amaybaum-dev / remediate-test

Update dependency org.springframework.security:spring-security-web to v5 #9

Open dev-mend-for-github-com[bot] opened 9 months ago

dev-mend-for-github-com[bot] commented 9 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.security:spring-security-web (source) | compile | major | 4.0.1.RELEASE -> 5.2.14.RELEASE |

By merging this PR, the issue #19 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
|---|---|---|---|
| High | 8.8 | CVE-2021-22112 | |
| High | 7.5 | CVE-2016-5007 | |
| High | 7.5 | CVE-2016-9879 | |
| High | 7.3 | CVE-2019-11272 | |
| Medium | 6.6 | WS-2017-3767 | |
| Medium | 5.9 | WS-2016-7107 | |
| Medium | 5.9 | WS-2020-0293 | |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web) ### [`v5.2.14.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.14.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.13.RELEASE...5.2.14.RELEASE) #### :beetle: Bug Fixes - StaticServerHttpHeadersWriter should work with case-insensitive header names [#​10585](https://redirect.github.com/spring-projects/spring-security/issues/10585) - MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session [#​10534](https://redirect.github.com/spring-projects/spring-security/issues/10534) - Multi-tenancy Documentation - `com.nimbusds.jwt.proc.JWTProcessor` does not have a ` setJWTClaimSetJWSKeySelector ` method [#​10523](https://redirect.github.com/spring-projects/spring-security/issues/10523) - Multi-tenancy Documentation - JwtDecoder sample has multiple errors [#​10519](https://redirect.github.com/spring-projects/spring-security/issues/10519) #### :hammer: Dependency Upgrades - Update to GAE 1.9.93 [#​10628](https://redirect.github.com/spring-projects/spring-security/issues/10628) - Upgrade httpmime to 4.5.13 [#​10627](https://redirect.github.com/spring-projects/spring-security/issues/10627) - Upgrade httpcore to 4.4.15 [#​10626](https://redirect.github.com/spring-projects/spring-security/issues/10626) - Upgrade attoparser to 2.0.5.RELEASE [#​10625](https://redirect.github.com/spring-projects/spring-security/issues/10625) - Update to hibernate-entitymanager 5.4.33 [#​10624](https://redirect.github.com/spring-projects/spring-security/issues/10624) - Upgrade jboss logging to 3.3.3.Final [#​10623](https://redirect.github.com/spring-projects/spring-security/issues/10623) - Upgrade jboss jandex to 2.0.5.Final [#​10622](https://redirect.github.com/spring-projects/spring-security/issues/10622) - Upgrade Unbescape to 1.1.6.RELEASE 
[#​10621](https://redirect.github.com/spring-projects/spring-security/issues/10621) - Update to thymeleaf-spring5 3.0.14 [#​10620](https://redirect.github.com/spring-projects/spring-security/issues/10620) - Update to embedded Tomcat websocket 8.5.73 [#​10619](https://redirect.github.com/spring-projects/spring-security/issues/10619) - Upgrade to embedded Apache Tomcat 9.0.56 [#​10618](https://redirect.github.com/spring-projects/spring-security/issues/10618) - Upgrade Reactor to Dysprosium-SR25 [#​10617](https://redirect.github.com/spring-projects/spring-security/issues/10617) - Upgrade Spring Framework to 5.2.19.RELEASE [#​10616](https://redirect.github.com/spring-projects/spring-security/issues/10616) ### [`v5.2.13.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.13.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.12.RELEASE...5.2.13.RELEASE) #### :beetle: Bug Fixes - Fix typo [#​10316](https://redirect.github.com/spring-projects/spring-security/issues/10316) - MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented [#​10180](https://redirect.github.com/spring-projects/spring-security/issues/10180) #### :hammer: Dependency Upgrades - Update to embedded Tomcat websocket 8.5.72 [#​10379](https://redirect.github.com/spring-projects/spring-security/issues/10379) - Update to Jetty 9.4.44.v20210927 [#​10378](https://redirect.github.com/spring-projects/spring-security/issues/10378) - Update to nohttp 0.0.10 [#​10377](https://redirect.github.com/spring-projects/spring-security/issues/10377) - Upgrade to embedded Apache Tomcat 9.0.54 [#​10376](https://redirect.github.com/spring-projects/spring-security/issues/10376) - Upgrade Spring Framework to 5.2.18.RELEASE [#​10375](https://redirect.github.com/spring-projects/spring-security/issues/10375) - Upgrade Reactor to Dysprosium-SR24 
[#​10374](https://redirect.github.com/spring-projects/spring-security/issues/10374) ### [`v5.2.12.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.12.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.11.RELEASE...5.2.12.RELEASE) #### :beetle: Bug Fixes - Regression with URL encode client credentials [#​10128](https://redirect.github.com/spring-projects/spring-security/issues/10128) - Update to use s01.oss.sonatype.org Maven Publishing [#​10030](https://redirect.github.com/spring-projects/spring-security/issues/10030) - Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher [#​10012](https://redirect.github.com/spring-projects/spring-security/issues/10012) #### :hammer: Dependency Upgrades - Update to embedded Tomcat websocket 8.5.69 [#​10170](https://redirect.github.com/spring-projects/spring-security/issues/10170) - Update to org.aspectj 1.9.7 [#​10169](https://redirect.github.com/spring-projects/spring-security/issues/10169) - Update to org.slf4j 1.7.32 [#​10168](https://redirect.github.com/spring-projects/spring-security/issues/10168) - Update to Jetty 9.4.43.v20210629 [#​10167](https://redirect.github.com/spring-projects/spring-security/issues/10167) - Update to embedded Apache Tomcat 9.0.52 [#​10166](https://redirect.github.com/spring-projects/spring-security/issues/10166) - Update to jaxb-impl 2.3.5 [#​10165](https://redirect.github.com/spring-projects/spring-security/issues/10165) - Update to Spring Framework 5.2.16.RELEASE [#​10164](https://redirect.github.com/spring-projects/spring-security/issues/10164) - Update to Reactor Dysprosium-SR22 [#​10163](https://redirect.github.com/spring-projects/spring-security/issues/10163) - Update to spring-build-conventions:0.0.23.2.RELEASE [#​10029](https://redirect.github.com/spring-projects/spring-security/issues/10029) ### 
[`v5.2.11.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.11.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.10.RELEASE...5.2.11.RELEASE) #### :star: New Features - Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository [#​9921](https://redirect.github.com/spring-projects/spring-security/issues/9921) #### :beetle: Bug Fixes - Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout [#​9948](https://redirect.github.com/spring-projects/spring-security/issues/9948) - Adding filters relative to custom ones is broken [#​9910](https://redirect.github.com/spring-projects/spring-security/issues/9910) - SEC-3139: Anonymous authentication token not passed to Controller [#​9893](https://redirect.github.com/spring-projects/spring-security/issues/9893) - Clarify quick start section in README [#​9888](https://redirect.github.com/spring-projects/spring-security/issues/9888) - RSocket and WebClient with Security refCount: 0 [#​9873](https://redirect.github.com/spring-projects/spring-security/issues/9873) - URL encode client credentials [#​9866](https://redirect.github.com/spring-projects/spring-security/pull/9866) - Client credentials not correctly encoded in Basic Auth [#​9863](https://redirect.github.com/spring-projects/spring-security/issues/9863) - Docs should state default value for Resource Server validation clock skew is 60 seconds [#​9851](https://redirect.github.com/spring-projects/spring-security/issues/9851) - DefaultSpringSecurityContextSource can't handle spaces in baseDn [#​9809](https://redirect.github.com/spring-projects/spring-security/issues/9809) - OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response [#​9804](https://redirect.github.com/spring-projects/spring-security/issues/9804) - docs.af.pivotal.io->docs-ip.spring.io 
[#​9688](https://redirect.github.com/spring-projects/spring-security/issues/9688) - WebFlux httpBasic() should match on XHR requests [#​9665](https://redirect.github.com/spring-projects/spring-security/issues/9665) - HttpSecurity.addFilter\* with same Filter in Different Position Places in Incorrect Location [#​9645](https://redirect.github.com/spring-projects/spring-security/issues/9645) - oauth2Login() generates authorization links for "client_credentials" grant type [#​9639](https://redirect.github.com/spring-projects/spring-security/issues/9639) #### :hammer: Dependency Upgrades - Update to Spring LDAP Core 2.3.4.RELEASE [#​9968](https://redirect.github.com/spring-projects/spring-security/issues/9968) - Update to org.slf4j 1.7.31 [#​9967](https://redirect.github.com/spring-projects/spring-security/issues/9967) - Update to HSQLDB 2.5.2 [#​9966](https://redirect.github.com/spring-projects/spring-security/issues/9966) - Update to hibernate-entitymanager 5.4.32.Final [#​9965](https://redirect.github.com/spring-projects/spring-security/issues/9965) - Update to Jetty 9.4.42.v20210604 [#​9964](https://redirect.github.com/spring-projects/spring-security/issues/9964) - Update to embedded Apache Tomcat 9.0.48 [#​9963](https://redirect.github.com/spring-projects/spring-security/issues/9963) - Update to embedded Tomcat websocket 8.5.68 [#​9962](https://redirect.github.com/spring-projects/spring-security/issues/9962) - Update ehcache to 2.10.9.2 [#​9961](https://redirect.github.com/spring-projects/spring-security/issues/9961) - Update to jaxb-impl 2.3.4 [#​9960](https://redirect.github.com/spring-projects/spring-security/issues/9960) - Update to RSocket 1.0.5 [#​9959](https://redirect.github.com/spring-projects/spring-security/issues/9959) - Update to Spring Framework 5.2.15.RELEASE [#​9958](https://redirect.github.com/spring-projects/spring-security/issues/9958) - Update to Reactor Dysprosium-SR20 
[#​9957](https://redirect.github.com/spring-projects/spring-security/issues/9957) - Upgrade to nohttp 0.0.8 [#​9956](https://redirect.github.com/spring-projects/spring-security/issues/9956) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! - [@​sjohnr](https://redirect.github.com/sjohnr) ### [`v5.2.10.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.10.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.9.RELEASE...5.2.10.RELEASE) #### :beetle: Bug Fixes - Add null check in CsrfFilter and CsrfWebFilter [#​9594](https://redirect.github.com/spring-projects/spring-security/issues/9594) #### :hammer: Dependency Upgrades - Update to nohttp 0.0.6.RELEASE [#​9609](https://redirect.github.com/spring-projects/spring-security/issues/9609) - Update to GAE 1.9.88 [#​9608](https://redirect.github.com/spring-projects/spring-security/issues/9608) - Update to OpenSAML 3.4.6 [#​9607](https://redirect.github.com/spring-projects/spring-security/issues/9607) - Update to hibernate-entitymanager 5.4.30.Final [#​9606](https://redirect.github.com/spring-projects/spring-security/issues/9606) - Update to Groovy 2.4.21 [#​9605](https://redirect.github.com/spring-projects/spring-security/issues/9605) - Update to embedded Apache Tomcat 9.0.45 [#​9604](https://redirect.github.com/spring-projects/spring-security/issues/9604) - Update blockhound to 1.0.6.RELEASE [#​9603](https://redirect.github.com/spring-projects/spring-security/issues/9603) - Update to RSocket 1.0.4 [#​9602](https://redirect.github.com/spring-projects/spring-security/issues/9602) - Update to Spring Data Moore-SR13 [#​9601](https://redirect.github.com/spring-projects/spring-security/issues/9601) - Update to Spring Framework 5.2.13.RELEASE [#​9600](https://redirect.github.com/spring-projects/spring-security/issues/9600) - Update to Reactor Dysprosium-SR18 
[#​9599](https://redirect.github.com/spring-projects/spring-security/issues/9599) ### [`v5.2.9.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.9.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.8.RELEASE...5.2.9.RELEASE) #### :star: New Features - Improve HttpSessionSecurityContextSessionRepository Performance [#​9390](https://redirect.github.com/spring-projects/spring-security/issues/9390) - Migrate SAML 2.0 Samples to Use PCFOne [#​9371](https://redirect.github.com/spring-projects/spring-security/issues/9371) - Use constant time comparisons for CSRF tokens [#​9359](https://redirect.github.com/spring-projects/spring-security/issues/9359) #### :beetle: Bug Fixes - OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail [#​9428](https://redirect.github.com/spring-projects/spring-security/issues/9428) - Fix beanResolver missing in CurrentSecurityContextArgumentResolver. [#​9406](https://redirect.github.com/spring-projects/spring-security/issues/9406) - Remove notEmpty check for authorities in DefaultOAuth2User [#​9398](https://redirect.github.com/spring-projects/spring-security/issues/9398) - CsrfWebFilter creates CsrfException with incorrect message when no token is found [#​9340](https://redirect.github.com/spring-projects/spring-security/issues/9340) - webflux-x509 sample cert needs renewal [#​9321](https://redirect.github.com/spring-projects/spring-security/issues/9321) - OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray [#​9260](https://redirect.github.com/spring-projects/spring-security/issues/9260) #### :hammer: Dependency Upgrades - Update to GAE 1.9.86 [#​9442](https://redirect.github.com/spring-projects/spring-security/issues/9442) - Update to Tomcat 9.0.43 [#​9441](https://redirect.github.com/spring-projects/spring-security/issues/9441) - Update to Jetty 9.4.36.v20210114 
[#​9440](https://redirect.github.com/spring-projects/spring-security/issues/9440) - Update to hibernate-validator 6.1.7.Final [#​9439](https://redirect.github.com/spring-projects/spring-security/issues/9439) - Update to hibernate-entitymanager 5.4.28.Final [#​9438](https://redirect.github.com/spring-projects/spring-security/issues/9438) - Update to thymeleaf-spring5 3.0.12 [#​9437](https://redirect.github.com/spring-projects/spring-security/issues/9437) - Update to Spring Data Moore-SR12 [#​9436](https://redirect.github.com/spring-projects/spring-security/issues/9436) - Update to Reactor Dysprosium-SR16 [#​9435](https://redirect.github.com/spring-projects/spring-security/issues/9435) - Update to Spring Framework 5.2.12.RELEASE [#​9434](https://redirect.github.com/spring-projects/spring-security/issues/9434) - Update to Spring Boot 2.2.13.RELEASE [#​9433](https://redirect.github.com/spring-projects/spring-security/issues/9433) ### [`v5.2.8.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.8.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.7.RELEASE...5.2.8.RELEASE) #### :beetle: Bug Fixes - Remove empty Appendix Section from docs [#​9172](https://redirect.github.com/spring-projects/spring-security/issues/9172) - Tests should not combine Authentication and [@​AuthenticationPrincipal](https://redirect.github.com/AuthenticationPrincipal) [#​9126](https://redirect.github.com/spring-projects/spring-security/issues/9126) #### :hammer: Dependency Upgrades - Update to Spring LDAP Core 2.3.3 [#​9245](https://redirect.github.com/spring-projects/spring-security/issues/9245) - Update to Powermock 2.0.9 [#​9244](https://redirect.github.com/spring-projects/spring-security/issues/9244) - Update to HSQLDB 2.5.1 [#​9243](https://redirect.github.com/spring-projects/spring-security/issues/9243) - Update to Hibernate EntityManager 5.4.25 
[#​9242](https://redirect.github.com/spring-projects/spring-security/issues/9242) - Update to Jetty 9.4.35 [#​9241](https://redirect.github.com/spring-projects/spring-security/issues/9241) - Update to HttpComponents HttpClient 4.5.13 [#​9240](https://redirect.github.com/spring-projects/spring-security/issues/9240) - Update to RSocket 1.0.3 [#​9239](https://redirect.github.com/spring-projects/spring-security/issues/9239) - Update to Reactor Dysprosium-SR14 [#​9238](https://redirect.github.com/spring-projects/spring-security/issues/9238) - Update to Google App Engine 1.9.83 [#​9237](https://redirect.github.com/spring-projects/spring-security/issues/9237) - Update to Jackson Databind 2.10.5.1 [#​9236](https://redirect.github.com/spring-projects/spring-security/issues/9236) - Update to Spring Data Moore-SR11 [#​9235](https://redirect.github.com/spring-projects/spring-security/issues/9235) - Update to Spring 5.2.11 [#​9234](https://redirect.github.com/spring-projects/spring-security/issues/9234) - Update to Spring Boot 2.2.11 [#​9233](https://redirect.github.com/spring-projects/spring-security/issues/9233) ### [`v5.2.7.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.7.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.6.RELEASE...5.2.7.RELEASE) #### :beetle: Bug Fixes - SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. 
[#​9058](https://redirect.github.com/spring-projects/spring-security/issues/9058) - CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic [#​9025](https://redirect.github.com/spring-projects/spring-security/issues/9025) #### :hammer: Dependency Upgrades - Update to Spring Data Moore-SR10 [#​9088](https://redirect.github.com/spring-projects/spring-security/issues/9088) - Update to Hibernate Entity manager 5.4.22 [#​9087](https://redirect.github.com/spring-projects/spring-security/issues/9087) - Update to Hibernate Validator 6.1.6 [#​9086](https://redirect.github.com/spring-projects/spring-security/issues/9086) - Upgrade to embedded Apache Tomcat 9.0.38 [#​9085](https://redirect.github.com/spring-projects/spring-security/issues/9085) - Update to RSocket 1.0.2 [#​9084](https://redirect.github.com/spring-projects/spring-security/issues/9084) - Update to Spring Framework 5.2.9 [#​9083](https://redirect.github.com/spring-projects/spring-security/issues/9083) - Update to Reactor Dysprosium-SR12 [#​9082](https://redirect.github.com/spring-projects/spring-security/issues/9082) - Update to Spring Boot 2.2.10 [#​9081](https://redirect.github.com/spring-projects/spring-security/issues/9081) - Update to GAE 1.9.82 [#​9080](https://redirect.github.com/spring-projects/spring-security/issues/9080) - Update to org.aspectj 1.9.6 [#​9079](https://redirect.github.com/spring-projects/spring-security/issues/9079) ### [`v5.2.6.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.6.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.5.RELEASE...5.2.6.RELEASE) #### :star: New Features - Add logging [#​8889](https://redirect.github.com/spring-projects/spring-security/issues/8889) - Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) [#​8856](https://redirect.github.com/spring-projects/spring-security/issues/8856) - Use Github Actions PR pipeline and 
remove Travis for 5.2.x [#​8723](https://redirect.github.com/spring-projects/spring-security/pull/8723) #### :beetle: Bug Fixes - ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error [#​8897](https://redirect.github.com/spring-projects/spring-security/issues/8897) - Resolved bearer token has no padding indicators [#​8838](https://redirect.github.com/spring-projects/spring-security/issues/8838) - Fix ProviderManager Javadoc typo [#​8812](https://redirect.github.com/spring-projects/spring-security/issues/8812) - LoginPageGeneratingWebFilter should honor context path [#​8809](https://redirect.github.com/spring-projects/spring-security/issues/8809) - RoleHierarchy is not used by AbstractAuthorizeTag [#​8679](https://redirect.github.com/spring-projects/spring-security/issues/8679) - OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException [#​8673](https://redirect.github.com/spring-projects/spring-security/issues/8673) - ReactorContext not available in PayloadSocketAcceptor delegate.accept [#​8656](https://redirect.github.com/spring-projects/spring-security/issues/8656) #### :hammer: Dependency Upgrades - Update to nohttp 0.0.5.RELEASE [#​8927](https://redirect.github.com/spring-projects/spring-security/issues/8927) - Update to Spring Boot 2.2.9.RELEASE [#​8921](https://redirect.github.com/spring-projects/spring-security/issues/8921) - Update to Reactor Dysprosium-SR10 [#​8920](https://redirect.github.com/spring-projects/spring-security/issues/8920) - Update to Spring Framework 5.2.8.RELEASE [#​8919](https://redirect.github.com/spring-projects/spring-security/issues/8919) - Update to Spring Data Moore-SR9 [#​8918](https://redirect.github.com/spring-projects/spring-security/issues/8918) - Update to PowerMock Mockito2 2.0.7 [#​8917](https://redirect.github.com/spring-projects/spring-security/issues/8917) - Update blockhound to 1.0.4.RELEASE 
[#​8916](https://redirect.github.com/spring-projects/spring-security/issues/8916) - Update to groovy 2.4.20 [#​8915](https://redirect.github.com/spring-projects/spring-security/issues/8915) - Update to embedded Tomcat websocket 8.5.57 [#​8914](https://redirect.github.com/spring-projects/spring-security/issues/8914) - Upgrade to embedded Apache Tomcat 9.0.37 [#​8913](https://redirect.github.com/spring-projects/spring-security/issues/8913) - Update to jaxb-impl 2.3.3 [#​8912](https://redirect.github.com/spring-projects/spring-security/issues/8912) - Update to GAE 1.9.81 [#​8911](https://redirect.github.com/spring-projects/spring-security/issues/8911) - Update to Jackson 2.10.5 [#​8910](https://redirect.github.com/spring-projects/spring-security/issues/8910) - Update to spring-build-conventions:0.0.33.RELEASE [#​8761](https://redirect.github.com/spring-projects/spring-security/issues/8761) - Update to RSocket 1.0.1 [#​8664](https://redirect.github.com/spring-projects/spring-security/issues/8664) #### :heart: Contributors We'd like to thank all the contributors who worked on this release! 
- [@​elliedori](https://redirect.github.com/elliedori) ### [`v5.2.5.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.5.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.4.RELEASE...5.2.5.RELEASE) #### :beetle: Bug Fixes - Delay AuthenticationPrincipalArgumentResolver Lookup [#​8615](https://redirect.github.com/spring-projects/spring-security/issues/8615) - Mock request with non-standard HTTP method in test [#​8595](https://redirect.github.com/spring-projects/spring-security/issues/8595) - Remove unused field 'digester' in Md4PasswordEncoder [#​8576](https://redirect.github.com/spring-projects/spring-security/issues/8576) - ACL : AclImpl.hashCode leads to StackOverflowError [#​8570](https://redirect.github.com/spring-projects/spring-security/issues/8570) - Object ID Identity conversion to long fails on old schema [#​8559](https://redirect.github.com/spring-projects/spring-security/issues/8559) - Blocking in WebSessionServerCsrfTokenRepository [#​8545](https://redirect.github.com/spring-projects/spring-security/issues/8545) - Fix AntPathRequestMatcher Javadoc [#​8527](https://redirect.github.com/spring-projects/spring-security/issues/8527) - Document NoOpPasswordEncoder will not be removed [#​8522](https://redirect.github.com/spring-projects/spring-security/issues/8522) - Fix non-standard HTTP method for CsrfWebFilter [#​8516](https://redirect.github.com/spring-projects/spring-security/issues/8516) #### :hammer: Dependency Upgrades - Update to Spring Boot 2.2.7 [#​8630](https://redirect.github.com/spring-projects/spring-security/issues/8630) - Update to okhttp 3.14.9 [#​8629](https://redirect.github.com/spring-projects/spring-security/issues/8629) - Update to Jython 2.5.3 [#​8628](https://redirect.github.com/spring-projects/spring-security/issues/8628) - Update to mockwebserver 3.14.9 [#​8627](https://redirect.github.com/spring-projects/spring-security/issues/8627) - Update to 
RSocket 1.0.0 [#​8626](https://redirect.github.com/spring-projects/spring-security/issues/8626) - Update to groovy 2.4.19 [#​8625](https://redirect.github.com/spring-projects/spring-security/issues/8625) ### [`v5.2.4.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.4.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.3.RELEASE...5.2.4.RELEASE) #### :star: New Features - SAML Authentication Provider assertions [#​8495](https://redirect.github.com/spring-projects/spring-security/issues/8495) - BCryptPasswordEncoder.encode() throws NPE [#​8346](https://redirect.github.com/spring-projects/spring-security/issues/8346) #### :beetle: Bug Fixes - Fix Javadoc punctuation [#​8494](https://redirect.github.com/spring-projects/spring-security/issues/8494) - Add ROLE_INFRASTRUCTURE to infrastructure beans [#​8438](https://redirect.github.com/spring-projects/spring-security/issues/8438) - SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException [#​8430](https://redirect.github.com/spring-projects/spring-security/issues/8430) - OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" [#​8426](https://redirect.github.com/spring-projects/spring-security/issues/8426) - Fix typo with correct capitalization [#​8409](https://redirect.github.com/spring-projects/spring-security/issues/8409) - Global ServerSecurityContextRepository ignored by logout [#​8386](https://redirect.github.com/spring-projects/spring-security/issues/8386) - Fix example in javadoc of FilterChainProxy [#​8352](https://redirect.github.com/spring-projects/spring-security/issues/8352) - Fix typo in Javadoc of ServerHttpSecurity#hasAuthority [#​8338](https://redirect.github.com/spring-projects/spring-security/issues/8338) - Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors 
[#​8312](https://redirect.github.com/spring-projects/spring-security/issues/8312) #### :hammer: Dependency Upgrades - Update to Byte Buddy 1.9.16 [#​8481](https://redirect.github.com/spring-projects/spring-security/issues/8481) - Upgrade to embedded Apache Tomcat 9.0.34 [#​8469](https://redirect.github.com/spring-projects/spring-security/issues/8469) - Update RSocket to 1.0.0-RC7 [#​8468](https://redirect.github.com/spring-projects/spring-security/issues/8468) - Update to GAE 1.9.80 [#​8467](https://redirect.github.com/spring-projects/spring-security/issues/8467) - Update to Jackson 2.10.4 [#​8466](https://redirect.github.com/spring-projects/spring-security/issues/8466) - Update to org.powermock 2.0.7 [#​8465](https://redirect.github.com/spring-projects/spring-security/issues/8465) - Update to Reactor Dysprosium-SR7 [#​8464](https://redirect.github.com/spring-projects/spring-security/issues/8464) - Update to Spring Framework 5.2.6.RELEASE [#​8463](https://redirect.github.com/spring-projects/spring-security/issues/8463) - Update to Spring Data Moore-SR7 [#​8462](https://redirect.github.com/spring-projects/spring-security/issues/8462) ### [`v5.2.3.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.3.RELEASE) [Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.2.RELEASE...5.2.3.RELEASE) #### :rewind: Non-passive - SwitchUserFilter vulnerable to CSRF [#​8223](https://redirect.github.com/spring-projects/spring-security/issues/8223) #### :star: New Features - SpringTestContext returns ConfigurableWebApplicationContext [#​8240](https://redirect.github.com/spring-projects/spring-security/issues/8240) - OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider [#​8235](https://redirect.github.com/spring-projects/spring-security/issues/8235) - Update Encryptors documentation for standard and stronger 
[#​8212](https://redirect.github.com/spring-projects/spring-security/issues/8212) - Getting OAuth2AuthenticationException when Bearer token is empty [#​8207](https://redirect.github.com/spring-projects/spring-security/issues/8207) - Document AuthorizedClientServiceOAuth2AuthorizedClientManager [#​8159](https://redirect.github.com/spring-projects/spring-security/issues/8159) - Basic auth header without user results in exception [#​8123](https://redirect.github.com/spring-projects/spring-security/issues/8123) - Typo 'properites' -> 'properties' in documentation [#​8099](https://redirect.github.com/spring-projects/spring-security/issues/8099) #### :beetle: Bug Fixes - Update tests to use absolute paths [#​8260](https://redirect.github.com/spring-projects/spring-security/issues/8260) - HttpServletRequest.logout() not functioning [#​8241](https://redirect.github.com/spring-projects/spring-security/issues/8241) - OAuth2 ClientRegistrations NPE when UserInfo endpoint missing [#​8210](https://redirect.github.com/spring-projects/spring-security/issues/8210) - oauth2Login WebFlux should not auto-redirect for XHR request [#​8202](https://redirect.github.com/spring-projects/spring-security/issues/8202) - Make OAuth2ErrorHttpMessageConverter more resilient [#​8180](https://redirect.github.com/spring-projects/spring-security/issues/8180) - RSocket test should throw AccessDeniedException [#​8155](https://redirect.github.com/spring-projects/spring-security/issues/8155) - Fix typo in Javadoc of HttpSecurity#csrf() [#​8137](https://redirect.github.com/spring-projects/spring-security/issues/8137) - Empty RelayState causes errors with ADFS [#​8070](https://redirect.github.com/spring-projects/spring-security/issues/8070) - Fix typo in AntPathRequestMatcher contructor comment [#​8045](https://redirect.github.com/spring-projects/spring-security/issues/8045) - An AuthenticationManager is required. 
Oauth2ResourceServer + anonymous disable [#​8040](https://redirect.github.com/spring-projects/spring-security/issues/8040) - OAuth2 access token response parsing fails with nested JSON object [#​8021](https://redirect.github.com/spring-projects/spring-security/issues/8021) - Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' [#​7969](https://redirect.github.com/spring-projects/spring-security/issues/7969) - OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters [#​7967](https://redirect.github.com/spring-projects/spring-security/issues/7967) - OAuth2AuthorizationCodeGrantFilter should also match on query parameters [#​7964](https://redirect.github.com/spring-projects/spring-security/issues/7964) - Query parameters in authorization-url are double-encoded [#​7960](https://redirect.github.com/spring-projects/spring-security/issues/7960) - Don't force downcasting of RequestAttributes to ServletRequestAttributes [#​7959](https://redirect.github.com/spring-projects/spring-security/issues/7959) - ClassCastException for ServletRequestAttributes [#​7958](https://redirect.github.com/spring-projects/spring-security/issues/7958) #### :hammer: Dependency Upgrades - Update RSocket to 1.0.0-RC6 [#​8280](https://redirect.github.com/spring-projects/spring-security/issues/8280) - Update to reactive-streams 1.0.3 [#​8279](https://redirect.github.com/spring-projects/spring-security/issues/8279) - Update to OpenSAML 3.4.5 [#​8278](https://redirect.github.com/spring-projects/spring-security/issues/8278) - Update to hibernate-entitymanager 5.4.13.Final [#​8277](https://redirect.github.com/spring-projects/spring-security/issues/8277) - Update to hibernate-core 5.2.18.Final [#​8276](https://redirect.github.com/spring-projects/spring-security/issues/8276) - Update blockhound to 1.0.3.RELEASE [#​8275](https://redirect.github.com/spring-projects/spring-security/issues/8275) - Update to unboundid-ldapsdk 4.0.14 
[#8274](https://redirect.github.com/spring-projects/spring-security/issues/8274)
- Update to okhttp 3.14.7 [#8259](https://redirect.github.com/spring-projects/spring-security/issues/8259)
- Update to Jackson 2.10.3 [#8258](https://redirect.github.com/spring-projects/spring-security/issues/8258)
- Update to mockwebserver 3.14.7 [#8257](https://redirect.github.com/spring-projects/spring-security/issues/8257)
- Update to org.powermock 2.0.6 [#8255](https://redirect.github.com/spring-projects/spring-security/issues/8255)
- Upgrade to embedded Apache Tomcat 9.0.33 [#8254](https://redirect.github.com/spring-projects/spring-security/issues/8254)
- Update to httpclient 4.5.12 [#8253](https://redirect.github.com/spring-projects/spring-security/issues/8253)
- Update to Spring Boot 2.2.6.RELEASE [#8252](https://redirect.github.com/spring-projects/spring-security/issues/8252)
- Update to GAE 1.9.79 [#8251](https://redirect.github.com/spring-projects/spring-security/issues/8251)
- Update to Reactor Dysprosium-SR6 [#8250](https://redirect.github.com/spring-projects/spring-security/issues/8250)
- Update to Spring Framework 5.2.5 [#8249](https://redirect.github.com/spring-projects/spring-security/issues/8249)
- Update to Spring Data Moore-SR6 [#8248](https://redirect.github.com/spring-projects/spring-security/issues/8248)
- Update to Jetty 9.4.22.v20191022 [#7507](https://redirect.github.com/spring-projects/spring-security/issues/7507)

### [`v5.2.2.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.2.RELEASE)

[Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.1.RELEASE...5.2.2.RELEASE)

#### :star: New Features

- Don't cache requests with `Accept: text/event-stream` by default.
[#7744](https://redirect.github.com/spring-projects/spring-security/pull/7744)
- Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager [#7717](https://redirect.github.com/spring-projects/spring-security/issues/7717)
- Remove redundant validation for redirect-uri [#7707](https://redirect.github.com/spring-projects/spring-security/issues/7707)
- Polish oauth2-client Error-handling Tests [#7647](https://redirect.github.com/spring-projects/spring-security/issues/7647)
- Remove unnecessary code in SecurityExpressionRoot [#7635](https://redirect.github.com/spring-projects/spring-security/pull/7635)
- Extract HTTPS Documentation [#7626](https://redirect.github.com/spring-projects/spring-security/issues/7626)
- Remove unnecessary code in SecurityExpressionRoot [#7601](https://redirect.github.com/spring-projects/spring-security/issues/7601)
- Make jwks_uri optional for RFC 8414 and required for OpenID Connect [#7573](https://redirect.github.com/spring-projects/spring-security/pull/7573)

#### :beetle: Bug Fixes

- Form login requiresAuthenticationMatcher is not used in WebFlux [#7867](https://redirect.github.com/spring-projects/spring-security/issues/7867)
- Form Login authenticationFailureHandler is not used in ServerHttpSecurity [#7866](https://redirect.github.com/spring-projects/spring-security/issues/7866)
- BasicAuthenticationFilter ignores credentials charset [#7859](https://redirect.github.com/spring-projects/spring-security/issues/7859)
- Default LDIF file not picked up in LDAP "unboundid" mode [#7852](https://redirect.github.com/spring-projects/spring-security/issues/7852)
- Incorrect LDIF file example in LDAP documentation [#7849](https://redirect.github.com/spring-projects/spring-security/issues/7849)
- Use the custom ServerRequestCache that the user configures [#7753](https://redirect.github.com/spring-projects/spring-security/pull/7753)
- RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for
OAuth2LoginSpec.configure [#7751](https://redirect.github.com/spring-projects/spring-security/issues/7751)
- Disabling logout in WebFlux does nothing [#7742](https://redirect.github.com/spring-projects/spring-security/issues/7742)
- Saml2Authentication isn't serializable [#7739](https://redirect.github.com/spring-projects/spring-security/issues/7739)
- Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor [#7738](https://redirect.github.com/spring-projects/spring-security/issues/7738)
- CompositeServerHttpHeadersWriter Should Execute Sequentially [#7732](https://redirect.github.com/spring-projects/spring-security/issues/7732)
- DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially [#7729](https://redirect.github.com/spring-projects/spring-security/issues/7729)
- DelegatingServerLogoutHandler Should Execute Sequentially [#7725](https://redirect.github.com/spring-projects/spring-security/issues/7725)
- WebFlux oauth2Login returns 500 when bad client credentials [#7703](https://redirect.github.com/spring-projects/spring-security/issues/7703)
- Correctly configure authorization requests repository for OAuth2 login [#7690](https://redirect.github.com/spring-projects/spring-security/issues/7690)
- Correctly configure authorization requests repository for OAuth2 login [#7689](https://redirect.github.com/spring-projects/spring-security/issues/7689)
- DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository [#7684](https://redirect.github.com/spring-projects/spring-security/issues/7684)
- Update [@MessageMapping](https://redirect.github.com/MessageMapping) to match input/output cardinality [#7669](https://redirect.github.com/spring-projects/spring-security/pull/7669)
- Add http and https spring.schema mappings [#7623](https://redirect.github.com/spring-projects/spring-security/pull/7623)
- Avoid toString in favor of getName in order to extract sid
[#6354](https://redirect.github.com/spring-projects/spring-security/pull/6354)

#### :hammer: Dependency Upgrades

- Update to Spring Boot 2.2.4 [#7909](https://redirect.github.com/spring-projects/spring-security/issues/7909)
- Update to org.slf4j 1.7.30 [#7908](https://redirect.github.com/spring-projects/spring-security/issues/7908)
- Update to org.powermock 2.0.5 [#7907](https://redirect.github.com/spring-projects/spring-security/issues/7907)
- Update to hibernate-validator 6.1.2.Final [#7906](https://redirect.github.com/spring-projects/spring-security/issues/7906)
- Update to hibernate-entitymanager 5.4.10.Final [#7905](https://redirect.github.com/spring-projects/spring-security/issues/7905)
- Update to org.aspectj 1.9.5 [#7904](https://redirect.github.com/spring-projects/spring-security/issues/7904)
- Update to httpclient 4.5.11 [#7903](https://redirect.github.com/spring-projects/spring-security/issues/7903)
- Update to commons-codec 1.14 [#7899](https://redirect.github.com/spring-projects/spring-security/issues/7899)
- Update to com.squareup.okhttp3 3.14.6 [#7898](https://redirect.github.com/spring-projects/spring-security/issues/7898)
- Update to Jackson 2.10.2 [#7897](https://redirect.github.com/spring-projects/spring-security/issues/7897)
- Update to Reactor Dysprosium SR4 [#7896](https://redirect.github.com/spring-projects/spring-security/issues/7896)
- Update to Spring Data Moore SR3 [#7895](https://redirect.github.com/spring-projects/spring-security/issues/7895)
- Update to Spring Framework 5.2.3 [#7894](https://redirect.github.com/spring-projects/spring-security/issues/7894)
- Update nimbus-jose-jwt because of CVE-2019-17195 [#7570](https://redirect.github.com/spring-projects/spring-security/issues/7570)

#### :heart: Contributors

We'd like to thank all the contributors who worked on this release!
- [@rhamedy](https://redirect.github.com/rhamedy)
- [@Atry](https://redirect.github.com/Atry)
- [@fhanik](https://redirect.github.com/fhanik)
- [@quaff](https://redirect.github.com/quaff)
- [@joshiste](https://redirect.github.com/joshiste)
- [@eleftherias](https://redirect.github.com/eleftherias)
- [@LeeHainie](https://redirect.github.com/LeeHainie)

### [`v5.2.1.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.1.RELEASE)

[Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.2.0.RELEASE...5.2.1.RELEASE)

#### :star: New Features

- Fix variable reference in sample code [#7571](https://redirect.github.com/spring-projects/spring-security/pull/7571)
- spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate [#7565](https://redirect.github.com/spring-projects/spring-security/issues/7565)
- Add Resource Server Multi-tenancy Documentation [#7532](https://redirect.github.com/spring-projects/spring-security/issues/7532)
- Update SAML sample to use boot auto config [#7521](https://redirect.github.com/spring-projects/spring-security/issues/7521)
- Add Reactive CSRF Documentation [#6487](https://redirect.github.com/spring-projects/spring-security/issues/6487)

#### :beetle: Bug Fixes

- Restore Removed Throws Clauses [#7580](https://redirect.github.com/spring-projects/spring-security/pull/7580)
- CsrfWebFilter should handle multipart/form-data [#7576](https://redirect.github.com/spring-projects/spring-security/issues/7576)
- Make saveAuthorizedClient save the authorized client [#7551](https://redirect.github.com/spring-projects/spring-security/pull/7551)
- DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client [#7546](https://redirect.github.com/spring-projects/spring-security/issues/7546)
- `throws Exception` was removed from WebSecurityConfigurerAdapter#configure(WebSecurity)
[#7541](https://redirect.github.com/spring-projects/spring-security/issues/7541)
- SAML2 Provider SubjectConfirmation validation failure [#7514](https://redirect.github.com/spring-projects/spring-security/issues/7514)
- SAML2 Provider AuthNRequest Hardcoded Protocol Binding [#7513](https://redirect.github.com/spring-projects/spring-security/issues/7513)
- Clock skew to check access token expiration has wrong sign [#7511](https://redirect.github.com/spring-projects/spring-security/issues/7511)

#### :hammer: Dependency Upgrades

- Upgrade to Spring Boot 2.2.0.RELEASE [#7566](https://redirect.github.com/spring-projects/spring-security/pull/7566)

#### :heart: Contributors

We'd like to thank all the contributors who worked on this release!

- [@fhanik](https://redirect.github.com/fhanik)
- [@mftruso](https://redirect.github.com/mftruso)
- [@jzheaux](https://redirect.github.com/jzheaux)
- [@philsttr](https://redirect.github.com/philsttr)
- [@rweisleder](https://redirect.github.com/rweisleder)
- [@ramonPires](https://redirect.github.com/ramonPires)

### [`v5.2.0.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.2.0.RELEASE)

[Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.1.13.RELEASE...5.2.0.RELEASE)

#### :star: New Features

- Add Hello RSocket Sample [#7504](https://redirect.github.com/spring-projects/spring-security/issues/7504)
- Add RSocket Reference [#7502](https://redirect.github.com/spring-projects/spring-security/issues/7502)
- CookieServerCsrfRepositoryTests should not start domain with a dot [#7500](https://redirect.github.com/spring-projects/spring-security/issues/7500)
- Add OAuth2 Resource Server to Modules Section [#7498](https://redirect.github.com/spring-projects/spring-security/issues/7498)
- Initial saml2 login docs [#7495](https://redirect.github.com/spring-projects/spring-security/pull/7495)
- SAML 2 Assertion - Always require signature validation
[#7490](https://redirect.github.com/spring-projects/spring-security/issues/7490)
- Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver [#7488](https://redirect.github.com/spring-projects/spring-security/issues/7488)
- CurrentSecurityContextArgumentResolver polishes [#7487](https://redirect.github.com/spring-projects/spring-security/issues/7487)
- Add ClientRegistration.withClientRegistration(ClientRegistration) [#7486](https://redirect.github.com/spring-projects/spring-security/issues/7486)
- Add hasAuthority method to RSocketSecurity [#7478](https://redirect.github.com/spring-projects/spring-security/pull/7478)
- Align Servlet ExchangeFilterFunction CoreSubscriber [#7476](https://redirect.github.com/spring-projects/spring-security/pull/7476)
- WebFluxSecurityConfiguration does not configure oauth2Client [#7470](https://redirect.github.com/spring-projects/spring-security/issues/7470)
- Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec [#7467](https://redirect.github.com/spring-projects/spring-security/pull/7467)
- Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec [#7466](https://redirect.github.com/spring-projects/spring-security/issues/7466)
- Document Clear-Site-Data Support [#7463](https://redirect.github.com/spring-projects/spring-security/issues/7463)
- Document RFC 8414 Support [#7462](https://redirect.github.com/spring-projects/spring-security/issues/7462)
- Document Bearer Token Propagation [#7461](https://redirect.github.com/spring-projects/spring-security/issues/7461)
- Document Reactive Mock Jwt Testing [#7460](https://redirect.github.com/spring-projects/spring-security/issues/7460)
- Fixed typo in comment [#7458](https://redirect.github.com/spring-projects/spring-security/pull/7458)
- Use Schedulers.boundedElastic() [#7457](https://redirect.github.com/spring-projects/spring-security/issues/7457)
- AbstractUserDetailsReactiveAuthenticationManager uses
newParallel [#7456](https://redirect.github.com/spring-projects/spring-security/issues/7456)
- Add hasAnyAuthority method in AuthorizePayloadsSpec.Access [#7455](https://redirect.github.com/spring-projects/spring-security/pull/7455)
- Add denyAll method in AuthorizePayloadsSpec.Access [#7451](https://redirect.github.com/spring-projects/spring-security/pull/7451)
- AuthenticationFilter's methods should be private [#7447](https://redirect.github.com/spring-projects/spring-security/issues/7447)
- AuthenticationFilter should provide session fixation protection [#7446](https://redirect.github.com/spring-projects/spring-security/issues/7446)
- Use Jwt.Builder [#7443](https://redirect.github.com/spring-projects/spring-security/issues/7443)
- Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority [#7437](https://redirect.github.com/spring-projects/spring-security/issues/7437)
- Add AuthorizePayloadsSpec.Access hasAuthority [#7435](https://redirect.github.com/spring-projects/spring-security/issues/7435)
- Document Resource Server User-Info Usage [#7431](https://redirect.github.com/spring-projects/spring-security/issues/7431)
- Document Reactive Opaque Token Usage [#7430](https://redirect.github.com/spring-projects/spring-security/issues/7430)
- Document NimbusReactiveJwtDecoder [#7425](https://redirect.github.com/spring-projects/spring-security/issues/7425)
- Document Mock Jwt Testing [#7424](https://redirect.github.com/spring-projects/spring-security/issues/7424)
- Servlet ExchangeFilterFunctions should align [#7422](https://redirect.github.com/spring-projects/spring-security/issues/7422)
- Document Opaque Token Usage [#7420](https://redirect.github.com/spring-projects/spring-security/issues/7420)
- ServletBearerExchangeFilterFunction should propagate Authentication [#7418](https://redirect.github.com/spring-projects/spring-security/issues/7418)
- Document NimbusJwtDecoder
[#7408](https://redirect.github.com/spring-projects/spring-security/issues/7408)
- Document Jwt.Builder [#7407](https://redirect.github.com/spring-projects/spring-security/issues/7407)
- Document OAuth2AuthenticatedPrincipal [#7406](https://redirect.github.com/spring-projects/spring-security/issues/7406)
- DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange [#7390](https://redirect.github.com/spring-projects/spring-security/issues/7390)
- Make OAuth2User extends OAuth2AuthenticatedPrincipal [#7383](https://redirect.github.com/spring-projects/spring-security/pull/7383)
- OAuth2User should extend OAuth2AuthenticatedPrincipal [#7378](https://redirect.github.com/spring-projects/spring-security/issues/7378)
- SamlAuthenticationProvider should propagate actual validation errors [#7375](https://redirect.github.com/spring-projects/spring-security/issues/7375)
- Add Reactive Messaging AuthenticationPrincipalArgumentResolver [#7363](https://redirect.github.com/spring-projects/spring-security/issues/7363)
- Allow Custom PayloadInterceptor to be Added [#7362](https://redirect.github.com/spring-projects/spring-security/issues/7362)
- Default RSocketSecurity [#7361](https://redirect.github.com/spring-projects/spring-security/issues/7361)
- Add nonce to OIDC Authentication Request [#7337](https://redirect.github.com/spring-projects/spring-security/pull/7337)
- Introduce LogoutSuccessEvent [#7306](https://redirect.github.com/spring-projects/spring-security/pull/7306)
- Mock Jwt should ensure that CSRF is not required [#7170](https://redirect.github.com/spring-projects/spring-security/issues/7170)
- Document BearerTokenResolver in reference [#6254](https://redirect.github.com/spring-projects/spring-security/issues/6254)
- Consider adding nonce to OIDC Authentication Request [#4442](https://redirect.github.com/spring-projects/spring-security/issues/4442)
- SEC-2680: Fire an event when logout has finished
[#2900](https://redirect.github.com/spring-projects/spring-security/issues/2900)

#### :beetle: Bug Fixes

- Correctly populate the AuthNRequest attributes [#7496](https://redirect.github.com/spring-projects/spring-security/pull/7496)
- AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI [#7494](https://redirect.github.com/spring-projects/spring-security/issues/7494)
- AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed [#7492](https://redirect.github.com/spring-projects/spring-security/issues/7492)
- Always validate saml2 signatures [#7491](https://redirect.github.com/spring-projects/spring-security/pull/7491)
- CurrentSecurityContext Javadoc should be about SecurityContext [#7489](https://redirect.github.com/spring-projects/spring-security/issues/7489)
- Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… [#7450](https://redirect.github.com/spring-projects/spring-security/pull/7450)
- SAML Response Skew is using the wrong type [#7448](https://redirect.github.com/spring-projects/spring-security/issues/7448)
- Jwt.Builder should keep notBefore as an Instant [#7442](https://redirect.github.com/spring-projects/spring-security/issues/7442)
- AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor [#7434](https://redirect.github.com/spring-projects/spring-security/issues/7434)
- RSocketMessageHandlerITests could hang [#7415](https://redirect.github.com/spring-projects/spring-security/issues/7415)
- RSocketSecurity anyRequest delegates to anyExchange [#7414](https://redirect.github.com/spring-projects/spring-security/issues/7414)
- OpenSamlAuthenticationProvider should not throw AuthenticationServiceException [#7377](https://redirect.github.com/spring-projects/spring-security/issues/7377)
- OpenSamlAuthenticationProvider should propagate validation errors [#7376](https://redirect.github.com/spring-projects/spring-security/issues/7376)
- OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri [#7036](https://redirect.github.com/spring-projects/spring-security/issues/7036)

#### :hammer: Dependency Upgrades

- Update to Spring Data Moore-RELEASE [#7506](https://redirect.github.com/spring-projects/spring-security/pull/7506)
- Remaining dependency upgrades for 5.2.0 [#7505](https://redirect.github.com/spring-projects/spring-security/pull/7505)
- Upgrade JSON jackson library to 2.10.0 [#7480](https://redirect.github.com/spring-projects/spring-security/pull/7480)
- Release/dependencies for 5.2 ga [#7471](https://redirect.github.com/spring-projects/spring-security/pull/7471)
- Update the AspectJ Gradle Plugin to 4.0.2 [#7427](https://redirect.github.com/spring-projects/spring-security/pull/7427)
- Update to Gradle 5.6.2 [#7412](https://redirect.github.com/spring-projects/spring-security/pull/7412)
- Upgrade to OpenSaml 3.4.3 [#7392](https://redirect.github.com/spring-projects/spring-security/issues/7392)
- Upgrade embedded Apache Tomcat to 9.0.24 [#7384](https://redirect.github.com/spring-projects/spring-security/issues/7384)

#### :heart: Contributors

We'd like to thank all the contributors who worked on this release!
- [@rchigvintsev](https://redirect.github.com/rchigvintsev)
- [@munilvc](https://redirect.github.com/munilvc)
- [@sdoxsee](https://redirect.github.com/sdoxsee)
- [@jgrandja](https://redirect.github.com/jgrandja)
- [@jascama](https://redirect.github.com/jascama)
- [@bedla](https://redirect.github.com/bedla)
- [@mkheck](https://redirect.github.com/mkheck)
- [@fhanik](https://redirect.github.com/fhanik)
- [@larsgrefer](https://redirect.github.com/larsgrefer)
- [@okohub](https://redirect.github.com/okohub)
- [@eberttc](https://redirect.github.com/eberttc)
- [@eddumelendez](https://redirect.github.com/eddumelendez)
- [@evfool](https://redirect.github.com/evfool)

### [`v5.1.13.RELEASE`](https://redirect.github.com/spring-projects/spring-security/releases/tag/5.1.13.RELEASE)

[Compare Source](https://redirect.github.com/spring-projects/spring-security/compare/5.1.12.RELEASE...5.1.13.RELEASE)

#### :beetle: Bug Fixes

- SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. [#9059](https://redirect.github.com/spring-projects/spring-security/issues/9059)

#### :hammer: Dependency Upgrades

- Update to Spring Boot 2.1.17.RELEASE [#9078](https://redirect.github.com/spring-projects/spring-security/issues/9078)
- Update to Hibernate Validator 6.0.21 [#9077](https://redirect.github.com/spring-projects/spring-security/issues/9077)
- Update to org.aspectj 1.9.6 [#9076](https://redirect.github.com/spring-projects/spring-security/issues/9076)
- Update to GAE 1.9.82 [#9075](https://redirect.github.com/spring-projects/spr