⏪ Breaking Changes
- Change interface with constants to final class #10960
- Claims contain an instance of java.net.URL and are used in hash-based containers #10673
- Consider using OAuth2Token instead of AbstractOAuth2Token #10959
- FilterSecurityInterceptor applies to every request by default #11466
- Remove deprecated allowMultipleAuthorizationRequests #11564
- Remove deprecated converters in OAuth2AccessTokenResponseHttpMessageConverter #11513
- Remove deprecated CustomUserTypesOAuth2UserService #11511
- Remove deprecated implicit authorization grant type #11506
- Remove deprecated NimbusAuthorizationCodeTokenResponseClient #11512
- Remove deprecated NimbusJwtDecoderJwkSupport #11507
- Remove deprecated OAuth2IntrospectionClaimAccessor #11499
- Remove deprecated UnAuthenticatedServerOAuth2AuthorizedClientRepository #11508
- Remove deprecations in AbstractOAuth2AuthorizationGrantRequest #11517
- Remove deprecations in AuthorizationRequestRepository #11519
- Remove deprecations in ClaimAccessor #11585
- Remove deprecations in ClientAuthenticationMethod #11516
- Remove deprecations in ClientRegistration #11518
- Remove deprecations in JwtAuthenticationConverter #11587
- Remove deprecations in OAuth2AuthorizedClientArgumentResolver #11584
- Remove deprecations in OidcClientInitiatedLogoutSuccessHandler #11565
- Remove deprecations in OidcUserInfo #11586
- Remove deprecations in ServerOAuth2AuthorizedClientExchangeFilterFunction #11589
- Remove deprecations in ServletOAuth2AuthorizedClientExchangeFilterFunction #11588
⭐ New Features
- Add LDAP runtime hints #11438
- Add Runtime Hints for basic setup #11431
- AnonymousAuthenticationFilter Accesses Session on Every Request #11465
- Consider updating testing examples to use JUnit Jupiter #10934
- CookieServerCsrfTokenRepository doesn't support setting MaxAge #11432
- Remove dependency on commons-codec by using java.util.Base64 #11319
- SAML2 customizable URLs #8873
- Update DelegatingSecurityContextTaskScheduler to implement new Required Methods #11474
- Update java version to 17.0.3-tem #11370
- Update javadoc in CommonOAuth2Provider #11490
- Use JDK 17 on build #11324
🪲 Bug Fixes
- CsrfWebFilter null save content-type check #11205
- Docs example uses `access(String)` with `authorizeHttpRequests()` #11280
- Fix method call example on documentation #11380
- Fix saganCreateRelease saganDeleteRelease Required Permissions #11423
- Fix tests using root cause for exception messages #11372
- Fix title render issue of Digest Authentication document #11291
- Fix typo in BasicLookupStrategy Javadoc #11336
- Fix typo on NimbusJwtDecoderTests #11394
- Fixed typo in comment for changePassword method #11274
- KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11354
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11379
- Should SAML metadata EntityDescriptor tag have the `md:` prefix? #11283
- Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11470
- Update usage of deprecated reactor.util.context.Context.putAll method #11476
- Use Collection in examples #11478
🔨 Dependency Upgrades
- Update aspectj-plugin to 6.5.0.3 #11524
- Update assertj-core to 3.23.1 #11531
- Update com.nimbusds to 9.38.1 #11523
- Update Gradle Enterprise plugin #11398
- Update hibernate-core-jakarta to 5.6.10.Final #11533
- Update htmlunit to 2.63.0 #11530
- Update htmlunit-driver to 2.63.0 #11538
- Update io.projectreactor to 3.5.0-M4 #11525
- Update io.r2dbc:r2dbc-h2 to 1.0.0.RC1 #11479
- Update io.spring.javaformat to 0.0.34 #11527
- Update jakarta.annotation-api to 2.1.1 #11528
- Update jakarta.servlet.jsp-api to 3.1.0 #11529
- Update jsonassert to 1.5.1 #11539
- Update junit-bom to 5.9.0-RC1 #11536
- Update org.eclipse.jetty to 11.0.11 #11532
- Update org.jetbrains.kotlin to 1.7.10 #11534
- Update org.jetbrains.kotlinx to 1.6.4 #11535
- Update org.junit.jupiter to 5.9.0-RC1 #11537
- Update org.springframework to 6.0.0-M5 #11594
- Update reactor-netty to 1.1.0-M4 #11526
- Update spring-data-jpa to 3.0.0-M5 #11540
- Update spring-ldap-core to 2.4.1 #11541
- Update to Kotlin 1.7 #11374
❤️ Contributors
We'd like to thank all the contributors who worked on this release!