Spring Security 5.4.4, 5.3.8, and 5.2.9 released, Spring security framework
Spring Security, formerly known as Acegi Security, provides comprehensive security services for J2EE-based enterprise applications, especially enterprise software projects developed using the leading J2EE solution, the Spring Framework. People use Spring Security for a number of reasons, but the usual attraction is that they cannot find a solution for a typical enterprise application scenario in the J2EE Servlet Specification or the EJB Specification.
Features
- Comprehensive and extensible support for both Authentication and Authorization
- Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.
- Servlet API integration
- Optional integration with Spring Web MVC
- Much more…
Spring Security 5.4.4, 5.3.8, and 5.2.9 released.
Changelog
v5.2.9
⭐ New Features
- Improve HttpSessionSecurityContextSessionRepository Performance #9390
- Migrate SAML 2.0 Samples to Use PCFOne #9371
- Use constant time comparisons for CSRF tokens #9359
🐞 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9428
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9406
- Remove notEmpty check for authorities in DefaultOAuth2User #9398
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9340
- webflux-x509 sample cert needs renewal #9321
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9260
🔨 Dependency Upgrades
- Update to GAE 1.9.86 #9442
- Update to Tomcat 9.0.43 #9441
- Update to Jetty 9.4.36.v20210114 #9440
- Update to hibernate-validator 6.1.7.Final #9439
- Update to hibernate-entitymanager 5.4.28.Final #9438
- Update to thymeleaf-spring5 3.0.12 #9437
- Update to Spring Data Moore-SR12 #9436
- Update to Reactor Dysprosium-SR16 #9435
- Update to Spring Framework 5.2.12.RELEASE #9434
- Update to Spring Boot 2.2.13.RELEASE #9433
v5.3.8
⭐ New Features
- Improve HttpSessionSecurityContextSessionRepository Performance #9391
- Improve HttpSessionSecurityContextSessionRepository Performance #9389
- Migrate SAML 2.0 Samples to Use PCFOne #9370
- Resolve artifacts from Maven Central first #9368
- Use constant time comparisons for CSRF tokens #9358
🐞 Bug Fixes
- Fix the 5.3.7.RELEASE
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9427
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9405
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9404
- Remove notEmpty check for authorities in DefaultOAuth2User #9397
- Wrong example name in Spring Security documentation #9384
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9339
- webflux-x509 sample cert needs renewal #9323
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9259
v5.4.4
⭐ New Features
- Migrate SAML 2.0 Samples to Use PCFOne #9369
- Resolve artifacts from Maven Central first #9367
- Use constant time comparisons for CSRF tokens #9357
- Improve HttpSessionSecurityContextSessionRepository Performance #9388
🐞 Bug Fixes
- OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
- Fix custom marshaller example #9409
- Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
- CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
- Consider downgrading to Nimbus 8 #9399
- Remove notEmpty check for authorities in DefaultOAuth2User #9396
- Wrong example name in Spring Security documentation #9383
- Make user info response status check error only #9376
- Malformed WWW-Authenticate Causes NPE #9364
- CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
- Exception when declaring multiple AuthenticationManager beans #9332
- webflux-x509 sample cert needs renewal #9322
- OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258