⭐ New Features
- Constrain Nimbus dependencies to compatible majors #9400
- Misleading manifestation of error condition #9395
- Remove private BearerTokenAuthenticationWebFilter #9377
- Migrate SAML 2.0 Samples to Use PCFOne #9362
- Add manual trigger to CI workflow #9360
- Use Nimbus's SingleKeyJWSKeySelector #9348
- Extend CorsDsl with CorsConfigurationSource property #9333
- Make max-sessions configurable #9328
- Add Revved up by Gradle Enterprise badge to README #9327
- WebFlux oauth2Login with formLogin test #9326
- No converter found for RSAPublicKey #9316
- Extend CorsDsl with CorsConfigurationSource property #9314
- Removes unused code #9294
- Use constant time comparisons for CSRF tokens #9291
- Introduced DispatcherType request matcher #9278
- Add permissionsPolicy http header #9265
- Add permissionsPolicy header in HeadersConfigurers #9262
- Deprecate ClientAuthenticationMethod BASIC and POST #9220
- Fix javadoc in Pbkdf2PasswordEncoder #9219
- Added ClaimAccessor#hasClaim #9218
- Improve handling of non-String principal claim values #9215
- Improve handling of non-String principal claim values #9212
- getRemoteUser() returns principal name #9211
- Match requests based on servlet dispatcher type #9205
- Return type of oauth2.core.ClaimAccessor#containsClaim(String) could be a primitive boolean #9201
- Allow maximum age of csrf cookie to be configured #9196
- SecurityWebApplicationContextUtils cleanup gh-8868 #9194
- Decode cookie once in AbstractRememberMeServices #9192
- Add convenience constructor in OAuth2AuthenticationException #9190
- JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186
- Make salt length configurable in Pbkdf2PasswordEncoder #9147
- Resource Server should identify unauthorized REST requests like HTTP Basic does #9100
- Add AuthorizationManager #8996
- OpenSamlAuthenticationProvider should validate Response Status #8955
- Build Github Actions CI pipeline #8698
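Of the items above, "Use constant time comparisons for CSRF tokens" (#9291) is the one whose security reasoning is least obvious from a one-line title. The following is an added example written for these notes, not code from Spring Security itself: it puts a short-circuiting `String.equals` check beside a constant-time check built on the JDK's `MessageDigest.isEqual`, using only the standard library. The class and method names (`CsrfTokenCompare`, `equalsEarlyExit`, `equalsConstantTime`, `newToken`) are chosen here for illustration and are not Spring Security identifiers.

```java
// Added example, not Spring Security's own code.
//
// Why it matters: String.equals() returns as soon as it finds a differing
// character, so the time a CSRF filter spends comparing the submitted token
// against the expected one depends on how long their common prefix is. An
// attacker who can measure response time can therefore recover the token one
// character at a time. MessageDigest.isEqual() (constant-time for equal-length
// inputs since Java 6u17) walks the full length regardless of where the first
// mismatch is, so the comparison time no longer depends on the guess.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class CsrfTokenCompare {

    // Vulnerable form: String.equals short-circuits on the first differing
    // character, leaking the length of the matching prefix through timing.
    static boolean equalsEarlyExit(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    // Hardened form: compare the UTF-8 bytes in constant time.
    // A missing or null submitted token is simply "no match"; only a full,
    // byte-for-byte equal token is accepted.
    static boolean equalsConstantTime(String expected, String actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null) {
            return false;
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] actualBytes = actual.getBytes(StandardCharsets.UTF_8);
        // Caveat: isEqual returns false immediately when the lengths differ.
        // That is acceptable here because the token length is fixed by the
        // generator and therefore already public; it is not a secret to leak.
        return MessageDigest.isEqual(expectedBytes, actualBytes);
    }

    // Constructed token generator for the demo: 32 random bytes, URL-safe
    // Base64 without padding, so every token has the same length.
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String token = newToken();

        // Two wrong guesses: one differs in the first character (the early-exit
        // comparison stops almost immediately), one differs only in the last
        // character (the early-exit comparison scans the whole string).
        char first = token.charAt(0) == 'A' ? 'B' : 'A';
        char last = token.charAt(token.length() - 1) == 'A' ? 'B' : 'A';
        String wrongFirstChar = first + token.substring(1);
        String wrongLastChar = token.substring(0, token.length() - 1) + last;

        // Both implementations give the same answers; only their timing
        // behaviour differs.
        System.out.println("genuine token, early-exit   : " + equalsEarlyExit(token, token));
        System.out.println("genuine token, constant-time: " + equalsConstantTime(token, token));
        System.out.println("first char wrong, early-exit   : " + equalsEarlyExit(token, wrongFirstChar));
        System.out.println("first char wrong, constant-time: " + equalsConstantTime(token, wrongFirstChar));
        System.out.println("last char wrong, early-exit    : " + equalsEarlyExit(token, wrongLastChar));
        System.out.println("last char wrong, constant-time : " + equalsConstantTime(token, wrongLastChar));
        System.out.println("missing token, constant-time   : " + equalsConstantTime(token, null));
    }
}
```

The point of the example is the second method: a filter that accepts the token from a header or a request parameter should run the submitted value and the expected value through a comparison whose duration does not depend on their contents. Any per-request work that is done before the comparison (cookie decoding, session lookup) is fine as long as the comparison itself is constant-time.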
🪲 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9421
- Update saml2-login.adoc #9408
- Allow null or empty authorities for DefaultOAuth2User #9380
- Wrong example name in Spring Security documentation #9379
- Remove notEmpty check for authorities in DefaultOAuth2User #9366
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9337
- Make user info response status check error only #9336
- Fix bug with multiple AuthenticationManager beans #9329
- Fixed NullPointerException with WWW-Authenticate #9303
- Exception when declaring multiple AuthenticationManager beans #9256
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject #9222
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9210
- CookieRequestCache handles URL encoded query parameters incorrectly #9203
- Fix typo in JdbcDaoImpl Javadoc #9197
- WithSecurityContextTestExecutionListener should respect NestedTestConfiguration #9193
- Customizing the metadata endpoint does not work #9133
🔨 Dependency Upgrades
- Update to GAE 1.9.86 #9445
- Update to Kotlin 1.4.30 #9444
- Update to Spring Boot 2.4.2 #9443
- Update Gradle Enterprise Gradle Plugin #9335
❤️ Contributors
We'd like to thank all the contributors who worked on this release!