spring-projects/spring-security 6.0.0-RC1

on GitHub

⏪ Breaking Changes

• RequestMatcherDelegatingAuthorizationManager should deny when no match #11958
• Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #9429
• BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347
• Default to DelegatingSecurityContextRepository in SecurityContextConfigurer #12049
• Default to Xor CSRF protection #11960
• Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository #11026
• OidcUserAuthority should not automatically include ROLE_USER authority #7856
• Remove deprecated constructors in PasswordEncoders #11985
• Remove deprecated CsrfSpec.tokenFromMultipartDataEnabled #12020
• Remove deprecated CsrfWebFilter.setTokenFromMultipartDataEnabled #12019
• Remove Deprecated OpenSAML 3 Support #11789
• Remove deprecated RequestMatcher methods from Java Configuration #11939
• Remove OpenSAML3 support #10556
• Remove WebSecurityConfigurerAdapter #11923
• Remove WebSecurityConfigurerAdapter #10902
• Resource Server Package Name Inconsistencies #7349
• SAML 2.0 filters should be in the web package #8819
• Update Defaults for Smarter Session Access #11454
• Use MvcRequestMatcher by default if Spring MVC is present #11899
• WebAuthenticationDetails#hashCode often returns zero #4133
• XSS protection should be set to 0 by default per updated OWASP recommendation #9631

⭐ New Features

• Add 'securityMatcher' as an alias of 'requestMatcher' #11945
• Add native hint for OAuth2 Client's schemas #11920
• Add native hint for the users JDBC schema #11907
• Add static factory methods to RequestMatcher implementations #11978
• Add XML support for shouldFilterAllDispatcherTypes #11971
• automatically manage docs version (with collector) #11957
• Change XML default use-authorization-manager="true" #11929
• Default to shouldFilterAllDispatcherTypes=true in XML #11970
• Deprecate HPKP security header #11937
• Enabling authenticationIsRequired to be overridden for custom checks.… #10971
• HttpSecurityConfiguration should configure ContentNegotiationStrategy #11922
• Observability #11906
• SessionManagementDsl.requireExplicitAuthenticationStrategy #11928
• Simplify Java Configuration RequestMatcher Usage #11940
• Smarter HttpSession Access #6125
• Update What's New in 6.0 #12024

🪲 Bug Fixes

• Build fails with missing project property cloneOutputDirectory #11981
• Possible misconfiguration of SecurityContextRepository #12023
• SAML Logout move onload script to body tag #11881
• SecurityContextImpl does not have hints to resolve the Authentication #11987

🔨 Dependency Upgrades

• Update to Spring Data 2022.0.0-RC1 #12066
• Update to Spring LDAP 3.0.0-RC1 #12067
• Upgrade to Update hibernate-core to 6.1.4.Final #12038
• Upgrade to Update htmlunit to 2.65.1 #12039
• Upgrade to Update htmlunit-driver to 2.65.0 #12034
• Upgrade to Update io.spring.javaformat to 0.0.35 #12040
• Upgrade to Update jackson-bom to 2.13.4.20221013 #12042
• Upgrade to Update junit-bom to 5.9.1 #12036
• Upgrade to Update logback-classic to 1.4.4 #12043
• Upgrade to Update mockk to 1.13.2 #12041
• Upgrade to Update org.jetbrains.kotlin to 1.7.20 #12037
• Upgrade to Update org.mockito to 4.8.1 #12035
• Upgrade to Update org.slf4j to 2.0.3 #12033
• Upgrade to Update to Micrometer 1.10.0-RC1 #12046
• Upgrade to Update to Reactor 2022.0.0-RC1 #12045
• Upgrade to Update to Spring Framework 6.0.0-RC1 #12047
• Upgrade Unboundid to 6.0.6 #10210

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @rwinch
• @shazin
• @jzheaux
• @marcusdacoregio
• @sjohnr