spring-projects/spring-security 5.4.0-M2 on GitHub

⭐ New Features

Add reified function variants to security DSL #8771
OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse #8766
LDAP Integration Tests Should Use Random Port #8762
Use memory-saving Collections.singletonList in JdbcAclService.readAclById() #8756
Merge Spring security with dependencies #8755
Add Configurable secure flag in CookieCsrfTokenRepository #8749
Fix typo in OAuth2AccessTokenResponse #8746
Allow customizing JWTProcessor passed to NimbusJwtDecoder #8745
Use Spring Snapshots in Snapshot Build Again #8712
Update pipeline to run for PRs to all branches #8711
Remove Travis pipeline and README badge #8710
Reject the NULL character in paths in StrictHttpFirewall #8703
OAuth2AccessTokenResponse.expiresIn() is ignored when initialized from another response #8702
OAuth2AuthorizedClientArgumentResolver could use OAuth2AuthorizedClientManager registered in context #8700
Kotlin Configuration DSL: Use reified types wherever a class is used as a parameter #8697
ProviderManager Should Use CollectionUtils#contains #8695
ProviderManager#checkState() throws NullPointerException #8689
Set up Github Actions pipeline for PRs #8680
Deprecate X-Frame-Options ALLOW-FROM #8677
Replace whitelist/blacklist with allowlist/blocklist #8676
Register OAuth2AuthorizedClientArgumentResolver for XML Config #8669
Getting response attributes from Saml2AuthenticatedPrincipal #8667
Ability to easily read attribute values from SAML response #8661
DefaultOAuth2AuthorizationRequestResolver Should Not Consume Request Body #8651
StrictHttpFirewall: Validate headers and parameters #8644
JwtDecoder should use Nimbus multiple-algorithm support #8623
Remove ClientRegistrationRepository Mock Beans from Samples #8606
oauth2Client Test Support should not require an HttpSessionOAuth2AuthorizedClientRepository #8603
Add tokenFromMultipartDataEnabled to server CSRF Kotlin DSL #8602
Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter #8587
FilterInvocation Support Default Methods on HttpServletRequest #8566
Update to JQuery 3.5.1 #8557
Saml2WebSsoAuthenticationRequesFilter should be post-processed #8552
Move TestRelyingPartyRegistrations #8551
Configuration defaults to SessionRegistry bean #8548
Update BCryptPasswordEncoder documentation with default strength #8542
authorization_code grant should use same ServerRequestCache #8536
Avoid using "/path/**/other" patterns in WebFlux PathPatternParser #8513
Add debug logging to Reactive Web #8504
Add issuerUri to ClientRegistration.providerDetails #8501
Use Opaquetoken properties to configure timeouts #8488
Update Traditional Chinese translation. #8483
Allow port=0 for ApacheDSContainer #8416
Throw exception if URL does not include context path when context relative #8399
Added setter to make RequestCache injectable #8392
Consider adding ClientRegistration.providerDetails.issuerUri #8326
Merge Project Modules and Dependencies Section of the docs #8199
Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter #8120
formLogin() does not work with REST Docs #7572

🪲 Bug Fixes

SwitchUserFilter.setExitUserMatcher Javadoc is incorrect #8744
SwitchUserFilter.setUserDetailsChecker is missing Javadoc #8743
Fix SecurityContext creation for TEST_EXECUTION #8738
ReactorContext not available in PayloadSocketAcceptor delegate.accept #8654
DefaultWebSecurityExpressionHandler uses RoleHierarchy bean #8652
DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650
Fix broken link in spring security reference document #8618
Delay AuthenticationPrincipalArgumentResolver Lookup #8613
OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8609
spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
Fix typos in BCryptPasswordEncoder documentation #8586
Fixing typo in SAML 2.0 Sample README #8581
Message Compose in JavaConfig hellojs Sample Fails #8556
Java Config hellojs Sample Login Fails #8555
XML OpenID sample should POST to logout #8554
Remove unused field 'digester' in Md4PasswordEncoder #8553
Polish JDBC Authentication documentation #8550
Fix Kotlin Sample Documentation #8540
Object ID Identicy conversion to long fails on old schema #8538
Create the CSRF token on the bounded elactic scheduler #8534
Fix AntPathRequestMatcher Javadoc #8512
Document NoOpPasswordEncoder will not be removed #8508
Document NoOpPasswordEncoder will not be removed #8506
Fix code snippets to configure timeouts #8487
Fix non-standard HTTP method for CsrfWebFilter #8452
Blocking in WebSessionServerCsrfTokenRepository #8128
Object ID Identity conversion to long fails on old schema #7621
RoleHierarchy is not used by AbstractAuthorizeTag #7059
Prevent StackOverflowError for AccessControlEntryImpl.hashCode #6820
ACL : AclImpl.hashCode leads to StackOverflowError #5401

🔨 Dependency Upgrades

Update to Spring Boot 2.4.0-M1 #8787
Update to Kotlin 1.3.72 #8786
Update to Google App Engine 1.7.80 #8785
Update to spring-build-conventions:0.0.33.RELEASE #8759
Update to Spring Boot 2.3.0 #8605
Update to Gradle 6.4.1 #8604
Update to spring-build-conventions:0.0.32.RELEASE #8499

❤️ Contributors

We'd like to thank all the contributors who worked on this release!