⭐ New Features
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
- Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12444
- Move classpath checks to class member variable #11437
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
- Revisit Session Management Documentation #12680
- Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12498
- Update broken links, correct gradle command for Windows OS. #12336
🪲 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
- @EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506
- A typo in form login doc #12678
- Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
- Document XMLObject retrieval for Asserting Party metadata #12729
- Document XMLObject retrieval for Asserting Party metadata #12728
- Duplicate words. #12471
- Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
- gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
- Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12459
- javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
- Security observations are not setting their parent observation #12524
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
- SwitchUserFilter not working in Spring Security 6 #12511
- Update expression-based.adoc #12363
- Update multitenancy.adoc #12474
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12527
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.7.Final #12707
- Update io.projectreactor to 2022.0.3 #12701
- Update io.spring.nohttp to 0.0.11 #12703
- Update jackson-bom to 2.14.2 #12696
- Update jackson-databind to 2.14.2 #12697
- Update jackson-datatype-jsr310 to 2.14.2 #12698
- Update jakarta.servlet.jsp-api to 3.1.1 #12704
- Update junit-bom to 5.9.2 #12708
- Update junit-platform-launcher to 1.9.2 #12710
- Update maven-resolver-provider to 3.8.7 #12705
- Update micrometer-observation to 1.10.4 #12699
- Update mockk to 1.13.4 #12700
- Update org.aspectj to 1.9.19 #12706
- Update org.junit.jupiter to 5.9.2 #12709
- Update org.springframework to 6.0.5 #12711
- Update org.springframework.data to 2022.0.2 #12712
- Update reactor-netty to 1.1.3 #12702
- Update spring-ldap-core to 3.0.1 #12713
❤️ Contributors
We'd like to thank all the contributors who worked on this release!