github spring-projects/spring-security 6.1.0-M1

pre-release, 20 months ago

⭐ New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12355
  • Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter #11815
  • Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086
  • Add Authority String AuthorizationManager #12231
  • Add configurable authorities split regex #12124
  • Add configurable authorities split regex #12073
  • add packages (dependencies) to playbook template in docs-build branch #12522
  • Add the ability to set the SameSite policy to the CSRF Cookie #12109
  • Allow authorization request resolver to be changed for the OAuth2 client configuration #12430
  • AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context #12505
  • Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier #12489
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12445
  • Inaccurate javadoc text in setRequestHandler method from CsrfWebFilter class #12484
  • Inaccurate javadoc text in setRequestHandler method of CsrfFilter class #12515
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12441
  • Replace deprecated set-state set-output GitHub Action's commands #12300
  • SecuredAuthorizationManager should allow customizing underlying authorization manager #12233
  • SecuredAuthorizationManager should cache annotation's value #12232
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12499

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12518
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12410
  • Error in ACLS document #12406
  • Fix AuthorizationFilter diagram in docs #12287
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12436
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12460
  • JwtAuthenticationProvider should use provided authentication details #11822
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12496
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #12372
  • Reactive migration documentation for @EnableReactiveMethodSecurity is wrong (or implementation is wrong) #12514
  • Security observations are not setting their parent observation #12525
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12493
  • SwitchUserFilter not working in Spring Security 6 #12512
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12528

🔨 Dependency Upgrades

  • Update org.gretty:gretty to 4.0.3 #12277

❤️ Contributors

We'd like to thank all the contributors who worked on this release!
