Spring Security

Last update: Jan 5, 2023

Overview

Spring Security

Spring Security provides security services for the Spring IO Platform. Spring Security 5.0 requires Spring 5.0 as a minimum and also requires Java 8.

For a detailed list of features and access to the latest release, please visit Spring projects.

Code of Conduct

Please see our code of conduct

Downloading Artifacts

See Getting Spring Security for how to obtain Spring Security.

Documentation

Be sure to read the Spring Security Reference. Extensive JavaDoc for the Spring Security code is also available in the Spring Security API Documentation.

Quick Start

We recommend you visit Spring Security Reference and read the "Getting Started" page.

Building from Source

Spring Security uses a Gradle-based build system. In the instructions below, ./gradlew is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.

Prerequisites

Git and the JDK11 build.

Be sure that your JAVA_HOME environment variable points to the jdk-11 folder extracted from the JDK download.

Check out sources

git clone [email protected]:spring-projects/spring-security.git

Install all spring-\* jars into your local Maven cache

./gradlew install

Compile and test; build all jars, distribution zips, and docs

./gradlew build

Discover more commands with ./gradlew tasks. See also the Gradle build and release FAQ.

Getting Support

Check out the Spring Security tags on Stack Overflow. Commercial support is available too.

Contributing

Pull requests are welcome; see the contributor guidelines for details.

License

Spring Security is Open Source software released under the Apache 2.0 license.

Comments

SEC-8: Windows NT Domain AuthenticationProvider

["Ben Alex":https://jira.spring.io/secure/ViewProfile.jspa?name=balex](Migrated from ["SEC-8":https://jira.spring.io/browse/SEC-8?redirect=false]) said:

http://opensource.cenqua.com/shaj/ provides a mechanism to authenticate against Windows NT Domains.

See also http://forum.springframework.org/viewtopic.php?p=22163

See also http://forum.springframework.org/viewtopic.php?t=4670 which discusses NTLM authentication and refers to some code that has already been written for this purpose.
in: core type: enhancement type: jira

opened by spring-projects-issues 73
Migration path for Spring SAML Extension users

Expected Behavior

We currently are using Spring SAML Extension 1.0.10 in SP mode. We integrate with different IDPs like OAM, OKTA, ADFS etc and it works smoothly. Now, we need to upgrade as the underlying OpenSAML is quite old. I see that Spring Security Core is the new place for SAML support and Spring SAML will not be available as a separate library. It seems not all functionality from Spring SAML has been ported to Spring Security. We are specifically interested in SP Metadata generation and Single Logout. When will this be available in Spring Security SAML? Is there a document that can be used for this migration path? ie From Spring SAML Extension to Spring Security SAML Feature set.

Current Behavior

Documentation for existing users of Spring SAML Extension is limited/ unable to find.

Context
type: enhancement in: saml2

opened by rajn 50
Support OAuth 2.0 Authorization Server
NOTE: Please see comment

The initial support for OAuth 2.0 Authorization Server will target the following features:

OAuth 2.0 Authorization Code Grant

OpenID Connect 1.0 (Authorization Code Flow)

PKCE #4943

OAuth 2.0 Client Credentials Grant

JWT Access Token format

JWK Set Endpoint

Opaque Access Token format

OAuth 2.0 Token Revocation #6133

type: enhancement in: oauth2
opened by jgrandja 47
WebAuthn support
Issue: #5238 Previous PR: #5665

This pull request adds W3C Web Authentication specification support to Spring Security.

It is consisted by 3 parts.

Add MultifactorAuthenticationToken (f5859e9c6d6c0fc6b726d17064bb65dbfe5870a2)

Implement W3C WebAuthentication specification (adb014ee3e47f163fea77a8a068f6fa54c6a16d9)

Add WebAuthn sample application (8808a2ceac7f86353b82751c6dab6b38e180cf9a)

Add MultifactorAuthenticationToken

Make a foundation for multi-factor(step) authentication including WebAuthn.

Changes

Add MultifactorAuthenticationToken to represent a user in the middle of multi factor(step) authentication process

Add MFATokenEvaluator/MFATokenEvaluatorImpl for Authentication type check

Make ExceptionTranslationFilter, AuthenticationTrustResolverImpl, and HttpSessionSecurityContextRepository use MFATokenEvaluator to support multi-factor authentication

Add MultiFactorAuthenticationProvider, which authenticates a user by delegating to another AuthenticationProvider and generates MultifactorAuthenticationToken

Implement W3C WebAuthentication specification

Adds Web Authentication specification support as spring-security-webauthn module. Nothing is changed in existing spring security modules.

Add WebAuthn sample application

It is a sample application demonstrates spring-security-webauthn module.

Please run with this command.

cd <project root dir> ./gradlew spring-security-samples-javaconfig-webauthn-spa:bootRun

Reference doc

Reference document is not included in this pull request, but the draft exists here: https://sharplab.github.io/spring-security-webauthn/en/ When the design is finailized after the pull request review, I'll rewrite it to fit Spring Security reference doc.

for reviewers

Sorry for the huge pull-request. LoC is increased by sample application to demonstrate concrete usecase. As the previous commit is not corrected in the later commit, please read commit by commit.
status: waiting-for-triage
opened by ynojima 46
Support Mono for Method Security SpEL expressions

Summary

Reactive method security requires the SpEL expression to return Boolean which does not work of the logic to determine access is blocking. We should allow the result to be Mono<Boolean>
status: duplicate in: core type: enhancement

opened by rwinch 41
Add support for OAuth 2.0 Client authentication methods

Currently, Spring Security only supports basic and post authentication methods between client and authorization server. Would it be possible to add other support for other OpenID authentication methods in a future version of Spring Security, in particular client_secret_jwt and private_key_jwt (see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)?

Related #8175
status: duplicate in: oauth2

opened by beuvenar 38
Deprecate WebSecurityConfigurerAdapter
With the following issues closed we've added the ability to configure the security of an application without needing the WebSecurityConfigurerAdapter.

Related issues:

#8804

#8978

#10040

#10138

in: config type: enhancement
opened by eleftherias 36
BadCredentialsException is not serializable when using LDAP Authentication
Summary

When using Spring Security (using LDAP) and Spring Session (jdbc) in combination, I'm running into a serialization error only when authentication fails. When the user logs in with correct credentials, everything works as expected. Session is duplicated across all nodes. But when the user enters invalid credentials, the server throws up an exception that I'm not sure how to catch (or mitigate)

Actual Behavior

The user logs in incorrectly and this error is thrown:

Failed to convert from type [java.lang.Object] to type [byte[]] for value 'org.springframework.security.authentication.BadCredentialsException: Bad credentials'; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx

Expected Behavior

The LdapCtx object should be serialized or ignored

Configuration

<dependency> <groupId>org.springframework.session</groupId> <artifactId>spring-session-jdbc</artifactId> </dependency>

spring.session.store-type=jdbc

Version

Spring Boot Starter version 1.5.10.RELEASE

I have been redirected here from the spring session repo https://github.com/spring-projects/spring-session/issues/685
in: ldap type: bug
opened by iKrushYou 34
SEC-977: Add support for CAS gateway feature

The opportunity and the implementation details of this new feature were discussed in Jira SEC-977.

The new filter TriggerCasGatewayAuthenticationFilter has been added to call the CasAuthenticationEntryPoint when we want try a silent CAS authentication (typically on a public page). The trigger criteria is done with a requestMatcher instance. The method unsuccessfulAuthentication has been overridden in CasAuthenticationFilter in order to redirect to the saved url if there was no SSO session (no service ticket sent from CAS). To avoid infinite loop, we use the DefaultGatewayResolverImpl from Jasig Cas Client.

I have signed and agree to the terms of the SpringSource Individual Contributor License Agreement.

opened by miremond 34

adding query parameter to authorization_uri creates malformed url

Summary

When creating the authorization uri to login with google, there is the option to add a query parameter in order to get back the refresh token. However, when the authorization_uri is set to:

https://accounts.google.com/o/oauth2/v2/auth?access_type=offline

The uri that I get redirect to is:

https://accounts.google.com/o/oauth2/v2/auth?access_type=offline?response_type=code&client_id=[my client id]&scope=[scopes]&state=[state]&redirect_uri=[redirect uri]

Note the ?access_type=offlince?response_type... This url is malformed and google complains saying response_type and basic query params are not passed in.

Actual Behavior

User goes to /login
User sees an error from Google due to malformed URL

Expected Behavior

User goes to /login
User sees the google login page and the following URL in the address bar: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&response_type=code&client_id=[my client id]&scope=[scopes]&state=[state]&redirect_uri=[redirect uri] The access_type query parameter is after the ? and following query parameters should have an & between them. The order of the query params does not matter.

Configuration

My application.yaml

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: xxxxx
            client-secret: yyyyy
            scope: profile,email,https://www.googleapis.com/auth/analytics
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline

My WebSecurityConfigurationAdapter

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .oauth2Login()
                    //.loginPage("/login")
                        .defaultSuccessUrl("/dashboard")
                        .failureUrl("/loginFailure")
                    .authorizationEndpoint()
                        .authorizationRequestRepository(authorizationRequestRepository())
                    .and()
                        .tokenEndpoint().accessTokenResponseClient(accessTokenResponseClient());
    }

    @Bean
    public AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() {
        HttpSessionOAuth2AuthorizationRequestRepository request = new HttpSessionOAuth2AuthorizationRequestRepository();
        return request;
    }

    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        return new NimbusAuthorizationCodeTokenResponseClient();
    }
}

My pom.xml (only including security and oauth2 dependencies)

<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
            <version>2.1.0.M2</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
            <version>5.1.0.RC1</version>
        </dependency>

type: bug in: oauth2

opened by mlevkovsky 33

Ease controllers unit tests in OAuth2 secured apps
Summary

I faced a few difficulties unit testing my controllers in a RESTful app secured with OAuth2 (JWT) and wrote a lib that quite improved my developer experience. Just wanted to share this work, maybe will you pick some ideas / code ?

What I did can be reduced to a few steps:

create two annotations to decorate test cases with desired OAuth2 authentication: @WithMockOauth2Client and @WithMockOauth2User (later relies on first for client configuration and on @WithMockUser for username and password configuration)

mock ResourceServerTokenServices to intercept specific Authorization headers and populate OAuth2 security context according to authentication described with preceding annotations

wrap MockMvc to add a specific Authorization header to the request when any of the two annotations described at step 1. was used

this isn't security related (any kind of REST controller unit test could benefit it) but still in the same lib I wrote and maybe worth being contributed to the framework too (mvc-test ?). Wrap MockMvc to: 4.1. add Content-type header for each POST, PUT and PATCH request 4.2. add Accept header for each GET, POST and OPTION request 4.3. provide with fine grained MockHttpServletRequestBuilder factories (pre-configured for a get request, a post request with a body, etc.) 4.4. provide with shortcuts to create, configure, build and perform mocked MVC requests in one call 4.5. auto serialize requests payloads according to Content-type using registered message converters (see SerializationHelper)

Actual Behavior

Considering communities threads (stackoverflow being a sample), unit testing controllers in an app secured with OAuth2 is commonly considered as a painful task.

Expected Behavior

Annotations to configure any kind of OAuth2 authentication (client connecting on behalf of an end-user or not)

Security context being populated as described with such annotations

less boiler-plate code when using MockMvc

Sample

Overall result in some controller unit tests:

@WebMvcTest(UserController.class) @Import({ResourceServerConfig.class}) @EnableSpringDataWebSupport public class UserControllerTest extends OAuth2ControllerTest { @MockBean UserRepository userRepo; @Test @WithMockOAuth2User( client = @WithMockOAuth2Client(clientId = "webClient"), //of no use here, added for the show-case user = @WithMockUser(username = "admin", authorities = {"READ_USERS"})) public void whenAuthenticatedWithReadUserPrivilegeThenListUsersReturnsUsersPage() throws Exception { final List<User> users = Arrays.asList(admin, user); when(userRepo.findAll(any(Pageable.class))).thenAnswer(invocation -> new PageImpl<>(users, (Pageable) invocation.getArguments()[0], users.size())); api.get("/users/") .andExpect(status().isOk()) .andExpect(jsonPath("$._embedded.elements", hasSize(users.size()))) .andDo(document("users-collection", ignorePage(responseFields(), "elements"), links())); } }

In this sample:

api is a MockMvc wrapper instance

Authorization and Accept headers are transparently added

MockHttpServletRequestBuilder is created, configured, build and performed in one call

you can browse my source for additional samples involving further request builder configuration (cookies or additional headers)

P.S.

This is my first request to Spring framework, please point me to the right instructions if I do it the wrong way
in: test type: enhancement
opened by ch4mpy 31
SwitchUserFilter not working in Spring Security 6
Describe the bug When using Spring Security 6 (via the Spring Boot 3 BOM) the SwitchUserFilter is not working anymore. The currently logged in user is redirected to the SwitchUserUrl (that is configured in the SwitchUserFilter), but the user is not switched.

The attached log file shows the following line: "Failed to find original user"

To Reproduce

Have a Spring Boot 3 project with Spring Security

Define a SwitchUserFilter bean in a configuration class:

@Bean public SwitchUserFilter switchUserFilter() { SwitchUserFilter filter = new SwitchUserFilter(); filter.setUserDetailsService(userDetailsService); filter.setUsernameParameter("username"); filter.setSwitchUserUrl("/admin/switch_user"); filter.setExitUserUrl("/admin/switch_user_exit"); filter.setTargetUrl("/"); return filter; }

Use this bean in a SecurityFilterChain:

.addFilterAfter(switchUserFilter(), AuthorizationFilter.class)

Login as an admin user and try to switch to a different user

Expected behavior The user performing the switch should be logged in as the selected user.

Sample While I don't have a minimal example, I have an open source project that reproduces the issue. The relevant config is here: https://gitlab.com/skrupeltng/skrupel-tng/-/blob/issue-531_spring_boot_3/src/main/java/org/skrupeltng/config/SecurityConfig.java

The javadoc of the SwitchUserFilter still states: "Note that the filter must come after the FilterSecurityInteceptor in the chain" However, FilterSecurityIntercepter is deprecated. The deprecation text says one should use AuthorizationFilter, so I used this. Using the AuthorizationFilter was in fact working when using Spring Boot 2.7 and Spring Security 5.8. Maybe we have to put the SwitchUserFilter before/after a different Filter now?

switch_user.log
status: waiting-for-triage type: bug
opened by RobertBleyl 0
turn off scheduler for Deploy Docs workflow

This need is already filled by the push trigger. When a commit is pushed to a branch, the workflow automatically kicks off a partial build for that branch/version. A full build of the site occurs when a release is made or on demand. There's no reason to run this workflow otherwise.
status: waiting-for-triage

opened by mojavelinux 0
XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8
Describe the bug XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8.1:

"java.lang.UnsupportedClassVersionError: org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0"

With Spring Security 5.7.x it worked because the OpenSaml4* classes were compiled to Java 8 bytecode.

The problem is in these classes: org.springframework.security.config.http.Saml2LoginBeanDefinitionParserUtils org.springframework.security.config.http.Saml2LogoutBeanDefinitionParserUtils

They do not check the OpenSaml version like other spring-security classes that use OpenSaml4* classes, e.g.

static BeanDefinition createAuthenticationProvider() { return BeanDefinitionBuilder.rootBeanDefinition( "org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider") .getBeanDefinition(); }

To Reproduce Use XML namespace with saml2-login configuration, Java 8 and spring-security 5.8.x.

Expected behavior XML Namespace with saml2-login configuration should work using Java 8, OpenSaml 3 and spring-security 5.8
in: config type: bug
opened by MichaelVetter 1

Releases(6.0.1)

6.0.1(Dec 19, 2022)
:star: New Features

Add EnableWebSecurity migration steps to 5.8 guide #12354

Replace deprecated set-state set-output GitHub Action's commands #12299

:beetle: Bug Fixes

codes in spring security docs fail to work #12342

codes in spring security docs fail to work #12341

DefaultLdapAuthoritiesPopulator throws NullPointerException #12409

Error in ACLS document #12270

Fix AuthorizationFilter diagram in docs #12288

Incorrect Javadoc for class ExpressionAuthorizationDecision #12435

Incorrect sample code in securityMatcher migration docs #12303

Incorrect sample code in securityMatcher migration docs #12302

It's not possible to disable micrometer obversability #12268

ProxyFactoryBean on AuthenticationManager does not work in native mode #12367

SecurityContextHolderFilter does not apply to async dispatch #12369

SecurityContextHolderFilter does not apply to async dispatch #12368

:hammer: Dependency Upgrades

Update hibernate-core to 6.1.6.Final #12423

Update httpclient to 4.5.14 #12421

Update io.projectreactor to 2022.0.1 #12419

Update jackson-bom to 2.14.1 #12413

Update jackson-databind to 2.14.1 #12414

Update jackson-datatype-jsr310 to 2.14.1 #12415

Update logback-classic to 1.4.5 #12412

Update micrometer-observation to 1.10.2 #12417

Update mockk to 1.13.3 #12418

Update org.eclipse.jetty to 11.0.13 #12422

Update org.jetbrains.kotlin to 1.7.22 #12424

Update org.springframework to 6.0.3 #12426

Update reactor-netty to 1.1.1 #12420

Update slf4j-api to 2.0.6 #12425

Update unboundid-ldapsdk to 6.0.7 #12416

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@mojavelinux

Source code(tar.gz)
Source code(zip)
5.8.1(Dec 19, 2022)
:star: New Features

Add EnableWebSecurity migration steps to 5.8 guide #12334

Replace deprecated set-state set-output GitHub Action's commands #12298

:beetle: Bug Fixes

codes in spring security docs fail to work #11396

DefaultLdapAuthoritiesPopulator throws NullPointerException #12408

Fix AuthorizationFilter diagram in docs #12286

Fix password encoder migration guide #12318

Fix typo #12316

Incorrect Javadoc for class ExpressionAuthorizationDecision #12411

Incorrect sample code in securityMatcher migration docs #12296

SecurityContextHolderFilter does not apply to async dispatch #11962

:hammer: Dependency Upgrades

Update httpclient to 4.5.14 #12403

Update io.projectreactor to 2020.0.26 #12401

Update mockk to 1.13.3 #12400

Update org.eclipse.jetty to 9.4.50.v20221201 #12404

Update org.jetbrains.kotlin to 1.7.22 #12405

Update reactor-netty to 1.0.26 #12402

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@heowc

@mschneid

Source code(tar.gz)
Source code(zip)
5.7.6(Dec 19, 2022)
:star: New Features

Improve deprecation notice in WebSecurityConfigurerAdapter #12260

Replace deprecated set-state set-output GitHub Action's commands #12297

:beetle: Bug Fixes

DefaultLdapAuthoritiesPopulator throws NullPointerException #12407

Fix AuthorizationFilter diagram in docs #12285

Incorrect scope map fix #12205

SAML logout: Incorrect log messages #12208

Saml2MetadataFilter response should configure writer to UTF-8 #12221

SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12125

Update the RP-initiated Logout links #12121

:hammer: Dependency Upgrades

Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12153

Update Gradle to 7.5.1 #12157

Update hibernate-entitymanager to 5.6.14.Final #12397

Update httpclient to 4.5.14 #12395

Update io.projectreactor to 2020.0.26 #12393

Update jackson-bom to 2.13.4.20221013 #12391

Update jackson-databind to 2.13.4.2 #12392

Update org.eclipse.jetty to 9.4.50.v20221201 #12396

Update org.springframework to 5.3.24 #12398

Update org.springframework.data to 2021.2.6 #12399

Update reactor-netty to 1.0.26 #12394

Source code(tar.gz)
Source code(zip)
5.6.10(Dec 19, 2022)
:star: New Features

Replace deprecated set-state set-output GitHub Action's commands #12032

update generateAntora task to make prereleases unique #12083

:beetle: Bug Fixes

DefaultLdapAuthoritiesPopulator throws NullPointerException #12090

docs: fix realm typo #12120

Fix AuthorizationFilter diagram in docs #12274

Fix typo in DefaultLoginPageConfigurer Javadoc #12311

Fix typo on opaque-token.adoc #12114

Fix: Replace tenantRepository with tenants #12269

Incorrect scope map fix #12144

OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #12295

Outdated example in Javadoc of UrlAuthorizationConfigurer #11487

Saml2MetadataFilter response should configure writer to UTF-8 #12026

SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #3065

Update the RP-initiated Logout links #12081

:hammer: Dependency Upgrades

Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12152

Update Gradle to 7.5.1 #11779

Update hibernate-entitymanager to 5.6.14.Final #12388

Update httpclient to 4.5.14 #12386

Update io.projectreactor to 2020.0.26 #12384

Update jackson-bom to 2.13.4.20221013 #12381

Update jackson-databind to 2.13.4.2 #12382

Update mockk to 1.12.8 #12383

Update org.eclipse.jetty to 9.4.50.v20221201 #12387

Update org.springframework to 5.3.24 #12389

Update org.springframework.data to 2021.1.10 #12390

Update reactor-netty to 1.0.26 #12385

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@markkovari

@ghusta

@mojavelinux

@selllami

@cbot59

Source code(tar.gz)
Source code(zip)
6.0.0(Nov 21, 2022)
:rewind: Breaking Changes

CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235

Register FilterChainProxy for all dispatcher types #12180

:star: New Features

Add test runtime hints for annotations using @WithSecurityContext #12215

Add WebTestUtils test runtime hints #12216

Align with Servlet API 6 #12146

Document Configure Default SessionAuthenticationStrategy #12192

Document DelegatingSecurityContextRepository #12185

Improve deprecation notice in WebSecurityConfigurerAdapter #12262

Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #12234

Migration guide for the removal of CAS #12163

Polish Span and Meter Names #12225

Register FilterChainProxy for All Dispatcher Types Migration Steps #12212

Restructure 6.0 Migration Guide #12242

Support Jakarta WebSocket 2.1 #12148

:beetle: Bug Fixes

CsrfAuthenticationStrategy does not check for existing token #12241

Ensure instrumentation names align with semantic conventions #12156

Incorrect scope map fix #12207

SAML logout: Incorrect log messages #12210

Saml2MetadataFilter response should configure writer to UTF-8 #12223

:hammer: Dependency Upgrades

Update micrometer-observation to 1.10.1 #12250

Update org.springframework to 6.0.0 #12255

Update org.springframework.data to 2022.0.0 #12256

Update r2dbc-h2 to 1.0.0.RELEASE #12251

Update slf4j-api to 2.0.4 #12254

Update spring-ldap-core to 3.0.0 #12257

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@jzheaux

Source code(tar.gz)
Source code(zip)
5.8.0(Nov 21, 2022)
:star: New Features

Add Kotlin example showing integration with WebTestClient #11611

Add MethodExpressionAuthorizationManager #11502

Add Polish localization to error messages from ExceptionTranslationFi… #12201

Add support AuthorizationManager + #11503

AnonymousAuthenticationFilter should cache its Supplier #11900

CookieServerCsrfTokenRepository doesn't support setting MaxAge #11441

DefaultFilterChainValidator should check AuthorizationFilter #11473

Deprecate Resource Owner Password Credentials grant #11591

Document Configure Default CsrfToken BREACH Protection #12107

Document Defer load CsrfToken #12105

Document DelegatingSecurityContextRepository #12069

Document deprecations in oauth2-client #12193

Document how to opt-in for SHA256 in RememberMe #12097

Document how to use the new requestMatchers and securityMatchers #12100

Document Migration to SecurityContextHolderFilter #12098

Document new oauth2Login() authority defaults #12188

Document reactive CSRF migration steps #12226

Document Saved Requests Spring Security 6 Migration #12089

Document Update to 5.8 for Migration Guide #12196

Fix Javadoc in EnableWebSocketSecurity #12211

Improve deprecation notice in WebSecurityConfigurerAdapter #12261

InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11469

Migration guide for CAS support removal #12240

Preparation and Migration Guides should point to each other #12093

Preparation Guide should follow Reference Manual standards #12096

Preparation Guide should show opt-out steps after opt-in steps #12104

Provide guide for migrating from FilterSecurityInterceptor to AuthorizationFilter #11337

Register FilterChainProxy for All Dispatcher Types Migration Steps #12186

SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #11675

trigger partial docs build on push (5.8.x) #12195

:beetle: Bug Fixes

AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12132

CsrfAuthenticationStrategy does not check for existing token #12236

CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12141

fix deploy docs workflow (5.8.x) #12197

Fix saganCreateRelease saganDeleteRelease Required Permissions #11424

Incorrect scope map fix #12206

IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12076

org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11604

SAML logout: Incorrect log messages #12209

Saml2MetadataFilter response should configure writer to UTF-8 #12222

SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12126

SecurityContextRepository.loadContext(HttpServletRequest) cache result #11391

Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11483

Update the RP-initiated Logout links #12122

:hammer: Dependency Upgrades

Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12154

Update aspectj-plugin to 6.5.0.3 #11583

Update assertj-core to 3.23.1 #11572

Update com.nimbusds to 9.38.1 #11570

Update Gradle to 7.5.1 #12158

Update hibernate-entitymanager to 5.6.10.Final #11578

Update hibernate-entitymanager to 5.6.14.Final #12245

Update hsqldb to 2.7.1 #12246

Update htmlunit to 2.63.0 #11575

Update htmlunit-driver to 2.63.0 #11580

Update io.projectreactor to 2020.0.21 #11567

Update io.projectreactor to 2020.0.25 #12243

Update io.spring.javaformat to 0.0.34 #11573

Update jackson-bom to 2.13.3 #11574

Update jsonassert to 1.5.1 #11581

Update junit-bom to 5.9.0-RC1 #11571

Update mockk to 1.12.4 #11568

Update org.eclipse.jetty to 9.4.48.v20220622 #11576

Update org.jetbrains.kotlin to 1.7.10 #11582

Update org.jetbrains.kotlin to 1.7.21 #12247

Update org.jetbrains.kotlinx to 1.6.4 #11566

Update org.springframework to 5.3.22 #11569

Update org.springframework to 5.3.24 #12248

Update org.springframework.data to 2021.2.2 #11579

Update org.springframework.data to 2021.2.6 #12249

Update reactor-netty to 1.0.25 #12244

Update spring-ldap-core to 2.4.1 #11577

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@sjohnr

@LeovR

@mojavelinux

@marcusdacoregio

@kylevessPL

Source code(tar.gz)
Source code(zip)
6.0.0-RC2(Nov 9, 2022)
:star: New Features

Add release line extension #12078

Add SpringTestContext.addFilter #12071

Document Defer load CsrfToken #12106

Document how to opt-in for SHA256 in RememberMe #12119

Document how to use the new requestMatchers and securityMatchers #12151

Document Saved Requests Spring Security 6 Migration #12091

SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #12149

sync local-antora-playbook.yml with antora-playbook.yml #12085

:beetle: Bug Fixes

AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12133

CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12142

IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12077

Remove antMatcher usage from Multiple HttpSecurity docs #12150

SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12127

Unauthorized when authenticated user is shown an error page #12070

Update the RP-initiated Logout links #12123

:hammer: Dependency Upgrades

Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12155

Update Gradle to 7.5.1 #12159

Update hibernate-core to 6.1.5.Final #12173

Update hsqldb to 2.7.1 #12174

Update htmlunit to 2.66.0 #12172

Update htmlunit-driver to 2.66.0 #12176

Update io.projectreactor to 2022.0.0 #12170

Update jackson-bom to 2.14.0 #12166

Update jackson-databind to 2.14.0 #12167

Update jackson-datatype-jsr310 to 2.14.0 #12168

Update micrometer-observation to 1.10.0 #12169

Update org.jetbrains.kotlin to 1.7.21 #12175

Update org.springframework to 6.0.0-RC4 #12178

Update reactor-netty to 1.1.0 #12171

Update spring-data-jpa to 3.0.0-RC2 #12177

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@grafjo

@mojavelinux

Source code(tar.gz)
Source code(zip)
5.7.5(Oct 31, 2022)
:beetle: Bug Fixes

Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #12113

Fix scope mapping #12112

IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #11888

Source code(tar.gz)
Source code(zip)
5.6.9(Oct 31, 2022)
:beetle: Bug Fixes

Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #12102

Fix scope mapping #12101

Source code(tar.gz)
Source code(zip)
6.0.0-RC1(Oct 18, 2022)
:rewind: Breaking Changes

RequestMatcherDelegatingAuthorizationManager should deny when no match #11958

Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #9429

BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347

Default to DelegatingSecurityContextRepository in SecurityContextConfigurer #12049

Default to Xor CSRF protection #11960

Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository #11026

OidcUserAuthority should not automatically include ROLE_USER authority #7856

Remove deprecated constructors in PasswordEncoders #11985

Remove deprecated CsrfSpec.tokenFromMultipartDataEnabled #12020

Remove deprecated CsrfWebFilter.setTokenFromMultipartDataEnabled #12019

Remove Deprecated OpenSAML 3 Support #11789

Remove deprecated RequestMatcher methods from Java Configuration #11939

Remove OpenSAML3 support #10556

Remove WebSecurityConfigurerAdapter #11923

Remove WebSecurityConfigurerAdapter #10902

Resource Server Package Name Inconsistencies #7349

SAML 2.0 filters should be in the web package #8819

Update Defaults for Smarter Session Access #11454

Use MvcRequestMatcher by default if Spring MVC is present #11899

WebAuthenticationDetails#hashCode often returns zero #4133

XSS protection should be set to 0 by default per updated OWASP recommendation #9631

:star: New Features

Add 'securityMatcher' as an alias of 'requestMatcher' #11945

Add native hint for OAuth2 Client's schemas #11920

Add native hint for the users JDBC schema #11907

Add static factory methods to RequestMatcher implementations #11978

Add XML support for shouldFilterAllDispatcherTypes #11971

automatically manage docs version (with collector) #11957

Change XML default use-authorization-manager="true" #11929

Default to shouldFilterAllDispatcherTypes=true in XML #11970

Deprecate HPKP security header #11937

Enabling authenticationIsRequired to be overridden for custom checks.… #10971

HttpSecurityConfiguration should configure ContentNegotiationStrategy #11922

Observability #11906

SessionManagementDsl.requireExplicitAuthenticationStrategy #11928

Simplify Java Configuration RequestMatcher Usage #11940

Smarter HttpSession Access #6125

Update What's New in 6.0 #12024

:beetle: Bug Fixes

Build fails with missing project property cloneOutputDirectory #11981

Possible misconfiguration of SecurityContextRepository #12023

SAML Logout move onload script to body tag #11881

SecurityContextImpl does not have hints to resolve the Authentication #11987

:hammer: Dependency Upgrades

Update to Spring Data 2022.0.0-RC1 #12066

Update to Spring LDAP 3.0.0-RC1 #12067

Upgrade to Update hibernate-core to 6.1.4.Final #12038

Upgrade to Update htmlunit to 2.65.1 #12039

Upgrade to Update htmlunit-driver to 2.65.0 #12034

Upgrade to Update io.spring.javaformat to 0.0.35 #12040

Upgrade to Update jackson-bom to 2.13.4.20221013 #12042

Upgrade to Update junit-bom to 5.9.1 #12036

Upgrade to Update logback-classic to 1.4.4 #12043

Upgrade to Update mockk to 1.13.2 #12041

Upgrade to Update org.jetbrains.kotlin to 1.7.20 #12037

Upgrade to Update org.mockito to 4.8.1 #12035

Upgrade to Update org.slf4j to 2.0.3 #12033

Upgrade to Update to Micrometer 1.10.0-RC1 #12046

Upgrade to Update to Reactor 2022.0.0-RC1 #12045

Upgrade to Update to Spring Framework 6.0.0-RC1 #12047

Upgrade Unboundid to 6.0.6 #10210

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@rwinch

@shazin

@jzheaux

@marcusdacoregio

@sjohnr

Source code(tar.gz)
Source code(zip)
5.8.0-RC1(Oct 18, 2022)
:rewind: Breaking Changes

Make X-Xss-Protection header value configurable in ServerHttpSecurity #11908

:star: New Features

Add 'securityMatcher' as an alias of 'requestMatcher' #9159

Add CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) #11918

Add csrfTokenRequestHandler to Kotlin DSL #11952

Add DeferredSecurityContext and DelegatingSecurityContextRepository #12044

Add opt-in strategy in for Authentication(Web)Filter should return a 500 on AuthenticationServiceExceptions #11932

Add reactive support for BREACH to CsrfWebFilter #11959

Add SecurityContextHolderStrategy to RequestAttributeSecurityContextRepository #11895

Add static factory method to AntPathRequestMather and RegexRequestMather #11965

Add static factory methods to RequestMatcher implementations #11938

Add X-Xss-Protection headerValue to XML config #11936

Add XML support for shouldFilterAllDispatcherTypes #11492

automatically manage docs version (with collector) #11956

Cache Xor CSRF token in supplier #11988

CSRF tokens are vulnerable to a BREACH attack #4001

Deprecate AccessDecisionManager and related classes #11302

Deprecate HPKP security header #10144

HttpSecurityConfiguration should configure ContentNegotiationStrategy #11916

ListeningSecurityContextHolderStrategy should work with deferred contexts #11817

Oauth2 client: Allow deescalating logged ERROR for invalid client registration ID #11344

Provide common super class for AuthorizationDeniedEvent and AuthorizationGrantedEvent #11972

SessionManagementDsl.requireExplicitAuthenticationStrategy #11927

Simplify AuthorizationManager composition #11625

Simplify Java Configuration RequestMatcher Usage #11347

Update default configuration for Pbkdf2PasswordEncoder #10489

Update PasswordEncoder Minimums #10506

Update What's New for 5.8 #12021

:beetle: Bug Fixes

Build fails with missing project property cloneOutputDirectory #11980

SAML Logout move onload script to body tag #11879

:hammer: Dependency Upgrades

Update hibernate-entitymanager to 5.6.12.Final #12059

Update htmlunit to 2.65.1 #12058

Update htmlunit-driver to 2.65.0 #12064

Update io.projectreactor to 2020.0.24 #12055

Update io.spring.javaformat to 0.0.35 #12057

Update jackson-bom to 2.13.4.20221013 #12052

Update jackson-databind to 2.13.4.2 #12053

Update junit-bom to 5.9.1 #12061

Update mockk to 1.13.2 #12054

Update org.jetbrains.kotlin to 1.7.20 #12060

Update org.junit.jupiter to 5.9.1 #12062

Update org.mockito to 4.8.1 #12063

Update org.springframework.data to 2021.2.5 #12065

Update reactor-netty to 1.1.0-M6 #12056

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@sjohnr

@marcusdacoregio

@Kehrlann

Source code(tar.gz)
Source code(zip)
5.7.4(Oct 18, 2022)
:star: New Features

automatically manage docs version (with collector) #11955

:beetle: Bug Fixes

AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11729

Build fails with missing project property cloneOutputDirectory #11979

GitHubMilestoneApiTests due_on Should Use LocalDate #11707

HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11727

NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11711

RemoteJwkSet is not refreshed when encountering an unknown KID #11723

RequestRejectedHandler does not reliable prevent Internal Server Error #11744

:hammer: Dependency Upgrades

Update Gradle Enterprise plugin to 3.11.1 #11830

Update hibernate-entitymanager to 5.6.10.Final #11745

Update hibernate-entitymanager to 5.6.12.Final #12016

Update io.projectreactor to 2020.0.22 #11743

Update io.projectreactor to 2020.0.24 #12012

Update io.rsocket to 1.1.3 #12014

Update jackson-bom to 2.13.4.20221012 #12008

Update jackson-databind to 2.13.4.1 #12009

Update jackson-datatype-jsr310 to 2.13.4 #12010

Update jsonassert to 1.5.1 #11741

Update mockk to 1.12.8 #12011

Update org.eclipse.jetty to 9.4.48.v20220622 #11740

Update org.eclipse.jetty to 9.4.49.v20220914 #12015

Update org.springframework to 5.3.22 #11739

Update org.springframework to 5.3.23 #12017

Update org.springframework.data to 2021.1.6 #11742

Update org.springframework.data to 2021.2.4 #12018

Update reactor-netty to 1.0.24 #12013

Source code(tar.gz)
Source code(zip)
5.6.8(Oct 18, 2022)
:star: New Features

automatically manage docs version (with collector) #11943

:beetle: Bug Fixes

Add rncToXsd task description to CONTRIBUTING.adoc #11935

AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11730

Build fails with missing project property cloneOutputDirectory #11969

GitHubMilestoneApiTests due_on Should Use LocalDate #11708

HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11728

NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11712

RemoteJwkSet is not refreshed when encountering an unknown KID #11724

Updated reference to architecture page #11778

:hammer: Dependency Upgrades

Update Gradle Enterprise plugin to 3.11.1 #11827

Update hibernate-entitymanager to 5.6.12.Final #12005

Update io.projectreactor to 2020.0.24 #12001

Update io.rsocket to 1.1.3 #12003

Update jackson-bom to 2.13.4.20221012 #11997

Update jackson-databind to 2.13.4.1 #11998

Update jackson-datatype-jsr310 to 2.13.4 #11999

Update mockk to 1.12.8 #12000

Update org.eclipse.jetty to 9.4.49.v20220914 #12004

Update org.springframework to 5.3.23 #12006

Update org.springframework.data to 2021.1.8 #12007

Update reactor-netty to 1.0.24 #12002

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@rwinch

@underground-hill

@mojavelinux

@jprinet

@Kehrlann

Source code(tar.gz)
Source code(zip)
6.0.0-M7(Sep 19, 2022)
:rewind: Breaking Changes

csrfRequestAttributeName = _csrf #11764

Remove Configuration meta-annotation from Enable* annotations #11653

Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence) #8980

Use SHA256 by default in Remember Me #11520

:star: New Features

Add native hints for basic @PostAuthorize usage #11737

Add native-image support for PreAuthorize #11446

Performance enhancement in HttpSessionRequestCache #11750

Remove FilterSecurityInterceptor from WebSecurity #11325

Remove setAuthenticationManager from HttpSecurityConfiguration #11776

:beetle: Bug Fixes

Document in xsd security-context-explicit-save defaults to true #11773

Fix IP address parse error message in IpAddressMatcher#parseAddress() #11713

NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #11710

org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11042

Sources and javadocs missing in latest snapshots #10602

Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11288

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.5.1 #11859

Update com.nimbusds to 9.43.1 #11858

Update Gradle Enterprise plugin to 3.11.1 #11832

Update hibernate-core to 6.1.3.Final #11867

Update hsqldb to 2.7.0 #11868

Update htmlunit to 2.64.0 #11865

Update htmlunit-driver to 2.64.0 #11872

Update io.projectreactor to 3.5.0-M6 #11861

Update io.rsocket to 1.1.3 #11863

Update jackson-bom to 2.13.4 #11855

Update jackson-databind to 2.13.4 #11856

Update jackson-datatype-jsr310 to 2.13.4 #11857

Update jakarta.inject to 2.0.1 #11864

Update junit-bom to 5.9.0 #11870

Update logback-classic to 1.4.1 #11854

Update mockk to 1.12.8 #11860

Update org.eclipse.jetty to 11.0.12 #11866

Update org.mockito to 4.8.0 #11871

Update org.springframework to 6.0.0-M6 #11833

Update reactor-netty to 1.1.0-M6 #11862

Update to mockito 4.7.0 #11749

Upgrade to Spring LDAP 3.0.0-M3 #11718

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@ch4mpy

@mojavelinux

@jsattler

@cyb3r4nt

Source code(tar.gz)
Source code(zip)
5.8.0-M3(Sep 19, 2022)
:star: New Features

@WithMockUser Supported as Merged Annotation #11782

Add AspectJ support to @EnableMethodSecurity #11326

Add CsrfFilter.csrfAttributeName #11699

add information to README describing how to build the reference docs #11876

Add new interfaces for CSRF request processing #11781

Add remaining methods from ExpressionUrlAuthorizationConfigurer to Me… #11667

Add Support for LazyCsrfTokenRepository to Defer Loading CsrfTokens #11700

Configurable authentication converter for resource-servers with token introspection #11661

CsrfFilter Accesses Session on Every Request #11456

Document that Method Security Co-routine Support Skips Downstream Interceptors #10920

HttpSecurityDsl should support apply method #11754

Javadoc typo 'sue' -> 'use' #11794

Mistake in Kotlin code representation is fixed #11753

ReactiveAuthorizationManager + Reactive Method Security #9867

Update javadoc of Kotlin DSL to reflect the deprecation of WebSecurityConfigurerAdapter #11646

webflux logout not working when project defines a context path (spring.webflux.base-path) #11716

:beetle: Bug Fixes

AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #11726

GitHubMilestoneApiTests due_on Should Use LocalDate #11706

HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #11449

Modify words #11709

SAML2 Login fails with CSP in chrome based browsers #11676

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.5.1 #11839

Update com.nimbusds to 9.43.1 #11838

Update Gradle Enterprise plugin to 3.11.1 #11831

Update hibernate-entitymanager to 5.6.11.Final #11846

Update hsqldb to 2.7.0 #11847

Update htmlunit to 2.64.0 #11844

Update htmlunit-driver to 2.64.0 #11850

Update io.projectreactor to 2020.0.23 #11841

Update io.rsocket to 1.1.3 #11843

Update jackson-bom to 2.13.4 #11835

Update jackson-databind to 2.13.4 #11836

Update jackson-datatype-jsr310 to 2.13.4 #11837

Update junit-bom to 5.9.0 #11848

Update logback-classic to 1.4.1 #11834

Update mockk to 1.12.8 #11840

Update org.eclipse.jetty to 9.4.49.v20220914 #11845

Update org.mockito to 4.8.0 #11849

Update org.springframework to 5.3.23 #11851

Update reactor-netty to 1.1.0-M6 #11842

Update to mockito 4.7.0 #11748

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@aSemy

@jujunchen

@MariuszCwikla

@sjohnr

@evgeniycheban

@jzheaux

@mojavelinux

@he1ex-tG

@ch4mpy

Source code(tar.gz)
Source code(zip)
5.8.0-M2(Aug 15, 2022)
:star: New Features

Add hash-based Content-Security-Policy for SAML post pages #11631

Allow customization of redirect strategy #11387

Receive AuthnRequest Id and Response InResponseTo in Saml2AuthenticationRequestRepository #11468

Set permissions for GitHub actions #11367

:beetle: Bug Fixes

"Well-Know" should be "Well-Known" #11613

Add Deprecated annotation to WebSecurity#securityInterceptor #11634

RequestRejectedHandler does not reliable prevent Internal Server Error #11645

Spring Security SAML fails in Chrome because of favicon request #11657

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@desmond-silveira

@igorbolic

@naveensrinivasan

Source code(tar.gz)
Source code(zip)
5.7.3(Aug 15, 2022)
:star: New Features

Add Kotlin example showing integration with WebTestClient #9998

Set permissions for GitHub actions #11642

Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11650

:beetle: Bug Fixes

Add Deprecated annotation to WebSecurity#securityInterceptor #11637

Check saganCreateRelease saganDeleteRelease Required Permissions #11425

org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11605

RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #11606

RequestRejectedHandler does not reliable prevent Internal Server Error #11672

Sources and javadocs missing in latest snapshots #11628

Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11484

Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #11651

:hammer: Dependency Upgrades

Update hibernate-entitymanager to 5.6.10.Final #11694

Update io.projectreactor to 2020.0.22 #11691

Update jsonassert to 1.5.1 #11696

Update mockk to 1.12.5 #11690

Update org.eclipse.jetty to 9.4.48.v20220622 #11693

Update org.jetbrains.kotlinx to 1.6.4 #11695

Update org.springframework to 5.3.22 #11697

Update org.springframework.data to 2021.2.2 #11698

Source code(tar.gz)
Source code(zip)
5.6.7(Aug 15, 2022)
:star: New Features

Add Kotlin example showing integration with WebTestClient #11612

Set permissions for GitHub actions #11644

:beetle: Bug Fixes

Add Deprecated annotation to WebSecurity#securityInterceptor #11636

Fix saganCreateRelease saganDeleteRelease Required Permissions #11426

org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11608

RequestRejectedHandler does not reliable prevent Internal Server Error #11673

Sources and javadocs missing in latest snapshots #11629

Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11485

:hammer: Dependency Upgrades

Update hibernate-entitymanager to 5.6.10.Final #11683

Update io.projectreactor to 2020.0.22 #11680

Update jsonassert to 1.5.1 #11684

Update mockk to 1.12.5 #11679

Update org.eclipse.jetty to 9.4.48.v20220622 #11682

Update org.springframework to 5.3.22 #11685

Update org.springframework.data to 2021.1.6 #11686

Update reactor-netty to 1.0.22 #11681

Source code(tar.gz)
Source code(zip)
6.0.0-M6(Jul 18, 2022)
:rewind: Breaking Changes

Change interface with constants to final class #10960

Claims contain an instance of java.net.URL and are used in hash-based containers #10673

Consider using OAuth2Token instead of AbstractOAuth2Token #10959

FilterSecurityInterceptor applies to every request by default #11466

Remove deprecated allowMultipleAuthorizationRequests #11564

Remove deprecated converters in OAuth2AccessTokenResponseHttpMessageConverter #11513

Remove deprecated CustomUserTypesOAuth2UserService #11511

Remove deprecated implicit authorization grant type #11506

Remove deprecated NimbusAuthorizationCodeTokenResponseClient #11512

Remove deprecated NimbusJwtDecoderJwkSupport #11507

Remove deprecated OAuth2IntrospectionClaimAccessor #11499

Remove deprecated UnAuthenticatedServerOAuth2AuthorizedClientRepository #11508

Remove deprecations in AbstractOAuth2AuthorizationGrantRequest #11517

Remove deprecations in AuthorizationRequestRepository #11519

Remove deprecations in ClaimAccessor #11585

Remove deprecations in ClientAuthenticationMethod #11516

Remove deprecations in ClientRegistration #11518

Remove deprecations in JwtAuthenticationConverter #11587

Remove deprecations in OAuth2AuthorizedClientArgumentResolver #11584

Remove deprecations in OidcClientInitiatedLogoutSuccessHandler #11565

Remove deprecations in OidcUserInfo #11586

Remove deprecations in ServerOAuth2AuthorizedClientExchangeFilterFunction #11589

Remove deprecations in ServletOAuth2AuthorizedClientExchangeFilterFunction #11588

:star: New Features

Add LDAP runtime hints #11438

Add Runtime Hints for basic setup #11431

AnonymousAuthenticationFilter Accesses Session on Every Request #11465

Consider updating testing examples to use JUnit Jupiter #10934

CookieServerCsrfTokenRepository doesn't support setting MaxAge #11432

Remove dependency on conmmons-codec by using java.util.Base64 #11319

SAML2 customizable URLs #8873

Update DelegatingSecurityContextTaskScheduler to implement new Required Methods #11474

Update java version to 17.0.3-tem #11370

Update javadoc in CommonOAuth2Provider #11490

Use JDK 17 on build #11324

:beetle: Bug Fixes

CsrfWebFilter null save content-type check #11205

Docs example uses access(String) with authorizeHttpRequests() #11280

Fix method call example on documentation #11380

Fix saganCreateRelease saganDeleteRelease Required Permissions #11423

Fix tests using root cause for exception messages #11372

Fix title render issue of Digest Authentication document #11291

Fix typo in BasicLookupStrategy Javadoc #11336

Fix typo on NimbusJwtDecoderTests #11394

Fixed typo in comment for changePassword method #11274

KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11354

OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11379

Should SAML metadata EntityDescriptor tag have the md: prefix? #11283

Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11470

Update usage of deprecated reactor.util.context.Context.putAll method #11476

Use Collection in examples #11478

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.5.0.3 #11524

Update assertj-core to 3.23.1 #11531

Update com.nimbusds to 9.38.1 #11523

Update Gradle Enterprise plugin #11398

Update hibernate-core-jakarta to 5.6.10.Final #11533

Update htmlunit to 2.63.0 #11530

Update htmlunit-driver to 2.63.0 #11538

Update io.projectreactor to 3.5.0-M4 #11525

Update io.r2dbc:r2dbc-h2 to 1.0.0.RC1 #11479

Update io.spring.javaformat to 0.0.34 #11527

Update jakarta.annotation-api to 2.1.1 #11528

Update jakarta.servlet.jsp-api to 3.1.0 #11529

Update jsonassert to 1.5.1 #11539

Update junit-bom to 5.9.0-RC1 #11536

Update org.eclipse.jetty to 11.0.11 #11532

Update org.jetbrains.kotlin to 1.7.10 #11534

Update org.jetbrains.kotlinx to 1.6.4 #11535

Update org.junit.jupiter to 5.9.0-RC1 #11537

Update org.springframework to 6.0.0-M5 #11594

Update reactor-netty to 1.1.0-M4 #11526

Update spring-data-jpa to 3.0.0-M5 #11540

Update spring-ldap-core to 2.4.1 #11541

Update to Kotlin 1.7 #11374

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@skaifun

@j3graham

@vkhashimoto

@jprinet

@eddumelendez

@timtebeek

@ZhivkoDelchev

@Koshux

@shirohoo

@cbot59

Source code(tar.gz)
Source code(zip)
5.8.0-M1(Jul 18, 2022)
:rewind: Breaking Changes

SecurityExpressionHandler#createEvaluationContext should defer lookup of Authentication #9667

:star: New Features

Add AuthorizationManager that uses ExpressionHandler #11105

Add AuthorizationManager XML Support for Filter Security #11305

Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11383

Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri #11229

Add Jackson Support for Saml2AuthenticationException #11176

Add MethodExpressionAuthorizationManager #11493

Add relyingPartyRegistrationId to AbstractSaml2AuthenticationRequest #11195

Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11393

Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer #11360

Add RoleHierarchyAuthorizationManager #11304

Add support AuthorizationManager + #11323

AnonymousAuthenticationFilter Accesses Session on Every Request #11457

AuthorizationManager for WebSocket Security #11076

Branch 5.8.x should point to samples branch 5.8.x #11203

Build modules using Java 8 #10816

Check Samples should run against the current artifacts #10344

Consider updating testing examples to use JUnit Jupiter #11294

Deprecate Resource Owner Password Credentials grant #11590

Ensure that SecurityContext is correctly preserved in MockMvc tests when using SecurityContextHolderStrategy @Bean #11444

HttpSessionRequestCache Causes Session Access on Every Request #11453

Improve docs on dispatcherTypeMatcher #11505

Improve docs on dispatcherTypeMatcher #11467

InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11328

Missing reactive DelegatingRequestMatcherHeaderWriter #11073

OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11381

OidcClientInitiatedServerLogoutSuccessHandler should understand redirect uri placeholders #11378

OpenSaml4AuthenticationRequestResolver should have a customizable URI #10840

Password Encoding Improvements #11482

phoneNumberVerified field is Boolean type #11315

Provide alternative for MD5 hashing in remember me token #8549

Remove dependency on commons-codec by using java.util.Base64 (for 5.8.x) #11322

Support multiple SingleLogoutService bindings #11286

Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192

Use SecurityContextHolderStrategy for defaults #11062

:beetle: Bug Fixes

Docs example uses access(String) with authorizeHttpRequests() #11295

Failed signature verification on SAML2 LogoutRequest #11235

Fix OAuth2ResourceServerConfigurer member variable using Java 9+ feature #10695

Form Login not possible when a single OAuth2 Provider is configured #11375

Multiple .requestMatchers().mvcMatchers() override previous one #10956

OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11382

SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11262

ServerRequestCacheWebFilter causes WebSession to be read every request #7157

Should SAML metadata EntityDescriptor tag have the md: prefix? #11312

Some Security Expressions cause NPE when used within @Query #11196

Spring Security SAML2 Single Logout After Session Expiration Not Working from External App #11389

Use Base64 encoder with no CRLF in output for SAML 2.0 messages #11270

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.5.0.3 #11546

Update assertj-core to 3.23.1 #11552

Update com.nimbusds to 9.38.1 #11545

Update hibernate-entitymanager to 5.6.10.Final #11554

Update htmlunit to 2.63.0 #11551

Update htmlunit-driver to 2.63.0 #11559

Update io.projectreactor to 2020.0.21 #11548

Update io.spring.javaformat to 0.0.34 #11550

Update jackson-bom to 2.13.3 #11542

Update jackson-databind to 2.13.3 #11543

Update jackson-datatype-jsr310 to 2.13.3 #11544

Update jsonassert to 1.5.1 #11560

Update junit-bom to 5.9.0-RC1 #11557

Update mockk to 1.12.4 #11547

Update org.eclipse.jetty to 9.4.48.v20220622 #11553

Update org.jetbrains.kotlin to 1.7.10 #11555

Update org.jetbrains.kotlinx to 1.6.4 #11556

Update org.junit.jupiter to 5.9.0-RC1 #11558

Update org.springframework to 5.3.22 #11561

Update org.springframework.data to 2021.2.2 #11562

Update reactor-netty to 1.1.0-M4 #11549

Update spring-ldap-core to 2.4.1 #11563

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@j3graham

@MPriess

@ugrave

@jzheaux

@andresbermeoq

@junytse

Source code(tar.gz)
Source code(zip)
5.7.2(Jun 20, 2022)
:star: New Features

Consider updating testing examples to use JUnit Jupiter #11293

:beetle: Bug Fixes

Some Security Expressions cause NPE when used within @Query #11289

CsrfWebFilter null save content-type check #11341

Docs example uses access(String) with authorizeHttpRequests() #11296

Fix typo in BasicLookupStrategy Javadoc #11339

KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #11358

OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11384

SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11284

SecurityContextRepository.loadContext(HttpServletRequest) cache result #11390

Should SAML metadata EntityDescriptor tag have the md: prefix? #11311

Update opaque-token.adoc #11303

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.4.3.1 #11402

Update hibernate-entitymanager to 5.6.9.Final #11405

Update io.projectreactor to 2020.0.20 #11403

Update jackson-bom to 2.13.3 #11399

Update jackson-databind to 2.13.3 #11400

Update jackson-datatype-jsr310 to 2.13.3 #11401

Update org.jetbrains.kotlinx to 1.6.3 #11406

Update org.opensaml:opensaml-core4 to 4.1.1 #11410

Update org.springframework to 5.3.21 #11407

Update org.springframework.data to 2021.2.1 #11408

Update reactor-netty to 1.0.20 #11404

Update spring-ldap-core to 2.4.1 #11409

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@andrelugomes

Source code(tar.gz)
Source code(zip)
5.6.6(Jun 20, 2022)
:star: New Features

Consider updating testing examples to use JUnit Jupiter #11292

:beetle: Bug Fixes

CsrfWebFilter null save content-type check #11342

Docs example uses access(String) with authorizeHttpRequests() #11297

Fix typo in BasicLookupStrategy Javadoc #11340

OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #11385

SAML request encoding: on redirect binding, base64 encoded message contains CRLF #11285

Should SAML metadata EntityDescriptor tag have the md: prefix? #11310

Some Security Expressions cause NPE when used within @Query #11290

:hammer: Dependency Upgrades

Update hibernate-entitymanager to 5.6.9.Final #11416

Update io.projectreactor to 2020.0.20 #11414

Update jackson-bom to 2.13.3 #11411

Update jackson-databind to 2.13.3 #11412

Update jackson-datatype-jsr310 to 2.13.3 #11413

Update org.opensaml:opensaml-core4 to 4.1.1 #11420

Update org.springframework to 5.3.21 #11417

Update org.springframework.data to 2021.1.5 #11418

Update reactor-netty to 1.0.20 #11415

Update spring-ldap-core to 2.3.8.RELEASE #11419

Source code(tar.gz)
Source code(zip)
6.0.0-M5(May 18, 2022)
:beetle: Bug Fixes

StrictHttpFirewall incorrectly rejects valid CJKV characters #11264

Source code(tar.gz)
Source code(zip)
5.7.1(May 18, 2022)
:beetle: Bug Fixes

StrictHttpFirewall incorrectly rejects valid CJKV characters #11266

Source code(tar.gz)
Source code(zip)
5.6.5(May 18, 2022)
:beetle: Bug Fixes

StrictHttpFirewall incorrectly rejects valid CJKV characters #11267

Source code(tar.gz)
Source code(zip)
5.5.8(May 18, 2022)
:beetle: Bug Fixes

StrictHttpFirewall incorrectly rejects valid CJKV characters #11268

Source code(tar.gz)
Source code(zip)
6.0.0-M4(May 16, 2022)
:rewind: Breaking Changes

Authorization on Every Dispatch Type #11027

Change the default of shouldFilterAllDispatchTypes to true #11107

Default to SecurityContextHolderFilter instead of SecurityContextPersistenceFilter #11110

Remove MessageSourceAware from ExceptionTranslationWebFilter #11057

RequestRejectedException should be 400 by default #7568

:star: New Features

Fix tests in AntPathRequestMatcherTests #11090

messages.properties cleanup #11172

Optimize AntRegexRequestMatcher #11234

Remove SAML Deprecations #11077

Replace removed Reactor context-related operators #11194

:beetle: Bug Fixes

release-next-version.yml should not fail when there is no release #11158

Use HttpStatusCode #11091

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.4.3 #11240

Update com.nimbusds to 9.35 #11239

Update Gradle Enterprise plugin to 3.9 #11104

Update hibernate-core-jakarta to 5.6.9.Final #11249

Update htmlunit to 2.61.0 #11246

Update htmlunit-driver to 2.61.0 #11254

Update io.projectreactor to 2020.0.19 #11242

Update jackson-bom to 2.13.3 #11236

Update jackson-databind to 2.13.3 #11237

Update jackson-datatype-jsr310 to 2.13.3 #11238

Update jakarta.annotation-api to 2.1.0 #11244

Update jakarta.persistence-api to 3.1.0 #11245

Update junit-bom to 5.9.0-M1 #11252

Update mockk to 1.12.4 #11241

Update org.aspectj to 1.9.9.1 #11247

Update org.eclipse.jetty to 11.0.9 #11248

Update org.jetbrains.kotlin to 1.6.21 #11250

Update org.jetbrains.kotlinx to 1.6.1 #11251

Update org.junit.jupiter to 5.9.0-M1 #11253

Update reactor-netty to 1.1.0-M2 #11243

Update Spring Framework to 6.0.0-M4 #11260

Update spring-data-jpa to 3.0.0-M4 #11255

Update spring-ldap-core to 2.4.0 #11256

Update to Gradle 7.4.2 #11101

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@Emkas

@jprinet

Source code(tar.gz)
Source code(zip)
5.7.0(May 16, 2022)
:star: New Features

Check Samples should run against the current artifacts #11199

Consider replacing an inner loop with Set of authority strings in AuthorityAuthorizationManager#isAuthorized #11188

Remember me should detect UserDetailsService bean #11170

WebSessionServerSecurityContextRepository provides Mono.cache option #8422

X509 should detect UserDetailsService bean #11174

:beetle: Bug Fixes

@EnableMethodSecurity doesn't resolve annotations on interfaces through a Proxy #11177

Add shouldFilterAllDispatcherTypes to Kotlin DSL #11153

Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #11165

Multiple .requestMatchers().mvcMatchers() override previous one #11185

:hammer: Dependency Upgrades

Update aspectj-plugin to 6.4.3 #11218

Update com.nimbusds to 9.35 #11217

Update htmlunit to 2.61.0 #11222

Update htmlunit-driver to 2.61.0 #11224

Update io.projectreactor to 2020.0.19 #11220

Update mockk to 1.12.4 #11219

Update org.jetbrains.kotlin to 1.6.21 #11223

Update org.springframework to 5.3.20 #11225

Update org.springframework.data to 2021.2.0 #11228

Update reactor-netty to 1.1.0-M2 #11221

Update spring-data-jpa to 2.7.0-RC1 #11226

Update spring-ldap-core to 2.4.0 #11227

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

@evgeniycheban

Source code(tar.gz)
Source code(zip)
5.6.4(May 16, 2022)
:star: New Features

Check Samples should run against the current artifacts #11200

:beetle: Bug Fixes

Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #11166

Multiple .requestMatchers().mvcMatchers() override previous one #11186

:hammer: Dependency Upgrades

Update io.projectreactor to 2020.0.19 #11207

Update mockk to 1.12.4 #11206

Update org.springframework to 5.3.20 #11209

Update org.springframework.data to 2021.1.4 #11210

Update reactor-netty to 1.0.19 #11208

Source code(tar.gz)
Source code(zip)
5.5.7(May 16, 2022)
:hammer: Dependency Upgrades

Update com.fasterxml.jackson.core to 2.13.2.2 #11211

Update com.fasterxml.jackson.datatype to 2.13.2 #11212

Update io.projectreactor to 2020.0.19 #11213

Update org.springframework to 5.3.20 #11215

Update org.springframework.data to 2021.0.11 #11216

Update reactor-netty to 1.0.19 #11214

Source code(tar.gz)
Source code(zip)