github spring-projects/spring-security 5.2.0.M1

pre-release, 5 years ago

⭐ New Features

  • Update to spring-build-conventions 0.0.23.RELEASE #6440
  • customization support for StrictHttpFirewall #6439
  • Update to Spring Data Lovelace SR4 #6438
  • Update to Spring Framework 5.1.4 #6437
  • Update to Reactor Californium-SR4 #6436
  • Update to Spring Boot 2.1.2 #6435
  • Update to htmlunit-driver 2.33.3 #6434
  • Update to org.powermock 2.0.0 #6433
  • Update to hibernate-entitymanager 5.4.0.Final #6432
  • Update to ehcache 2.10.6 #6431
  • Update to com.squareup.okhttp3 3.12.1 #6430
  • Update to oauth2-oidc-sdk 6.5 #6429
  • Update to nimbus-jose-jwt 6.5.1 #6428
  • Update to jackson.core 2.9.8 #6427
  • Update to cglib-nodep 3.2.10 #6426
  • Update JwtTimestampValidator.java #6416
  • Extract the ID Token JwtDecoderFactory to enable user customization #6415
  • Expose ID Token JwtDecoderFactory #6379
  • ID Token validation supports clock skew #6375
  • Polish oauth2 client ExchangeFilterFunction's #6355
  • Improve error messages in OidcIdTokenValidator #6349
  • Polish tests #6346
  • Removed isServlet30 check #6331
  • Fixes typo in x,rnc files #6326
  • Typo in Spring Security spring-security-x.y.rnc Files #6325
  • Improve error messages in OidcIdTokenValidator #6323
  • Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
  • JdbcUserDetailsManager handles extra UserDetails attributes #6309
  • Add WebFlux support for spring security web jackson module. #6305
  • Add WebFlux support for spring security web jackson module #6303
  • authorization_uri Supports Query Parameters #6299
  • Extract OidcTokenValidator to an OAuth2TokenValidator #6298
  • Remove check for method HttpServletRequest#getHeader and related test #6290
  • Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
  • Validate Scopes in ClientRegistration.Builder #6285
  • Allow setting realm for Http Basic #6279
  • Add cookieDomain to CookieCsrfTokenRepository #6276
  • Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
  • Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
  • Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
  • Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
  • Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
  • Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
  • Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
  • Remove Servlet 2.5 Support for Session Fixation #6259
  • Add DelegatingSecurityContextTaskScheduler #6257
  • Validate ClientRegistration.scopes #6256
  • RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefaults #6241
  • Improve error message for Chinese #6240
  • Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
  • AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
  • JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
  • Add Reactive Support for UserDetailsChecker #6229
  • SessionRegistryImpl uses computeIfAbsent #6221
  • Accept a case-insensitive "Bearer" keyword #6210
  • Restored Jacoco default task dependence #6200
  • Added support for Anonymous Authentication #6198
  • Update to Gradle 5.0 #6197
  • Make CachingUserDetailsService Public #6196
  • Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
  • Use SpringUtils to check scheme #6185
  • BasicAuthenticationFilter could check the scheme more efficiently #6183
  • ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
  • According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
  • Update to Gradle 5.0 #6148
  • Update com.squareup.okhttp3 deps to 3.12.0 #6142
  • Add GenericConversionService with support for UUID and Strings #6141
  • Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
  • Remove unused compile dependency in javaconfig x509 sample #6130
  • Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
  • Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
  • WebClient support should get new access token when expired and client_credentials #6127
  • AesBytesEncryptorTests should check available key strengths before running #6121
  • CookieClearingLogoutHandler enhancement #6116
  • Update to Gradle 4.10.2 #6114
  • Update to oauth2-oidc-sdk:6.2 #6101
  • Update webflux-form sample to use Built in CSRF Support #6097
  • Update to nimbus-jose-jwt:6.3 #6095
  • Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
  • Update to Spring Boot 2.1.0.RELEASE #6082
  • Make AesBytesEncryptor public #6079
  • CookieClearingLogoutHandler for different Paths #6078
  • Upgrade to neko-htmlunit 2.33 #6074
  • Reactive OAuthResourceServerSpec should allow custom error handling #6052
  • AuthenticationConfiguration respects primary beans #6035
  • Migrated unit test from groovy to java #6016
  • Reactive Nimbus Jwt Decoder should convert claims #6015
  • Remove unnecessary concatenation of sql in JdbcUserDetailsManager #5999
  • Update to spring-build-conventions:0.0.20.RELEASE #5998
  • Add BCrypt Revision Support #5992
  • Fix JDK 10 Build #5982
  • Add NimbusJwtDecoder #5936
  • Replace OidcTokenValidator with OAuth2TokenValidator implementation #5930
  • Allow in-memory client registration repos to be constructed with a map #5918
  • WebClient support should get new access token when expired and client_credentials #5893
  • ID Token validation should support clock skew #5839
  • SessionRegistryImpl should use computeIfAbsent #5834
  • Allow configurable JwtDecoder for ID Token verification #5751
  • Allow configurable JwtDecoder for IdToken verification #5717
  • Nimbus Jwt Decoder Configurability #5648
  • Resource Server Sample should support a static key #5486
  • Allow configuration of RSA Public Key for Resource Server #5131
  • Custom Base64EncodingTextEncryptor not possible for Encryptors.queryableText() #5099
  • AclClassIdUtils should be public #4819
  • Make JdbcUserDetailsManager to be able to handle UserDetails'es: nonLocked, nonExpired, credentialsNonExpired #4399
  • Allow to set the cookie domain in class CookieCsrfTokenRepository #4315
  • AuthenticationConfiguration.lazyBean(AuthenticationManager.class) should honor @primary if multiple candidates are available #3912
  • SEC-3121: Support for bcrypt revision $2b$ #3320

🪲 Bug Fixes

  • Save query parameters in WebSessionServerRequestCache #6441
  • WebSessionServerRequestCache doesn't save URL query parameters #6421
  • Fix Typo cconfigured -> configured #6361
  • UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) #6353
  • Fix UsernamePasswordAuthenticationTokenDeserializer with Customizations #6334
  • fixes setting paramName only when it is not null #6332
  • Fix LazyCsrfTokenRepository Javadoc Typo #6330
  • Add conditionally servlet based support for spring security web jackson module #6304
  • Add conditionally servlet based support for spring security web jackson module #6302
  • Fix LoginPageGeneratingWebFilter Markup #6295
  • Fix DefaultLoginPageGeneratingFilter Markup #6287
  • AuthenticationFailureBadCredentialsEvent published twice #6281
  • MethodSecurityEvaluationContext Should Check Parameter Names Are Not Null #6223
  • Fixed Git SCM book link #6203
  • SecurityContextCallableProcessingInterceptor thread visibility fix #6144
  • Fix typo in exception message #6136
  • WebClientReactiveClientCredentialsTokenResponseClient.getTokenRespons… #6105
  • http.requestCache().disable() not working #6102
  • WebClientReactiveClientCredentialsTokenResponseClient should fail if not 2xx status #6089
  • OAuth2AccessTokenResponseBodyExtractor should support Object values #6087
  • Fix Typo in Reference Docs #6085
  • Fix Typo in Reference Docs #6076
  • JwtIssuerValidator should use URL.toExternalForm #6073
  • Fix Maven Property spring-security.version in reference #6066
  • Fix Maven Property spring-security.version in reference #6065
  • Fix issue with PostgreSQL: org.postgresql.util.PSQLException #6050
  • InMemoryUserDetailsManager.updatePassword case-insensitive #6039
  • Facebook Login Failing in Spring Boot 2.1.0.RC1 #6017
  • AuthenticationSuccessEvent not published for oauth2Login() #6009
  • Fix CONTRIBUTING.md formatting #6000
  • Fixing X509 Principal Extractor regex examples #5770 #5988
  • Fix IllegalStateException message in OAuth2ResourceServerConfigurer #5986
  • adding query parameter to authorization_uri creates malformed url #5760
  • Spring Security ACL: No operator matches the given name and argument type #5508
  • Security-related HTTP headers not written if response is committed during INCLUDE dispatch #5499
  • RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefaults #4876

❤️ Contributors

We'd like to thank all the contributors who worked on this release!
