Releases: spring-projects/spring-security
6.1.2
⭐ New Features
- Improve RequestMatcher Validation #13557
- Improve Security Filters Documentation #13414
- Optimize Querying of RequestCache -> continue parameter #13488
- Optimize Querying of RequestCache -> continue parameter #13482
🪲 Bug Fixes
- Error message should show underlying Client Authentication method #13498
- Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #13465
- once-per-request="true" does not work in XML configuration #13494
- Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13199
- Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #13421
- Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #13478
- update l179 of jwt docs #13480
- Use default PathPatternParser instance #13464
🔨 Dependency Upgrades
- Update io.projectreactor to 2022.0.9 #13525
- Update jakarta.websocket to 2.1.1 #13526
- Update micrometer-observation to 1.10.9 #13524
- Update org.springframework to 6.0.11 #13527
- Update org.springframework.data to 2022.0.8 #13528
- Update org.springframework.data to 2022.0.8 #13522
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.5
⭐ New Features
- Improve RequestMatcher Validation #13556
- Improve Security Filters Documentation #13413
- Optimize Querying of RequestCache -> continue parameter #13487
- Optimize Querying of RequestCache -> continue parameter #13481
🪲 Bug Fixes
- Error message should show underlying Client Authentication method #13496
- Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #13456
- once-per-request="true" does not work in XML configuration #13491
- Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13198
- Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #13420
- Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #13477
- Use default PathPatternParser instance #13463
🔨 Dependency Upgrades
5.8.5
5.7.10
5.6.12
6.1.1
⭐ New Features
- Add initial Native section to reference docs #13236
- Align Resource Server documentation with Boot's capabilities #13239
- Convert to Asciidoctor Tabs #13407
- Document How to Handle Method Security in Native Image #13237
- Improve javadoc about deprecation of .and() and non-Customizer methods #13273
- Make eclipse/vscode project import work #13284
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13229
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13254
- Use Antora name of security #13331
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13282
- AOT Fails to proxy #13369
- CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #13243
- DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #13223
- Deprecated hint on BasicAuthenticationFilter #13279
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13193
- Fix Antora Warnings #13294
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13221
- Fix Documentation Title #13318
- Fix legacy-websocket-configuration cross-reference #13206
- Fix type on method-security.adoc #13212
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13209
- Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13218
- No longer maintained net.sourceforge.nekohtml with known security issues #13287
- Provide meaningful error when invalid client-authentication-method is provided #13309
- Proxy Server section is not linked in nav #13324
- Use consistent list of micrometer tags in web observation handler #13190
- UserBuilder does not allow authorities to be overridden #13290
🔨 Dependency Upgrades
- Update cas-client-core to 4.0.2 #13342
- Update com.nimbusds to 9.43.3 #13335
- Update hsqldb to 2.7.2 #13343
- Update io.projectreactor to 2022.0.8 #13338
- Update io.rsocket to 1.1.4 #13340
- Update io.spring.javaformat to 0.0.39 #13341
- Update logback-classic to 1.4.8 #13334
- Update micrometer-observation to 1.10.8 #13337
- Update org.jetbrains.kotlin to 1.8.22 #13344
- Update org.springframework to 6.0.10 #13345
- Update org.springframework.data to 2022.0.7 #13346
- Update reactor-netty to 1.1.8 #13339
- Update spring-ldap-core to 3.0.4 #13347
- Update unboundid-ldapsdk to 6.0.9 #13336
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
6.0.4
⭐ New Features
- Add initial Native section to reference docs #12029
- Align Resource Server documentation with Boot's capabilities #13238
- Convert to Asciidoctor Tabs #13406
- Document How to Handle Method Security in Native Image #13226
- Error On Unsupported Client Authentication Methods #13240
- Make eclipse/vscode project import work #12930
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13228
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13253
- Use Antora name of security #13330
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13281
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13086
- AOT Fails to proxy #13368
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13153
- Clarify that Kotlin DSL needs an import #13102
- DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #13222
- Delete duplicate line from oauth2/client/core.adoc #13233
- Deprecated hint on BasicAuthenticationFilter #13278
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13192
- Fix Antora Warnings #13293
- Fix code snippets in Authorize HttpServletRequest #13125
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13220
- Fix Documentation Title #13317
- Fix legacy-websocket-configuration cross-reference #13205
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13208
- java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #13133
- Links between migration docs are out of date #13156
- Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #13217
- No longer maintained net.sourceforge.nekohtml with known security issues #13286
- Proxy Server section is not linked in nav #13323
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13127
- rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #13079
- SAML login fails in Internet Explorer 11 #13141
- SimpleAroundFilterObservation.wrap calls scope.close() duplicated #12787
- Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #13084
- Spring Security SAML signature validation issue #13182
- The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #13008
- Use consistent list of micrometer tags in web observation handler #13179
- X-XSS-Protection is now disabled #13129
🔨 Dependency Upgrades
- Update com.nimbusds to 9.43.3 #13352
- Update hsqldb to 2.7.2 #13359
- Update io.projectreactor to 2022.0.8 #13355
- Update io.rsocket to 1.1.4 #13357
- Update io.spring.javaformat to 0.0.39 #13358
- Update jackson-bom to 2.14.3 #13349
- Update jackson-databind to 2.14.3 #13350
- Update jackson-datatype-jsr310 to 2.14.3 #13351
- Update junit-bom to 5.9.3 #13360
- Update junit-platform-launcher to 1.9.3 #13362
- Update logback-classic to 1.4.8 #13348
- Update micrometer-observation to 1.10.8 #13354
- Update org.junit.jupiter to 5.9.3 #13361
- Update org.springframework to 6.0.10 #13363
- Update org.springframework.data to 2022.0.7 #13364
- Update reactor-netty to 1.1.8 #13356
- Update spring-ldap-core to 3.0.4 #13365
- Update unboundid-ldapsdk to 6.0.9 #13353
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.8.4
⭐ New Features
- Convert to Asciidoctor Tabs #13405
- Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #13227
- mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #13252
- Use Antora name of security #13329
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13280
- AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #13069
- AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #13132
- Clarify that Kotlin DSL needs an import #13101
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13191
- Fix Antora Warnings #13292
- Fix code snippets in Authorize HttpServletRequest #11522
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13219
- Fix Documentation Title #13316
- Fix legacy-websocket-configuration cross-reference #12969
- Fix typo in authorization.adoc #13135
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13207
- Links between migration docs are out of date #12675
- Proxy Server section is not linked in nav #13322
- RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #13104
- SAML 2.0 HTTP Redirect Binding query params may appear in any order #12963
- SAML login fails in Internet Explorer 11 #13106
- Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160
🔨 Dependency Upgrades
- Address CVE-2023-1370 #13146
- Update com.nimbusds to 9.43.3 #13374
- Update hsqldb to 2.7.2 #13388
- Update io.projectreactor to 2020.0.33 #13377
- Update io.rsocket to 1.1.4 #13383
- Update io.spring.javaformat to 0.0.39 #13386
- Update junit-bom to 5.9.3 #13391
- Update org.junit.jupiter to 5.9.3 #13393
- Update org.springframework to 5.3.28 #13395
- Update org.springframework.data to 2021.2.13 #13397
- Update reactor-netty to 1.0.33 #13380
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.7.9
⭐ New Features
🪲 Bug Fixes
- Additional filters registered when using Custom DSL #13203
- Clarify that Kotlin DSL needs an import #13092
- Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #13098
- Fix Antora Warnings #13291
- Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #13155
- Fix Documentation Title #13315
- Fix javadoc for migration from WebSecurityConfigurerAdapter #12996
- Fix typo in SecurityMockMvcResultMatchers.java #12793
- fix typo of modules.adoc #12921
- Fix typo overview.adoc #13269
- http://www.springframework.org/schema/security/spring-security.xsd returns 404 #13131
- Proxy Server section is not linked in nav #13313
- Typos in docs #13283
🔨 Dependency Upgrades
- Update io.projectreactor to 2020.0.33 #13373
- Update io.rsocket to 1.1.4 #13379
- Update org.springframework to 5.3.28 #13382
- Update org.springframework.data to 2021.2.13 #13385
- Update reactor-netty to 1.0.33 #13376
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.6.11
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
- Update blockhound to 1.0.8.RELEASE #13390
- Update hibernate-entitymanager to 5.6.15.Final #13400
- Update io.projectreactor to 2020.0.33 #13387
- Update io.rsocket to 1.1.4 #13392
- Update io.spring.nohttp to 0.0.11 #13394
- Update jackson-bom to 2.13.5 #13375
- Update jackson-databind to 2.13.5 #13378
- Update jackson-datatype-jsr310 to 2.13.5 #13381
- Update logback-classic to 1.2.12 #13372
- Update mockk to 1.12.8 #13384
- Update org.antora.gradle.plugin to 1.0.0 #13396
- Update org.aspectj to 1.9.19 #13398
- Update org.eclipse.jetty to 9.4.51.v20230217 #13399
- Update org.springframework to 5.3.28 #13401
- Update reactor-netty to 1.0.33 #13389