Releases: spring-projects/spring-security
Releases · spring-projects/spring-security
5.3.2.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8490
- Fixed typos in documentation #8460
- JdbcOAuth2AuthorizedClientService should support update when saving #8448
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8437
- Fix Documentation to Refer to BasicAuthenticationFilter #8423
- Fix typo with correct capitalization #8408
- Global ServerSecurityContextRepository ignored by logout #8385
- Fix example in javadoc of FilterChainProxy #8351
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8311
🔨 Dependency Upgrades
- Update to aspectj-plugin:4.1.6 #8306
5.2.4.RELEASE
⭐ New Features
🪲 Bug Fixes
- Fix Javadoc punctuation #8494
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8438
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8430
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8426
- Fix typo with correct capitalization #8409
- Global ServerSecurityContextRepository ignored by logout #8386
- Fix example in javadoc of FilterChainProxy #8352
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8338
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8312
🔨 Dependency Upgrades
- Update to Byte Buddy 1.9.16 #8481
- Upgrade to embedded Apache Tomcat 9.0.34 #8469
- Update RSocket to 1.0.0-RC7 #8468
- Update to GAE 1.9.80 #8467
- Update to Jackson 2.10.4 #8466
- Update to org.powermock 2.0.7 #8465
- Update to Reactor Dysprosium-SR7 #8464
- Update to Spring Framework 5.2.6.RELEASE #8463
- Update to Spring Data Moore-SR7 #8462
5.1.10.RELEASE
⭐ New Features
- BCryptPasswordEncoder.encode() throws NPE #8347
🪲 Bug Fixes
- Fix Javadoc punctuation #8496
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8440
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8431
- Fix typo with correct capitalization #8410
- Global ServerSecurityContextRepository ignored by logout #8388
- Fix example in javadoc of FilterChainProxy #8353
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8339
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8313
🔨 Dependency Upgrades
5.0.16.RELEASE
⭐ New Features
- BCryptPasswordEncoder.encode() throws NPE #8348
🪲 Bug Fixes
- Fix Javadoc punctuation #8497
- Add ROLE_INFRASTRUCTURE to infrastructure beans #8441
- SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #8432
- Fix example in javadoc of FilterChainProxy #8354
- Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8340
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #8314
🔨 Dependency Upgrades
4.2.16.RELEASE
5.2.3.RELEASE
⏪ Non-passive
- SwitchUserFilter vulnerable to CSRF #8223
⭐ New Features
- SpringTestContext returns ConfigurableWebApplicationContext #8240
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
- Update Encryptors documentation for standard and stronger #8212
- Getting OAuth2AuthenticationException when Bearer token is empty #8207
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
- Basic auth header without user results in exception #8123
- Typo 'properites' -> 'properties' in documentation #8099
🪲 Bug Fixes
- Update tests to use absolute paths #8260
- HttpServletRequest.logout() not functioning #8241
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
- oauth2Login WebFlux should not auto-redirect for XHR request #8202
- Make OAuth2ErrorHttpMessageConverter more resilient #8180
- RSocket test should throw AccessDeniedException #8155
- Fix typo in Javadoc of HttpSecurity#csrf() #8137
- Empty RelayState causes errors with ADFS #8070
- Fix typo in AntPathRequestMatcher contructor comment #8045
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
- OAuth2 access token response parsing fails with nested JSON object #8021
- Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #7969
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
- Query parameters in authorization-url are double-encoded #7960
- Don't force downcasting of RequestAttributes to ServletRequestAttributes #7959
- ClassCastException for ServletRequestAttributes #7958
🔨 Dependency Upgrades
- Update RSocket to 1.0.0-RC6 #8280
- Update to reactive-streams 1.0.3 #8279
- Update to OpenSAML 3.4.5 #8278
- Update to hibernate-entitymanager 5.4.13.Final #8277
- Update to hibernate-core 5.2.18.Final #8276
- Update blockhound to 1.0.3.RELEASE #8275
- Update to unboundid-ldapsdk 4.0.14 #8274
- Update to okhttp 3.14.7 #8259
- Update to Jackson 2.10.3 #8258
- Update to mockwebserver 3.14.7 #8257
- Update to org.powermock 2.0.6 #8255
- Upgrade to embedded Apache Tomcat 9.0.33 #8254
- Update to httpclient 4.5.12 #8253
- Update to Spring Boot 2.2.6.RELEASE #8252
- Update to GAE 1.9.79 #8251
- Update to Reactor Dysprosium-SR6 #8250
- Update to Spring Framework 5.2.5 #8249
- Update to Spring Data Moore-SR6 #8248
- Update to Jetty 9.4.22.v20191022 #7507
5.1.9.RELEASE
⭐ New Features
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8236
- SwitchUserFilter vulnerable to CSRF #8224
- Update Encryptors documentation for standard and stronger #8215
- Typo 'properites' -> 'properties' in documentation #8100
- Typo 'hasPermision()' in GlobalMethodSecurityBeanDefinitionParser.java #8068
- Remove unwanted code #7949
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8242
- oauth2Login WebFlux should not auto-redirect for XHR request #8203
- Make OAuth2ErrorHttpMessageConverter more resilient #8181
- Fix typo in Javadoc of HttpSecurity#csrf() #8135
- Fix typo in AntPathRequestMatcher contructor comment #8046
- An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8043
- OAuth2 access token response parsing fails with nested JSON object #8022
- OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7968
- OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7965
🔨 Dependency Upgrades
- Update to httpclient 4.5.12 #8294
- Update to hibernate-validator 6.0.19.Final #8293
- Update to reactive-streams 1.0.3 #8292
- Update to hibernate-core 5.2.18.Final #8291
- Update to groovy 2.4.19 #8290
- Update to unboundid-ldapsdk 4.0.14 #8289
- Update to okhttp 3.12.10 #8288
- Update to mockwebserver 3.12.10 #8287
- Update to org.powermock 2.0.6 #8286
- Update to Spring Boot 2.1.13.RELEASE #8285
- Update to GAE 1.9.79 #8284
- Update to Reactor Californium-SR17 #8283
- Update to Spring Data Lovelace-SR16 #8282
- Update to Spring Framework 5.1.14.RELEASE #8281
- Update to Jetty 9.4.22.v20191022 #8093
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
5.0.15.RELEASE
⭐ New Features
- SwitchUserFilter vulnerable to CSRF #8225
- Update Encryptors documentation for standard and stronger #8218
- Typo 'properites' -> 'properties' in documentation #8101
- Remove unwanted code #7950
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8243
- Fix typo in Javadoc of HttpSecurity#csrf() #8136
- Fix typo in AntPathRequestMatcher contructor comment #8047
- Typo in Spring Security 5.0.x docs #5254
🔨 Dependency Upgrades
- Update to httpclient 4.5.12 #8304
- Update to hibernate-validator 6.0.19.Final #8303
- Update to reactive-streams 1.0.3 #8302
- Update to hibernate-core 5.2.18.Final #8301
- Update to groovy 2.4.19 #8300
- Update to unboundid-ldapsdk 4.0.14 #8299
- Update to okhttp 3.12.10 #8298
- Update to mockwebserver 3.12.10 #8297
- Update to org.powermock 2.0.6 #8296
- Update to GAE 1.9.79 #8295
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
4.2.15.RELEASE
⭐ New Features
- SwitchUserFilter vulnerable to CSRF #8226
- Update Encryptors documentation for standard and stronger #8219
- Typo 'properites' -> 'properties' in documentation #8102
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8244
- Spring Security BOM 4.2.14.RELEASE is missing #7975
🔨 Dependency Upgrades
- Update to jackson-databind:2.8.11.6 #8273
- Update to appengine:1.9.79 #8272
- Update to spring-io-plugin:0.0.8.RELEASE #8271
- Update to nekohtml:1.9.22 #8270
- Update to thymeleaf-layout-dialect:2.0.5 #8269
- Update to httpclient:4.2.6 #8268
- Update to taglibs-standard-jstlel:1.2.5 #8267
- Update to Jetty 8.1.22.v20160922 #8266
- Update to Tomcat 7.0.103 #8265
- Update to asciidoctor-gradle-plugin:1.5.7 #8264
- Update to Groovy 2.4.19 #8263
- Update to spring-boot-gradle-plugin:1.5.22.RELEASE #8262
5.3.1.RELEASE
⭐ New Features
- SpringTestContext returns ConfigurableWebApplicationContext #8237
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8234
- SwitchUserFilter vulnerable to CSRF #8222
- Clarify use case for
ServerBearerExchangeFilterFunction#8221 - Update Encryptors documentation for standard and stronger #8211
- Document JwtGrantedAuthoritiesConverter #8183
- userNameAttribute case style is different others #8179
- Document AuthNRequest POST binding support #8165
- Polish SAML 2.0 Login Sample #8164
- OpenSamlImplementation should not use reflection #8161
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8153
- Assign sensible default for OAuth2AuthorizedClientProvider #8151
- Document OAuth2Authorization success and failure handlers #8146
- Document Jackson serialization support for OAuth 2.0 Client #8145
- Document OAuth 2.0 Authorization Request improvements #8133
- Document OAuth 2.0 Login XML Support #8132
- Document OAuth 2.0 Client XML Support #8131
- Basic auth header without user results in exception #8122
- Document AuthenticationEventPublisher improvements #8103
- Typo 'properites' -> 'properties' in documentation #8098
- Document OAuth 2.0 Resource Server XML Support #8094
- Provide spring-security-5*.xsd for https://www.springframework.org/schema/security/ #8091
- Document OIDC Logout Success Handler Improvements #8088
- Add OAuth 2.0 Test Support Docs #8087
- Update test to have comment about secure salt length #8084
- Document JwtClaimValidator #8076
🪲 Bug Fixes
- HttpServletRequest.logout() not functioning #8238
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8209
- oauth2Login WebFlux should not auto-redirect for XHR request #8201
- Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8178
- RSocket test should throw AccessDeniedException #8160
- Make OAuth2ErrorHttpMessageConverter more resilient #8158
- Fix typo in Javadoc of HttpSecurity#csrf() #8134
- NPE thrown when token response contains a null value #8121
- Google's top result for "Spring Security Reference" returns a 404 #8086
- 5.3.0 Documentation What's New has some broken links #8069
❤️ Contributors
We'd like to thank all the contributors who worked on this release!