Spring Security v5.3.0.M1 Release Notes

Release Date: 2020-01-08
    🍱 ⭐️ New Features

    • 👍 Allow disabling dependency locking #7799
    • 🔒 Build task "snapshots" should not use locked dependencies #7798
    • ➕ Add oauth2Login MockMvc Test Support #7789
    • 🔒 Manage Versions using Version Locking #7788
    • 🔒 Use Gradle Platform / Constraints #7787
    • 🔒 Idiomatic Kotlin DSL for configuring HTTP security in servlet based applications #7785
    • 🛠 Fix description of PasswordEncoder #7784
    • 🛠 Fix unchecked assignment and possible NPE #7773
    • 🔒 Resolve JavaType only once for whitelisted class #7755
    • 🔒 Set secure when cancelling remember-me cookie #7726
    • ➕ Add JwtIssuerAuthenticationManagerResolver #7724
    • ➕ Add opaque token test support #7712
    • ✂ Remove redundant validation for redirect-uri #7706
    • 🔒 Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7702
    • 🔒 Enable AuthenticationManager configuration in saml2Login #7693
    • 📚 Incomplete Documentation for Setting Up MockMvc and Spring Security #7688
    • ➕ Add Oidc Login Reactive Test Support #7680
    • ✂ Remove consecutive-word duplications in Javadocs #7673
    • 🛠 Fix InitializeAuthenticationProviderBeanManagerConfigurer Javadoc #7666
    • 🛠 Fix minor typo in HttpSecurity documentation #7663
    • 🔒 Check BCrypt hashed value of a byte array #7661
    • 👍 Allow configuring authenticationManagerResolver for SAML2 #7654
    • ➕ Add oidcLogin MockMvc Test Support #7618
    • ➕ Add OidcUserInfo.Builder #7593
    • ➕ Add OidcIdToken.Builder #7592
    • 🔒 Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7569
    • 🔒 Specify return type in InitializeUserDetailsBeanManagerConfigurer method Javadoc #7557
    • 🔒 In Test @AuthenticationPrincipal is null because ServerWebExchange is not wrapped #6598
    • 🔒 Make MethodSecurityEvaluationContext Delegates to MethodBasedEvaluationContext #6249
    • 🔒 Override the key to avoid CookieTheftException #5509
    • ➕ Add resource server support for multiple trusted JWT access token issuers #5385
    • 🔒 RememberMeConfigurer does not use the key from RememberMeServices #4140
    • 🔒 Option in BasicAuthenticationFilter to log more exception info #3308

    🍱 🐞 Bug Fixes

    • 🔒 OidcLoginRequestPostProcessor should respect configuration order #7794
    • 🛠 Fix var typo and code readability in resource server documentation #7772
    • 📄 Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7737
    • 🔒 Use the custom ServerRequestCache for Oauth2LoginSpec #7734
    • 🔒 CompositeServerHttpHeadersWriter Should Execute Sequentially #7731
    • 🔒 DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7728
    • 🔒 DelegatingServerLogoutHandler Should Execute Sequentially #7723
    • 🔒 RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7721
    • 🔒 Disabling logout in WebFlux does nothing #7682
    • 🔒 Saml2Authentication isn't serializable #7681
    • 🔒 Correctly configure authorization requests repository for OAuth2 login #7675
    • 🔒 Error in javadoc for oauth2ResourceServer #7670
    • 🔒 DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7544
    • 🔒 WebFlux oauth2Login returns 500 when bad client credentials #5562

    ⬆️ 🔨 Dependency Upgrades

    • 🚀 Update to Spring Boot 2.2.2.RELEASE #7797
    • 🔒 Upgrade com.nimbusds:nimbus-jose-jwt dependency #7720

    🍱 ⏪ Non-passive

    • 🔒 UsernamePasswordAuthenticationTokenDeserializer doesn't deserialize details to correct type #7482

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!


Previous changes from v5.2.1.RELEASE

    🍱 ⭐️ New Features

    • 🛠 Fix variable reference in sample code #7571
    • 🔒 spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #7565
    • ➕ Add Resource Server Multi-tenancy Documentation #7532
    • ⚡️ Update SAML sample to use boot auto config #7521
    • ➕ Add Reactive CSRF Documentation #6487

    🍱 🐞 Bug Fixes

    • 🔒 Restore Removed Throws Clauses #7580
    • 🔒 CsrfWebFilter should handle multipart/form-data #7576
    • 🔒 Make saveAuthorizedClient save the authorized client #7551
    • 🔒 DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #7546
    • 🔒 throws Exception was removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #7541
    • 🔒 SAML2 Provider SubjectConfirmation validation failure #7514
    • 🔒 SAML2 Provider AuthNRequest Hardcoded Protocol Binding #7513
    • 🔒 Clock skew to check access token expiration has wrong sign #7511

    ⬆️ 🔨 Dependency Upgrades

    • 🚀 Upgrade to Spring Boot 2.2.0.RELEASE #7566

    🍱 ❤️ Contributors

    🚀 We'd like to thank all the contributors who worked on this release!