Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.0.17.RELEASE
⭐ New Features
- HTTP Host header attack #8640
🪲 Bug Fixes
- Remove unused field 'digester' in Md4PasswordEncoder #8578
- ACL : AclImpl.hashCode leads to StackOverflowError #8572
- Blocking in WebSessionServerCsrfTokenRepository #8547
- Fix AntPathRequestMatcher Javadoc #8529
- Document NoOpPasswordEncoder will not be removed #8524
- Fix non-standard HTTP method for CsrfWebFilter #8518
🔨 Dependency Upgrades
4.2.17.RELEASE
5.4.0-M1
⭐ New Features
- Jenkins does not need to build on JDK 9 and 10 #8482
- Upgrade Freefair AspectJ plugin to v5.0.1 #8456
- AesBytesEncryptor constructor that uses secret key #8443
- Rename Preface to Introduction #8411
- TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
- Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
- Allow creating AesBytesEncryptor with key #8402
- Add Flag to enable searching of LDAP groups on subtrees #8400
- Documented dependencies for opaque Resource Server #8394
- Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
- Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
- Saml2AuthenticationRequestContext should be extendible #8356 #8364
- Add constructors receiving AuthenticationManager #8362
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
- Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
- Validate ID Token Issuer #8357
- Saml2AuthenticationRequestContext should be extendible #8356
- Add authorize() DSL method that accepts HttpMethod #8350
- Allow custom header during bearer token extraction #8341
- Allow specify header in ServerBearerTokenAuthenticationConverter #8337
- Provide possibility to use custom cache to store JWK Set #8332
- Adding Map support to DefaultMethodSecurityExpressionHandler #8331
- BCryptPasswordEncoder rawPassword cannot be null #8330
- Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
- Open ID Connect ID Token Issuer not validated #8321
- Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
- Added setPrincipalClaimName to JwtAuthenticationConverter #8318
- BCryptPasswordEncoder.encode() throws NPE #8317
- HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
- AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
- SpringTestContext returns ConfigurableWebApplicationContext #8233
- Clarify use case for
ServerBearerExchangeFilterFunction#8220 - Update Encryptors documentation for standard and stronger #8208
- Upgrade to Gradle Enterprise Plugin 3.2 #8205
- Add Figures to Resource Server Docs #8184
- Add Figures to Resource Server Docs #8182
- Document JwtGrantedAuthoritiesConverter #8176
- Fix userNameAttribute property case style #8171
- userNameAttribute case style is different others #8169
- Polish SAML 2.0 Login Sample #8163
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
- Assign sensible default for OAuth2AuthorizedClientProvider #8150
- OpenSamlImplementation should not use reflection #8147
- Allow port=0 for LDAP Servers #8139
- LDAP server configuration should support port=0 #8138
- Use io.spring.gradle-enterprise-conventions #8115
- Replace VersionsResourceTasks with WriteProperties #8114
- Improve Build Performance #8113
- Document OAuth 2.0 Login XML Support #8110
- Fix exception from empty basic auth header token #8109
- Fix typo 'properites' -> 'properties' in documentation #8096
- Document AuthenticationEventPublisher improvements #8081
- Document AuthNRequest POST binding support #8079
- Document AuthNRequest signature support #8078
- Document OAuth 2.0 Resource Server XML Support #8077
- Document Jackson serialization support for OAuth 2.0 Client #8075
- Document OAuth 2.0 Client XML Support #8074
- Document OAuth2Authorization success and failure handlers #8073
- Document OIDC Logout Success Handler Improvements #8072
- Document OAuth 2.0 Authorization Request improvements #8071
- Add OAuth 2.0 Test Support Docs #8050
- Add server request cache that uses cookie #8033
- Basic auth header without user results in exception #7976
- Add RequestRejectedHandler #7052
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
- Idiomatic Kotlin DSL for configuring HTTP security #5558
- SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
- SessionRegistryImpl is not aware of SessionIdChange events. #5438
- SwitchUserFilter vulnerable to CSRF #4183
🪲 Bug Fixes
- Fix Javadoc punctuation #8480
- Fixed typos in documentation #8454
- Support update when saving with JdbcOAuth2AuthorizedClientService #8435
- JdbcOAuth2AuthorizedClientService should support update when saving #8425
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
- ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
- Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
- Fix Documentation to Refer to BasicAuthenticationFilter #8414
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
- Fix typo with correct capitalization [#8406](https://github.com/spring-projects/s...
5.3.2.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8490
- Fixed typos in documentation #8460
- JdbcOAuth2AuthorizedClientService should support update when saving #8448
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8437
- Fix Documentation to Refer to BasicAuthenticationFilter #8423
- Fix typo with correct capitalization #8408
- Global ServerSecurityContextRepository ignored by logout #8385
- Fix example in javadoc of FilterChainProxy #8351
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8311
🔨 Dependency Upgrades
- Update to aspectj-plugin:4.1.6 #8306
5.2.4.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8494
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8438
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8430
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8426
- Fix typo with correct capitalization #8409
- Global ServerSecurityContextRepository ignored by logout #8386
- Fix example in javadoc of FilterChainProxy #8352
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8338
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8312
🔨 Dependency Upgrades
- Update to Byte Buddy 1.9.16 #8481
- Upgrade to embedded Apache Tomcat 9.0.34 #8469
- Update RSocket to 1.0.0-RC7 #8468
- Update to GAE 1.9.80 #8467
- Update to Jackson 2.10.4 #8466
- Update to org.powermock 2.0.7 #8465
- Update to Reactor Dysprosium-SR7 #8464
- Update to Spring Framework 5.2.6.RELEASE #8463
- Update to Spring Data Moore-SR7 #8462
5.1.10.RELEASE
⭐ New Features
- BCryptPasswordEncoder.encode() throws NPE #8347
🪲 Bug Fixes
- Fix Javadoc punctuation #8496
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8440
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8431
- Fix typo with correct capitalization #8410
- Global ServerSecurityContextRepository ignored by logout #8388
- Fix example in javadoc of FilterChainProxy #8353
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8339
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8313
🔨 Dependency Upgrades
5.0.16.RELEASE
⭐ New Features
- BCryptPasswordEncoder.encode() throws NPE #8348
🪲 Bug Fixes
- Fix Javadoc punctuation #8497
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8441
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8432
- Fix example in javadoc of FilterChainProxy #8354
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8340
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8314
🔨 Dependency Upgrades
4.2.16.RELEASE
5.2.3.RELEASE
⏪ Non-passive
- SwitchUserFilter vulnerable to CSRF #8223
⭐ New Features
- SpringTestContext returns ConfigurableWebApplicationContext #8240
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
- Update Encryptors documentation for standard and stronger #8212
- Getting OAuth2AuthenticationException when Bearer token is empty #8207
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
- Basic auth header without user results in exception #8123
- Typo 'properites' -> 'properties' in documentation #8099
🪲 Bug Fixes
- Update tests to use absolute paths #8260
- HttpServletRequest.logout() not functioning #8241
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
- oauth2Login WebFlux should not auto-redirect for XHR request #8202
- Make OAuth2ErrorHttpMessageConverter more resilient #8180
- RSocket test should throw AccessDeniedException #8155
- Fix typo in Javadoc of HttpSecurity#csrf() #8137
- Empty RelayState causes errors with ADFS #8070
- Fix typo in AntPathRequestMatcher contructor comment #8045
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
- OAuth2 access token response parsing fails with nested JSON object #8021
- Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #7969
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
- Query parameters in authorization-url are double-encoded #7960
- Don't force downcasting of RequestAttributes to ServletRequestAttributes #7959
- ClassCastException for ServletRequestAttributes #7958
🔨 Dependency Upgrades
- Update RSocket to 1.0.0-RC6 #8280
- Update to reactive-streams 1.0.3 #8279
- Update to OpenSAML 3.4.5 #8278
- Update to hibernate-entitymanager 5.4.13.Final #8277
- Update to hibernate-core 5.2.18.Final #8276
- Update blockhound to 1.0.3.RELEASE #8275
- Update to unboundid-ldapsdk 4.0.14 #8274
- Update to okhttp 3.14.7 #8259
- Update to Jackson 2.10.3 #8258
- Update to mockwebserver 3.14.7 #8257
- Update to org.powermock 2.0.6 #8255
- Upgrade to embedded Apache Tomcat 9.0.33 #8254
- Update to httpclient 4.5.12 #8253
- Update to Spring Boot 2.2.6.RELEASE #8252
- Update to GAE 1.9.79 #8251
- Update to Reactor Dysprosium-SR6 #8250
- Update to Spring Framework 5.2.5 #8249
- Update to Spring Data Moore-SR6 #8248
- Update to Jetty 9.4.22.v20191022 #7507
5.1.9.RELEASE
⭐ New Features
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8236
- SwitchUserFilter vulnerable to CSRF #8224
- Update Encryptors documentation for standard and stronger #8215
- Typo 'properites' -> 'properties' in documentation #8100
- Typo 'hasPermision()' in GlobalMethodSecurityBeanDefinitionParser.java #8068
- Remove unwanted code #7949
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8242
- oauth2Login WebFlux should not auto-redirect for XHR request #8203
- Make OAuth2ErrorHttpMessageConverter more resilient #8181
- Fix typo in Javadoc of HttpSecurity#csrf() #8135
- Fix typo in AntPathRequestMatcher contructor comment #8046
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8043
- OAuth2 access token response parsing fails with nested JSON object #8022
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7968
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7965
🔨 Dependency Upgrades
- Update to httpclient 4.5.12 #8294
- Update to hibernate-validator 6.0.19.Final #8293
- Update to reactive-streams 1.0.3 #8292
- Update to hibernate-core 5.2.18.Final #8291
- Update to groovy 2.4.19 #8290
- Update to unboundid-ldapsdk 4.0.14 #8289
- Update to okhttp 3.12.10 #8288
- Update to mockwebserver 3.12.10 #8287
- Update to org.powermock 2.0.6 #8286
- Update to Spring Boot 2.1.13.RELEASE #8285
- Update to GAE 1.9.79 #8284
- Update to Reactor Californium-SR17 #8283
- Update to Spring Data Lovelace-SR16 #8282
- Update to Spring Framework 5.1.14.RELEASE #8281
- Update to Jetty 9.4.22.v20191022 #8093
❤️ Contributors
We'd like to thank all the contributors who worked on this release!