Changes since 24.0.0.alpha4
Breaking changes
-
Use authorizeHttpRequests instead of deprecated authorizeRequests
Commit · Pull request
This requires all applications to also change any usage of authorizeRequests to authorizeHttpRequests.
-
Upgrade to SLF4J 2.0
Commit · Pull request
Spring Boot 3 RC1 and newer depend on SLF4J 2.
-
Remove VaadinWebSecurityConfigurerAdapter
Commit · Pull request
WebSecurityConfigurerAdapter was removed in spring-projects/spring-security#10902.
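
The authorizeHttpRequests and VaadinWebSecurityConfigurerAdapter changes above, applied to an application's security configuration, as an added example (not code from these release notes or from the Vaadin project). It assumes the application moves to the `VaadinWebSecurity` base class from flow-spring, which these notes do not name; the class name `SecurityConfig`, the `/public/**` pattern and the `/login` path are hypothetical.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Before (Spring Security 5.x style, no longer compiles after these changes):
//
//   public class SecurityConfig extends VaadinWebSecurityConfigurerAdapter {
//       @Override
//       protected void configure(HttpSecurity http) throws Exception {
//           http.authorizeRequests().antMatchers("/public/**").permitAll();
//           super.configure(http);
//       }
//   }

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Application rules go through authorizeHttpRequests and must be
        // registered before super.configure(http): the base class ends its
        // own rule set with anyRequest().authenticated(), and no matcher
        // can be added after anyRequest().
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/public/**")) // hypothetical pattern
                .permitAll());

        // Vaadin's defaults: framework-internal requests, static resources,
        // then authentication required for everything else.
        super.configure(http);

        // Hypothetical login view path (String overload, used for Hilla views).
        setLoginView(http, "/login");
    }
}
```

Keep `permitAll()` patterns as narrow as possible, since every rule registered before `super.configure(http)` takes precedence over Vaadin's default of requiring authentication.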
Fixes
-
Clean commented CSS before handling
Commit · Pull request · Issue
Remove any comment blocks in CSS before creating link references.
-
Send new csrf cookie in login response
Commit · Pull request
This is needed when the login response is an XHR and does not cause a page reload. The CSRF token is needed immediately after the login request, e.g. to be able to query the user info from an endpoint in Hilla. In earlier Spring Security versions, the new CSRF token was automatically generated and sent in CsrfAuthenticationStrategy (https://github.com/spring-projects/spring-security/blob/aed7a869dfbba4f545ecd59174a83e19728227a9/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L59-L60) when authentication succeeded, but this was removed in Spring Security 6.0 RC1.
-
Run npm install if folder changes
Commit · Pull request · Issue
If the application folder changes, we should execute npm install to get any folder references updated.
-
Enforce the deprecated CSRF handler temporarily
Commit · Pull request
-
Make Jwt security work with new Spring Security
Commit · Pull request
-
Long parameter regex
Commit · Pull request · Issue
HasUrlParameter now accepts all valid long values and throws in the case where the value is out of Long range.
-
Allow Hilla push request without Spring CSRF
Commit · Pull request