spring-projects/spring-security 5.4.0-M1 on GitHub

⭐ New Features

Jenkins does not need to build on JDK 9 and 10 #8482
Upgrade Freefair AspectJ plugin to v5.0.1 #8456
AesBytesEncryptor constructor that uses secret key #8443
Rename Preface to Introduction #8411
TestSaml2X509Credentials should only return Saml2X509Credential instances #8404
Saml2CryptoTestSupport and TestSaml2AuthenticationObjects should be one class #8403
Allow creating AesBytesEncryptor with key #8402
Add Flag to enable searching of LDAP groups on subtrees #8400
Documented dependencies for opaque Resource Server #8394
Allow expose JwtAuthenticationConverter as a bean for Resource Server #8379
Use Kotlin DSL Marker Annotations to prevent scope leaking in WebFlux DSL #8366
Saml2AuthenticationRequestContext should be extendible #8356 #8364
Add constructors receiving AuthenticationManager #8362
Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8361
Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359
Validate ID Token Issuer #8357
Saml2AuthenticationRequestContext should be extendible #8356
Add authorize() DSL method that accepts HttpMethod #8350
Allow custom header during bearer token extraction #8341
Allow specify header in ServerBearerTokenAuthenticationConverter #8337
Provide possibility to use custom cache to store JWK Set #8332
Adding Map support to DefaultMethodSecurityExpressionHandler #8331
BCryptPasswordEncoder rawPassword cannot be null #8330
Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login #8324
Open ID Connect ID Token Issuer not validated #8321
Add addFilterAfter and addFilterBefore to Kotlin DSL #8319
Added setPrincipalClaimName to JwtAuthenticationConverter #8318
BCryptPasswordEncoder.encode() throws NPE #8317
HttpSecurityDsl does not support addFilterBefore and addFilterAfter #8316
AuthorizeRequestsDsl doesn't allow HTTP Method to be specified #8307
SpringTestContext returns ConfigurableWebApplicationContext #8233
Clarify use case for ServerBearerExchangeFilterFunction #8220
Update Encryptors documentation for standard and stronger #8208
Upgrade to Gradle Enterprise Plugin 3.2 #8205
Add Figures to Resource Server Docs #8184
Add Figures to Resource Server Docs #8182
Document JwtGrantedAuthoritiesConverter #8176
Fix userNameAttribute property case style #8171
userNameAttribute case style is different others #8169
Polish SAML 2.0 Login Sample #8163
Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8152
Assign sensible default for OAuth2AuthorizedClientProvider #8150
OpenSamlImplementation should not use reflection #8147
Allow port=0 for LDAP Servers #8139
LDAP server configuration should support port=0 #8138
Use io.spring.gradle-enterprise-conventions #8115
Replace VersionsResourceTasks with WriteProperties #8114
Improve Build Performance #8113
Document OAuth 2.0 Login XML Support #8110
Fix exception from empty basic auth header token #8109
Fix typo 'properites' -> 'properties' in documentation #8096
Document AuthenticationEventPublisher improvements #8081
Document AuthNRequest POST binding support #8079
Document AuthNRequest signature support #8078
Document OAuth 2.0 Resource Server XML Support #8077
Document Jackson serialization support for OAuth 2.0 Client #8075
Document OAuth 2.0 Client XML Support #8074
Document OAuth2Authorization success and failure handlers #8073
Document OIDC Logout Success Handler Improvements #8072
Document OAuth 2.0 Authorization Request improvements #8071
Add OAuth 2.0 Test Support Docs #8050
Add server request cache that uses cookie #8033
Basic auth header without user results in exception #7976
Add RequestRejectedHandler #7052
OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #5633
Idiomatic Kotlin DSL for configuring HTTP security #5558
SessionRegistryImpl is now aware of SessionIdChangedEvent #5439
SessionRegistryImpl is not aware of SessionIdChange events. #5438
SwitchUserFilter vulnerable to CSRF #4183

🪲 Bug Fixes

Fix Javadoc punctuation #8480
Fixed typos in documentation #8454
Support update when saving with JdbcOAuth2AuthorizedClientService #8435
JdbcOAuth2AuthorizedClientService should support update when saving #8425
OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8421
ActiveDirectoryLdapAuthenticationProvider uses InternalAuthenticationServiceException #8418
Fix mismatch between CONTRIBUTING.adoc and .editorconfig #8417
Fix Documentation to Refer to BasicAuthenticationFilter #8414
Add ROLE_INFRASTRUCTURE to infrastructure beans #8407
Fix typo with correct capitalization #8406
Global ServerSecurityContextRepository ignored by logout #8375
Fix example in javadoc of FilterChainProxy #8344
Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #8336
Fixes gh-8187 : OAuth2 ClientRegistrations UserInfo endpoint NPE fix #8206
OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #8177
Make OAuth2ErrorHttpMessageConverter more resilient #8157
RSocket test should throw AccessDeniedException #8154
Fix typo in Javadoc of HttpSecurity#csrf() #8130
Fix Documentation to Refer to BasicAuthenticationFilter #8119
oauth2Login WebFlux should not auto-redirect for XHR request #8118
NPE thrown when token response contains a null value #8108
HttpServletRequest.logout() not functioning #4760
Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #4404

🔨 Dependency Upgrades

Update to aspectj-plugin:4.1.6 #8305

⏪ Non-passive

Transfer session's max inactive interval in SessionFixationProtectionStrategy #5441
SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

❤️ Contributors

We'd like to thank all the contributors who worked on this release!