⏪ Breaking Changes
- SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667
⭐ New Features
- Add AuthorizationManager that uses ExpressionHandler #11105
- Add AuthorizationManager XML Support for Filter Security #11305
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11383
- Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11229
- Add Jackson Support for Saml2AuthenticationException #11176
- Add MethodExpressionAuthorizationManager #11493
- Add relyingPartyRegistrationId to AbstractSaml2AuthenticationRequest #11195
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11393
- Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11360
- Add RoleHierarchyAuthorizationManager #11304
- Add support AuthorizationManager + #11323
- AnonymousAuthenticationFilter Accesses Session on Every Request #11457
- AuthorizationManager for WebSocket Security #11076
- Branch 5.8.x should point to samples branch 5.8.x #11203
- Build modules using Java 8 #10816
- Check Samples should run against the current artifacts #10344
- Consider updating testing examples to use JUnit Jupiter #11294
- Deprecate Resource Owner Password Credentials grant #11590
- Ensure that SecurityContext is correctly preserved in MockMvc tests when using SecurityContextHolderStrategy @Bean #11444
- HttpSessionRequestCache Causes Session Access on Every Request #11453
- Improve docs on dispatcherTypeMatcher #11505
- Improve docs on dispatcherTypeMatcher #11467
- InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11328
- Missing reactive DelegatingRequestMatcherHeaderWriter #11073
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11381
- OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11378
- OpenSaml4AuthenticationRequestResolver should have a customizable URI #10840
- Password Encoding Improvements #11482
- phoneNumberVerified field is Boolean type #11315
- Provide alternative for MD5 hashing in remember me token #8549
- Remove dependency on commons-codec by using java.util.Base64 (for 5.8.x) #11322
- Support multiple SingleLogoutService bindings #11286
- Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192
- Use SecurityContextHolderStrategy for defaults #11062
🪲 Bug Fixes
- Docs example uses access(String) with authorizeHttpRequests() #11295
- Failed signature verification on SAML2 LogoutRequest #11235
- Fix OAuth2ResourceServerConfigurer member variable using Java 9+ feature #10695
- Form Login not possible when a single OAuth2 Provider is configured #11375
- Multiple .requestMatchers().mvcMatchers() override previous one #10956
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11382
- SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11262
- ServerRequestCacheWebFilter causes WebSession to be read every request #7157
- Should SAML metadata EntityDescriptor tag have the md: prefix? #11312
- Some Security Expressions cause NPE when used within @Query #11196
- Spring Security SAML2 Single Logout After Session Expiration Not Working from External App #11389
- Use Base64 encoder with no CRLF in output for SAML 2.0 messages #11270
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11546
- Update assertj-core to 3.23.1 #11552
- Update com.nimbusds to 9.38.1 #11545
- Update hibernate-entitymanager to 5.6.10.Final #11554
- Update htmlunit to 2.63.0 #11551
- Update htmlunit-driver to 2.63.0 #11559
- Update io.projectreactor to 2020.0.21 #11548
- Update io.spring.javaformat to 0.0.34 #11550
- Update jackson-bom to 2.13.3 #11542
- Update jackson-databind to 2.13.3 #11543
- Update jackson-datatype-jsr310 to 2.13.3 #11544
- Update jsonassert to 1.5.1 #11560
- Update junit-bom to 5.9.0-RC1 #11557
- Update mockk to 1.12.4 #11547
- Update org.eclipse.jetty to 9.4.48.v20220622 #11553
- Update org.jetbrains.kotlin to 1.7.10 #11555
- Update org.jetbrains.kotlinx to 1.6.4 #11556
- Update org.junit.jupiter to 5.9.0-RC1 #11558
- Update org.springframework to 5.3.22 #11561
- Update org.springframework.data to 2021.2.2 #11562
- Update reactor-netty to 1.1.0-M4 #11549
- Update spring-ldap-core to 2.4.1 #11563
❤️ Contributors
We'd like to thank all the contributors who worked on this release!