Releases: spring-projects/spring-security

5.2.9.RELEASE

11 Feb 20:31
974156d

⭐ New Features

  • Improve HttpSessionSecurityContextSessionRepository Performance #9390
  • Migrate SAML 2.0 Samples to Use PCFOne #9371
  • Use constant time comparisons for CSRF tokens #9359

🪲 Bug Fixes

  • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9428
  • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9406
  • Remove notEmpty check for authorities in DefaultOAuth2User #9398
  • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9340
  • webflux-x509 sample cert needs renewal #9321
  • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9260

🔨 Dependency Upgrades

  • Update to GAE 1.9.86 #9442
  • Update to Tomcat 9.0.43 #9441
  • Update to Jetty 9.4.36.v20210114 #9440
  • Update to hibernate-validator 6.1.7.Final #9439
  • Update to hibernate-entitymanager 5.4.28.Final #9438
  • Update to thymeleaf-spring5 3.0.12 #9437
  • Update to Spring Data Moore-SR12 #9436
  • Update to Reactor Dysprosium-SR16 #9435
  • Update to Spring Framework 5.2.12.RELEASE #9434
  • Update to Spring Boot 2.2.13.RELEASE #9433

4.2.20.RELEASE

09 Dec 18:09
6747e13

🔨 Dependency Upgrades

  • Update to Spring LDAP 2.3.3 #9274
  • Update to GAE 1.9.83 #9273
  • Update to Spring Framework 4.3.30 #9272

5.4.2

03 Dec 05:22
9effebe

⭐ New Features

  • Update snapshot build dependencies #9254
  • Update to Gradle 6.6.1 #9232

🪲 Bug Fixes

  • Tests should not combine Authentication and @AuthenticationPrincipal #9255
  • Remove empty Appendix Section from docs #9253
  • CookieRequestCache handles URL encoded query parameters incorrectly #9252
  • Improve Metadata URL Documentation #9251

🔨 Dependency Upgrades

  • Update to Google App Engine 1.9.83 #9250
  • Update to Kotlin 1.4.20 #9249
  • Update to Spring Boot 2.4.0 #9248
  • 5.4.x Snapshot Build Should Point to Other Maintenance Branches #9162

5.3.6.RELEASE

03 Dec 02:34
2975923

🪲 Bug Fixes

  • Remove empty Appendix Section from docs #9161
  • Tests should not combine Authentication and @AuthenticationPrincipal #9125

🔨 Dependency Upgrades

  • Update to Google App Engine 1.9.83 #9247
  • Update to Spring Boot 2.2.11 #9246

5.2.8.RELEASE

03 Dec 02:20
d03d31c

🪲 Bug Fixes

  • Remove empty Appendix Section from docs #9172
  • Tests should not combine Authentication and @AuthenticationPrincipal #9126

🔨 Dependency Upgrades

  • Update to Spring LDAP Core 2.3.3 #9245
  • Update to Powermock 2.0.9 #9244
  • Update to HSQLDB 2.5.1 #9243
  • Update to Hibernate EntityManager 5.4.25 #9242
  • Update to Jetty 9.4.35 #9241
  • Update to HttpComponents HttpClient 4.5.13 #9240
  • Update to RSocket 1.0.3 #9239
  • Update to Reactor Dysprosium-SR14 #9238
  • Update to Google App Engine 1.9.83 #9237
  • Update to Jackson Databind 2.10.5.1 #9236
  • Update to Spring Data Moore-SR11 #9235
  • Update to Spring 5.2.11 #9234
  • Update to Spring Boot 2.2.11 #9233

5.5.0-M1

04 Nov 01:24
Pre-release

⭐ New Features

  • Add unsupported_token_type in OAuth2ErrorCodes #9184
  • Add token and token_type_hint to OAuth2ParameterNames #9183
  • Introduce JwaAlgorithm #9182
  • WithSecurityContextTestExecutionListener Should Support Nested Classes #9179
  • Add WebFlux Documentation for Multiple Filter Chains #9178
  • SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements #9177
  • Enable customization of BearerTokenResolver by adding a setter for JwtClaimIssuerConverter on JwtIssuerAuthenticationManagerResolver #9168
  • Reactive doc points to unit tests #9157
  • Invoke Kotlin MockMvc result matchers with parentheses #9155
  • Change guard expressions order #9153
  • It is not necessary to fetch all user sessions if unlimited sessions are set in the ConcurrentSessionControlAuthenticationStrategy. #9152
  • Add refresh token expiration support #9146
  • JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs #9137
  • OpenSamlAuthenticationProvider should decrypt attributes #9131
  • Update snapshot build dependencies #9124
  • spring-security-test should include jackson-datatype-jsr310 as a test dependency #9123
  • Update to Gradle 6.6.1 #9122
  • Use LobHandler in JdbcOAuth2AuthorizedClientService #9070
  • Changed metadata converter to accept files as well #9056
  • Add HSM Support for Decrypting Assertions #9055
  • File-based Configuration for Asserting Party Metadata #9028
  • Prevent PR builds from running on forks #8993
  • Provide a R2dbc implementation of ReactiveOuath2AuthorizedClientService #8765
  • Add support for dynamic JWS signature algorithm with JWKs (2) - Issue 7160 #8752
  • Support customization of BearerTokenResolver in JwtIssuerAuthenticationManagerResolver #8535
  • Provide reactive JDBC implementation of ReactiveOAuth2AuthorizedClientService #7890
  • JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint #7160
  • OAuth2Token interface for AbstractOAuth2Token #5502

🪲 Bug Fixes

  • [docs]Add white space before strong notation. #9145
  • Bug with JwtValidators.createDefaultWithIssuer(String)? #9136
  • Tests should not combine Authentication and @AuthenticationPrincipal #9121
  • Closes gh-8196 appendix indentation #9118
  • Fixes in documentation #9099

🔨 Dependency Upgrades

  • Set rsocketVersion to 1.1.0 #9167
  • Set reactorVersion to 2020.0.+ #9166
  • Set springVersion to 5.3.+ #9165

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.4.1

07 Oct 22:36
dbce9b5

⭐ New Features

  • Replace expired msdn link with latest web archive copy #9050
  • Add documentation for StrictHttpFirewall enhancements #9038
  • Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
  • Use AssertJ for exception testing #9013

🪲 Bug Fixes

  • Add try-with-resources to close stream #9053
  • RelyingPartyRegistrations Fails to Read Keycloak Metadata #9051
  • fix miswritten comment of FormLoginDsl.kt #9042
  • Adapt to WebClient's new exception wrapping #9031
  • StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #9026
  • Fix broken Mono chain #9022
  • Use Schedulers.boundedElastic for UUID.randomUUID #9021
  • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018
  • WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() #9017
  • NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #9011
  • Quick javadoc fix for DelegatingPasswordEncoder #8890

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.3.5.RELEASE

07 Oct 22:37
989a162

🪲 Bug Fixes

  • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9057
  • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9024

🔨 Dependency Upgrades

  • Update to AspectJ 1.9.6 #9106
  • Update to Google App Engine 1.9.82 #9105
  • Update to Spring Boot 2.2.10.RELEASE #9104

5.2.7.RELEASE

07 Oct 17:41
52814ab

🪲 Bug Fixes

  • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9058
  • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9025

🔨 Dependency Upgrades

  • Update to Spring Data Moore-SR10 #9088
  • Update to Hibernate Entity manager 5.4.22 #9087
  • Update to Hibernate Validator 6.1.6 #9086
  • Upgrade to embedded Apache Tomcat 9.0.38 #9085
  • Update to RSocket 1.0.2 #9084
  • Update to Spring Framework 5.2.9 #9083
  • Update to Reactor Dysprosium-SR12 #9082
  • Update to Spring Boot 2.2.10 #9081
  • Update to GAE 1.9.82 #9080
  • Update to org.aspectj 1.9.6 #9079

5.1.13.RELEASE

07 Oct 17:59
3baf24a

🪲 Bug Fixes

  • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9059

🔨 Dependency Upgrades

  • Update to Spring Boot 2.1.17.RELEASE #9078
  • Update to Hibernate Validator 6.0.21 #9077
  • Update to org.aspectj 1.9.6 #9076
  • Update to GAE 1.9.82 #9075
  • Update to Jackson Databind 2.9.10.6 #9074
  • Update to Spring Data Lovelace-SR20 #9073
  • Update to Spring Framework 5.1.18 #9072
  • Update to Reactor Californium-SR21 #9071