Spring Security v5.4.0-M1 Release Notes

Release Date: 2020-05-06
    🍱 ⭐ New Features

    • 🔒 Jenkins does not need to build on JDK 9 and 10 #8482
    • 🔒 Upgrade Freefair AspectJ plugin to v5.0.1 #8456
    • 🔒 AesBytesEncryptor constructor that uses secret key #8443
    • 🔒 Rename Preface to Introduction #8411
    • 🔒 TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
    • 🔒 Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
    • 👍 Allow creating AesBytesEncryptor with key #8402
    • ➕ Add Flag to enable searching of LDAP groups on subtrees #8400
    • 🔒 Documented dependencies for opaque Resource Server #8394
    • 👍 Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
    • 🔒 Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356 #8364
    • ➕ Add constructors receiving AuthenticationManager #8362
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
    • 🔒 Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
    • 🔒 Validate ID Token Issuer #8357
    • 🔒 Saml2AuthenticationRequestContext should be extendible #8356
    • ➕ Add authorize() DSL method that accepts HttpMethod #8350
    • 👍 Allow custom header during bearer token extraction #8341
    • 👍 Allow specify header in ServerBearerTokenAuthenticationConverter #8337
    • 🔒 Provide possibility to use custom cache to store JWK Set #8332
    • ➕ Adding Map support to DefaultMethodSecurityExpressionHandler #8331
    • 🔒 BCryptPasswordEncoder rawPassword cannot be null #8330
    • 👍 Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
    • 🔒 Open ID Connect ID Token Issuer not validated #8321
    • ➕ Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
    • ➕ Added setPrincipalClaimName to JwtAuthenticationConverter #8318
    • 🔒 BCryptPasswordEncoder.encode() throws NPE #8317
    • 🔒 HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
    • 🔒 AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8233
    • 🔒 Clarify use case for ServerBearerExchangeFilterFunction #8220
    • 📚 Update Encryptors documentation for standard and stronger #8208
    • 🔒 Upgrade to Gradle Enterprise Plugin 3.2 #8205
    • ➕ Add Figures to Resource Server Docs #8184
    • ➕ Add Figures to Resource Server Docs #8182
    • 🔒 Document JwtGrantedAuthoritiesConverter #8176
    • 🛠 Fix userNameAttribute property case style #8171
    • 💅 userNameAttribute case style is different others #8169
    • 💅 Polish SAML 2.0 Login Sample #8163
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
    • 🔒 Assign sensible default for OAuth2AuthorizedClientProvider #8150
    • 🔒 OpenSamlImplementation should not use reflection #8147
    • 👍 Allow port=0 for LDAP Servers #8139
    • 🔒 LDAP server configuration should support port=0 #8138
    • 🔒 Use io.spring.gradle-enterprise-conventions #8115
    • 🔒 Replace VersionsResourceTasks with WriteProperties #8114
    • 👌 Improve Build Performance #8113
    • 🔒 Document OAuth 2.0 Login XML Support #8110
    • 🛠 Fix exception from empty basic auth header token #8109
    • 🛠 Fix typo 'properites' -> 'properties' in documentation #8096
    • 🔒 Document AuthenticationEventPublisher improvements #8081
    • 🔒 Document AuthNRequest POST binding support #8079
    • 🔒 Document AuthNRequest signature support #8078
    • 🔒 Document OAuth 2.0 Resource Server XML Support #8077
    • 🔒 Document Jackson serialization support for OAuth 2.0 Client #8075
    • 🔒 Document OAuth 2.0 Client XML Support #8074
    • 🔒 Document OAuth2Authorization success and failure handlers #8073
    • 🔒 Document OIDC Logout Success Handler Improvements #8072
    • 🔒 Document OAuth 2.0 Authorization Request improvements #8071
    • ➕ Add OAuth 2.0 Test Support Docs #8050
    • ➕ Add server request cache that uses cookie #8033
    • 🔒 Basic auth header without user results in exception #7976
    • ➕ Add RequestRejectedHandler #7052
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
    • 🔒 Idiomatic Kotlin DSL for configuring HTTP security #5558
    • 🔒 SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
    • 🔒 SessionRegistryImpl is not aware of SessionIdChange events. #5438
    • 🔒 SwitchUserFilter vulnerable to CSRF #4183

    🍱 🐞 Bug Fixes

    • 🛠 Fix Javadoc punctuation #8480
    • 🛠 Fixed typos in documentation #8454
    • 👌 Support update when saving with JdbcOAuth2AuthorizedClientService #8435
    • ⚡️ JdbcOAuth2AuthorizedClientService should support update when saving #8425
    • 🔒 OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
    • 🔒 ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
    • 🛠 Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8414
    • ➕ Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
    • 🛠 Fix typo with correct capitalization #8406
    • 🔒 Global ServerSecurityContextRepository ignored by logout #8375
    • 🛠 Fix example in javadoc of FilterChainProxy #8344
    • 🛠 Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
    • 🛠 Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
    • 🛠 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8157
    • 🔒 RSocket test should throw AccessDeniedException #8154
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8130
    • 🛠 Fix Documentation to Refer to BasicAuthenticationFilter #8119
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8118
    • 🔒 NPE thrown when token response contains a null value #8108
    • 🔒 HttpServletRequest.logout() not functioning #4760
    • 🔒 Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

    ⬆️ 🔨 Dependency Upgrades

    • ⚡️ Update to aspectj-plugin:4.1.6 #8305

    🍱 ⏪ Non-passive

    • 🔒 Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
    • 🔒 SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!

Previous changes from v5.3.1.RELEASE

    🍱 ⭐️ New Features

    • 🔒 SpringTestContext returns ConfigurableWebApplicationContext #8237
    • 🔒 OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8234
    • 🔒 SwitchUserFilter vulnerable to CSRF #8222
    • 🔒 Clarify use case for ServerBearerExchangeFilterFunction #8221
    • 📚 Update Encryptors documentation for standard and stronger #8211
    • 🔒 Document JwtGrantedAuthoritiesConverter #8183
    • 💅 userNameAttribute case style is different others #8179
    • 🔒 Document AuthNRequest POST binding support #8165
    • 💅 Polish SAML 2.0 Login Sample #8164
    • 🔒 OpenSamlImplementation should not use reflection #8161
    • 🔒 Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8153
    • 🔒 Assign sensible default for OAuth2AuthorizedClientProvider #8151
    • 🔒 Document OAuth2Authorization success and failure handlers #8146
    • 🔒 Document Jackson serialization support for OAuth 2.0 Client #8145
    • 🔒 Document OAuth 2.0 Authorization Request improvements #8133
    • 🔒 Document OAuth 2.0 Login XML Support #8132
    • 🔒 Document OAuth 2.0 Client XML Support #8131
    • 🔒 Basic auth header without user results in exception #8122
    • 🔒 Document AuthenticationEventPublisher improvements #8103
    • 📚 Typo 'properites' -> 'properties' in documentation #8098
    • 🔒 Document OAuth 2.0 Resource Server XML Support #8094
    • 🔒 Provide spring-security-5*.xsd for https://www.springframework.org/schema/security/ #8091
    • 🔒 Document OIDC Logout Success Handler Improvements #8088
    • ➕ Add OAuth 2.0 Test Support Docs #8087
    • ⚡️ Update test to have comment about secure salt length #8084
    • 🔒 Document JwtClaimValidator #8076

    🍱 🐞 Bug Fixes

    • 🔒 HttpServletRequest.logout() not functioning #8238
    • 🔒 OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8209
    • 🔒 oauth2Login WebFlux should not auto-redirect for XHR request #8201
    • 🛠 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8178
    • 🔒 RSocket test should throw AccessDeniedException #8160
    • 🔒 Make OAuth2ErrorHttpMessageConverter more resilient #8158
    • 🛠 Fix typo in Javadoc of HttpSecurity#csrf() #8134
    • 🔒 NPE thrown when token response contains a null value #8121
    • 🔒 Google's top result for "Spring Security Reference" returns a 404 #8086
    • 📚 5.3.0 Documentation What's New has some broken links #8069

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!