5.8.12

🪲 Bug Fixes

• Conditional check for data-source-ref is incorrect #14742

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #14878
• Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #14877
• Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #14822
• Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #14891

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @dependabot[bot]
• @sheriumair

6.3.0-M3

⭐ New Features

• Add ContinueOnError Support for Failed Authentications #14591
• Add DelegatingAuthenticationConverter #14655
• Add DelegatingServerAuthenticationConverter #14654
• Add JSON session support for SwitchUserGrantedAuthority #11758
• Add meta-annotation annotation parameter support #14494
• Add Programmatic Proxy Support for Method Security #14716
• Add support for configuring token-exchange via a bean #14701
• Add support for OAuth 2.0 Token Exchange Grant #14692
• Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo #14672
• Fix Delegation-based Strategy with OidcUserService/OidcReactiveOAuth2UserService examples #12281
• Implement customization of rolePrefix in LdapUserDetailsManager #14574
• Introduce Customizable AuthorizationFailureHandler in OAuth2AuthorizationRequestRedirectFilter #14168
• Simplify configuration of reactive OAuth2 Client component model #13763

🪲 Bug Fixes

• Check for null Authentication #14667
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14724
• Publishing PrePostTemplateDefaults creates circular dependency #14674

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.4.14 to 1.5.3 #14744
• Bump com.fasterxml.jackson:jackson-bom from 2.15.4 to 2.17.0 #14746
• Bump com.github.ben-manes:gradle-versions-plugin from 0.38.0 to 0.51.0 #14753
• Bump com.google.code.gson:gson from 2.8.9 to 2.10.1 #14737
• Bump com.gradle.enterprise from 3.12.6 to 3.16.2 #14760
• Bump com.nimbusds:oauth2-oidc-sdk from 9.43.3 to 9.43.4 #14695
• Bump io.freefair.gradle:aspectj-plugin from 8.4 to 8.6 #14755
• Bump io.github.gradle-nexus:publish-plugin from 1.1.0 to 1.3.0 #14761
• Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14718
• Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14659
• Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14727
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14707
• Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14738
• Bump org.assertj:assertj-core from 3.24.2 to 3.25.3 #14748
• Bump org.gretty:gretty from 4.0.3 to 4.1.2 #14754
• Bump org.hibernate.orm:hibernate-core from 6.3.2.Final to 6.4.4.Final #14747
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14709
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14708
• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.7.3 to 1.8.0 #14739
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.4 to 4.33.13 #14735
• Bump org.mockito:mockito-bom from 5.5.0 to 5.11.0 #14736
• Bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 2.7.1 to 2.8.0.1969 #14752
• Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14769
• Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14756
• Bump org.yaml:snakeyaml from 1.30 to 1.33 #14745

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Haarolean, @daniel-shuy, @dependabot[bot], @jzheaux, @kse-music, @leewin12, @markusheiden, and @sjohnr

6.2.3

⭐ New Features

• Structure101 Plugin Should Ignore Deprecated Files #14640

🪲 Bug Fixes

• Check for null Authentication #14666
• Fix Package Tangle in CAS #14641
• LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14648
• ObservationTextHandler class is not defined in a reactive context #14653
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14723
• Spring security's ServerLogoutHandler order problem. #14682

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #14719
• Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14661
• Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #14726
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14705
• Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14734
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #14706
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #14704
• Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #14770
• Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #14757

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

6.1.8

🪲 Bug Fixes

• Check for null Authentication #14665
• Fix Package Tangle in CAS #14627
• Fix Package Tangle in SAML 2.0 #14628
• LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #14647
• ObservationTextHandler class is not defined in a reactive context #14651
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14722
• Spring security's ServerLogoutHandler order problem. #14681

🔨 Dependency Upgrades

• Bump io.mockk:mockk from 1.13.9 to 1.13.10 #14660
• Bump io.projectreactor:reactor-bom from 2022.0.16 to 2022.0.17 #14728
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #14703
• Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #14733
• Bump org.springframework:spring-framework-bom from 6.0.17 to 6.0.18 #14762

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

5.8.11

🪲 Bug Fixes

• Allow tab in HTTP header values. #14590
• Check for null Authentication #14664
• PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #14720
• Remove duplicate setSecurityContextHolderStrategy #14603
• Spring security's ServerLogoutHandler order problem. #14379

🔨 Dependency Upgrades

• Bump io.projectreactor.netty:reactor-netty from 1.0.41 to 1.0.43 #14730
• Bump io.projectreactor:reactor-bom from 2020.0.41 to 2020.0.42 #14729
• Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 #14759

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @chbecker2
• @kse-music
• @dependabot[bot]

5.7.12

🪲 Bug Fixes

• Check for null Authentication #14715

6.3.0-M2

⭐ New Features

• Add usernameParameter and passwordParameter to FormLoginDsl #14488
• Add argument resolver for SecurityContext #14449
• Add functionality to set custom web client in ReactiveOidcIdTokenDecoderFactory #13301
• Cleanup Saml2MetadataFilter #14476
• Customize when UserInfo is called #13259
• Implement providing a custom AuthoritiesPopulator in ADLdapAuthProvider #14539
• Migrate spring-security-rsa into spring-security-crypto #14202
• Nested username attribute in DefaultOAuth2User #14265
• Revise AuthorizationAnnotationUtils #14407
• Spring Security annotations on subclasses support intercepting parent class methods. #14516

🪲 Bug Fixes

• WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14469
• Cannot configure SecurityContextRepository in CasAuthenticationFilter #14537
• Fix wrong class name in JavaDoc #14466
• Fixed Interceptor name in Method Security reference document #14475
• Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14471
• Typo: Update anonymous.adoc #14541
• Typo: Update rememberme.adoc #14542

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #14619
• Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14578
• Bump gradle/gradle-build-action from 2 to 3 #14502
• Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #14588
• Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #14613
• Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14462
• Bump org-aspectj from 1.9.21 to 1.9.21.1 #14604
• Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14517
• Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #14544
• Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14556
• Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #14625
• Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #14620
• Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #14618
• Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14501
• Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14579

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Haarolean, @NerminKarapandzic, @ahmd-nabil, @boulce, @dependabot[bot], @irerin07, @kse-music, @leshalv, @sbrannen, @sonallux, @ty-v1, and @ubaid4j

6.2.2

⭐ New Features

• Configuration examples in docs are out of date #14392

🪲 Bug Fixes

• "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #14568
• HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #14367
• OAuth2AuthorizationExchange is not serializable #14405
• WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14468
• Application context fails to load: Couldn't find FilterChainProxy #14380
• Back-Channel Logout should use localhost for internal logout request #14553
• Cannot configure SecurityContextRepository in CasAuthenticationFilter #14536
• Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #14348
• fix typo in anonymous.adoc #14424
• fix: typo in Authentication Architecture ProviderManager #14448
• Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #14377
• Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14470
• ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #14350
• SAML relying party logout filter is always ordered last #14551
• Spring Security 6.2 defaults to InMemoryOidcSessionRegistry causing memory leaks in distributed systems with external session storage #14558
• Test using @WithMockUser fails with 401 UNAUTHORIZED with 3.2 #14207
• Typo: Update authorize-http-requests.adoc #14563
• Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #14496
• X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #14346

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #14617
• Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14582
• Bump Gradle Wrapper from 8.5 to 8.6 #14547
• Bump gradle/gradle-build-action from 2 to 3 #14503
• Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14439
• Bump io.micrometer:micrometer-observation from 1.12.1 to 1.12.2 #14429
• Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #14589
• Bump io.mockk:mockk from 1.13.8 to 1.13.9 #14412
• Bump io.projectreactor:reactor-bom from 2023.0.1 to 2023.0.2 #14430
• Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #14612
• Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14463
• Bump org-aspectj from 1.9.21 to 1.9.21.1 #14605
• Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #14354
• Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14518
• Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #14440
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.21 to 1.9.22 #14364
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.21 to 1.9.22 #14363
• Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #14543
• Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #14422
• Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14554
• Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #14387
• Bump org.springframework.data:spring-data-bom from 2023.1.1 to 2023.1.2 #14455
• Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #14624
• Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #14616
• Bump org.springframework:spring-framework-bom from 6.1.2 to 6.1.3 #14454
• Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #14615
• Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14504
• Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14583

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Amitmahato, @andreasbuechel, @boulce, and @dependabot[bot]

6.1.7

⭐ New Features

• Fix Spring initializr link in 'Getting Spring Security' #14375
• Refactor: Remove Irrelevant Documentation Lines #14374
• Typo fix in configuration.adoc #14372
• Updated the Configuration examples in docs #14391

🪲 Bug Fixes

• "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #14445
• HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #14362
• OAuth2AuthorizationExchange is not serializable #14402
• WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #14399
• Application context fails to load: Couldn't find FilterChainProxy #14370
• Cannot configure SecurityContextRepository in CasAuthenticationFilter #14529
• Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #14347
• Fix broken sample code in Authorize HttpServletRequests #14386
• Fix command in CONTRIBUTING.adoc #14489
• Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #14359
• Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #14397
• ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #14349
• SAML relying party logout filter is always ordered last #14550
• Typo: Update ldap.adoc #14509
• Typo: Update session-management.adoc #14515
• Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #14495
• X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #14345

🔨 Dependency Upgrades

• Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14581
• Bump Gradle Wrapper from 8.5 to 8.6 #14540
• Bump gradle/gradle-build-action from 2 to 3 #14500
• Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14436
• Bump io.mockk:mockk from 1.13.8 to 1.13.9 #14413
• Bump io.projectreactor:reactor-bom from 2022.0.14 to 2022.0.15 #14428
• Bump io.projectreactor:reactor-bom from 2022.0.15 to 2022.0.16 #14611
• Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14465
• Bump org-aspectj from 1.9.21 to 1.9.21.1 #14606
• Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #14355
• Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #14519
• Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #14437
• Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #14421
• Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #14555
• Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #14389
• Bump org.springframework:spring-framework-bom from 6.0.15 to 6.0.16 #14443
• Bump org.springframework:spring-framework-bom from 6.0.16 to 6.0.17 #14621
• Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14499
• Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14580

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Siddharth1605, @acktsap, @boulce, @dependabot[bot], @github-actions[bot], @kcsurapaneni, @nkilchenmann, and @ty-v1

5.8.10

⭐ New Features

• Updated broken documentation link in javadocs #14329

🪲 Bug Fixes

• Fix security filter sort in javadoc #14552
• ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #11596
• Saml2 LogoutFilter Should Come Before Common LogoutFilter #14549

🔨 Dependency Upgrades

• Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #14584
• Bump gradle/gradle-build-action from 2 to 3 #14505
• Bump io-spring-javaformat from 0.0.40 to 0.0.41 #14438
• Bump io.projectreactor.netty:reactor-netty from 1.0.40 to 1.0.41 #14432
• Bump io.projectreactor:reactor-bom from 2020.0.39 to 2020.0.40 #14431
• Bump io.projectreactor:reactor-bom from 2020.0.40 to 2020.0.41 #14614
• Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #14464
• Bump org-aspectj from 1.9.20.1 to 1.9.21.1 #14607
• Bump org-eclipse-jetty from 9.4.53.v20231009 to 9.4.54.v20240208 #14608
• Bump org.springframework:spring-framework-bom from 5.3.31 to 5.3.32 #14622
• Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #14506
• Bump spring-io/spring-github-workflows from eaf17a1890b1ef1b337f015d6eb263baaf8c6dab to 1e8b0587a1f4f01697f9753fa3339c3e0d30f396 #14585

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @kse-music
• @geirhe
• @aspan
• @dependabot[bot]