⭐ New Features
- Allow disabling dependency locking #7799
- Build task "snapshots" should not use locked dependencies #7798
- Add oauth2Login MockMvc Test Support #7789
- Manage Versions using Version Locking #7788
- Use Gradle Platform / Constraints #7787
- Idiomatic Kotlin DSL for configuring HTTP security in servlet based applications #7785
- Fix description of PasswordEncoder #7784
- Fix unchecked assignment and possible NPE #7773
- Resolve JavaType only once for whitelisted class #7755
- Set secure when cancelling remember-me cookie #7726
- Add JwtIssuerAuthenticationManagerResolver #7724
- Add opaque token test support #7712
- Remove redundant validation for redirect-uri #7706
- Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7702
- Incomplete Documentation for Setting Up MockMvc and Spring Security #7688
- Add Oidc Login Reactive Test Support #7680
- Remove consecutive-word duplications in Javadocs #7673
- Fix InitializeAuthenticationProviderBeanManagerConfigurer Javadoc #7666
- Fix minor typo in HttpSecurity documentation #7663
- Check BCrypt hashed value of a byte array #7661
- Allow configuration of AuthenticationManager in saml2Login() #7654
- Add oidcLogin MockMvc Test Support #7618
- Add OidcUserInfo.Builder #7593
- Add OidcIdToken.Builder #7592
- Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #7569
- Specify return type in InitializeUserDetailsBeanManagerConfigurer method Javadoc #7557
- In Test @AuthenticationPrincipal is null because ServerWebExchange is not wrapped #6598
- Make MethodSecurityEvaluationContext Delegate to MethodBasedEvaluationContext #6249
- Override the key to avoid CookieTheftException #5509
- Add resource server support for multiple trusted JWT access token issuers #5385
- RememberMeConfigurer does not use the key from RememberMeServices #4140
- Option in BasicAuthenticationFilter to log more exception info #3308
🪲 Bug Fixes
- OidcLoginRequestPostProcessor should respect configuration order #7794
- Fix var typo and code readability in resource server documentation #7772
- Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #7737
- Use the custom ServerRequestCache for OAuth2LoginSpec #7734
- CompositeServerHttpHeadersWriter Should Execute Sequentially #7731
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #7728
- DelegatingServerLogoutHandler Should Execute Sequentially #7723
- RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7721
- Disabling logout in WebFlux does nothing #7682
- Saml2Authentication isn't serializable #7681
- Correctly configure authorization requests repository for OAuth2 login #7675
- Error in javadoc for oauth2ResourceServer #7670
- DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #7544
- WebFlux oauth2Login returns 500 when bad client credentials #5562
🔨 Dependency Upgrades
⏪ Non-passive
- UsernamePasswordAuthenticationTokenDeserializer doesn't deserialize details to correct type #7482
❤️ Contributors
We'd like to thank all the contributors who worked on this release!