
Releases: spring-projects/spring-security

5.3.10.RELEASE

22 Jun 13:23

⭐ New Features

  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9915

🪲 Bug Fixes

  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9945
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9932
  • Adding filters relative to custom ones is broken #9909
  • SEC-3139: Anonymous authentication token not passed to Controller #9892
  • Clarify quick start section in README #9887
  • RSocket and WebClient with Security refCount: 0 #9872
  • Client credentials not correctly encoded in Basic Auth #9862
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #9850
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9821
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #9808
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9803
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9799
  • docs.af.pivotal.io->docs-ip.spring.io #9687
  • Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #9682
  • WebFlux httpBasic() should match on XHR requests #9664
  • HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9644
  • oauth2Login() generates authorization links for "client_credentials" grant type #9638

5.5.1

21 Jun 19:04
e41360b

⭐ New Features

  • Consider adding a link checker to build #9972
  • Use Job Outputs to Transmit Error #9928
  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9917
  • Combine different OS Build in one CI Job #9798
  • Use GPG_PRIVATE_KEY directly #9778

🪲 Bug Fixes

  • Update links to point to migrated samples #9971
  • Add messaging to documentation about sample migration #9970
  • Fix broken links in docs #9969
  • CORS section is missing in Reactive reference documentation #9952
  • RSocket documentation mentions non-existent class #9950
  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9941
  • Missing log of "caused by" exception when OP document metadata cannot be reached #9939
  • Missing support for private_key_jwt in ClientRegistrations #9936
  • Allow client registration from issuer uri with no authorize_endpoint #9935
  • Missing support for urn:ietf:params:oauth:grant-type:jwt-bearer in ClientRegistrations #9934
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9929
  • Jwt client authentication converter should detect new key #9927
  • Adding filters relative to custom ones is broken #9906
  • SEC-3139: Anonymous authentication token not passed to Controller #9890
  • Clarify quick start section in README #9885
  • RSocket and WebClient with Security refCount: 0 #9870
  • spring-security-config kotlin-stdlib-jdk8 dependency isn't optional #9864
  • Client credentials not correctly encoded in Basic Auth #9858
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #9849
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9819
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #9806
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9805
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9801
  • Fix Build Scan in Build Windows CI Job #9797
  • GitHub Actions only Activated for main #9777
  • Artifactory missing mavenJava publication #9774
  • spring-security-core depends on spring-security-crypto #9773

🔨 Dependency Upgrades

  • Update org.springframework to 5.3.8 #9984
  • Update org.slf4j to 1.7.31 #9983
  • Update org.jetbrains.kotlin to 1.5.10 #9982
  • Update hibernate-entitymanager to 5.4.32.Final #9981
  • Update org.eclipse.jetty to 9.4.42.v20210604 #9980
  • Update io.rsocket to 1.1.1 #9979
  • Remove commons-codec constraint #9977
  • Update to OpenSAML 4.1.1 #9976
  • Update to nimbus-jose-jwt 9.10 #9975
  • Update to oauth2-oidc-sdk 9.9 #9974

5.4.7

21 Jun 18:24
73e6ef2

⭐ New Features

  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9920

🪲 Bug Fixes

  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9942
  • Missing log of "caused by" exception when OP document metadata cannot be reached #9940
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #9930
  • Adding filters relative to custom ones is broken #9908
  • SEC-3139: Anonymous authentication token not passed to Controller #9891
  • Clarify quick start section in README #9886
  • RSocket and WebClient with Security refCount: 0 #9871
  • Client credentials not correctly encoded in Basic Auth #9861
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #9848
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9820
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #9807
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9802
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #9800
  • docs.af.pivotal.io->docs-ip.spring.io #9686
  • Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #9681
  • NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #9674
  • WebFlux httpBasic() should match on XHR requests #9662
  • HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9643
  • oauth2Login() generates authorization links for "client_credentials" grant type #9637

5.2.11.RELEASE

21 Jun 17:56

⭐ New Features

  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #9921

🪲 Bug Fixes

  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #9948
  • Adding filters relative to custom ones is broken #9910
  • SEC-3139: Anonymous authentication token not passed to Controller #9893
  • Clarify quick start section in README #9888
  • RSocket and WebClient with Security refCount: 0 #9873
  • URL encode client credentials #9866
  • Client credentials not correctly encoded in Basic Auth #9863
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #9851
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #9809
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9804
  • docs.af.pivotal.io->docs-ip.spring.io #9688
  • WebFlux httpBasic() should match on XHR requests #9665
  • HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #9645
  • oauth2Login() generates authorization links for "client_credentials" grant type #9639

🔨 Dependency Upgrades

  • Update to Spring LDAP Core 2.3.4.RELEASE #9968
  • Update to org.slf4j 1.7.31 #9967
  • Update to HSQLDB 2.5.2 #9966
  • Update to hibernate-entitymanager 5.4.32.Final #9965
  • Update to Jetty 9.4.42.v20210604 #9964
  • Update to embedded Apache Tomcat 9.0.48 #9963
  • Update to embedded Tomcat websocket 8.5.68 #9962
  • Update ehcache to 2.10.9.2 #9961
  • Update to jaxb-impl 2.3.4 #9960
  • Update to RSocket 1.0.5 #9959
  • Update to Spring Framework 5.2.15.RELEASE #9958
  • Update to Reactor Dysprosium-SR20 #9957
  • Upgrade to nohttp 0.0.8 #9956

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.5.0

18 May 06:08

⭐ New Features

  • Configure user name used for Gradle CI builds #9747
  • HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
  • Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
  • Restore Dependency Constraints for commons-codec and commons-logging #8836
  • Stop CI Jobs on Forks #9717
  • Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #9730

🔨 Dependency Upgrades

  • Update io.projectreactor to 2020.0.7 #9750
  • Update io.spring.nohttp to 0.0.8 #9753
  • Update org.springframework to 5.3.7 #9754
  • Update org.springframework.data to 2021.0.1 #9755
  • Update r2dbc-spi-test to 0.8.5.RELEASE #9752
  • Update spring-ldap-core to 2.3.4.RELEASE #9756
  • Update to com.gradle.enterprise 3.6.1 #9764
  • Update to Gradle 6.9 #9758
  • Update to Kotlin 1.5.0 #9763

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.5.0-RC2

03 May 20:32

⏪ Breaking Changes

  • Rename DelegatingAuthorizationManager to RequestMatcherDelegatingAuthorizationManager #9692
  • Inline ResourceKeyConverterAdapter #9689

⭐ New Features

  • Add Ability to Exclude Minor Version Bump #9709
  • Add Task to Check if All Issues in GitHub Milestone are closed #9693
  • rename master->main #9683
  • Make Csrf cookie secure flag configurable (WebFlux) #9679
  • Make the cookie secure flag configurable in CookieServerCsrfTokenRepository #9678
  • Add RELEASE.adoc #9627

🔨 Dependency Upgrades

  • Update ehcache to 2.10.9.2 #9712
  • Update hibernate-entitymanager to 5.4.31.Final #9714
  • Update io.spring.javaformat to 0.0.28 #9710
  • Update io.spring.nohttp to 0.0.7 #9711
  • Update MockK to 1.11.0 #9691
  • Update org.eclipse.jetty to 9.4.40.v20210413 #9713
  • Update org.springframework to 5.3.6 #9715
  • Update org.springframework.data to 2021.0.0 #9716

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.5.0-RC1

13 Apr 02:43

⭐ New Features

  • Add Sections to What's New #9596
  • Add AfterMethodAuthorizationManager #9591
  • Add Kotlin DSL section to What's New #9589
  • Add Configuration section to What's New #9588
  • Add coroutine support to pre/post authorize #9586
  • Make OAuth2AuthorizationResponseType constructor public #9584
  • Deprecate OAuth2AuthorizationResponseType.TOKEN #9582
  • Support Create/Delete Release on spring.io #9577
  • Update to commons-codec 1.15 #9575
  • Fix deprecation warnings in DocsPlugin #9547
  • Fix deprecation warnings for SchemaZipPlugin #9546
  • Use Checkstyle.configDirectory #9545
  • Re-enable Gradle dependency cache #9544
  • Use Gradle Constraints + platform instead of DependencyManagementPlugin #9541
  • Use new api/implementation configurations #9540
  • Extract Build Conventions to buildSrc #9539
  • Update javadoc for AesBytesEncryptor constructors #9536
  • Add jwt-bearer authorization grant #9535
  • Change build to use GPG_PRIVATE_KEY_NO_HEADER #9531
  • Update ComparableVersion to version from Maven 3.6.3 #9521
  • Add Jwt Client Authentication support #9520
  • Add javadoc at constructors. #9518
  • Add Saml2MessageBinding#from #9515
  • Test method in PasswordOAuth2AuthorizedClientProviderTests has incorrect setup of token expiry #9506
  • Upgrade to Gradle 6.8.2 #9458
  • Update Spring Security build to require JDK 11 #9419
  • Add JavaDoc to AesBytesEncryptor #9361
  • Add OpenSAML 4 support #9267
  • Add OpenSaml 4 support #9095
  • Support JWT for Client Authentication #8175
  • Make EnableReactiveMethodSecurity compatible with Kotlin Coroutines #8143
  • Support JWT as an Authorization Grant for client #6053

🪲 Bug Fixes

  • Fix package tangle in Resource Server #9576
  • Add package-list #9562
  • Add null check in CsrfFilter and CsrfWebFilter #9561
  • Fix javadoc in crypto/encrypt/Encryptors.java #9537
  • Fix Javadoc errors in spring-security-saml2-service-provider #9530
  • @Order annotations cannot be used with @Bean methods #9154

🔨 Dependency Upgrades

  • Update htmlunit-driver to 2.49.1 #9624
  • Update htmlunit to 2.49.1 #9623
  • Update io.spring.nohttp to 0.0.6.RELEASE #9622
  • Update reactor-netty to 1.0.6 #9621
  • Update io.projectreactor to 2020.0.6 #9620
  • Update com.nimbusds to 9.3.3 #9619
  • Update jackson-datatype-jsr310 to 2.12.3 #9618
  • Update jackson-databind to 2.12.3 #9617
  • Update jackson-bom to 2.12.3 #9616
  • Update spring-data-bom to 2020.0.7 #9574
  • Update mockito-core to 3.9.0 #9573
  • Update hsqldb to 2.6.0 #9572
  • Update blockhound to 1.0.6.RELEASE #9571
  • Update aspectj-plugin to 5.3.3.3 #9570
  • Update com.nimbusds to 9.3.1 #9569
  • Update org.jetbrains.kotlin to 1.4.32 #9555
  • Update nohttp-checkstyle to 0.0.5.RELEASE #9554
  • Update io.spring.javaformat to 0.0.27 #9553
  • Update spring-doc-resources to 0.2.5 #9552
  • Update r2dbc-spi-test to 0.8.4.RELEASE #9551
  • Update aspectj-plugin to 5.3.0 #9550

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.4.6

12 Apr 19:18

🪲 Bug Fixes

  • Add null check in CsrfFilter and CsrfWebFilter #9592
  • @Order annotations cannot be used with @Bean methods #9517

🔨 Dependency Upgrades

  • Update to Spring Boot 2.4.4 #9613

5.3.9.RELEASE

12 Apr 19:40

🪲 Bug Fixes

  • Add null check in CsrfFilter and CsrfWebFilter #9593

🔨 Dependency Upgrades

  • Update to Spring Boot 2.2.13 #9614

5.2.10.RELEASE

12 Apr 17:08

🪲 Bug Fixes

  • Add null check in CsrfFilter and CsrfWebFilter #9594

🔨 Dependency Upgrades

  • Update to nohttp 0.0.6.RELEASE #9609
  • Update to GAE 1.9.88 #9608
  • Update to OpenSAML 3.4.6 #9607
  • Update to hibernate-entitymanager 5.4.30.Final #9606
  • Update to Groovy 2.4.21 #9605
  • Update to embedded Apache Tomcat 9.0.45 #9604
  • Update blockhound to 1.0.6.RELEASE #9603
  • Update to RSocket 1.0.4 #9602
  • Update to Spring Data Moore-SR13 #9601
  • Update to Spring Framework 5.2.13.RELEASE #9600
  • Update to Reactor Dysprosium-SR18 #9599