spring-projects/spring-security 5.2.0.M1 on GitHub

⭐ New Features

Update to spring-build-conventions 0.0.23.RELEASE #6440
customization support for StrictHttpFirewall #6439
Update to Spring Data Lovelace SR4 #6438
Update to Spring Framework 5.1.4 #6437
Update to Reactor Californium-SR4 #6436
Update to Spring Boot 2.1.2 #6435
Update to htmlunit-driver 2.33.3 #6434
Update to org.powermock 2.0.0 #6433
Update to hibernate-entitymanager 5.4.0.Final #6432
Update to ehcache 2.10.6 #6431
Update to com.squareup.okhttp3 3.12.1 #6430
Update to oauth2-oidc-sdk 6.5 #6429
Update to nimbus-jose-jwt 6.5.1 #6428
Update to jackson.core 2.9.8 #6427
Update to cglib-nodep 3.2.10 #6426
Update JwtTimestampValidator.java #6416
Extract the ID Token JwtDecoderFactory to enable user customization #6415
Expose ID Token JwtDecoderFactory #6379
ID Token validation supports clock skew #6375
Polish oauth2 client ExchangeFilterFunction's #6355
Improve error messages in OidcIdTokenValidator #6349
Polish tests #6346
Removed isServlet30 check #6331
Fixes typo in x,rnc files #6326
Typo in Spring Security spring-security-x.y.rnc Files #6325
Improve error messages in OidcIdTokenValidator #6323
Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
JdbcUserDetailsManager handles extra UserDetails attributes #6309
Add WebFlux support for spring security web jackson module. #6305
Add WebFlux support for spring security web jackson module #6303
authorization_uri Supports Query Parameters #6299
Extract OidcTokenValidator to an OAuth2TokenValidator #6298
Remove check for method HttpServletRequest#getHeader and related test #6290
Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
Validate Scopes in ClientRegistration.Builder #6285
Allow setting realm for Http Basic #6279
Add cookieDomain to CookieCsrfTokenRepository #6276
Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
Remove Servlet 2.5 Support for Session Fixation #6259
Add DelegatingSecurityContextTaskScheduler #6257
Validate ClientRegistration.scopes #6256
RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #6241
Improve error message for Chinese #6240
Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
Add Reactive Support for UserDetailsChecker #6229
SessionRegistryImpl uses computeIfAbsent #6221
Accept a case-insensitive "Bearer" keyword #6210
Restored Jacoco default task dependence #6200
Added support for Anonymous Authentication #6198
Update to Gradle 5.0 #6197
Make CachingUserDetailsService Public #6196
Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
Use SpringUtils to check scheme #6185
BasicAuthenticationFilter could check the scheme more efficiently #6183
ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
Update to Gradle 5.0 #6148
Update com.squareup.okhttp3 deps to 3.12.0 #6142
Add GenericConversionService with support for UUID and Strings #6141
Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
Remove unused compile dependency in javaconfig x509 sample #6130
Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
WebClient support should get new access token when expired and client_credentials #6127
AesBytesEncryptorTests should check available key strengths before running #6121
CookieClearingLogoutHandler enhancement #6116
Update to Gradle 4.10.2 #6114
Update to oauth2-oidc-sdk:6.2 #6101
Update webflux-form sample to use Built in CSRF Support #6097
Update to nimbus-jose-jwt:6.3 #6095
Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
Update to Spring Boot 2.1.0.RELEASE #6082
Make AesBytesEncryptor public #6079
CookieClearingLogoutHandler for different Paths #6078
Upgrade to neko-htmlunit 2.33 #6074
Reactive OAuthResourceServerSpec should allow custom error handling #6052
AuthenticationConfiguration respects primary beans #6035
Migraged unit test from groovy to java #6016
Reactive Nimbus Jwt Decoder should convert claims #6015
Remove unnecessary concatenation of sql in JdbcUserDetailsManager #5999
Update to spring-build-conventions:0.0.20.RELEASE #5998
Add BCrypt Revision Support #5992
Fix JDK 10 Build #5982
Add NimbusJwtDecoder #5936
Replace OidcTokenValidator with OAuth2TokenValidator implementation #5930
Allow in-memory client registration repos to be constructed with a map #5918
WebClient support should get new access token when expired and client_credentials #5893
ID Token validation should support clock skew #5839
SessionRegistryImpl should use computeIfAbsent #5834
Allow configurable JwtDecoder for ID Token verification #5751
Allow configurable JwtDecoder for IdToken verification #5717
Nimbus Jwt Decoder Configurability #5648
Resource Server Sample should support a static key #5486
Allow configuration of RSA Public Key for Resource Server #5131
Custom Base64EncodingTextEncryptor not possible for Encryptors.queryableText() #5099
AclClassIdUtils should be public #4819
Make JdbcUserDetailsManager to be able to handle UserDetails'es: nonLocked, nonExpired, credentialsNonExpired #4399
Allow to set the cookie domain in class CookieCsrfTokenRepository #4315
AuthenticationConfiguration.lazyBean(AuthenticationManager.class) should honor @primary if multiple candidates are available #3912
SEC-3121: Support for bcrypt revision $2b$ #3320

🪲 Bug Fixes

Save query parameters in WebSessionServerRequestCache #6441
WebSessionServerRequestCache doesn't save URL query parameters #6421
Fix Typo cconfigured -> configured #6361
UrlAuthorizationConfigurer should not call hasRole(ROLE_ANONYMOUS) #6353
Fix UsernamePasswordAuthenticationTokenDeserializer with Customizations #6334
fixes setting paramName only when it is not null #6332
Fix LazyCsrfTokenRepository Javadoc Typo #6330
Add conditionally servlet based support for spring security web jackson module #6304
Add conditionally servlet based support for spring security web jackson module #6302
Fix LoginPageGeneratingWebFilter Markup #6295
Fix DefaultLoginPageGeneratingFilter Markup #6287
AuthenticationFailureBadCredentialsEvent published twice #6281
MethodSecurityEvaluationContext Should Check Parameter Names Are Not Null #6223
Fixed Git SCM book link #6203
SecurityContextCallableProcessingInterceptor thread visibility fix #6144
Fix typo in exception message #6136
WebClientReactiveClientCredentialsTokenResponseClient.getTokenRespons… #6105
http.requestCache().disable() not working #6102
WebClientReactiveClientCredentialsTokenResponseClient should fail if not 2xx status #6089
OAuth2AccessTokenResponseBodyExtractor should support Object values #6087
Fix Typo in Reference Docs #6085
Fix Typo in Reference Docs #6076
JwtIssuerValidator should use URL.toExternalForm #6073
Fix Maven Property spring-security.version in reference #6066
Fix Maven Property spring-security.version in reference #6065
Fix issue with PostgreSQL: org.postgresql.util.PSQLException #6050
InMemoryUserDetailsManager.updatePassword case-insenstive #6039
Facebook Login Failing in Spring Boot 2.1.0.RC1 #6017
AuthenticationSuccessEvent not published for oauth2Login() #6009
Fix CONTRIBUTING.md formatting #6000
Fixing X509 Principal Extractor regex examples #5770 #5988
Fix IllegalStateException message in OAuth2ResourceServerConfigurer #5986
adding query parameter to authorization_uri creates malformed url #5760
Spring Security ACL: No operator matches the given name and argument type #5508
Security-related HTTP headers not written if response is committed during INCLUDE dispatch #5499
RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #4876

❤️ Contributors

We'd like to thank all the contributors who worked on this release!