Skip to content

Releases: spring-projects/spring-security

5.2.0.M3

01 Oct 16:05
@jzheaux jzheaux
5.2.0.M3
77235e1
Compare
Choose a tag to compare
5.2.0.M3 Pre-release
Pre-release

⭐ New Features

  • Move log statement in SessionRegistryImpl #6979
  • Fix RoleHierarchy Javadoc #6973
  • Disable bean proxying in configuration classes #6970
  • Make Spring web configuration classes use proxyBeanMethods=false by default #6967
  • Migrate JeeConfigurerTests groovy->java #6957
  • Update to nohttp 0.0.2.RELEASE #6955
  • RoleHierarchy Comments are misleading #6954
  • Migrate RememberMeConfigurerTests groovy->java #6951
  • Migrate CorsConfigurerTests groovy->java #6946
  • Migrate ChannelSecurityConfigurerTests groovy->java #6944
  • Add success handler modification of OAuth2LoginSpec #6938
  • Migrate SessionManagementConfigurerTests groovy->java #6937
  • JenkinsFile should always indicate the JDK in use #6928
  • Add @transient to OAuth2IntrospectionAuthenticationToken #6918
  • Added null checks and tests to constructors #6915
  • Updates OAuth2ResourceServer configuration tests #6904
  • Migrate LogoutConfigurerTests from groovy to java #6902
  • Finer variables for OAuth2 redirectUriTemplate expansion #6900
  • Add null checks to constructors #6892
  • Fix JavaDoc for defaultSuccessUrl #6878
  • Add constructor to JwtAuthenticationToken that takes a principal name #6865
  • Add OAuth2LoginSpec.authenticationSuccessHandler #6863
  • Add Multi-tenancy support for Reactive Resource Server #6861
  • Git ignore .attach_pid* files #6860
  • Translate messages.properties into Japanese #6855
  • Replace bean method calls with injection #6853
  • Make scheduler configurable on ReactiveAuthenticationManagerAdapter #6852
  • Introduce Jwt.Builder #6851
  • OpaqueToken DSL should accept an AuthenticationManager #6849
  • Jwt DSL Configuration should accept an AuthenticationManager #6832
  • OAuth2IntrospectionAuthenticationToken should be marked as @transient #6829
  • Reactive JwkSource Builder Parameter Type Changed the parameter type from JWT to SignedJWT Fixes: gh-6771 #6827
  • Fix javadoc typo #6825
  • Support JwtValidationException on JwtReactiveAuthenticationManager #6823
  • Switch to proxy-less configuration by leveraging @configuration(proxyBeanMethods = false) #6818
  • Opaque Token Support for Custom Parameters #6798
  • Fix no check if the parameter is null. #6775
  • Expose bean setters in @configuration used by @EnableWebFluxSecurity #6761
  • Multi-tenancy for Reactive Resource Server #6727
  • Introduce ReactiveAuthenticationManagerResolver #6723
  • Introduce JWT Flow API in Test Support #6634
  • Opaque Token Intermediate Type #6632
  • Make it possible to use Spring Security with functional bean registration #6624
  • OAuth2ResourceServer configuration tests use deprecated extractAuthorities #6516
  • X509 Reactive Support #6336
  • Improve ClaimAccessor and externalize coercion #6245
  • Add scheme/protocol variable for OAuth2 redirectUriTemplate #6239
  • AccountStatusUserDetailsChecker implements MessageSourceAware #6151
  • Support Path Variables in Message Expressions #6110
  • WebSocket matchers ignore parameters #4469

🪲 Bug Fixes

  • ID Token validation should use JwtTimestampValidator #6964
  • Fix HttpSecurity Javadoc for jee() method #6959
  • Fix HttpSecurity jee() Javadoc example for mappableRoles #6958
  • DefaultServerOAuth2AuthorizationRequestResolver should use fromUri #6952
  • WebClientReactiveClientCredentialsTokenResponseClient should not set Authorization header when ClientAuthenticationMethod.POST #6911
  • Documentation fixes #6889
  • java.lang.IllegalAccessError when resource server introspect token from oauth2 server #6843
  • oauth2Login does not auto-redirect for XHR request #6812

🔨 Dependency Upgrades

  • Update to Spring 5.2.0.M2 #6869

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

Assets 2
Loading

5.2.0.M2

01 Oct 16:09
@jzheaux jzheaux
5.2.0.M2
e66e52d
Compare
Choose a tag to compare
5.2.0.M2 Pre-release
Pre-release

⭐ New Features

  • Add JDK 12 Build #6774
  • Update Gradle version to 5.3.1 #6747
  • Align JavaDoc in SecureRandomFactoryBean #6734
  • Fix a typo #6725
  • Introduce AuthenticationManagerResolver #6722
  • Defer downstream filter execution if no OAuth2AuthorizedClient is found #6719
  • Make UnAuthenticatedServerOAuth2AuthorizedClientRepository threadsafe #6717
  • URL Cleanup #6662
  • URL Cleanup #6655
  • Simplify MediaTypeRequestMatcher construction #6648
  • Polish #6635
  • Introduced placeholder support for headers tag attributes #6623
  • Allowing for a @bean of type OAuth2AccessTokenResponseClient<OAuth2Cl… #6606
  • Throw exception that was created but not thrown #6604
  • documentation: remove out-of-date #6603
  • OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6587
  • OAuth2ClientConfiguration discovers client_credentials OAuth2AccessTokenResponseClient #6572
  • Multi tenancy for Resource Server #6563
  • Introduce @CurrentSecurityContext for method arguments #6562
  • Fix Broken Documentation Link #6555
  • Broken URL in documentation #6553
  • Add Support for Clear Site Data on Logout #6550
  • Introduce @CurrentSecurityContext for method arguments #6546
  • Reactive Opaque Token Support #6519
  • OidcIdTokenValidator ensures clockSkew is positive number #6514
  • Add Reactive Opaque Token Support to Resource Server #6513
  • Properties should reference scope not scopes #6510
  • HeaderWriterFilter writes headers at beginning #6509
  • Introduce OAuth2AuthorizationRequest.attributes #6508
  • Introduce Support for Reading RSA Keys #6505
  • NimbusReactiveJwtDecoder Takes Reactive Processor #6499
  • Support symmetric key for JwtDecoder #6495
  • Add RSA Key Converters #6494
  • Improve formatting of LDAP snippets in Reference Documentation #6486
  • Add client support for PKCE #6485
  • OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6477
  • Add new configuration options for OAuth2LoginSpec #6462
  • Update to nimbus-jose-jwt:6.7 #6459
  • Consider having HeaderWriters check before writing #6456
  • Added CompositeHeaderWriter #6455
  • Consider having HeaderWriters check before writing #6454
  • Add a composite HeaderWriter class #6453
  • Support PKCE for Client #6446
  • OidcIdTokenValidator ensures clockSkew is positive number #6443
  • Save original request on oauth2Client filter #6418
  • Add Support for Opaque OAuth2 Tokens to Resource Server #6352
  • Add preload support to Strict-Transport-Security #6312
  • Remove Servlet Spec 2.5 and 3.0 support #6220
  • OAuth2ResourceServerConfigurerTests should avoid MockWebServer #6104
  • OAuth2AuthorizationRequest.additionalParameters should not contain registration_id #5940
  • NimbusReactiveJwtDecoder should accept a custom processor #5937
  • Improve OAuth2LoginSpec with more configuration options #5598
  • Provide support for symmetric key verification via JwtDecoder #5465
  • Support for OIDC Logout #5356
  • Multi-tenancy support for OAuth2 #5351
  • Support RP (Client) initiated logout #5350
  • Provide support for OAuth 2.0 Token Introspection #5200
  • Add Clear Site Data to Log Out #4187

🪲 Bug Fixes

  • ServletOAuth2AuthorizedClientExchangeFilterFunction supports chaining #6526
  • Update resource-server.adoc #6523
  • Fixed broken link #6522
  • Fix broken link in README.adoc #6521
  • Preserve existing refresh token if new refresh token not returned #6504
  • Refreshing access token may remove refresh token from AuthorizedClient #6503
  • ServletOAuth2AuthorizedClientExchangeFilterFunction Does Not Work For Chained Reactive Methods #6483
  • Missing spring: prefix on jwk-set-uri example #6479
  • Improve CsrfBeanDefinitionParser xml parsing #6451
  • HTML markup fixed in DefaultLoginPageGeneratingFilter #6448
  • XML configuration with multiple security:http register multiple requestDataValueProcessor #6423
  • Invalid html in default login page #6417
  • Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341
  • Fix OAuth2 Client with Ditributed Session #6215

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

Read more
Assets 2
Loading

5.2.0.M1

01 Oct 16:10
@jzheaux jzheaux
5.2.0.M1
fdd22e5
Compare
Choose a tag to compare
5.2.0.M1 Pre-release
Pre-release

⭐ New Features

  • Update to spring-build-conventions 0.0.23.RELEASE #6440
  • customization support for StrictHttpFirewall #6439
  • Update to Spring Data Lovelace SR4 #6438
  • Update to Spring Framework 5.1.4 #6437
  • Update to Reactor Californium-SR4 #6436
  • Update to Spring Boot 2.1.2 #6435
  • Update to htmlunit-driver 2.33.3 #6434
  • Update to org.powermock 2.0.0 #6433
  • Update to hibernate-entitymanager 5.4.0.Final #6432
  • Update to ehcache 2.10.6 #6431
  • Update to com.squareup.okhttp3 3.12.1 #6430
  • Update to oauth2-oidc-sdk 6.5 #6429
  • Update to nimbus-jose-jwt 6.5.1 #6428
  • Update to jackson.core 2.9.8 #6427
  • Update to cglib-nodep 3.2.10 #6426
  • Update JwtTimestampValidator.java #6416
  • Extract the ID Token JwtDecoderFactory to enable user customization #6415
  • Expose ID Token JwtDecoderFactory #6379
  • ID Token validation supports clock skew #6375
  • Polish oauth2 client ExchangeFilterFunction's #6355
  • Improve error messages in OidcIdTokenValidator #6349
  • Polish tests #6346
  • Removed isServlet30 check #6331
  • Fixes typo in x,rnc files #6326
  • Typo in Spring Security spring-security-x.y.rnc Files #6325
  • Improve error messages in OidcIdTokenValidator #6323
  • Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
  • JdbcUserDetailsManager handles extra UserDetails attributes #6309
  • Add WebFlux support for spring security web jackson module. #6305
  • Add WebFlux support for spring security web jackson module #6303
  • authorization_uri Supports Query Parameters #6299
  • Extract OidcTokenValidator to an OAuth2TokenValidator #6298
  • Remove check for method HttpServletRequest#getHeader and related test #6290
  • Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
  • Validate Scopes in ClientRegistration.Builder #6285
  • Allow setting realm for Http Basic #6279
  • Add cookieDomain to CookieCsrfTokenRepository #6276
  • Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
  • Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
  • Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
  • Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
  • Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
  • Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
  • Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
  • Remove Servlet 2.5 Support for Session Fixation #6259
  • Add DelegatingSecurityContextTaskScheduler #6257
  • Validate ClientRegistration.scopes #6256
  • RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #6241
  • Improve error message for Chinese #6240
  • Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
  • AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
  • JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
  • Add Reactive Support for UserDetailsChecker #6229
  • SessionRegistryImpl uses computeIfAbsent #6221
  • Accept a case-insensitive "Bearer" keyword #6210
  • Restored Jacoco default task dependence #6200
  • Added support for Anonymous Authentication #6198
  • Update to Gradle 5.0 #6197
  • Make CachingUserDetailsService Public #6196
  • Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
  • Use SpringUtils to check scheme #6185
  • BasicAuthenticationFilter could check the scheme more efficiently #6183
  • ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
  • According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
  • Update to Gradle 5.0 #6148
  • Update com.squareup.okhttp3 deps to 3.12.0 #6142
  • Add GenericConversionService with support for UUID and Strings #6141
  • Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
  • Remove unused compile dependency in javaconfig x509 sample #6130
  • Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
  • Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
  • WebClient support should get new access token when expired and client_credentials #6127
  • AesBytesEncryptorTests should check available key strengths before running #6121
  • CookieClearingLogoutHandler enhancement #6116
  • Update to Gradle 4.10.2 #6114
  • Update to oauth2-oidc-sdk:6.2 #6101
  • Update webflux-form sample to use Built in CSRF Support #6097
  • Update to nimbus-jose-jwt:6.3 #6095
  • Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
  • Update to Spring Boot 2.1.0.RELEASE #6082
  • Make AesBytesEncryptor public #6079
  • CookieClearingLogoutHandler for differen...
Read more
Assets 2
Loading