⭐ New Features
- Update to spring-build-conventions 0.0.23.RELEASE #6440
- customization support for StrictHttpFirewall #6439
- Update to Spring Data Lovelace SR4 #6438
- Update to Spring Framework 5.1.4 #6437
- Update to Reactor Californium-SR4 #6436
- Update to Spring Boot 2.1.2 #6435
- Update to htmlunit-driver 2.33.3 #6434
- Update to org.powermock 2.0.0 #6433
- Update to hibernate-entitymanager 5.4.0.Final #6432
- Update to ehcache 2.10.6 #6431
- Update to com.squareup.okhttp3 3.12.1 #6430
- Update to oauth2-oidc-sdk 6.5 #6429
- Update to nimbus-jose-jwt 6.5.1 #6428
- Update to jackson.core 2.9.8 #6427
- Update to cglib-nodep 3.2.10 #6426
- Update JwtTimestampValidator.java #6416
- Extract the ID Token JwtDecoderFactory to enable user customization #6415
- Expose ID Token JwtDecoderFactory #6379
- ID Token validation supports clock skew #6375
- Polish oauth2 client ExchangeFilterFunction's #6355
- Improve error messages in OidcIdTokenValidator #6349
- Polish tests #6346
- Removed isServlet30 check #6331
- Fixes typo in x,rnc files #6326
- Typo in Spring Security spring-security-x.y.rnc Files #6325
- Improve error messages in OidcIdTokenValidator #6323
- Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
- JdbcUserDetailsManager handles extra UserDetails attributes #6309
- Add WebFlux support for spring security web jackson module. #6305
- Add WebFlux support for spring security web jackson module #6303
- authorization_uri Supports Query Parameters #6299
- Extract OidcTokenValidator to an OAuth2TokenValidator #6298
- Remove check for method HttpServletRequest#getHeader and related test #6290
- Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
- Validate Scopes in ClientRegistration.Builder #6285
- Allow setting realm for Http Basic #6279
- Add cookieDomain to CookieCsrfTokenRepository #6276
- Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
- Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
- Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
- Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
- Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
- Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
- Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
- Remove Servlet 2.5 Support for Session Fixation #6259
- Add DelegatingSecurityContextTaskScheduler #6257
- Validate ClientRegistration.scopes #6256
- RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefaults #6241
- Improve error message for Chinese #6240
- Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
- AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
- JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
- Add Reactive Support for UserDetailsChecker #6229
- SessionRegistryImpl uses computeIfAbsent #6221
- Accept a case-insensitive "Bearer" keyword #6210
- Restored Jacoco default task dependence #6200
- Added support for Anonymous Authentication #6198
- Update to Gradle 5.0 #6197
- Make CachingUserDetailsService Public #6196
- Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
- Use SpringUtils to check scheme #6185
- BasicAuthenticationFilter could check the scheme more efficiently #6183
- ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
- According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
- Update to Gradle 5.0 #6148
- Update com.squareup.okhttp3 deps to 3.12.0 #6142
- Add GenericConversionService with support for UUID and Strings #6141
- Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
- Remove unused compile dependency in javaconfig x509 sample #6130
- Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
- Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
- WebClient support should get new access token when expired and client_credentials #6127
- AesBytesEncryptorTests should check available key strengths before running #6121
- CookieClearingLogoutHandler enhancement #6116
- Update to Gradle 4.10.2 #6114
- Update to oauth2-oidc-sdk:6.2 #6101
- Update webflux-form sample to use Built in CSRF Support #6097
- Update to nimbus-jose-jwt:6.3 #6095
- Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
- Update to Spring Boot 2.1.0.RELEASE #6082
- Make AesBytesEncryptor public #6079
- CookieClearingLogoutHandler for different Paths #6078
- Upgrade to neko-htmlunit 2.33 #6074
- Reactive OAuthResourceServerSpec should allow custom error handling #6052
- AuthenticationConfiguration respects primary beans #6035
- Migrated unit test from groovy to java #6016
- Reactive Nimbus Jwt Decoder should convert claims #6015
- Remove unnecessary concatenation of sql in JdbcUserDetailsManager #5999
- Update to spring-build-conventions:0.0.20.RELEASE #5998
- Add BCrypt Revision Support #5992
- Fix JDK 10 Build #5982
- Add NimbusJwtDecoder #5936
- Replace OidcTokenValidator with OAuth2TokenValidator implementation #5930
- Allow in-memory client registration repos to be constructed with a map #5918
- WebClient support should get new access token when expired and client_credentials #5893
- ID Token validation should support clock skew #5839
- SessionRegistryImpl should use computeIfAbsent #5834
- Allow configurable JwtDecoder for ID Token verification #5751
- Allow configurable JwtDecoder for IdToken verification #5717
- Nimbus Jwt Decoder Configurability #5648
- Resource Server Sample should support a static key #5486
- Allow configuration of RSA Public Key for Resource Server #5131
- Custom Base64EncodingTextEncryptor not possible for Encryptors.queryableText() #5099
- AclClassIdUtils should be public #4819
- Make JdbcUserDetailsManager to be able to handle UserDetails'es: nonLocked, nonExpired, credentialsNonExpired #4399
- Allow to set the cookie domain in class CookieCsrfTokenRepository #4315
- AuthenticationConfiguration.lazyBean(AuthenticationManager.class) should honor @Primary if multiple candidates are available #3912
- SEC-3121: Support for bcrypt revision $2b$ #3320
🪲 Bug Fixes
- Save query parameters in WebSessionServerRequestCache #6441
- WebSessionServerRequestCache doesn't save URL query parameters #6421
- Fix Typo cconfigured -> configured #6361
- UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) #6353
- Fix UsernamePasswordAuthenticationTokenDeserializer with Customizations #6334
- fixes setting paramName only when it is not null #6332
- Fix LazyCsrfTokenRepository Javadoc Typo #6330
- Add conditionally servlet based support for spring security web jackson module #6304
- Add conditionally servlet based support for spring security web jackson module #6302
- Fix LoginPageGeneratingWebFilter Markup #6295
- Fix DefaultLoginPageGeneratingFilter Markup #6287
- AuthenticationFailureBadCredentialsEvent published twice #6281
- MethodSecurityEvaluationContext Should Check Parameter Names Are Not Null #6223
- Fixed Git SCM book link #6203
- SecurityContextCallableProcessingInterceptor thread visibility fix #6144
- Fix typo in exception message #6136
- WebClientReactiveClientCredentialsTokenResponseClient.getTokenRespons… #6105
- http.requestCache().disable() not working #6102
- WebClientReactiveClientCredentialsTokenResponseClient should fail if not 2xx status #6089
- OAuth2AccessTokenResponseBodyExtractor should support Object values #6087
- Fix Typo in Reference Docs #6085
- Fix Typo in Reference Docs #6076
- JwtIssuerValidator should use URL.toExternalForm #6073
- Fix Maven Property spring-security.version in reference #6066
- Fix Maven Property spring-security.version in reference #6065
- Fix issue with PostgreSQL: org.postgresql.util.PSQLException #6050
- InMemoryUserDetailsManager.updatePassword case-insensitive #6039
- Facebook Login Failing in Spring Boot 2.1.0.RC1 #6017
- AuthenticationSuccessEvent not published for oauth2Login() #6009
- Fix CONTRIBUTING.md formatting #6000
- Fixing X509 Principal Extractor regex examples #5770 #5988
- Fix IllegalStateException message in OAuth2ResourceServerConfigurer #5986
- adding query parameter to authorization_uri creates malformed url #5760
- Spring Security ACL: No operator matches the given name and argument type #5508
- Security-related HTTP headers not written if response is committed during INCLUDE dispatch #5499
- RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefaults #4876
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
- @wangzw
- @dongmyo
- @ankurpathak
- @php-coder
- @rafaelrenanpacheco
- @vpavic
- @izeye
- @okohub
- @edeandrea
- @dbuos
- @lmagyar89
- @LukeButters
- @denisw
- @jzheaux
- @jgrandja
- @bhavikkumar
- @nenaraab
- @raphaelDL
- @mibo
- @farooqkhan003
- @shawnbiesan
- @maxcoinage
- @shraiysh
- @pvliss
- @rmartinus
- @d3jie
- @ajavorskidev
- @CQuarterz
- @warrenbailey
- @lin199231
- @ghillert
- @nlebas
- @evpaassen
- @valery1707
- @pwheel
- @sunflower-seed
- @richardvaldiviesomacias
- @ir73
- @bdemers
- @iHelin
- @drumonii
- @finke-ba
- @kagof
- @bou1der
- @ief2009
- @msdousti
- @jer051
- @ksdev-pl
- @dperezcabrera