github spring-projects/spring-security 5.8.0-M1

pre-release, 2 years ago

⏪ Breaking Changes

  • SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667

⭐ New Features

  • Add AuthorizationManager that uses ExpressionHandler #11105
  • Add AuthorizationManager XML Support for Filter Security #11305
  • Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11383
  • Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11229
  • Add Jackson Support for Saml2AuthenticationException #11176
  • Add MethodExpressionAuthorizationManager #11493
  • Add relyingPartyRegistrationId to AbstractSaml2AuthenticationRequest #11195
  • Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11393
  • Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11360
  • Add RoleHierarchyAuthorizationManager #11304
  • Add support AuthorizationManager + #11323
  • AnonymousAuthenticationFilter Accesses Session on Every Request #11457
  • AuthorizationManager for WebSocket Security #11076
  • Branch 5.8.x should point to samples branch 5.8.x #11203
  • Build modules using Java 8 #10816
  • Check Samples should run against the current artifacts #10344
  • Consider updating testing examples to use JUnit Jupiter #11294
  • Deprecate Resource Owner Password Credentials grant #11590
  • Ensure that SecurityContext is correctly preserved in MockMvc tests when using SecurityContextHolderStrategy @Bean #11444
  • HttpSessionRequestCache Causes Session Access on Every Request #11453
  • Improve docs on dispatcherTypeMatcher #11505
  • Improve docs on dispatcherTypeMatcher #11467
  • InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11328
  • Missing reactive DelegatingRequestMatcherHeaderWriter #11073
  • OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11381
  • OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11378
  • OpenSaml4AuthenticationRequestResolver should have a customizable URI #10840
  • Password Encoding Improvements #11482
  • phoneNumberVerified field is Boolean type #11315
  • Provide alternative for MD5 hashing in remember me token #8549
  • Remove dependency on commons-codec by using java.util.Base64 (for 5.8.x) #11322
  • Support multiple SingleLogoutService bindings #11286
  • Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192
  • Use SecurityContextHolderStrategy for defaults #11062

🪲 Bug Fixes

  • Docs example uses access(String) with authorizeHttpRequests() #11295
  • Failed signature verification on SAML2 LogoutRequest #11235
  • Fix OAuth2ResourceServerConfigurer member variable using Java 9+ feature #10695
  • Form Login not possible when a single OAuth2 Provider is configured #11375
  • Multiple .requestMatchers().mvcMatchers() override previous one #10956
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11382
  • SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11262
  • ServerRequestCacheWebFilter causes WebSession to be read every request #7157
  • Should SAML metadata EntityDescriptor tag have the md: prefix? #11312
  • Some Security Expressions cause NPE when used within @Query #11196
  • Spring Security SAML2 Single Logout After Session Expiration Not Working from External App #11389
  • Use Base64 encoder with no CRLF in output for SAML 2.0 messages #11270

🔨 Dependency Upgrades

  • Update aspectj-plugin to 6.5.0.3 #11546
  • Update assertj-core to 3.23.1 #11552
  • Update com.nimbusds to 9.38.1 #11545
  • Update hibernate-entitymanager to 5.6.10.Final #11554
  • Update htmlunit to 2.63.0 #11551
  • Update htmlunit-driver to 2.63.0 #11559
  • Update io.projectreactor to 2020.0.21 #11548
  • Update io.spring.javaformat to 0.0.34 #11550
  • Update jackson-bom to 2.13.3 #11542
  • Update jackson-databind to 2.13.3 #11543
  • Update jackson-datatype-jsr310 to 2.13.3 #11544
  • Update jsonassert to 1.5.1 #11560
  • Update junit-bom to 5.9.0-RC1 #11557
  • Update mockk to 1.12.4 #11547
  • Update org.eclipse.jetty to 9.4.48.v20220622 #11553
  • Update org.jetbrains.kotlin to 1.7.10 #11555
  • Update org.jetbrains.kotlinx to 1.6.4 #11556
  • Update org.junit.jupiter to 5.9.0-RC1 #11558
  • Update org.springframework to 5.3.22 #11561
  • Update org.springframework.data to 2021.2.2 #11562
  • Update reactor-netty to 1.1.0-M4 #11549
  • Update spring-ldap-core to 2.4.1 #11563

❤️ Contributors

We'd like to thank all the contributors who worked on this release!
