spring-projects/spring-security (org.springframework.security:spring-security-web)
### [`v5.4.11`](https://togithub.com/spring-projects/spring-security/compare/5.4.10...5.4.11)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.10...5.4.11)
### [`v5.4.10`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.10)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.9...5.4.10)
#### :beetle: Bug Fixes
- StaticServerHttpHeadersWriter should work with case-insensitive header names [#10583](https://togithub.com/spring-projects/spring-security/issues/10583)
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors [#10562](https://togithub.com/spring-projects/spring-security/issues/10562)
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session [#10532](https://togithub.com/spring-projects/spring-security/issues/10532)
- Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section [#10528](https://togithub.com/spring-projects/spring-security/issues/10528)
- Multi-tenancy Documentation - `com.nimbusds.jwt.proc.JWTProcessor` does not have a ` setJWTClaimSetJWSKeySelector ` method [#10521](https://togithub.com/spring-projects/spring-security/issues/10521)
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors [#10517](https://togithub.com/spring-projects/spring-security/issues/10517)
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy [#10485](https://togithub.com/spring-projects/spring-security/issues/10485)
- WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext [#10437](https://togithub.com/spring-projects/spring-security/issues/10437)
### [`v5.4.9`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.9)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.8...5.4.9)
#### :star: New Features
- Add Documentation for Static Methods Classes for `mockJwt()` and `jwt()` [#10266](https://togithub.com/spring-projects/spring-security/issues/10266)
#### :beetle: Bug Fixes
- SAML 2.0 Login should allow `loginProcessingUrl` without `{registrationId}` when providing an `AuthenticationConverter` [#10342](https://togithub.com/spring-projects/spring-security/issues/10342)
- JwtTimeStampValidator uses wrong error on token expiration [#10329](https://togithub.com/spring-projects/spring-security/issues/10329)
- Fix typo [#10314](https://togithub.com/spring-projects/spring-security/issues/10314)
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type [#10258](https://togithub.com/spring-projects/spring-security/issues/10258)
- MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented [#10209](https://togithub.com/spring-projects/spring-security/issues/10209)
#### :hammer: Dependency Upgrades
- Update to Spring Boot 2.4.11 [#10418](https://togithub.com/spring-projects/spring-security/issues/10418)
### [`v5.4.8`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.8)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.7...5.4.8)
#### :star: New Features
- Remove -PdeployDocsHost=docs-ip.spring.io from Build [#10021](https://togithub.com/spring-projects/spring-security/issues/10021)
#### :beetle: Bug Fixes
- Regression with URL encode client credentials [#10126](https://togithub.com/spring-projects/spring-security/issues/10126)
- AuthenticationFailureEvent does not exist [#10107](https://togithub.com/spring-projects/spring-security/issues/10107)
- Fix a typo in some class names in the oauth documentation [#10052](https://togithub.com/spring-projects/spring-security/issues/10052)
- Fix Saml2WebSsoAuthenticationRequestFilter javadoc [#10027](https://togithub.com/spring-projects/spring-security/issues/10027)
- Update to use s01.oss.sonatype.org Maven Publishing [#10015](https://togithub.com/spring-projects/spring-security/issues/10015)
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher [#10009](https://togithub.com/spring-projects/spring-security/issues/10009)
- logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set [#9997](https://togithub.com/spring-projects/spring-security/issues/9997)
#### :hammer: Dependency Upgrades
- Update to Spring Boot 2.4.8 [#10181](https://togithub.com/spring-projects/spring-security/issues/10181)
- Update to spring-build-conventions:0.0.38 [#10020](https://togithub.com/spring-projects/spring-security/issues/10020)
### [`v5.4.7`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.7)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.6...5.4.7)
#### :star: New Features
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository [#9920](https://togithub.com/spring-projects/spring-security/issues/9920)
#### :beetle: Bug Fixes
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout [#9942](https://togithub.com/spring-projects/spring-security/issues/9942)
- Missing log of "caused by" exception when OP document metadata cannot be reached [#9940](https://togithub.com/spring-projects/spring-security/issues/9940)
- Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath [#9930](https://togithub.com/spring-projects/spring-security/issues/9930)
- Adding filters relative to custom ones is broken [#9908](https://togithub.com/spring-projects/spring-security/issues/9908)
- SEC-3139: Anonymous authentication token not passed to Controller [#9891](https://togithub.com/spring-projects/spring-security/issues/9891)
- Clarify quick start section in README [#9886](https://togithub.com/spring-projects/spring-security/issues/9886)
- RSocket and WebClient with Security refCount: 0 [#9871](https://togithub.com/spring-projects/spring-security/issues/9871)
- Client credentials not correctly encoded in Basic Auth [#9861](https://togithub.com/spring-projects/spring-security/issues/9861)
- Docs should state default value for Resource Server validation clock skew is 60 seconds [#9848](https://togithub.com/spring-projects/spring-security/issues/9848)
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice [#9820](https://togithub.com/spring-projects/spring-security/issues/9820)
- DefaultSpringSecurityContextSource can't handle spaces in baseDn [#9807](https://togithub.com/spring-projects/spring-security/issues/9807)
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response [#9802](https://togithub.com/spring-projects/spring-security/issues/9802)
- NPE in HttpSessionSecurityContextRepository.isTransientAuthentication [#9800](https://togithub.com/spring-projects/spring-security/issues/9800)
- docs.af.pivotal.io->docs-ip.spring.io [#9686](https://togithub.com/spring-projects/spring-security/issues/9686)
- Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter [#9681](https://togithub.com/spring-projects/spring-security/issues/9681)
- NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 [#9674](https://togithub.com/spring-projects/spring-security/issues/9674)
- WebFlux httpBasic() should match on XHR requests [#9662](https://togithub.com/spring-projects/spring-security/issues/9662)
- HttpSecurity.addFilter\* with same Filter in Different Position Places in Incorrect Location [#9643](https://togithub.com/spring-projects/spring-security/issues/9643)
- oauth2Login() generates authorization links for "client_credentials" grant type [#9637](https://togithub.com/spring-projects/spring-security/issues/9637)
### [`v5.4.6`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.6)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.5...5.4.6)
#### :beetle: Bug Fixes
- Add null check in CsrfFilter and CsrfWebFilter [#9592](https://togithub.com/spring-projects/spring-security/issues/9592)
- [@Order](https://togithub.com/Order) annotations cannot be used with [@Bean](https://togithub.com/Bean) methods [#9517](https://togithub.com/spring-projects/spring-security/issues/9517)
#### :hammer: Dependency Upgrades
- Update to Spring Boot 2.4.4 [#9613](https://togithub.com/spring-projects/spring-security/issues/9613)
### [`v5.4.5`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.5)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.4...5.4.5)
#### :beetle: Bug Fixes
- Downgrade to Nimbus JOSE JWT 8.+ [#9453](https://togithub.com/spring-projects/spring-security/pull/9453)
#### :heart: Contributors
We'd like to thank all the contributors who worked on this release!
- [@wilkinsona](https://togithub.com/wilkinsona)
### [`v5.4.4`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.4)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.3...5.4.4)
This release fixes a problem with the release of 5.4.3
#### :star: New Features
- Migrate SAML 2.0 Samples to Use PCFOne [#9369](https://togithub.com/spring-projects/spring-security/issues/9369)
- Resolve artifacts from Maven Central first [#9367](https://togithub.com/spring-projects/spring-security/issues/9367)
- Use constant time comparisons for CSRF tokens [#9357](https://togithub.com/spring-projects/spring-security/issues/9357)
- Improve HttpSessionSecurityContextSessionRepository Performance [#9388](https://togithub.com/spring-projects/spring-security/issues/9388)
#### :beetle: Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9426](https://togithub.com/spring-projects/spring-security/issues/9426)
- Fix custom marshaller example [#9409](https://togithub.com/spring-projects/spring-security/issues/9409)
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9403](https://togithub.com/spring-projects/spring-security/issues/9403)
- CurrentSecurityContextArgumentResolver should configure BeanResolver [#9402](https://togithub.com/spring-projects/spring-security/issues/9402)
- Consider downgrading to Nimbus 8 [#9399](https://togithub.com/spring-projects/spring-security/issues/9399)
- Remove notEmpty check for authorities in DefaultOAuth2User [#9396](https://togithub.com/spring-projects/spring-security/issues/9396)
- Wrong example name in Spring Security documentation [#9383](https://togithub.com/spring-projects/spring-security/issues/9383)
- Make user info response status check error only [#9376](https://togithub.com/spring-projects/spring-security/issues/9376)
- Malformed WWW-Authenticate Causes NPE [#9364](https://togithub.com/spring-projects/spring-security/issues/9364)
- CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9338](https://togithub.com/spring-projects/spring-security/issues/9338)
- Exception when declaring multiple AuthenticationManager beans [#9332](https://togithub.com/spring-projects/spring-security/issues/9332)
- webflux-x509 sample cert needs renewal [#9322](https://togithub.com/spring-projects/spring-security/issues/9322)
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9258](https://togithub.com/spring-projects/spring-security/issues/9258)
#### :hammer: Dependency Upgrades
- Update to GAE 1.9.86 [#9448](https://togithub.com/spring-projects/spring-security/issues/9448)
- Update to Spring Boot 2.4.2 [#9447](https://togithub.com/spring-projects/spring-security/issues/9447)
- Update to Kotlin 1.4.30 [#9446](https://togithub.com/spring-projects/spring-security/issues/9446)
### [`v5.4.3`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.3)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.2...5.4.3)
#### :star: New Features
- Migrate SAML 2.0 Samples to Use PCFOne [#9369](https://togithub.com/spring-projects/spring-security/issues/9369)
- Resolve artifacts from Maven Central first [#9367](https://togithub.com/spring-projects/spring-security/issues/9367)
- Use constant time comparisons for CSRF tokens [#9357](https://togithub.com/spring-projects/spring-security/issues/9357)
- Improve HttpSessionSecurityContextSessionRepository Performance [#9388](https://togithub.com/spring-projects/spring-security/issues/9388)
#### :beetle: Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9426](https://togithub.com/spring-projects/spring-security/issues/9426)
- Fix custom marshaller example [#9409](https://togithub.com/spring-projects/spring-security/issues/9409)
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9403](https://togithub.com/spring-projects/spring-security/issues/9403)
- CurrentSecurityContextArgumentResolver should configure BeanResolver [#9402](https://togithub.com/spring-projects/spring-security/issues/9402)
- Consider downgrading to Nimbus 8 [#9399](https://togithub.com/spring-projects/spring-security/issues/9399)
- Remove notEmpty check for authorities in DefaultOAuth2User [#9396](https://togithub.com/spring-projects/spring-security/issues/9396)
- Wrong example name in Spring Security documentation [#9383](https://togithub.com/spring-projects/spring-security/issues/9383)
- Make user info response status check error only [#9376](https://togithub.com/spring-projects/spring-security/issues/9376)
- Malformed WWW-Authenticate Causes NPE [#9364](https://togithub.com/spring-projects/spring-security/issues/9364)
- CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9338](https://togithub.com/spring-projects/spring-security/issues/9338)
- Exception when declaring multiple AuthenticationManager beans [#9332](https://togithub.com/spring-projects/spring-security/issues/9332)
- webflux-x509 sample cert needs renewal [#9322](https://togithub.com/spring-projects/spring-security/issues/9322)
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9258](https://togithub.com/spring-projects/spring-security/issues/9258)
#### :hammer: Dependency Upgrades
- Update to GAE 1.9.86 [#9448](https://togithub.com/spring-projects/spring-security/issues/9448)
- Update to Spring Boot 2.4.2 [#9447](https://togithub.com/spring-projects/spring-security/issues/9447)
- Update to Kotlin 1.4.30 [#9446](https://togithub.com/spring-projects/spring-security/issues/9446)
### [`v5.4.2`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.2)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.1...5.4.2)
#### :star: New Features
- Update snapshot build dependencies [#9254](https://togithub.com/spring-projects/spring-security/issues/9254)
- Update to Gradle 6.6.1 [#9232](https://togithub.com/spring-projects/spring-security/issues/9232)
#### :beetle: Bug Fixes
- Tests should not combine Authentication and [@AuthenticationPrincipal](https://togithub.com/AuthenticationPrincipal) [#9255](https://togithub.com/spring-projects/spring-security/issues/9255)
- Remove empty Appendix Section from docs [#9253](https://togithub.com/spring-projects/spring-security/issues/9253)
- CookieRequestCache handles URL encoded query parameters incorrectly [#9252](https://togithub.com/spring-projects/spring-security/issues/9252)
- Improve Metadata URL Documentation [#9251](https://togithub.com/spring-projects/spring-security/issues/9251)
#### :hammer: Dependency Upgrades
- Update to Google App Engine 1.9.83 [#9250](https://togithub.com/spring-projects/spring-security/issues/9250)
- Update to Kotlin 1.4.20 [#9249](https://togithub.com/spring-projects/spring-security/issues/9249)
- Update to Spring Boot 2.4.0 [#9248](https://togithub.com/spring-projects/spring-security/issues/9248)
- 5.4.x Snapshot Build Should Point to Other Maintenance Branches [#9162](https://togithub.com/spring-projects/spring-security/issues/9162)
### [`v5.4.1`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.1)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.0...5.4.1)
#### :star: New Features
- Replace expired msdn link with latest web archive copy [#9050](https://togithub.com/spring-projects/spring-security/pull/9050)
- Add documentation for StrictHttpFirewall enhancements [#9038](https://togithub.com/spring-projects/spring-security/issues/9038)
- Replace Tomcat6 URL for SSL Guide to Tomcat 10 [#9034](https://togithub.com/spring-projects/spring-security/pull/9034)
- Use AssertJ for exception testing [#9013](https://togithub.com/spring-projects/spring-security/pull/9013)
#### :beetle: Bug Fixes
- Add try-with-resources to close stream [#9053](https://togithub.com/spring-projects/spring-security/pull/9053)
- RelyingPartyRegistrations Fails to Read Keycloak Metadata [#9051](https://togithub.com/spring-projects/spring-security/issues/9051)
- fix miswritten comment of FormLoginDsl.kt [#9042](https://togithub.com/spring-projects/spring-security/pull/9042)
- Adapt to WebClient's new exception wrapping [#9031](https://togithub.com/spring-projects/spring-security/issues/9031)
- StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer [#9026](https://togithub.com/spring-projects/spring-security/issues/9026)
- Fix broken Mono chain [#9022](https://togithub.com/spring-projects/spring-security/pull/9022)
- Use Schedulers.boundedElastic for UUID.randomUUID [#9021](https://togithub.com/spring-projects/spring-security/pull/9021)
- CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic [#9018](https://togithub.com/spring-projects/spring-security/issues/9018)
- WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() [#9017](https://togithub.com/spring-projects/spring-security/issues/9017)
- NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) [#9011](https://togithub.com/spring-projects/spring-security/issues/9011)
- Quick javadoc fix for DelegatingPasswordEncoder [#8890](https://togithub.com/spring-projects/spring-security/pull/8890)
#### :heart: Contributors
We'd like to thank all the contributors who worked on this release!
- [@muRn](https://togithub.com/muRn)
- [@b12f10w](https://togithub.com/b12f10w)
- [@uy-rrodriguez](https://togithub.com/uy-rrodriguez)
- [@geonu1109](https://togithub.com/geonu1109)
- [@tt4g](https://togithub.com/tt4g)
- [@philwebb](https://togithub.com/philwebb)
- [@MeTPP](https://togithub.com/MeTPP)
### [`v5.4.0`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.0)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.13.RELEASE...5.4.0)
#### :star: New Features
- Add What's New in 5.4 [#9002](https://togithub.com/spring-projects/spring-security/pull/9002)
- Add What's New in 5.4 Section to Docs [#9001](https://togithub.com/spring-projects/spring-security/issues/9001)
- Add Resource Server Servlet Logging [#9000](https://togithub.com/spring-projects/spring-security/issues/9000)
- Simplify saml2Login Samples [#8990](https://togithub.com/spring-projects/spring-security/issues/8990)
- Remove Framework Tests from saml2Login Sample [#8989](https://togithub.com/spring-projects/spring-security/issues/8989)
- Add authenticationManagerResolver to resource server Kotlin DSL [#8981](https://togithub.com/spring-projects/spring-security/issues/8981)
- Generalize SAML 2.0 Assertion Validation Support [#8970](https://togithub.com/spring-projects/spring-security/issues/8970)
- Update abstract-authentication-processing-filter.adoc [#8965](https://togithub.com/spring-projects/spring-security/pull/8965)
- Add spring-javaformat checkstyle and formatting [#8946](https://togithub.com/spring-projects/spring-security/pull/8946)
- Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL [#8926](https://togithub.com/spring-projects/spring-security/pull/8926)
- Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL [#8892](https://togithub.com/spring-projects/spring-security/issues/8892)
- Resolve oauth2 client-id, client-secret placeholders [#8880](https://togithub.com/spring-projects/spring-security/pull/8880)
- Restructure SAML 2.0 documentation [#8763](https://togithub.com/spring-projects/spring-security/issues/8763)
- security:client-registrations doesn't take propertyconfigurer properties [#8453](https://togithub.com/spring-projects/spring-security/issues/8453)
#### :beetle: Bug Fixes
- Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video [#8986](https://togithub.com/spring-projects/spring-security/issues/8986)
- NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder [#8948](https://togithub.com/spring-projects/spring-security/issues/8948)
- SAML attributes not parsed correctly with prefixed XML elements [#8864](https://togithub.com/spring-projects/spring-security/issues/8864)
- Don't use oidc scopes_supported for scope as default in ClientRegistrations [#8790](https://togithub.com/spring-projects/spring-security/pull/8790)
- scopes_supported metadata should not be used as default in ClientRegistrations [#8514](https://togithub.com/spring-projects/spring-security/issues/8514)
#### :hammer: Dependency Upgrades
- Set springDataVersion to Neumann-SR+ [#9007](https://togithub.com/spring-projects/spring-security/issues/9007)
- Set rsocketVersion to 1.0.+ [#9006](https://togithub.com/spring-projects/spring-security/issues/9006)
#### :heart: Contributors
We'd like to thank all the contributors who worked on this release!
- [@evgeniycheban](https://togithub.com/evgeniycheban)
- [@jzheaux](https://togithub.com/jzheaux)
- [@taoroot](https://togithub.com/taoroot)
- [@philwebb](https://togithub.com/philwebb)
- [@koishikawa11](https://togithub.com/koishikawa11)
- [@martin-v](https://togithub.com/martin-v)
### [`v5.3.13.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.13.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.12.RELEASE...5.3.13.RELEASE)
#### :beetle: Bug Fixes
- Reactive resource server tests failing [#10660](https://togithub.com/spring-projects/spring-security/issues/10660)
- Gretty samples fail when using logback 1.2.9 [#10643](https://togithub.com/spring-projects/spring-security/issues/10643)
- StaticServerHttpHeadersWriter should work with case-insensitive header names [#10584](https://togithub.com/spring-projects/spring-security/issues/10584)
- Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors [#10563](https://togithub.com/spring-projects/spring-security/issues/10563)
- MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session [#10533](https://togithub.com/spring-projects/spring-security/issues/10533)
- Multi-tenancy Documentation - `com.nimbusds.jwt.proc.JWTProcessor` does not have a ` setJWTClaimSetJWSKeySelector ` method [#10522](https://togithub.com/spring-projects/spring-security/issues/10522)
- Multi-tenancy Documentation - JwtDecoder sample has multiple errors [#10518](https://togithub.com/spring-projects/spring-security/issues/10518)
- Oauth2 Resource Server will not retry on first failure with Multi-tenancy [#10486](https://togithub.com/spring-projects/spring-security/issues/10486)
#### :hammer: Dependency Upgrades
- Update to AspectJ 1.9.7 [#10645](https://togithub.com/spring-projects/spring-security/issues/10645)
- Update to Google App Engine 1.9.93 [#10644](https://togithub.com/spring-projects/spring-security/issues/10644)
### [`v5.3.12.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.12.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.11.RELEASE...5.3.12.RELEASE)
#### :star: New Features
- Add Documentation for Static Methods Classes for `mockJwt()` and `jwt()` [#10267](https://togithub.com/spring-projects/spring-security/issues/10267)
#### :beetle: Bug Fixes
- JwtTimeStampValidator uses wrong error on token expiration [#10330](https://togithub.com/spring-projects/spring-security/issues/10330)
- Fix typo [#10315](https://togithub.com/spring-projects/spring-security/issues/10315)
- Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type [#10259](https://togithub.com/spring-projects/spring-security/issues/10259)
- MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented [#10179](https://togithub.com/spring-projects/spring-security/issues/10179)
#### :hammer: Dependency Upgrades
- Update to Google App Engine 1.9.88 [#10381](https://togithub.com/spring-projects/spring-security/issues/10381)
- Update to nohttp 0.0.10 [#10380](https://togithub.com/spring-projects/spring-security/issues/10380)
### [`v5.3.11.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.11.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.10.RELEASE...5.3.11.RELEASE)
#### :star: New Features
- Remove -PdeployDocsHost=docs-ip.spring.io from Build [#10023](https://togithub.com/spring-projects/spring-security/issues/10023)
#### :beetle: Bug Fixes
- Regression with URL encode client credentials [#10127](https://togithub.com/spring-projects/spring-security/issues/10127)
- AuthenticationFailureEvent does not exist [#10108](https://togithub.com/spring-projects/spring-security/issues/10108)
- Update to use s01.oss.sonatype.org Maven Publishing [#10024](https://togithub.com/spring-projects/spring-security/issues/10024)
- Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher [#10010](https://togithub.com/spring-projects/spring-security/issues/10010)
#### :hammer: Dependency Upgrades
- Update to spring-build-conventions:0.0.38 [#10022](https://togithub.com/spring-projects/spring-security/issues/10022)
### [`v5.3.10.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.10.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.9.RELEASE...5.3.10.RELEASE)
#### :star: New Features
- Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository [#9915](https://togithub.com/spring-projects/spring-security/issues/9915)
#### :beetle: Bug Fixes
- Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout [#9945](https://togithub.com/spring-projects/spring-security/issues/9945)
- Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath [#9932](https://togithub.com/spring-projects/spring-security/issues/9932)
- Adding filters relative to custom ones is broken [#9909](https://togithub.com/spring-projects/spring-security/issues/9909)
- SEC-3139: Anonymous authentication token not passed to Controller [#9892](https://togithub.com/spring-projects/spring-security/issues/9892)
- Clarify quick start section in README [#9887](https://togithub.com/spring-projects/spring-security/issues/9887)
- RSocket and WebClient with Security refCount: 0 [#9872](https://togithub.com/spring-projects/spring-security/issues/9872)
- Client credentials not correctly encoded in Basic Auth [#9862](https://togithub.com/spring-projects/spring-security/issues/9862)
- Docs should state default value for Resource Server validation clock skew is 60 seconds [#9850](https://togithub.com/spring-projects/spring-security/issues/9850)
- OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice [#9821](https://togithub.com/spring-projects/spring-security/issues/9821)
- DefaultSpringSecurityContextSource can't handle spaces in baseDn [#9808](https://togithub.com/spring-projects/spring-security/issues/9808)
- OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response [#9803](https://togithub.com/spring-projects/spring-security/issues/9803)
- NPE in HttpSessionSecurityContextRepository.isTransientAuthentication [#9799](https://togithub.com/spring-projects/spring-security/issues/9799)
- docs.af.pivotal.io->docs-ip.spring.io [#9687](https://togithub.com/spring-projects/spring-security/issues/9687)
- Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter [#9682](https://togithub.com/spring-projects/spring-security/issues/9682)
- WebFlux httpBasic() should match on XHR requests [#9664](https://togithub.com/spring-projects/spring-security/issues/9664)
- HttpSecurity.addFilter\* with same Filter in Different Position Places in Incorrect Location [#9644](https://togithub.com/spring-projects/spring-security/issues/9644)
- oauth2Login() generates authorization links for "client_credentials" grant type [#9638](https://togithub.com/spring-projects/spring-security/issues/9638)
### [`v5.3.9.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.9.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.8.RELEASE...5.3.9.RELEASE)
#### :beetle: Bug Fixes
- Add null check in CsrfFilter and CsrfWebFilter [#9593](https://togithub.com/spring-projects/spring-security/issues/9593)
#### :hammer: Dependency Upgrades
- Update to Spring Boot 2.2.13 [#9614](https://togithub.com/spring-projects/spring-security/issues/9614)
### [`v5.3.8.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.8.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.7.RELEASE...5.3.8.RELEASE)
This release fixes a problem with the release of 5.3.7.
#### :star: New Features
- Improve HttpSessionSecurityContextSessionRepository Performance [#9391](https://togithub.com/spring-projects/spring-security/issues/9391)
- Improve HttpSessionSecurityContextSessionRepository Performance [#9389](https://togithub.com/spring-projects/spring-security/issues/9389)
- Migrate SAML 2.0 Samples to Use PCFOne [#9370](https://togithub.com/spring-projects/spring-security/issues/9370)
- Resolve artifacts from Maven Central first [#9368](https://togithub.com/spring-projects/spring-security/issues/9368)
- Use constant time comparisons for CSRF tokens [#9358](https://togithub.com/spring-projects/spring-security/issues/9358)
#### :beetle: Bug Fixes
- Fix the 5.3.7.RELEASE
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9427](https://togithub.com/spring-projects/spring-security/issues/9427)
- CurrentSecurityContextArgumentResolver should configure BeanResolver [#9405](https://togithub.com/spring-projects/spring-security/issues/9405)
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9404](https://togithub.com/spring-projects/spring-security/issues/9404)
- Remove notEmpty check for authorities in DefaultOAuth2User [#9397](https://togithub.com/spring-projects/spring-security/issues/9397)
- Wrong example name in Spring Security documentation [#9384](https://togithub.com/spring-projects/spring-security/issues/9384)
- CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9339](https://togithub.com/spring-projects/spring-security/issues/9339)
- webflux-x509 sample cert needs renewal [#9323](https://togithub.com/spring-projects/spring-security/issues/9323)
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9259](https://togithub.com/spring-projects/spring-security/issues/9259)
### [`v5.3.7.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.7.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.6.RELEASE...5.3.7.RELEASE)
#### :star: New Features
- Improve HttpSessionSecurityContextSessionRepository Performance [#9391](https://togithub.com/spring-projects/spring-security/issues/9391)
- Improve HttpSessionSecurityContextSessionRepository Performance [#9389](https://togithub.com/spring-projects/spring-security/issues/9389)
- Migrate SAML 2.0 Samples to Use PCFOne [#9370](https://togithub.com/spring-projects/spring-security/issues/9370)
- Resolve artifacts from Maven Central first [#9368](https://togithub.com/spring-projects/spring-security/issues/9368)
- Use constant time comparisons for CSRF tokens [#9358](https://togithub.com/spring-projects/spring-security/issues/9358)
#### :beetle: Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9427](https://togithub.com/spring-projects/spring-security/issues/9427)
- CurrentSecurityContextArgumentResolver should configure BeanResolver [#9405](https://togithub.com/spring-projects/spring-security/issues/9405)
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9404](https://togithub.com/spring-projects/spring-security/issues/9404)
- Remove notEmpty check for authorities in DefaultOAuth2User [#9397](https://togithub.com/spring-projects/spring-security/issues/9397)
- Wrong example name in Spring Security documentation [#9384](https://togithub.com/spring-projects/spring-security/issues/9384)
- CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9339](https://togithub.com/spring-projects/spring-security/issues/9339)
- webflux-x509 sample cert needs renewal [#9323](https://togithub.com/spring-projects/spring-security/issues/9323)
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9259](https://togithub.com/spring-projects/spring-security/issues/9259)
### [`v5.3.6.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.6.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.5.RELEASE...5.3.6.RELEASE)
#### :beetle: Bug Fixes
- Remove empty Appendix Section from docs [#9161](https://togithub.com/spring-projects/spring-security/issues/9161)
- Tests should not combine Authentication and [@AuthenticationPrincipal](https://togithub.com/AuthenticationPrincipal) [#9125](https://togithub.com/spring-projects/spring-security/issues/9125)
#### :hammer: Dependency Upgrades
- Update to Google App Engine 1.9.83 [#9247](https://togithub.com/spring-projects/spring-security/issues/9247)
- Update to Spring Boot 2.2.11 [#9246](https://togithub.com/spring-projects/spring-security/issues/9246)
### [`v5.3.5.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.5.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.4.RELEASE...5.3.5.RELEASE)
#### :beetle: Bug Fixes
- SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. [#9057](https://togithub.com/spring-projects/spring-security/issues/9057)
- CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic [#9024](https://togithub.com/spring-projects/spring-security/issues/9024)
#### :hammer: Dependency Upgrades
- Update to AspectJ 1.9.6 [#9106](https://togithub.com/spring-projects/spring-security/issues/9106)
- Update to Google App Engine 1.9.82 [#9105](https://togithub.com/spring-projects/spring-security/issues/9105)
- Update to Spring Boot 2.2.10.RELEASE [#9104](https://togithub.com/spring-projects/spring-security/issues/9104)
### [`v5.3.4.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.4.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.3.RELEASE...5.3.4.RELEASE)
#### :star: New Features
- Add logging [#8888](https://togithub.com/spring-projects/spring-security/issues/8888)
- Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) [#8855](https://togithub.com/spring-projects/spring-security/issues/8855)
- formLogin() does not work with REST Docs [#8748](https://togithub.com/spring-projects/spring-security/issues/8748)
- Use Github Actions PR pipeline and remove Travis for 5.3.x [#8724](https://togithub.com/spring-projects/spring-security/pull/8724)
#### :beetle: Bug Fixes
- ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error [#8896](https://togithub.com/spring-projects/spring-security/issues/8896)
- OAuth2AuthenticationException should be in allowlist [#8863](https://togithub.com/spring-projects/spring-security/issues/8863)
- Resolved bearer token has no padding indicators [#8837](https://togithub.com/spring-projects/spring-security/issues/8837)
- Fix ProviderManager Javadoc typo [#8811](https://togithub.com/spring-projects/spring-security/issues/8811)
- LoginPageGeneratingWebFilter should honor context path [#8808](https://togithub.com/spring-projects/spring-security/issues/8808)
- OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" [#8803](https://togithub.com/spring-projects/spring-security/issues/8803)
- RoleHierarchy is not used by AbstractAuthorizeTag [#8678](https://togithub.com/spring-projects/spring-security/issues/8678)
- OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException [#8672](https://togithub.com/spring-projects/spring-security/issues/8672)
- ReactorContext not available in PayloadSocketAcceptor delegate.accept [#8655](https://togithub.com/spring-projects/spring-security/issues/8655)
#### :hammer: Dependency Upgrades
- Update to spring-build-conventions:0.0.34.RELEASE [#8925](https://togithub.com/spring-projects/spring-security/issues/8925)
- Update to nohttp 0.0.5.RELEASE [#8924](https://togithub.com/spring-projects/spring-security/issues/8924)
- Update to GAE 1.9.81 [#8923](https://togithub.com/spring-projects/spring-security/issues/8923)
- Update to Spring Boot 2.2.9.RELEASE [#8922](https://togithub.com/spring-projects/spring-security/issues/8922)
- Update to spring-build-conventions:0.0.33.RELEASE [#8760](https://togithub.com/spring-projects/spring-security/issues/8760)
#### :heart: Contributors
We'd like to thank all the contributors who worked on this release!
- [@elliedori](https://togithub.com/elliedori)
### [`v5.3.3.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.3.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.2.RELEASE...5.3.3.RELEASE)
#### :star: New Features
- Update BCryptPasswordEncoder documentation with default strength [#8574](https://togithub.com/spring-projects/spring-security/issues/8574)
#### :beetle: Bug Fixes
- Delay AuthenticationPrincipalArgumentResolver Lookup [#8614](https://togithub.com/spring-projects/spring-security/issues/8614)
- Fix typos in BCryptPasswordEncoder documentation [#8601](https://togithub.com/spring-projects/spring-security/issues/8601)
- Fixing typo in SAML 2.0 Sample README [#8600](https://togithub.com/spring-projects/spring-security/issues/8600)
- Mock request with non-standard HTTP method in test [#8597](https://togithub.com/spring-projects/spring-security/issues/8597)
- Remove unused field 'digester' in Md4PasswordEncoder [#8575](https://togithub.com/spring-projects/spring-security/issues/8575)
- Polish JDBC Authentication documentation [#8573](https://togithub.com/spring-projects/spring-security/issues/8573)
- ACL : AclImpl.hashCode leads to StackOverflowError [#8569](https://togithub.com/spring-projects/spring-security/issues/8569)
- Fix Kotlin Sample Documentation [#8565](https://togithub.com/spring-projects/spring-security/issues/8565)
- Object ID Identity conversion to long fails on old schema [#8558](https://togithub.com/spring-projects/spring-security/issues/8558)
- Blocking in WebSessionServerCsrfTokenRepository [#8544](https://togithub.com/spring-projects/spring-security/issues/8544)
- Fix AntPathRequestMatcher Javadoc [#8526](https://togithub.com/spring-projects/spring-security/issues/8526)
- Document NoOpPasswordEncoder will not be removed [#8521](https://togithub.com/spring-projects/spring-security/issues/8521)
- Fix non-standard HTTP method for CsrfWebFilter [#8515](https://togithub.com/spring-projects/spring-security/issues/8515)
#### :hammer: Dependency Upgrades
- Update to AppEngine 1.9.80 [#8647](https://togithub.com/spring-projects/spring-security/issues/8647)
- Update to Spring Boot 2.2.7.RELEASE [#8646](https://togithub.com/spring-projects/spring-security/issues/8646)
- Update to Kotlin 1.3.72 [#8645](https://togithub.com/spring-projects/spring-security/issues/8645)
### [`v5.3.2.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.2.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.1.RELEASE...5.3.2.RELEASE)
#### :star: New Features
- SAML Authentication Provider assertions [#8491](https://togithub.com/spring-projects/spring-security/issues/8491)
- BCryptPasswordEncoder.encode() throws NPE [#8345](https://togithub.com/spring-projects/spring-security/issues/8345)
#### :beetle: Bug Fixes
- Fix Javadoc punctuation [#8490](https://togithub.com/spring-projects/spring-security/issues/8490)
- Fixed typos in documentation [#8460](https://togithub.com/spring-projects/spring-security/issues/8460)
- JdbcOAuth2AuthorizedClientService should support update when saving [#8448](https://togithub.com/spring-projects/spring-security/issues/8448)
- Add ROLE_INFRASTRUCTURE to infrastructure beans [#8437](https://togithub.com/spring-projects/spring-security/issues/8437)
- Fix Documentation to Refer to BasicAuthenticationFilter [#8423](https://togithub.com/spring-projects/spring-security/issues/8423)
- Fix typo with correct capitalization [#8408](https://togithub.com/spring-projects/spring-security/issues/8408)
- Global ServerSecurityContextRepository ignored by logout [#8385](https://togithub.com/spring-projects/spring-security/issues/8385)
- Fix example in javadoc of FilterChainProxy [#8351](https://togithub.com/spring-projects/spring-security/issues/8351)
- Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors [#8311](https://togithub.com/spring-projects/spring-security/issues/8311)
#### :hammer: Dependency Upgrades
- Update to aspectj-plugin:4.1.6 [#8306](https://togithub.com/spring-projects/spring-security/issues/8306)
### [`v5.3.1.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.1.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.0.RELEASE...5.3.1.RELEASE)
#### :star: New Features
- SpringTestContext returns ConfigurableWebApplicationContext [#8237](https://togithub.com/spring-projects/spring-security/issues/8237)
- OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider [#8234](https://togithub.com/spring-projects/spring-security/issues/8234)
- SwitchUserFilter vulnerable to CSRF [#8222](https://togithub.com/spring-projects/spring-security/issues/8222)
- Clarify use case for `ServerBearerExchangeFilterFunction` [#8221](https://togithub.com/spring-projects/spring-security/issues/8221)
- Update Encryptors documentation for standard and stronger [#8211](https://togithub.com/spring-projects/spring-security/issues/8211)
- Document JwtGrantedAuthoritiesConverter [#8183](https://togithub.com/spring-projects/spring-security/issues/8183)
- userNameAttribute case style is different others [#8179](https://togithub.com/spring-projects/spring-security/issues/8179)
- Document AuthNRequest POST binding support [#8165](https://togithub.com/spring-projects/spring-security/issues/8165)
- Polish SAML 2.0 Login Sample [#8164](https://togithub.com/spring-projects/spring-security/issues/8164)
- OpenSamlImplementation should not use reflection [#8161](https://togithub.com/spring-projects/spring-security/issues/8161)
- Document AuthorizedClientServiceOAuth2AuthorizedClientManager [#8153](https://togithub.com/spring-projects/spring-security/issues/8153)
- Assign sensible default for OAuth2AuthorizedClientProvider [#8151](https://togithub.com/spring-projects/spring-security/issues/8151)
- Document OAuth2Authorization success and failure handlers [#8146](https://togithub.com/spring-projects/spring-security/issues/8146)
- Document Jackson serialization support for OAuth 2.0 Client [#8145](https://togithub.com/spring-projects/spring-security/issues/8145)
- Document OAuth 2.0 Authorization Request improvements [#8133](https://togithub.com/spring-projects/spring-security/issues/8133)
- Document OAuth 2.0 Login XML Support [#8132](https://togithub.com/spring-projects/spring-security/issues/8132)
- Document OAuth 2.0 Client XML Support [#8131](https://togithub.com/spring-projects/spring-security/issues/8131)
- Basic auth header without user results in exception [#8122](https://togithub.com/spring-projects/spring-security/issues/8122)
- Document AuthenticationEventPublisher improvements [#8103](https://togithub.com/spring-projects/spring-security/issues/8103)
- Typo 'properites' -> 'properties' in documentation [#8098](https://togithub.com/spring-projects/spring-security/issues/8098)
- Document OAuth 2.0 Resource Server XML Support [#8094](https://togithub.com/spring-projects/spring-security/issues/8094)
- Provide spring-security-5\*.xsd for https://www.springframework.org/schema/security/ [#8091](https://togithub.com/spring-projects/spring-security/issues/8091)
- Document OIDC Logout Success Handler Improvements [#8088](https://togithub.com/spring-projects/spring-security/issues/8088)
- Add OAuth 2.0 Test Support Docs [#8087](https://togithub.com/spring-projects/spring-security/issues/8087)
- Update test to have comment about secure salt length [#8084](https://togithub.com/spring-projects/spring-security/pull/8084)
- Document JwtClaimValidator [#8076](https://togithub.com/spring-projects/spring-security/issues/8076)
#### :beetle: Bug Fixes
- HttpServletRequest.logout() not functioning [#8238](https://togithub.com/spring-projects/spring-security/issues/8238)
- OAuth2 ClientRegistrations NPE when UserInfo endpoint missing [#8209](https://togithub.com/spring-projects/spring-security/issues/8209)
- oauth2Login WebFlux should not auto-redirect for XHR request [#8201](https://togithub.com/spring-projects/spring-security/issues/8201)
- Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer [#8178](https://togithub.com/spring-projects/spring-security/issues/8178)
- RSocket test should throw AccessDeniedException [#8160](https://togithub.com/spring-projects/spring-security/issues/8160)
- Make OAuth2ErrorHttpMessageConverter more resilient [#8158](https://togithub.com/spring-projects/spring-security/issues/8158)
- Fix typo in Javadoc of HttpSecurity#csrf() [#8134](https://togithub.com/spring-projects/spring-security/issues/8134)
- NPE thrown when token response contains a null value [#8121](https://togithub.com/spring-projects/spring-security/issues/8121)
- Google's top result for "Spring Security Reference" returns a 404 [#8086](https://togithub.com/spring-projects/spring-security/issues/8086)
- 5.3.0 Documentation What's New has some broken links [#8069](https://togithub.com/spring-projects/spring-security/issues/8069)
#### :heart: Contributors
We'd like to thank all the contributors who worked on this release!
- [@YYTVicky](https://togithub.com/YYTVicky)
### [`v5.3.0.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.0.RELEASE)
[Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.2.15.RELEASE...5.3.0.RELEASE)
#### :star: New Features
- Update What's New Section [#8062](https://togithub.com/spring-projects/spring-security/issues/8062)
- Document JdbcOAuth2AuthorizedClientService [#8061](https://togithub.com/spring-projects/spring-security/issues/8061)
- Add oauth2login xml sample [#8060](https://togithub.com/spring-projects/spring-security/issues/8060)
- Update doc diagram palette to use sans-serif font [#8057](https://togithub.com/spring-projects/spring-security/issues/8057)
- Add SecurityFilterChain Figure [#8055](https://togithub.com/spring-projects/spring-security/issues/8055)
- oauth2Client Test Support should allow configuration of principal name [#8054](https://togithub.com/spring-projects/spring-security/issues/8054)
- Add Kotlin Configuration section to docs [#8051](https://togithub.com/spring-projects/spring-security/pull/8051)
- Add anchors to SAML 2.0 documentation [#8049](https://togithub.com/spring-projects/spring-security/issues/8049)
- Update UserDetailsService Docs [#8048](https://togithub.com/spring-projects/spring-security/issues/8048)
- Add Figures to Basic Authentication Docs [#8039](https://togithub.com/spring-projects/spring-security/issues/8039)
- Add Link to DispatcherServlet in Filter Review Doc [#8036](https://togithub.com/spring-projects/spring-security/issues/8036)
- Add Figures to Form Log In Docs [#8035](https://togithub.com/spring-projects/spring-security/issues/8035)
- Add Figure for AuthenticationEntryPoint Docs [#8030](https://togithub.com/spring-projects/spring-security/issues/8030)
- Add ProviderManager to Docs [#8029](https://togithub.com/spring-projects/spring-security/issues/8029)
- Custom ServerHttpHeadersWriter to HeaderSpec [#8028](https://togithub.com/spring-projects/spring-security/pull/8028)
- Add hasRole(String) to authorizeRequests in Kotlin DSL [#8023](https://togithub.com/spring-projects/spring-security/issues/8023)
- Add missing [@FunctionalInterface](https://togithub.com/FunctionalInterface) in oauth2 modules [#8020](https://togithub.com/spring-projects/spring-security/issues/8020)
- Provide configurable Clock in OidcIdTokenValidator [#8019](https://togithub.com/spring-projects/spring-security/issues/8019)
- Add OAuth2AuthorizeRequest.Builder.principal(String) [#8018](https://togithub.com/spring-projects/spring-security/issues/8018)
- Extract AuthenticationManager Docs [#8006](https://togithub.com/spring-projects/spring-security/issues/8006)
- Extract SecurityContextHolder, SecurityContext, Authentication, and GrantedAuthority Docs [#8005](https://togithub.com/spring-projects/spring-security/issues/8005)
- Add AbstractAuthenticationProcessingFilter Docs [#8004](https://togithub.com/spring-projects/spring-security/issues/8004)
- Extract AuthenticationEntryPoint Docs [#8003](https://togithub.com/spring-projects/spring-security/issues/8003)
- Extract ExceptionTranslationFilter Docs [#8002](https://togithub.com/spring-projects/spring-security/issues/8002)
- Extract FilterSecurityInterceptor Docs [#8001](https://togithub.com/spring-projects/spring-security/issues/8001)
- Use Color Palette that is Accessible for Color Blind [#8000](https://togithub.com/spring-projects/spring-security/issues/8000)
- Create a palette.odg [#7999](https://togithub.com/spring-projects/spring-security/issues/7999)
- Add Numbers Icons [#7998](https://togithub.com/spring-projects/spring-security/issues/7998)
- Instantiate exceptions lazily [#7996](https://togithub.com/spring-projects/spring-security/pull/7996)
- JwtIssuerReactiveAuthenticationManagerResolver eagerly creates Exceptions [#7995](https://togithub.com/spring-projects/spring-security/issues/7995)
- OAuth2AuthorizationRequest.Builder should configure additional parameters with a consumer [#7993](https://togithub.com/spring-projects/spring-security/issues/7993)
- Add OAuth2Authorization success/failure handlers [#7986](https://togithub.com/spring-projects/spring-security/pull/7986)
- Refactor Duplicate Security Filter Chain Doc [#7979](https://togithub.com/spring-projects/spring-security/issues/7979)
- Fix Asciidoctor Warnings [#7973](https://togithub.com/spring-projects/spring-security/issues/7973)
- Use Kotlin DSL Marker Annotations to prevent scope leaking [#7971](https://togithub.com/spring-projects/spring-security/issues/7971)
- Add JwtClaimValidator [#7962](https://togithub.com/spring-projects/spring-security/pull/7962)
- Support custom filter in Kotlin DSL [#7951](https://togithub.com/spring-projects/spring-security/issues/7951)
- Option for default event in DefaultAuthenticationEventPublisher [#7937](https://togithub.com/spring-projects/spring-security/pull/7937)
- DefaultAuthenticationEventPublisher is now configurable via a Map [#7925](https://togithub.com/spring-projects/spring-security/pull/7925)
- Add oauth2Client WebTestClient Test Support [#7910](https://togithub.com/spring-projects/spring-security/issues/7910)
- Nimbus OpaqueTokenIntrospectors should differentiate token and service errors [#7902](https://togithub.com/spring-projects/spring-security/issues/7902)
- OAuth 2.0 Client supports application clustering [#7889](https://togithub.com/spring-projects/spring-security/issues/7889)
- Add JwtIssuerReactiveAuthenticationManagerResolver [#7887](https://togithub.com/spring-projects/spring-security/pull/7887)
- Consider adding JwtClaimValidator [#7860](https://togithub.com/spring-projects/spring-security/issues/7860)
- Add ReactiveJwtIssuerAuthenticationManagerResolver and Reactive Multi Tentant Examples [#7857](https://togithub.com/spring-projects/spring-security/issues/7857)
- Add JDBC implementation of OAuth2AuthorizedClientService [#7855](https://togithub.com/spring-projects/spring-security/pull/7855)
- Set default redirect in OidcClientInitiatedServerLogoutSuccessHandler [#7842](https://togithub.com/spring-projects/spring-security/issues/7842)
- Introduce OAuth2Authorization success/failure handlers [#7840](https://togithub.com/spring-projects/spring-security/issues/7840)
- Add Opaque Token Reactive Test Support [#7827](https://togithub.com/spring-projects/spring-security/issues/7827)
- DefaultAuthenticationEventPublisher should allow configuring a default event [#7825](https://togithub.com/spring-projects/spring-security/issues/7825)
- DefaultAuthenticationEventPublisher should be configurable via Map [#7824](https://togithub.com/spring-projects/spring-security/issues/7824)
- Oauth2login xmlconfig implementation [#7821](https://togithub.com/spring-projects/spring-security/pull/7821)
- OAuth 2.0 Resource Server XML Support [#7775](https://togithub.com/spring-projects/spring-security/pull/7775)
- SAML AuthNRequest Signatures - Step 2 [#7759](https://togithub.com/spring-projects/spring-security/pull/7759)
- SAML AuthNReque
This PR contains the following updates:
4.2.13.RELEASE->5.4.11By merging this PR, the issue #109 will be automatically resolved and closed:
Release Notes
spring-projects/spring-security (org.springframework.security:spring-security-web)
### [`v5.4.11`](https://togithub.com/spring-projects/spring-security/compare/5.4.10...5.4.11) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.10...5.4.11) ### [`v5.4.10`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.10) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.9...5.4.10) #### :beetle: Bug Fixes - StaticServerHttpHeadersWriter should work with case-insensitive header names [#10583](https://togithub.com/spring-projects/spring-security/issues/10583) - Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors [#10562](https://togithub.com/spring-projects/spring-security/issues/10562) - MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session [#10532](https://togithub.com/spring-projects/spring-security/issues/10532) - Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section [#10528](https://togithub.com/spring-projects/spring-security/issues/10528) - Multi-tenancy Documentation - `com.nimbusds.jwt.proc.JWTProcessor` does not have a ` setJWTClaimSetJWSKeySelector ` method [#10521](https://togithub.com/spring-projects/spring-security/issues/10521) - Multi-tenancy Documentation - JwtDecoder sample has multiple errors [#10517](https://togithub.com/spring-projects/spring-security/issues/10517) - Oauth2 Resource Server will not retry on first failure with Multi-tenancy [#10485](https://togithub.com/spring-projects/spring-security/issues/10485) - WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext [#10437](https://togithub.com/spring-projects/spring-security/issues/10437) ### [`v5.4.9`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.9) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.8...5.4.9) #### :star: New Features - Add Documentation for Static Methods Classes for `mockJwt()` and `jwt()` [#10266](https://togithub.com/spring-projects/spring-security/issues/10266) #### :beetle: Bug Fixes - SAML 2.0 Login should allow `loginProcessingUrl` without `{registrationId}` when providing an `AuthenticationConverter` [#10342](https://togithub.com/spring-projects/spring-security/issues/10342) - JwtTimeStampValidator uses wrong error on token expiration [#10329](https://togithub.com/spring-projects/spring-security/issues/10329) - Fix typo [#10314](https://togithub.com/spring-projects/spring-security/issues/10314) - Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type [#10258](https://togithub.com/spring-projects/spring-security/issues/10258) - MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented [#10209](https://togithub.com/spring-projects/spring-security/issues/10209) #### :hammer: Dependency Upgrades - Update to Spring Boot 2.4.11 [#10418](https://togithub.com/spring-projects/spring-security/issues/10418) ### [`v5.4.8`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.8) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.7...5.4.8) #### :star: New Features - Remove -PdeployDocsHost=docs-ip.spring.io from Build [#10021](https://togithub.com/spring-projects/spring-security/issues/10021) #### :beetle: Bug Fixes - Regression with URL encode client credentials [#10126](https://togithub.com/spring-projects/spring-security/issues/10126) - AuthenticationFailureEvent does not exist [#10107](https://togithub.com/spring-projects/spring-security/issues/10107) - Fix a typo in some class names in the oauth documentation [#10052](https://togithub.com/spring-projects/spring-security/issues/10052) - Fix Saml2WebSsoAuthenticationRequestFilter javadoc [#10027](https://togithub.com/spring-projects/spring-security/issues/10027) - Update to use s01.oss.sonatype.org Maven Publishing [#10015](https://togithub.com/spring-projects/spring-security/issues/10015) - Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher [#10009](https://togithub.com/spring-projects/spring-security/issues/10009) - logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set [#9997](https://togithub.com/spring-projects/spring-security/issues/9997) #### :hammer: Dependency Upgrades - Update to Spring Boot 2.4.8 [#10181](https://togithub.com/spring-projects/spring-security/issues/10181) - Update to spring-build-conventions:0.0.38 [#10020](https://togithub.com/spring-projects/spring-security/issues/10020) ### [`v5.4.7`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.7) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.6...5.4.7) #### :star: New Features - Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository [#9920](https://togithub.com/spring-projects/spring-security/issues/9920) #### :beetle: Bug Fixes - Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout [#9942](https://togithub.com/spring-projects/spring-security/issues/9942) - Missing log of "caused by" exception when OP document metadata cannot be reached [#9940](https://togithub.com/spring-projects/spring-security/issues/9940) - Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath [#9930](https://togithub.com/spring-projects/spring-security/issues/9930) - Adding filters relative to custom ones is broken [#9908](https://togithub.com/spring-projects/spring-security/issues/9908) - SEC-3139: Anonymous authentication token not passed to Controller [#9891](https://togithub.com/spring-projects/spring-security/issues/9891) - Clarify quick start section in README [#9886](https://togithub.com/spring-projects/spring-security/issues/9886) - RSocket and WebClient with Security refCount: 0 [#9871](https://togithub.com/spring-projects/spring-security/issues/9871) - Client credentials not correctly encoded in Basic Auth [#9861](https://togithub.com/spring-projects/spring-security/issues/9861) - Docs should state default value for Resource Server validation clock skew is 60 seconds [#9848](https://togithub.com/spring-projects/spring-security/issues/9848) - OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice [#9820](https://togithub.com/spring-projects/spring-security/issues/9820) - DefaultSpringSecurityContextSource can't handle spaces in baseDn [#9807](https://togithub.com/spring-projects/spring-security/issues/9807) - OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response [#9802](https://togithub.com/spring-projects/spring-security/issues/9802) - NPE in HttpSessionSecurityContextRepository.isTransientAuthentication [#9800](https://togithub.com/spring-projects/spring-security/issues/9800) - docs.af.pivotal.io->docs-ip.spring.io [#9686](https://togithub.com/spring-projects/spring-security/issues/9686) - Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter [#9681](https://togithub.com/spring-projects/spring-security/issues/9681) - NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 [#9674](https://togithub.com/spring-projects/spring-security/issues/9674) - WebFlux httpBasic() should match on XHR requests [#9662](https://togithub.com/spring-projects/spring-security/issues/9662) - HttpSecurity.addFilter\* with same Filter in Different Position Places in Incorrect Location [#9643](https://togithub.com/spring-projects/spring-security/issues/9643) - oauth2Login() generates authorization links for "client_credentials" grant type [#9637](https://togithub.com/spring-projects/spring-security/issues/9637) ### [`v5.4.6`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.6) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.5...5.4.6) #### :beetle: Bug Fixes - Add null check in CsrfFilter and CsrfWebFilter [#9592](https://togithub.com/spring-projects/spring-security/issues/9592) - [@Order](https://togithub.com/Order) annotations cannot be used with [@Bean](https://togithub.com/Bean) methods [#9517](https://togithub.com/spring-projects/spring-security/issues/9517) #### :hammer: Dependency Upgrades - Update to Spring Boot 2.4.4 [#9613](https://togithub.com/spring-projects/spring-security/issues/9613) ### [`v5.4.5`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.5) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.4...5.4.5) #### :beetle: Bug Fixes - Downgrade to Nimbus JOSE JWT 8.+ [#9453](https://togithub.com/spring-projects/spring-security/pull/9453) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@wilkinsona](https://togithub.com/wilkinsona) ### [`v5.4.4`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.4) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.3...5.4.4) This release fixes a problem with the release of 5.4.3 #### :star: New Features - Migrate SAML 2.0 Samples to Use PCFOne [#9369](https://togithub.com/spring-projects/spring-security/issues/9369) - Resolve artifacts from Maven Central first [#9367](https://togithub.com/spring-projects/spring-security/issues/9367) - Use constant time comparisons for CSRF tokens [#9357](https://togithub.com/spring-projects/spring-security/issues/9357) - Improve HttpSessionSecurityContextSessionRepository Performance [#9388](https://togithub.com/spring-projects/spring-security/issues/9388) #### :beetle: Bug Fixes - OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9426](https://togithub.com/spring-projects/spring-security/issues/9426) - Fix custom marshaller example [#9409](https://togithub.com/spring-projects/spring-security/issues/9409) - Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9403](https://togithub.com/spring-projects/spring-security/issues/9403) - CurrentSecurityContextArgumentResolver should configure BeanResolver [#9402](https://togithub.com/spring-projects/spring-security/issues/9402) - Consider downgrading to Nimbus 8 [#9399](https://togithub.com/spring-projects/spring-security/issues/9399) - Remove notEmpty check for authorities in DefaultOAuth2User [#9396](https://togithub.com/spring-projects/spring-security/issues/9396) - Wrong example name in Spring Security documentation [#9383](https://togithub.com/spring-projects/spring-security/issues/9383) - Make user info response status check error only [#9376](https://togithub.com/spring-projects/spring-security/issues/9376) - Malformed WWW-Authenticate Causes NPE [#9364](https://togithub.com/spring-projects/spring-security/issues/9364) - CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9338](https://togithub.com/spring-projects/spring-security/issues/9338) - Exception when declaring multiple AuthenticationManager beans [#9332](https://togithub.com/spring-projects/spring-security/issues/9332) - webflux-x509 sample cert needs renewal [#9322](https://togithub.com/spring-projects/spring-security/issues/9322) - OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9258](https://togithub.com/spring-projects/spring-security/issues/9258) #### :hammer: Dependency Upgrades - Update to GAE 1.9.86 [#9448](https://togithub.com/spring-projects/spring-security/issues/9448) - Update to Spring Boot 2.4.2 [#9447](https://togithub.com/spring-projects/spring-security/issues/9447) - Update to Kotlin 1.4.30 [#9446](https://togithub.com/spring-projects/spring-security/issues/9446) ### [`v5.4.3`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.3) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.2...5.4.3) #### :star: New Features - Migrate SAML 2.0 Samples to Use PCFOne [#9369](https://togithub.com/spring-projects/spring-security/issues/9369) - Resolve artifacts from Maven Central first [#9367](https://togithub.com/spring-projects/spring-security/issues/9367) - Use constant time comparisons for CSRF tokens [#9357](https://togithub.com/spring-projects/spring-security/issues/9357) - Improve HttpSessionSecurityContextSessionRepository Performance [#9388](https://togithub.com/spring-projects/spring-security/issues/9388) #### :beetle: Bug Fixes - OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9426](https://togithub.com/spring-projects/spring-security/issues/9426) - Fix custom marshaller example [#9409](https://togithub.com/spring-projects/spring-security/issues/9409) - Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9403](https://togithub.com/spring-projects/spring-security/issues/9403) - CurrentSecurityContextArgumentResolver should configure BeanResolver [#9402](https://togithub.com/spring-projects/spring-security/issues/9402) - Consider downgrading to Nimbus 8 [#9399](https://togithub.com/spring-projects/spring-security/issues/9399) - Remove notEmpty check for authorities in DefaultOAuth2User [#9396](https://togithub.com/spring-projects/spring-security/issues/9396) - Wrong example name in Spring Security documentation [#9383](https://togithub.com/spring-projects/spring-security/issues/9383) - Make user info response status check error only [#9376](https://togithub.com/spring-projects/spring-security/issues/9376) - Malformed WWW-Authenticate Causes NPE [#9364](https://togithub.com/spring-projects/spring-security/issues/9364) - CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9338](https://togithub.com/spring-projects/spring-security/issues/9338) - Exception when declaring multiple AuthenticationManager beans [#9332](https://togithub.com/spring-projects/spring-security/issues/9332) - webflux-x509 sample cert needs renewal [#9322](https://togithub.com/spring-projects/spring-security/issues/9322) - OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9258](https://togithub.com/spring-projects/spring-security/issues/9258) #### :hammer: Dependency Upgrades - Update to GAE 1.9.86 [#9448](https://togithub.com/spring-projects/spring-security/issues/9448) - Update to Spring Boot 2.4.2 [#9447](https://togithub.com/spring-projects/spring-security/issues/9447) - Update to Kotlin 1.4.30 [#9446](https://togithub.com/spring-projects/spring-security/issues/9446) ### [`v5.4.2`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.2) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.1...5.4.2) #### :star: New Features - Update snapshot build dependencies [#9254](https://togithub.com/spring-projects/spring-security/issues/9254) - Update to Gradle 6.6.1 [#9232](https://togithub.com/spring-projects/spring-security/issues/9232) #### :beetle: Bug Fixes - Tests should not combine Authentication and [@AuthenticationPrincipal](https://togithub.com/AuthenticationPrincipal) [#9255](https://togithub.com/spring-projects/spring-security/issues/9255) - Remove empty Appendix Section from docs [#9253](https://togithub.com/spring-projects/spring-security/issues/9253) - CookieRequestCache handles URL encoded query parameters incorrectly [#9252](https://togithub.com/spring-projects/spring-security/issues/9252) - Improve Metadata URL Documentation [#9251](https://togithub.com/spring-projects/spring-security/issues/9251) #### :hammer: Dependency Upgrades - Update to Google App Engine 1.9.83 [#9250](https://togithub.com/spring-projects/spring-security/issues/9250) - Update to Kotlin 1.4.20 [#9249](https://togithub.com/spring-projects/spring-security/issues/9249) - Update to Spring Boot 2.4.0 [#9248](https://togithub.com/spring-projects/spring-security/issues/9248) - 5.4.x Snapshot Build Should Point to Other Maintenance Branches [#9162](https://togithub.com/spring-projects/spring-security/issues/9162) ### [`v5.4.1`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.1) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.4.0...5.4.1) #### :star: New Features - Replace expired msdn link with latest web archive copy [#9050](https://togithub.com/spring-projects/spring-security/pull/9050) - Add documentation for StrictHttpFirewall enhancements [#9038](https://togithub.com/spring-projects/spring-security/issues/9038) - Replace Tomcat6 URL for SSL Guide to Tomcat 10 [#9034](https://togithub.com/spring-projects/spring-security/pull/9034) - Use AssertJ for exception testing [#9013](https://togithub.com/spring-projects/spring-security/pull/9013) #### :beetle: Bug Fixes - Add try-with-resources to close stream [#9053](https://togithub.com/spring-projects/spring-security/pull/9053) - RelyingPartyRegistrations Fails to Read Keycloak Metadata [#9051](https://togithub.com/spring-projects/spring-security/issues/9051) - fix miswritten comment of FormLoginDsl.kt [#9042](https://togithub.com/spring-projects/spring-security/pull/9042) - Adapt to WebClient's new exception wrapping [#9031](https://togithub.com/spring-projects/spring-security/issues/9031) - StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer [#9026](https://togithub.com/spring-projects/spring-security/issues/9026) - Fix broken Mono chain [#9022](https://togithub.com/spring-projects/spring-security/pull/9022) - Use Schedulers.boundedElastic for UUID.randomUUID [#9021](https://togithub.com/spring-projects/spring-security/pull/9021) - CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic [#9018](https://togithub.com/spring-projects/spring-security/issues/9018) - WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() [#9017](https://togithub.com/spring-projects/spring-security/issues/9017) - NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) [#9011](https://togithub.com/spring-projects/spring-security/issues/9011) - Quick javadoc fix for DelegatingPasswordEncoder [#8890](https://togithub.com/spring-projects/spring-security/pull/8890) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@muRn](https://togithub.com/muRn) - [@b12f10w](https://togithub.com/b12f10w) - [@uy-rrodriguez](https://togithub.com/uy-rrodriguez) - [@geonu1109](https://togithub.com/geonu1109) - [@tt4g](https://togithub.com/tt4g) - [@philwebb](https://togithub.com/philwebb) - [@MeTPP](https://togithub.com/MeTPP) ### [`v5.4.0`](https://togithub.com/spring-projects/spring-security/releases/tag/5.4.0) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.13.RELEASE...5.4.0) #### :star: New Features - Add What's New in 5.4 [#9002](https://togithub.com/spring-projects/spring-security/pull/9002) - Add What's New in 5.4 Section to Docs [#9001](https://togithub.com/spring-projects/spring-security/issues/9001) - Add Resource Server Servlet Logging [#9000](https://togithub.com/spring-projects/spring-security/issues/9000) - Simplify saml2Login Samples [#8990](https://togithub.com/spring-projects/spring-security/issues/8990) - Remove Framework Tests from saml2Login Sample [#8989](https://togithub.com/spring-projects/spring-security/issues/8989) - Add authenticationManagerResolver to resource server Kotlin DSL [#8981](https://togithub.com/spring-projects/spring-security/issues/8981) - Generalize SAML 2.0 Assertion Validation Support [#8970](https://togithub.com/spring-projects/spring-security/issues/8970) - Update abstract-authentication-processing-filter.adoc [#8965](https://togithub.com/spring-projects/spring-security/pull/8965) - Add spring-javaformat checkstyle and formatting [#8946](https://togithub.com/spring-projects/spring-security/pull/8946) - Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL [#8926](https://togithub.com/spring-projects/spring-security/pull/8926) - Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL [#8892](https://togithub.com/spring-projects/spring-security/issues/8892) - Resolve oauth2 client-id, client-secret placeholders [#8880](https://togithub.com/spring-projects/spring-security/pull/8880) - Restructure SAML 2.0 documentation [#8763](https://togithub.com/spring-projects/spring-security/issues/8763) - security:client-registrations doesn't take propertyconfigurer properties [#8453](https://togithub.com/spring-projects/spring-security/issues/8453) #### :beetle: Bug Fixes - Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video [#8986](https://togithub.com/spring-projects/spring-security/issues/8986) - NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder [#8948](https://togithub.com/spring-projects/spring-security/issues/8948) - SAML attributes not parsed correctly with prefixed XML elements [#8864](https://togithub.com/spring-projects/spring-security/issues/8864) - Don't use oidc scopes_supported for scope as default in ClientRegistrations [#8790](https://togithub.com/spring-projects/spring-security/pull/8790) - scopes_supported metadata should not be used as default in ClientRegistrations [#8514](https://togithub.com/spring-projects/spring-security/issues/8514) #### :hammer: Dependency Upgrades - Set springDataVersion to Neumann-SR+ [#9007](https://togithub.com/spring-projects/spring-security/issues/9007) - Set rsocketVersion to 1.0.+ [#9006](https://togithub.com/spring-projects/spring-security/issues/9006) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@evgeniycheban](https://togithub.com/evgeniycheban) - [@jzheaux](https://togithub.com/jzheaux) - [@taoroot](https://togithub.com/taoroot) - [@philwebb](https://togithub.com/philwebb) - [@koishikawa11](https://togithub.com/koishikawa11) - [@martin-v](https://togithub.com/martin-v) ### [`v5.3.13.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.13.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.12.RELEASE...5.3.13.RELEASE) #### :beetle: Bug Fixes - Reactive resource server tests failing [#10660](https://togithub.com/spring-projects/spring-security/issues/10660) - Gretty samples fail when using logback 1.2.9 [#10643](https://togithub.com/spring-projects/spring-security/issues/10643) - StaticServerHttpHeadersWriter should work with case-insensitive header names [#10584](https://togithub.com/spring-projects/spring-security/issues/10584) - Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors [#10563](https://togithub.com/spring-projects/spring-security/issues/10563) - MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session [#10533](https://togithub.com/spring-projects/spring-security/issues/10533) - Multi-tenancy Documentation - `com.nimbusds.jwt.proc.JWTProcessor` does not have a ` setJWTClaimSetJWSKeySelector ` method [#10522](https://togithub.com/spring-projects/spring-security/issues/10522) - Multi-tenancy Documentation - JwtDecoder sample has multiple errors [#10518](https://togithub.com/spring-projects/spring-security/issues/10518) - Oauth2 Resource Server will not retry on first failure with Multi-tenancy [#10486](https://togithub.com/spring-projects/spring-security/issues/10486) #### :hammer: Dependency Upgrades - Update to AspectJ 1.9.7 [#10645](https://togithub.com/spring-projects/spring-security/issues/10645) - Update to Google App Engine 1.9.93 [#10644](https://togithub.com/spring-projects/spring-security/issues/10644) ### [`v5.3.12.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.12.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.11.RELEASE...5.3.12.RELEASE) #### :star: New Features - Add Documentation for Static Methods Classes for `mockJwt()` and `jwt()` [#10267](https://togithub.com/spring-projects/spring-security/issues/10267) #### :beetle: Bug Fixes - JwtTimeStampValidator uses wrong error on token expiration [#10330](https://togithub.com/spring-projects/spring-security/issues/10330) - Fix typo [#10315](https://togithub.com/spring-projects/spring-security/issues/10315) - Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type [#10259](https://togithub.com/spring-projects/spring-security/issues/10259) - MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented [#10179](https://togithub.com/spring-projects/spring-security/issues/10179) #### :hammer: Dependency Upgrades - Update to Google App Engine 1.9.88 [#10381](https://togithub.com/spring-projects/spring-security/issues/10381) - Update to nohttp 0.0.10 [#10380](https://togithub.com/spring-projects/spring-security/issues/10380) ### [`v5.3.11.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.11.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.10.RELEASE...5.3.11.RELEASE) #### :star: New Features - Remove -PdeployDocsHost=docs-ip.spring.io from Build [#10023](https://togithub.com/spring-projects/spring-security/issues/10023) #### :beetle: Bug Fixes - Regression with URL encode client credentials [#10127](https://togithub.com/spring-projects/spring-security/issues/10127) - AuthenticationFailureEvent does not exist [#10108](https://togithub.com/spring-projects/spring-security/issues/10108) - Update to use s01.oss.sonatype.org Maven Publishing [#10024](https://togithub.com/spring-projects/spring-security/issues/10024) - Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher [#10010](https://togithub.com/spring-projects/spring-security/issues/10010) #### :hammer: Dependency Upgrades - Update to spring-build-conventions:0.0.38 [#10022](https://togithub.com/spring-projects/spring-security/issues/10022) ### [`v5.3.10.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.10.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.9.RELEASE...5.3.10.RELEASE) #### :star: New Features - Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository [#9915](https://togithub.com/spring-projects/spring-security/issues/9915) #### :beetle: Bug Fixes - Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout [#9945](https://togithub.com/spring-projects/spring-security/issues/9945) - Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath [#9932](https://togithub.com/spring-projects/spring-security/issues/9932) - Adding filters relative to custom ones is broken [#9909](https://togithub.com/spring-projects/spring-security/issues/9909) - SEC-3139: Anonymous authentication token not passed to Controller [#9892](https://togithub.com/spring-projects/spring-security/issues/9892) - Clarify quick start section in README [#9887](https://togithub.com/spring-projects/spring-security/issues/9887) - RSocket and WebClient with Security refCount: 0 [#9872](https://togithub.com/spring-projects/spring-security/issues/9872) - Client credentials not correctly encoded in Basic Auth [#9862](https://togithub.com/spring-projects/spring-security/issues/9862) - Docs should state default value for Resource Server validation clock skew is 60 seconds [#9850](https://togithub.com/spring-projects/spring-security/issues/9850) - OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice [#9821](https://togithub.com/spring-projects/spring-security/issues/9821) - DefaultSpringSecurityContextSource can't handle spaces in baseDn [#9808](https://togithub.com/spring-projects/spring-security/issues/9808) - OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response [#9803](https://togithub.com/spring-projects/spring-security/issues/9803) - NPE in HttpSessionSecurityContextRepository.isTransientAuthentication [#9799](https://togithub.com/spring-projects/spring-security/issues/9799) - docs.af.pivotal.io->docs-ip.spring.io [#9687](https://togithub.com/spring-projects/spring-security/issues/9687) - Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter [#9682](https://togithub.com/spring-projects/spring-security/issues/9682) - WebFlux httpBasic() should match on XHR requests [#9664](https://togithub.com/spring-projects/spring-security/issues/9664) - HttpSecurity.addFilter\* with same Filter in Different Position Places in Incorrect Location [#9644](https://togithub.com/spring-projects/spring-security/issues/9644) - oauth2Login() generates authorization links for "client_credentials" grant type [#9638](https://togithub.com/spring-projects/spring-security/issues/9638) ### [`v5.3.9.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.9.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.8.RELEASE...5.3.9.RELEASE) #### :beetle: Bug Fixes - Add null check in CsrfFilter and CsrfWebFilter [#9593](https://togithub.com/spring-projects/spring-security/issues/9593) #### :hammer: Dependency Upgrades - Update to Spring Boot 2.2.13 [#9614](https://togithub.com/spring-projects/spring-security/issues/9614) ### [`v5.3.8.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.8.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.7.RELEASE...5.3.8.RELEASE) This release fixes a problem with the release of 5.3.7. #### :star: New Features - Improve HttpSessionSecurityContextSessionRepository Performance [#9391](https://togithub.com/spring-projects/spring-security/issues/9391) - Improve HttpSessionSecurityContextSessionRepository Performance [#9389](https://togithub.com/spring-projects/spring-security/issues/9389) - Migrate SAML 2.0 Samples to Use PCFOne [#9370](https://togithub.com/spring-projects/spring-security/issues/9370) - Resolve artifacts from Maven Central first [#9368](https://togithub.com/spring-projects/spring-security/issues/9368) - Use constant time comparisons for CSRF tokens [#9358](https://togithub.com/spring-projects/spring-security/issues/9358) #### :beetle: Bug Fixes - Fix the 5.3.7.RELEASE - OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9427](https://togithub.com/spring-projects/spring-security/issues/9427) - CurrentSecurityContextArgumentResolver should configure BeanResolver [#9405](https://togithub.com/spring-projects/spring-security/issues/9405) - Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9404](https://togithub.com/spring-projects/spring-security/issues/9404) - Remove notEmpty check for authorities in DefaultOAuth2User [#9397](https://togithub.com/spring-projects/spring-security/issues/9397) - Wrong example name in Spring Security documentation [#9384](https://togithub.com/spring-projects/spring-security/issues/9384) - CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9339](https://togithub.com/spring-projects/spring-security/issues/9339) - webflux-x509 sample cert needs renewal [#9323](https://togithub.com/spring-projects/spring-security/issues/9323) - OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9259](https://togithub.com/spring-projects/spring-security/issues/9259) ### [`v5.3.7.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.7.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.6.RELEASE...5.3.7.RELEASE) #### :star: New Features - Improve HttpSessionSecurityContextSessionRepository Performance [#9391](https://togithub.com/spring-projects/spring-security/issues/9391) - Improve HttpSessionSecurityContextSessionRepository Performance [#9389](https://togithub.com/spring-projects/spring-security/issues/9389) - Migrate SAML 2.0 Samples to Use PCFOne [#9370](https://togithub.com/spring-projects/spring-security/issues/9370) - Resolve artifacts from Maven Central first [#9368](https://togithub.com/spring-projects/spring-security/issues/9368) - Use constant time comparisons for CSRF tokens [#9358](https://togithub.com/spring-projects/spring-security/issues/9358) #### :beetle: Bug Fixes - OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#9427](https://togithub.com/spring-projects/spring-security/issues/9427) - CurrentSecurityContextArgumentResolver should configure BeanResolver [#9405](https://togithub.com/spring-projects/spring-security/issues/9405) - Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#9404](https://togithub.com/spring-projects/spring-security/issues/9404) - Remove notEmpty check for authorities in DefaultOAuth2User [#9397](https://togithub.com/spring-projects/spring-security/issues/9397) - Wrong example name in Spring Security documentation [#9384](https://togithub.com/spring-projects/spring-security/issues/9384) - CsrfWebFilter creates CsrfException with incorrect message when no token is found [#9339](https://togithub.com/spring-projects/spring-security/issues/9339) - webflux-x509 sample cert needs renewal [#9323](https://togithub.com/spring-projects/spring-security/issues/9323) - OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#9259](https://togithub.com/spring-projects/spring-security/issues/9259) ### [`v5.3.6.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.6.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.5.RELEASE...5.3.6.RELEASE) #### :beetle: Bug Fixes - Remove empty Appendix Section from docs [#9161](https://togithub.com/spring-projects/spring-security/issues/9161) - Tests should not combine Authentication and [@AuthenticationPrincipal](https://togithub.com/AuthenticationPrincipal) [#9125](https://togithub.com/spring-projects/spring-security/issues/9125) #### :hammer: Dependency Upgrades - Update to Google App Engine 1.9.83 [#9247](https://togithub.com/spring-projects/spring-security/issues/9247) - Update to Spring Boot 2.2.11 [#9246](https://togithub.com/spring-projects/spring-security/issues/9246) ### [`v5.3.5.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.5.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.4.RELEASE...5.3.5.RELEASE) #### :beetle: Bug Fixes - SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. [#9057](https://togithub.com/spring-projects/spring-security/issues/9057) - CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic [#9024](https://togithub.com/spring-projects/spring-security/issues/9024) #### :hammer: Dependency Upgrades - Update to AspectJ 1.9.6 [#9106](https://togithub.com/spring-projects/spring-security/issues/9106) - Update to Google App Engine 1.9.82 [#9105](https://togithub.com/spring-projects/spring-security/issues/9105) - Update to Spring Boot 2.2.10.RELEASE [#9104](https://togithub.com/spring-projects/spring-security/issues/9104) ### [`v5.3.4.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.4.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.3.RELEASE...5.3.4.RELEASE) #### :star: New Features - Add logging [#8888](https://togithub.com/spring-projects/spring-security/issues/8888) - Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) [#8855](https://togithub.com/spring-projects/spring-security/issues/8855) - formLogin() does not work with REST Docs [#8748](https://togithub.com/spring-projects/spring-security/issues/8748) - Use Github Actions PR pipeline and remove Travis for 5.3.x [#8724](https://togithub.com/spring-projects/spring-security/pull/8724) #### :beetle: Bug Fixes - ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error [#8896](https://togithub.com/spring-projects/spring-security/issues/8896) - OAuth2AuthenticationException should be in allowlist [#8863](https://togithub.com/spring-projects/spring-security/issues/8863) - Resolved bearer token has no padding indicators [#8837](https://togithub.com/spring-projects/spring-security/issues/8837) - Fix ProviderManager Javadoc typo [#8811](https://togithub.com/spring-projects/spring-security/issues/8811) - LoginPageGeneratingWebFilter should honor context path [#8808](https://togithub.com/spring-projects/spring-security/issues/8808) - OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" [#8803](https://togithub.com/spring-projects/spring-security/issues/8803) - RoleHierarchy is not used by AbstractAuthorizeTag [#8678](https://togithub.com/spring-projects/spring-security/issues/8678) - OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException [#8672](https://togithub.com/spring-projects/spring-security/issues/8672) - ReactorContext not available in PayloadSocketAcceptor delegate.accept [#8655](https://togithub.com/spring-projects/spring-security/issues/8655) #### :hammer: Dependency Upgrades - Update to spring-build-conventions:0.0.34.RELEASE [#8925](https://togithub.com/spring-projects/spring-security/issues/8925) - Update to nohttp 0.0.5.RELEASE [#8924](https://togithub.com/spring-projects/spring-security/issues/8924) - Update to GAE 1.9.81 [#8923](https://togithub.com/spring-projects/spring-security/issues/8923) - Update to Spring Boot 2.2.9.RELEASE [#8922](https://togithub.com/spring-projects/spring-security/issues/8922) - Update to spring-build-conventions:0.0.33.RELEASE [#8760](https://togithub.com/spring-projects/spring-security/issues/8760) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@elliedori](https://togithub.com/elliedori) ### [`v5.3.3.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.3.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.2.RELEASE...5.3.3.RELEASE) #### :star: New Features - Update BCryptPasswordEncoder documentation with default strength [#8574](https://togithub.com/spring-projects/spring-security/issues/8574) #### :beetle: Bug Fixes - Delay AuthenticationPrincipalArgumentResolver Lookup [#8614](https://togithub.com/spring-projects/spring-security/issues/8614) - Fix typos in BCryptPasswordEncoder documentation [#8601](https://togithub.com/spring-projects/spring-security/issues/8601) - Fixing typo in SAML 2.0 Sample README [#8600](https://togithub.com/spring-projects/spring-security/issues/8600) - Mock request with non-standard HTTP method in test [#8597](https://togithub.com/spring-projects/spring-security/issues/8597) - Remove unused field 'digester' in Md4PasswordEncoder [#8575](https://togithub.com/spring-projects/spring-security/issues/8575) - Polish JDBC Authentication documentation [#8573](https://togithub.com/spring-projects/spring-security/issues/8573) - ACL : AclImpl.hashCode leads to StackOverflowError [#8569](https://togithub.com/spring-projects/spring-security/issues/8569) - Fix Kotlin Sample Documentation [#8565](https://togithub.com/spring-projects/spring-security/issues/8565) - Object ID Identity conversion to long fails on old schema [#8558](https://togithub.com/spring-projects/spring-security/issues/8558) - Blocking in WebSessionServerCsrfTokenRepository [#8544](https://togithub.com/spring-projects/spring-security/issues/8544) - Fix AntPathRequestMatcher Javadoc [#8526](https://togithub.com/spring-projects/spring-security/issues/8526) - Document NoOpPasswordEncoder will not be removed [#8521](https://togithub.com/spring-projects/spring-security/issues/8521) - Fix non-standard HTTP method for CsrfWebFilter [#8515](https://togithub.com/spring-projects/spring-security/issues/8515) #### :hammer: Dependency Upgrades - Update to AppEngine 1.9.80 [#8647](https://togithub.com/spring-projects/spring-security/issues/8647) - Update to Spring Boot 2.2.7.RELEASE [#8646](https://togithub.com/spring-projects/spring-security/issues/8646) - Update to Kotlin 1.3.72 [#8645](https://togithub.com/spring-projects/spring-security/issues/8645) ### [`v5.3.2.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.2.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.1.RELEASE...5.3.2.RELEASE) #### :star: New Features - SAML Authentication Provider assertions [#8491](https://togithub.com/spring-projects/spring-security/issues/8491) - BCryptPasswordEncoder.encode() throws NPE [#8345](https://togithub.com/spring-projects/spring-security/issues/8345) #### :beetle: Bug Fixes - Fix Javadoc punctuation [#8490](https://togithub.com/spring-projects/spring-security/issues/8490) - Fixed typos in documentation [#8460](https://togithub.com/spring-projects/spring-security/issues/8460) - JdbcOAuth2AuthorizedClientService should support update when saving [#8448](https://togithub.com/spring-projects/spring-security/issues/8448) - Add ROLE_INFRASTRUCTURE to infrastructure beans [#8437](https://togithub.com/spring-projects/spring-security/issues/8437) - Fix Documentation to Refer to BasicAuthenticationFilter [#8423](https://togithub.com/spring-projects/spring-security/issues/8423) - Fix typo with correct capitalization [#8408](https://togithub.com/spring-projects/spring-security/issues/8408) - Global ServerSecurityContextRepository ignored by logout [#8385](https://togithub.com/spring-projects/spring-security/issues/8385) - Fix example in javadoc of FilterChainProxy [#8351](https://togithub.com/spring-projects/spring-security/issues/8351) - Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors [#8311](https://togithub.com/spring-projects/spring-security/issues/8311) #### :hammer: Dependency Upgrades - Update to aspectj-plugin:4.1.6 [#8306](https://togithub.com/spring-projects/spring-security/issues/8306) ### [`v5.3.1.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.1.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.3.0.RELEASE...5.3.1.RELEASE) #### :star: New Features - SpringTestContext returns ConfigurableWebApplicationContext [#8237](https://togithub.com/spring-projects/spring-security/issues/8237) - OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider [#8234](https://togithub.com/spring-projects/spring-security/issues/8234) - SwitchUserFilter vulnerable to CSRF [#8222](https://togithub.com/spring-projects/spring-security/issues/8222) - Clarify use case for `ServerBearerExchangeFilterFunction` [#8221](https://togithub.com/spring-projects/spring-security/issues/8221) - Update Encryptors documentation for standard and stronger [#8211](https://togithub.com/spring-projects/spring-security/issues/8211) - Document JwtGrantedAuthoritiesConverter [#8183](https://togithub.com/spring-projects/spring-security/issues/8183) - userNameAttribute case style is different others [#8179](https://togithub.com/spring-projects/spring-security/issues/8179) - Document AuthNRequest POST binding support [#8165](https://togithub.com/spring-projects/spring-security/issues/8165) - Polish SAML 2.0 Login Sample [#8164](https://togithub.com/spring-projects/spring-security/issues/8164) - OpenSamlImplementation should not use reflection [#8161](https://togithub.com/spring-projects/spring-security/issues/8161) - Document AuthorizedClientServiceOAuth2AuthorizedClientManager [#8153](https://togithub.com/spring-projects/spring-security/issues/8153) - Assign sensible default for OAuth2AuthorizedClientProvider [#8151](https://togithub.com/spring-projects/spring-security/issues/8151) - Document OAuth2Authorization success and failure handlers [#8146](https://togithub.com/spring-projects/spring-security/issues/8146) - Document Jackson serialization support for OAuth 2.0 Client [#8145](https://togithub.com/spring-projects/spring-security/issues/8145) - Document OAuth 2.0 Authorization Request improvements [#8133](https://togithub.com/spring-projects/spring-security/issues/8133) - Document OAuth 2.0 Login XML Support [#8132](https://togithub.com/spring-projects/spring-security/issues/8132) - Document OAuth 2.0 Client XML Support [#8131](https://togithub.com/spring-projects/spring-security/issues/8131) - Basic auth header without user results in exception [#8122](https://togithub.com/spring-projects/spring-security/issues/8122) - Document AuthenticationEventPublisher improvements [#8103](https://togithub.com/spring-projects/spring-security/issues/8103) - Typo 'properites' -> 'properties' in documentation [#8098](https://togithub.com/spring-projects/spring-security/issues/8098) - Document OAuth 2.0 Resource Server XML Support [#8094](https://togithub.com/spring-projects/spring-security/issues/8094) - Provide spring-security-5\*.xsd for https://www.springframework.org/schema/security/ [#8091](https://togithub.com/spring-projects/spring-security/issues/8091) - Document OIDC Logout Success Handler Improvements [#8088](https://togithub.com/spring-projects/spring-security/issues/8088) - Add OAuth 2.0 Test Support Docs [#8087](https://togithub.com/spring-projects/spring-security/issues/8087) - Update test to have comment about secure salt length [#8084](https://togithub.com/spring-projects/spring-security/pull/8084) - Document JwtClaimValidator [#8076](https://togithub.com/spring-projects/spring-security/issues/8076) #### :beetle: Bug Fixes - HttpServletRequest.logout() not functioning [#8238](https://togithub.com/spring-projects/spring-security/issues/8238) - OAuth2 ClientRegistrations NPE when UserInfo endpoint missing [#8209](https://togithub.com/spring-projects/spring-security/issues/8209) - oauth2Login WebFlux should not auto-redirect for XHR request [#8201](https://togithub.com/spring-projects/spring-security/issues/8201) - Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer [#8178](https://togithub.com/spring-projects/spring-security/issues/8178) - RSocket test should throw AccessDeniedException [#8160](https://togithub.com/spring-projects/spring-security/issues/8160) - Make OAuth2ErrorHttpMessageConverter more resilient [#8158](https://togithub.com/spring-projects/spring-security/issues/8158) - Fix typo in Javadoc of HttpSecurity#csrf() [#8134](https://togithub.com/spring-projects/spring-security/issues/8134) - NPE thrown when token response contains a null value [#8121](https://togithub.com/spring-projects/spring-security/issues/8121) - Google's top result for "Spring Security Reference" returns a 404 [#8086](https://togithub.com/spring-projects/spring-security/issues/8086) - 5.3.0 Documentation What's New has some broken links [#8069](https://togithub.com/spring-projects/spring-security/issues/8069) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@YYTVicky](https://togithub.com/YYTVicky) ### [`v5.3.0.RELEASE`](https://togithub.com/spring-projects/spring-security/releases/tag/5.3.0.RELEASE) [Compare Source](https://togithub.com/spring-projects/spring-security/compare/5.2.15.RELEASE...5.3.0.RELEASE) #### :star: New Features - Update What's New Section [#8062](https://togithub.com/spring-projects/spring-security/issues/8062) - Document JdbcOAuth2AuthorizedClientService [#8061](https://togithub.com/spring-projects/spring-security/issues/8061) - Add oauth2login xml sample [#8060](https://togithub.com/spring-projects/spring-security/issues/8060) - Update doc diagram palette to use sans-serif font [#8057](https://togithub.com/spring-projects/spring-security/issues/8057) - Add SecurityFilterChain Figure [#8055](https://togithub.com/spring-projects/spring-security/issues/8055) - oauth2Client Test Support should allow configuration of principal name [#8054](https://togithub.com/spring-projects/spring-security/issues/8054) - Add Kotlin Configuration section to docs [#8051](https://togithub.com/spring-projects/spring-security/pull/8051) - Add anchors to SAML 2.0 documentation [#8049](https://togithub.com/spring-projects/spring-security/issues/8049) - Update UserDetailsService Docs [#8048](https://togithub.com/spring-projects/spring-security/issues/8048) - Add Figures to Basic Authentication Docs [#8039](https://togithub.com/spring-projects/spring-security/issues/8039) - Add Link to DispatcherServlet in Filter Review Doc [#8036](https://togithub.com/spring-projects/spring-security/issues/8036) - Add Figures to Form Log In Docs [#8035](https://togithub.com/spring-projects/spring-security/issues/8035) - Add Figure for AuthenticationEntryPoint Docs [#8030](https://togithub.com/spring-projects/spring-security/issues/8030) - Add ProviderManager to Docs [#8029](https://togithub.com/spring-projects/spring-security/issues/8029) - Custom ServerHttpHeadersWriter to HeaderSpec [#8028](https://togithub.com/spring-projects/spring-security/pull/8028) - Add hasRole(String) to authorizeRequests in Kotlin DSL [#8023](https://togithub.com/spring-projects/spring-security/issues/8023) - Add missing [@FunctionalInterface](https://togithub.com/FunctionalInterface) in oauth2 modules [#8020](https://togithub.com/spring-projects/spring-security/issues/8020) - Provide configurable Clock in OidcIdTokenValidator [#8019](https://togithub.com/spring-projects/spring-security/issues/8019) - Add OAuth2AuthorizeRequest.Builder.principal(String) [#8018](https://togithub.com/spring-projects/spring-security/issues/8018) - Extract AuthenticationManager Docs [#8006](https://togithub.com/spring-projects/spring-security/issues/8006) - Extract SecurityContextHolder, SecurityContext, Authentication, and GrantedAuthority Docs [#8005](https://togithub.com/spring-projects/spring-security/issues/8005) - Add AbstractAuthenticationProcessingFilter Docs [#8004](https://togithub.com/spring-projects/spring-security/issues/8004) - Extract AuthenticationEntryPoint Docs [#8003](https://togithub.com/spring-projects/spring-security/issues/8003) - Extract ExceptionTranslationFilter Docs [#8002](https://togithub.com/spring-projects/spring-security/issues/8002) - Extract FilterSecurityInterceptor Docs [#8001](https://togithub.com/spring-projects/spring-security/issues/8001) - Use Color Palette that is Accessible for Color Blind [#8000](https://togithub.com/spring-projects/spring-security/issues/8000) - Create a palette.odg [#7999](https://togithub.com/spring-projects/spring-security/issues/7999) - Add Numbers Icons [#7998](https://togithub.com/spring-projects/spring-security/issues/7998) - Instantiate exceptions lazily [#7996](https://togithub.com/spring-projects/spring-security/pull/7996) - JwtIssuerReactiveAuthenticationManagerResolver eagerly creates Exceptions [#7995](https://togithub.com/spring-projects/spring-security/issues/7995) - OAuth2AuthorizationRequest.Builder should configure additional parameters with a consumer [#7993](https://togithub.com/spring-projects/spring-security/issues/7993) - Add OAuth2Authorization success/failure handlers [#7986](https://togithub.com/spring-projects/spring-security/pull/7986) - Refactor Duplicate Security Filter Chain Doc [#7979](https://togithub.com/spring-projects/spring-security/issues/7979) - Fix Asciidoctor Warnings [#7973](https://togithub.com/spring-projects/spring-security/issues/7973) - Use Kotlin DSL Marker Annotations to prevent scope leaking [#7971](https://togithub.com/spring-projects/spring-security/issues/7971) - Add JwtClaimValidator [#7962](https://togithub.com/spring-projects/spring-security/pull/7962) - Support custom filter in Kotlin DSL [#7951](https://togithub.com/spring-projects/spring-security/issues/7951) - Option for default event in DefaultAuthenticationEventPublisher [#7937](https://togithub.com/spring-projects/spring-security/pull/7937) - DefaultAuthenticationEventPublisher is now configurable via a Map [#7925](https://togithub.com/spring-projects/spring-security/pull/7925) - Add oauth2Client WebTestClient Test Support [#7910](https://togithub.com/spring-projects/spring-security/issues/7910) - Nimbus OpaqueTokenIntrospectors should differentiate token and service errors [#7902](https://togithub.com/spring-projects/spring-security/issues/7902) - OAuth 2.0 Client supports application clustering [#7889](https://togithub.com/spring-projects/spring-security/issues/7889) - Add JwtIssuerReactiveAuthenticationManagerResolver [#7887](https://togithub.com/spring-projects/spring-security/pull/7887) - Consider adding JwtClaimValidator [#7860](https://togithub.com/spring-projects/spring-security/issues/7860) - Add ReactiveJwtIssuerAuthenticationManagerResolver and Reactive Multi Tentant Examples [#7857](https://togithub.com/spring-projects/spring-security/issues/7857) - Add JDBC implementation of OAuth2AuthorizedClientService [#7855](https://togithub.com/spring-projects/spring-security/pull/7855) - Set default redirect in OidcClientInitiatedServerLogoutSuccessHandler [#7842](https://togithub.com/spring-projects/spring-security/issues/7842) - Introduce OAuth2Authorization success/failure handlers [#7840](https://togithub.com/spring-projects/spring-security/issues/7840) - Add Opaque Token Reactive Test Support [#7827](https://togithub.com/spring-projects/spring-security/issues/7827) - DefaultAuthenticationEventPublisher should allow configuring a default event [#7825](https://togithub.com/spring-projects/spring-security/issues/7825) - DefaultAuthenticationEventPublisher should be configurable via Map [#7824](https://togithub.com/spring-projects/spring-security/issues/7824) - Oauth2login xmlconfig implementation [#7821](https://togithub.com/spring-projects/spring-security/pull/7821) - OAuth 2.0 Resource Server XML Support [#7775](https://togithub.com/spring-projects/spring-security/pull/7775) - SAML AuthNRequest Signatures - Step 2 [#7759](https://togithub.com/spring-projects/spring-security/pull/7759) - SAML AuthNReque