed
- @jeffrey-easyesi
- @andifalk
v5.2.0.M4
August 05, 2019
v5.2.0.M3
June 14, 2019
v5.2.0.M2
April 15, 2019
v5.2.0.M1
January 16, 2019

Spring Security changelog

Spring Security

Changelog History Page 3

v5.2.4.RELEASE Changes

🍱 ⭐ New Features

🍱 🐞 Bug Fixes

⬆️ 🔨 Dependency Upgrades

v5.2.3.RELEASE Changes

🍱 ⭐️ New Features

🍱 🐞 Bug Fixes

⬆️ 🔨 Dependency Upgrades

v5.2.2.RELEASE Changes

🍱 ⭐️ New Features

🍱 🐞 Bug Fixes

⬆️ 🔨 Dependency Upgrades

🍱 ❤️ Contributors

v5.2.1.RELEASE Changes

🍱 ⭐️ New Features

🍱 🐞 Bug Fixes

⬆️ 🔨 Dependency Upgrades

🍱 ❤️ Contributors

v5.2.0.RELEASE

v5.2.0.RC1 Changes

🍱 ⭐️ New Features

🍱 🐞 Bug Fixes

⬆️ 🔨 Dependency Upgrades

🍱 ❤️ Contributors

v5.2.0.M4

v5.2.0.M3

v5.2.0.M2

v5.2.0.M1

Changelog History

Page 3