Skip to content

Releases: spring-projects/spring-security

5.8.12

15 Apr 15:58
Compare
Choose a tag to compare

🪲 Bug Fixes

  • Conditional check for data-source-ref is incorrect #14742

🔨 Dependency Upgrades

  • Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #14878
  • Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #14877
  • Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14822
  • Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #14891

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.3.0-M3

18 Mar 11:34
Compare
Choose a tag to compare
6.3.0-M3 Pre-release
Pre-release

⭐ New Features

  • Add ContinueOnError Support for Failed Authentications #14591
  • Add DelegatingAuthenticationConverter #14655
  • Add DelegatingServerAuthenticationConverter #14654
  • Add JSON session support for SwitchUserGrantedAuthority #11758
  • Add meta-annotation annotation parameter support #14494
  • Add Programmatic Proxy Support for Method Security #14716
  • Add support for configuring token-exchange via a bean #14701
  • Add support for OAuth 2.0 Token Exchange Grant #14692
  • Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo #14672
  • Fix Delegation-based Strategy with OidcUserService/OidcReactiveOAuth2UserService examples #12281
  • Implement customization of rolePrefix in LdapUserDetailsManager #14574
  • Introduce Customizable AuthorizationFailureHandler in OAuth2AuthorizationRequestRedirectFilter #14168
  • Simplify configuration of reactive OAuth2 Client component model #13763

🪲 Bug Fixes

  • Check for null Authentication #14667
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14724
  • Publishing PrePostTemplateDefaults creates circular dependency #14674

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.4.14 to 1.5.3 #14744
  • Bump com.fasterxml.jackson:jackson-bom from 2.15.4 to 2.17.0 #14746
  • Bump com.github.ben-manes:gradle-versions-plugin from 0.38.0 to 0.51.0 #14753
  • Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 #14737
  • Bump com.gradle.enterprise from 3.12.6 to 3.16.2 #14760
  • Bump com.nimbusds:oauth2-oidc-sdk from 9.43.3 to 9.43.4 #14695
  • Bump io.freefair.gradle:aspectj-plugin from 8.4 to 8.6 #14755
  • Bump io.github.gradle-nexus:publish-plugin from 1.1.0 to 1.3.0 #14761
  • Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14718
  • Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14659
  • Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14727
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14707
  • Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14738
  • Bump org.assertj:assertj-core from 3.24.2 to 3.25.3 #14748
  • Bump org.gretty:gretty from 4.0.3 to 4.1.2 #14754
  • Bump org.hibernate.orm:hibernate-core from 6.3.2.Final to 6.4.4.Final #14747
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14709
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14708
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.7.3 to 1.8.0 #14739
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.4 to 4.33.13 #14735
  • Bump org.mockito:mockito-bom from 5.5.0 to 5.11.0 #14736
  • Bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 2.7.1 to 2.8.0.1969 #14752
  • Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14769
  • Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14756
  • Bump org.yaml:snakeyaml from 1.30 to 1.33 #14745

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Haarolean, @daniel-shuy, @dependabot[bot], @jzheaux, @kse-music, @leewin12, @markusheiden, and @sjohnr

6.2.3

18 Mar 12:23
Compare
Choose a tag to compare

⭐ New Features

  • Structure101 Plugin Should Ignore Deprecated Files #14640

🪲 Bug Fixes

  • Check for null Authentication #14666
  • Fix Package Tangle in CAS #14641
  • LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14648
  • ObservationTextHandler class is not defined in a reactive context #14653
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14723
  • Spring security's ServerLogoutHandler order problem. #14682

🔨 Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14719
  • Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14661
  • Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14726
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14705
  • Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14734
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14706
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14704
  • Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14770
  • Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14757

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

6.1.8

18 Mar 12:23
Compare
Choose a tag to compare

🪲 Bug Fixes

  • Check for null Authentication #14665
  • Fix Package Tangle in CAS #14627
  • Fix Package Tangle in SAML 2.0 #14628
  • LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14647
  • ObservationTextHandler class is not defined in a reactive context #14651
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14722
  • Spring security's ServerLogoutHandler order problem. #14681

🔨 Dependency Upgrades

  • Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14660
  • Bump io.projectreactor:reactor-bom from 2022.0.16 to 2022.0.17 #14728
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14703
  • Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14733
  • Bump org.springframework:spring-framework-bom from 6.0.17 to 6.0.18 #14762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

5.8.11

18 Mar 11:47
Compare
Choose a tag to compare

🪲 Bug Fixes

  • Allow tab in HTTP header values. #14590
  • Check for null Authentication #14664
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14720
  • Remove duplicate setSecurityContextHolderStrategy #14603
  • Spring security's ServerLogoutHandler order problem. #14379

🔨 Dependency Upgrades

  • Bump io.projectreactor.netty:reactor-netty from 1.0.41 to 1.0.43 #14730
  • Bump io.projectreactor:reactor-bom from 2020.0.41 to 2020.0.42 #14729
  • Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 #14759

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.12

18 Mar 11:38
Compare
Choose a tag to compare

🪲 Bug Fixes

  • Check for null Authentication #14715

6.3.0-M2

16 Feb 19:03
Compare
Choose a tag to compare
6.3.0-M2 Pre-release
Pre-release

⭐ New Features

  • Add usernameParameter and passwordParameter to FormLoginDsl #14488
  • Add argument resolver for SecurityContext #14449
  • Add functionality to set custom web client in ReactiveOidcIdTokenDecoderFactory #13301
  • Cleanup Saml2MetadataFilter #14476
  • Customize when UserInfo is called #13259
  • Implement providing a custom AuthoritiesPopulator in ADLdapAuthProvider #14539
  • Migrate spring-security-rsa into spring-security-crypto #14202
  • Nested username attribute in DefaultOAuth2User #14265
  • Revise AuthorizationAnnotationUtils #14407
  • Spring Security annotations on subclasses support intercepting parent class methods. #14516

🪲 Bug Fixes

  • WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14469
  • Cannot configure SecurityContextRepository in CasAuthenticationFilter #14537
  • Fix wrong class name in JavaDoc #14466
  • Fixed Interceptor name in Method Security reference document #14475
  • Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14471
  • Typo: Update anonymous.adoc #14541
  • Typo: Update rememberme.adoc #14542

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #14619
  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14578
  • Bump gradle/gradle-build-action from 2 to 3 #14502
  • Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #14588
  • Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #14613
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14462
  • Bump org-aspectj from 1.9.21 to 1.9.21.1 #14604
  • Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14517
  • Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #14544
  • Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14556
  • Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #14625
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #14620
  • Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #14618
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14501
  • Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14579

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Haarolean, @NerminKarapandzic, @ahmd-nabil, @boulce, @dependabot[bot], @irerin07, @kse-music, @leshalv, @sbrannen, @sonallux, @ty-v1, and @ubaid4j

6.2.2

16 Feb 19:28
Compare
Choose a tag to compare

⭐ New Features

  • Configuration examples in docs are out of date #14392

🪲 Bug Fixes

  • "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #14568
  • HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #14367
  • OAuth2AuthorizationExchange is not serializable #14405
  • WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14468
  • Application context fails to load: Couldn't find FilterChainProxy #14380
  • Back-Channel Logout should use localhost for internal logout request #14553
  • Cannot configure SecurityContextRepository in CasAuthenticationFilter #14536
  • Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #14348
  • fix typo in anonymous.adoc #14424
  • fix: typo in Authentication Architecture ProviderManager #14448
  • Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #14377
  • Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14470
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #14350
  • SAML relying party logout filter is always ordered last #14551
  • Spring Security 6.2 defaults to InMemoryOidcSessionRegistry causing memory leaks in distributed systems with external session storage #14558
  • Test using @WithMockUser fails with 401 UNAUTHORIZED with 3.2 #14207
  • Typo: Update authorize-http-requests.adoc #14563
  • Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #14496
  • X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #14346

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #14617
  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14582
  • Bump Gradle Wrapper from 8.5 to 8.6 #14547
  • Bump gradle/gradle-build-action from 2 to 3 #14503
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14439
  • Bump io.micrometer:micrometer-observation from 1.12.1 to 1.12.2 #14429
  • Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #14589
  • Bump io.mockk:mockk from 1.13.8 to 1.13.9 #14412
  • Bump io.projectreactor:reactor-bom from 2023.0.1 to 2023.0.2 #14430
  • Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #14612
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14463
  • Bump org-aspectj from 1.9.21 to 1.9.21.1 #14605
  • Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #14354
  • Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14518
  • Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #14440
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.21 to 1.9.22 #14364
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.21 to 1.9.22 #14363
  • Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #14543
  • Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #14422
  • Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14554
  • Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #14387
  • Bump org.springframework.data:spring-data-bom from 2023.1.1 to 2023.1.2 #14455
  • Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #14624
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #14616
  • Bump org.springframework:spring-framework-bom from 6.1.2 to 6.1.3 #14454
  • Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #14615
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14504
  • Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14583

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Amitmahato, @andreasbuechel, @boulce, and @dependabot[bot]

6.1.7

16 Feb 19:29
Compare
Choose a tag to compare

⭐ New Features

  • Fix Spring initializr link in 'Getting Spring Security' #14375
  • Refactor: Remove Irrelevant Documentation Lines #14374
  • Typo fix in configuration.adoc #14372
  • Updated the Configuration examples in docs #14391

🪲 Bug Fixes

  • "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #14445
  • HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #14362
  • OAuth2AuthorizationExchange is not serializable #14402
  • WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14399
  • Application context fails to load: Couldn't find FilterChainProxy #14370
  • Cannot configure SecurityContextRepository in CasAuthenticationFilter #14529
  • Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #14347
  • Fix broken sample code in Authorize HttpServletRequests #14386
  • Fix command in CONTRIBUTING.adoc #14489
  • Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #14359
  • Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14397
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #14349
  • SAML relying party logout filter is always ordered last #14550
  • Typo: Update ldap.adoc #14509
  • Typo: Update session-management.adoc #14515
  • Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #14495
  • X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #14345

🔨 Dependency Upgrades

  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14581
  • Bump Gradle Wrapper from 8.5 to 8.6 #14540
  • Bump gradle/gradle-build-action from 2 to 3 #14500
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14436
  • Bump io.mockk:mockk from 1.13.8 to 1.13.9 #14413
  • Bump io.projectreactor:reactor-bom from 2022.0.14 to 2022.0.15 #14428
  • Bump io.projectreactor:reactor-bom from 2022.0.15 to 2022.0.16 #14611
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14465
  • Bump org-aspectj from 1.9.21 to 1.9.21.1 #14606
  • Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #14355
  • Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14519
  • Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #14437
  • Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #14421
  • Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14555
  • Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #14389
  • Bump org.springframework:spring-framework-bom from 6.0.15 to 6.0.16 #14443
  • Bump org.springframework:spring-framework-bom from 6.0.16 to 6.0.17 #14621
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14499
  • Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14580

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Siddharth1605, @acktsap, @boulce, @dependabot[bot], @github-actions[bot], @kcsurapaneni, @nkilchenmann, and @ty-v1

5.8.10

16 Feb 19:29
Compare
Choose a tag to compare

⭐ New Features

  • Updated broken documentation link in javadocs #14329

🪲 Bug Fixes

  • Fix security filter sort in javadoc #14552
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #11596
  • Saml2 LogoutFilter Should Come Before Common LogoutFilter #14549

🔨 Dependency Upgrades

  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14584
  • Bump gradle/gradle-build-action from 2 to 3 #14505
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14438
  • Bump io.projectreactor.netty:reactor-netty from 1.0.40 to 1.0.41 #14432
  • Bump io.projectreactor:reactor-bom from 2020.0.39 to 2020.0.40 #14431
  • Bump io.projectreactor:reactor-bom from 2020.0.40 to 2020.0.41 #14614
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14464
  • Bump org-aspectj from 1.9.20.1 to 1.9.21.1 #14607
  • Bump org-eclipse-jetty from 9.4.53.v20231009 to 9.4.54.v20240208 #14608
  • Bump org.springframework:spring-framework-bom from 5.3.31 to 5.3.32 #14622
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14506
  • Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14585

❤️ Contributors

We'd like to thank all the contributors who worked on this release!