Fri. Aug 14th, 2020

Spring Security 5.2.3, 5.1.9, 5.0.15 & 4.2.15 released, Spring security framework

Spring Security, formerly known as Acegi Security, provides comprehensive security services for J2EE-based enterprise applications, especially enterprise software projects developed using the leading J2EE solution, the Spring Framework. There are a number of reasons why people use Spring Security, but the usual attraction is that they cannot find a solution for a typical enterprise application scenario in the J2EE Servlet Specification or the EJB Specification.

Features

  • Comprehensive and extensible support for both Authentication and Authorization
  • Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.
  • Servlet API integration
  • Optional integration with Spring Web MVC
  • Much more…

Spring Security 5.2.3, 5.1.9, 5.0.15 & 4.2.15 released.

Changelog

v 5.2.3

⭐️ New Features

  • SpringTestContext returns ConfigurableWebApplicationContext #8240
  • OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #8235
  • SwitchUserFilter vulnerable to CSRF #8223
  • Update Encryptors documentation for standard and stronger #8212
  • Getting OAuth2AuthenticationException when Bearer token is empty #8207
  • Document AuthorizedClientServiceOAuth2AuthorizedClientManager #8159
  • Basic auth header without user results in exception #8123
  • Typo ‘properites’ -> ‘properties’ in documentation #8099

🐞 Bug Fixes

  • Update tests to use absolute paths #8260
  • HttpServletRequest.logout() not functioning #8241
  • OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8210
  • oauth2Login WebFlux should not auto-redirect for XHR request #8202
  • Make OAuth2ErrorHttpMessageConverter more resilient #8180
  • RSocket test should throw AccessDeniedException #8155
  • Fix typo in Javadoc of HttpSecurity#csrf() #8137
  • Empty RelayState causes errors with ADFS #8070
  • Fix typo in AntPathRequestMatcher constructor comment #8045
  • An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8040
  • OAuth2 access token response parsing fails with nested JSON object #8021
  • Fix typo in snippet code ‘jwtAuthenticationConveter’ -> ‘jwtAuthenticationConverter’ #7969
  • OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #7967
  • OAuth2AuthorizationCodeGrantFilter should also match on query parameters #7964
  • Query parameters in authorization-url are double-encoded #7960
  • Don’t force downcasting of RequestAttributes to ServletRequestAttributes #7959
  • ClassCastException for ServletRequestAttributes #7958

🔨 Dependency Upgrades

  • Update RSocket to 1.0.0-RC6 #8280
  • Update to reactive-streams 1.0.3 #8279
  • Update to OpenSAML 3.4.5 #8278
  • Update to hibernate-entitymanager 5.4.13.Final #8277
  • Update to hibernate-core 5.2.18.Final #8276
  • Update blockhound to 1.0.3.RELEASE #8275
  • Update to unboundid-ldapsdk 4.0.14 #8274
  • Update to okhttp 3.14.7 #8259
  • Update to Jackson 2.10.3 #8258
  • Update to mockwebserver 3.14.7 #8257
  • Update to org.powermock 2.0.6 #8255
  • Upgrade to embedded Apache Tomcat 9.0.33 #8254
  • Update to httpclient 4.5.12 #8253
  • Update to Spring Boot 2.2.6.RELEASE #8252
  • Update to GAE 1.9.79 #8251
  • Update to Reactor Dysprosium-SR6 #8250
  • Update to Spring Framework 5.2.5 #8249
  • Update to Spring Data Moore-SR6 #8248
  • Update to Jetty 9.4.22.v20191022 #7507
