grails-spring-security-core

fix(deps): update spring security to v6 (major)

Open renovate[bot] opened this issue 1 year ago • 0 comments

This PR contains the following updates:

| Package | Change |
|---|---|
| org.springframework.security:spring-security-web | 5.8.11 -> 6.3.1 |
| org.springframework.security:spring-security-crypto | 5.8.11 -> 6.3.1 |
| org.springframework.security:spring-security-core | 5.8.11 -> 6.3.1 |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v6.3.1

v6.3.0

:star: New Features

  • Add getters to OAuth2AuthorizedClientId #​13648
  • Add timeout defaults to JwtDecoders #​14890
  • doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #​15065
  • Improve logging for Global Authentication #​14711
  • Minor docs fix #​15043
  • Minor Documentation update on import needed for using Kotlin DSL #​14969
  • OAuth2 Client Authentication docs are incomplete #​14982
  • Proofread CasAuthenticationFilter documentation #​14883
  • Replace "Spring Boot 2.x" with "Spring Boot" #​14919
  • Simplify Disabling application/x-www-form-urlencoded Encoding Client ID and Secret #​14859
  • Support Specifying Identifier for relying-party-registrations Element #​14487
  • Update What's New in 6.3 #​14918

:beetle: Bug Fixes

  • Do Not Invalidate Current Session When Its Registered #​15066
  • Fix MethodAuthorizationDeniedPostProcessor does not exist in java doc #​14955
  • fix docs error in AuthenticatedReactiveAuthorizationManager #​14979
  • OIDC Logout section is not shown in the navbar #​15113
  • Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #​14996

:hammer: Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.5 to 1.5.6 #​14926
  • Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1 #​15010
  • Bump com.gradle.develocity from 3.17.2 to 3.17.3 #​15051
  • Bump com.gradle.develocity from 3.17.3 to 3.17.4 #​15104
  • Bump io.micrometer:micrometer-observation from 1.12.5 to 1.12.6 #​15068
  • Bump io.mockk:mockk from 1.13.10 to 1.13.11 #​15086
  • Bump io.projectreactor:reactor-bom from 2023.0.5 to 2023.0.6 #​15076
  • Bump org-apache-maven-resolver from 1.9.18 to 1.9.19 #​14940
  • Bump org-apache-maven-resolver from 1.9.19 to 1.9.20 #​14987
  • Bump org-aspectj from 1.9.22 to 1.9.22.1 #​15052
  • Bump org-bouncycastle from 1.78 to 1.78.1 #​14929
  • Bump org-eclipse-jetty from 11.0.20 to 11.0.21 #​15087
  • Bump org.hibernate.orm:hibernate-core from 6.4.4.Final to 6.4.5.Final #​14948
  • Bump org.hibernate.orm:hibernate-core from 6.4.5.Final to 6.4.6.Final #​14952
  • Bump org.hibernate.orm:hibernate-core from 6.4.6.Final to 6.4.7.Final #​14962
  • Bump org.hibernate.orm:hibernate-core from 6.4.7.Final to 6.4.8.Final #​14980
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.23 to 1.9.24 #​15025
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.23 to 1.9.24 #​15026
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.8.0 to 1.8.1 #​15053
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.13 to 4.33.15 #​14945
  • Bump org.springframework.data:spring-data-bom from 2024.0.0-RC1 to 2024.0.0 #​15103
  • Bump org.springframework:spring-framework-bom from 6.1.6 to 6.1.7 #​15088

:nut_and_bolt: Build Updates

  • Attach Antora Docs to Pull Requests #​15061
  • Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.12 #​14986
  • Bump com.github.spullara.mustache.java:compiler from 0.9.12 to 0.9.13 #​14999
  • Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #​14963
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.2 to 1.0.3 #​14928
  • Consider Adding a Build Updates section to the release changelog #​15039

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​Crain-32, @​Kehrlann, @​MrJovanovic13, @​ch4mpy, @​dependabot[bot], @​joaquinjsb, @​kse-music, @​madorb, @​rishiraj88, and @​vvaadd

v6.2.5

v6.2.4

:beetle: Bug Fixes

  • SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #​14805
  • Address AuthorizationObservationConvention Package Tangle #​14795
  • bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #​14848
  • Transactional annotation breaks AOT for native image #​14865

:hammer: Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.4 to 1.12.5 #​14867
  • Bump io.projectreactor:reactor-bom from 2023.0.4 to 2023.0.5 #​14873
  • Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #​14821
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #​14786
  • Bump org-aspectj from 1.9.21.2 to 1.9.22 #​14798
  • Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #​14907
  • Bump org.springframework.data:spring-data-bom from 2023.1.4 to 2023.1.5 #​14908
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.2 to 3.2.3 #​14896
  • Bump org.springframework:spring-framework-bom from 6.1.5 to 6.1.6 #​14895
  • Update org.opensaml:opensaml-core4 to 4.3.1 #​14850

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot]

v6.2.3

:star: New Features

  • Structure101 Plugin Should Ignore Deprecated Files #​14640

:beetle: Bug Fixes

  • Check for null Authentication #​14666
  • Fix Package Tangle in CAS #​14641
  • LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #​14648
  • ObservationTextHandler class is not defined in a reactive context #​14653
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #​14723
  • Spring security's ServerLogoutHandler order problem. #​14682

:hammer: Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.3 to 1.12.4 #​14719
  • Bump io.mockk:mockk from 1.13.9 to 1.13.10 #​14661
  • Bump io.projectreactor:reactor-bom from 2023.0.3 to 2023.0.4 #​14726
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #​14705
  • Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #​14734
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.22 to 1.9.23 #​14706
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.22 to 1.9.23 #​14704
  • Bump org.springframework.data:spring-data-bom from 2023.1.3 to 2023.1.4 #​14770
  • Bump org.springframework:spring-framework-bom from 6.1.4 to 6.1.5 #​14757

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot]

v6.2.2

:star: New Features
  • Configuration examples in docs are out of date #​14392
:beetle: Bug Fixes
  • "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #​14568
  • HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #​14367
  • OAuth2AuthorizationExchange is not serializable #​14405
  • WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #​14468
  • Application context fails to load: Couldn't find FilterChainProxy #​14380
  • Back-Channel Logout should use localhost for internal logout request #​14553
  • Cannot configure SecurityContextRepository in CasAuthenticationFilter #​14536
  • Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #​14348
  • fix typo in anonymous.adoc #​14424
  • fix: typo in Authentication Architecture ProviderManager #​14448
  • Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #​14377
  • Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #​14470
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #​14350
  • SAML relying party logout filter is always ordered last #​14551
  • Spring Security 6.2 defaults to InMemoryOidcSessionRegistry causing memory leaks in distributed systems with external session storage #​14558
  • Test using @WithMockUser fails with 401 UNAUTHORIZED with 3.2 #​14207
  • Typo: Update authorize-http-requests.adoc #​14563
  • Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #​14496
  • X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #​14346
:hammer: Dependency Upgrades
  • Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.15.4 #​14617
  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #​14582
  • Bump Gradle Wrapper from 8.5 to 8.6 #​14547
  • Bump gradle/gradle-build-action from 2 to 3 #​14503
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #​14439
  • Bump io.micrometer:micrometer-observation from 1.12.1 to 1.12.2 #​14429
  • Bump io.micrometer:micrometer-observation from 1.12.2 to 1.12.3 #​14589
  • Bump io.mockk:mockk from 1.13.8 to 1.13.9 #​14412
  • Bump io.projectreactor:reactor-bom from 2023.0.1 to 2023.0.2 #​14430
  • Bump io.projectreactor:reactor-bom from 2023.0.2 to 2023.0.3 #​14612
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #​14463
  • Bump org-aspectj from 1.9.21 to 1.9.21.1 #​14605
  • Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #​14354
  • Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #​14518
  • Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #​14440
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.21 to 1.9.22 #​14364
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.21 to 1.9.22 #​14363
  • Bump org.junit:junit-bom from 5.10.1 to 5.10.2 #​14543
  • Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #​14422
  • Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #​14554
  • Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #​14387
  • Bump org.springframework.data:spring-data-bom from 2023.1.1 to 2023.1.2 #​14455
  • Bump org.springframework.data:spring-data-bom from 2023.1.2 to 2023.1.3 #​14624
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.1 to 3.2.2 #​14616
  • Bump org.springframework:spring-framework-bom from 6.1.2 to 6.1.3 #​14454
  • Bump org.springframework:spring-framework-bom from 6.1.3 to 6.1.4 #​14615
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #​14504
  • Bump spring-io/spring-github-workflows from eaf17a1 to 1e8b058 #​14583
:heart: Contributors

Thank you to all the contributors who worked on this release:

@​Amitmahato, @​andreasbuechel, @​boulce, and @​dependabot[bot]

v6.2.1

:star: New Features

  • docs: make XML and Java/Kotlin consistent with AspectJExpressionPointcut #​14219
  • Document that Shibboleth Repository is Required for SAML Support #​14295
  • Fix typo in architecture.adoc #​14254
  • Fixing link in authentication/architecture.adoc #​13593
  • Integrate HandlerMappingIntrospector Caching #​14332
  • OAuth2 Resource Server is exposing server information. #​14278

:beetle: Bug Fixes

  • Update Java Config Spring MVC documentation #​14234
  • add missing [tabs] fix typo in docs #​14208
  • AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14267
  • Correct What's New in 6.2 reference to forServletPattern #​14200
  • Fix typo in getClaimAsMap docstring #​14183
  • Fix typo in the 'Authorizing Requests' example #​14169
  • fix wrong document about "jws-algorithms" #​14280
  • Improve error message when ServletRegistration API is unavailable #​14232
  • Update Javadoc Comments in AuthorizationEvent Class #​14175

:hammer: Dependency Upgrades

  • Bump actions/checkout from 3 to 4 #​14323
  • Bump actions/setup-java from 3 to 4 #​14320
  • Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14213
  • Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14239
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14223
  • Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14328
  • Bump Gradle Wrapper from 8.4 to 8.5 #​14222
  • Bump io.micrometer:micrometer-observation from 1.12.0 to 1.12.1 #​14284
  • Bump io.projectreactor:reactor-bom from 2023.0.0 to 2023.0.1 #​14289
  • Bump org-apache-maven-resolver from 1.9.16 to 1.9.17 #​14184
  • Bump org-apache-maven-resolver from 1.9.17 to 1.9.18 #​14197
  • Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14271
  • Bump org.apache.maven:maven-resolver-provider from 3.9.5 to 3.9.6 #​14228
  • Bump org.hibernate.orm:hibernate-core from 6.3.1.Final to 6.3.2.Final #​14190
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.20 to 1.9.21 #​14192
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.20 to 1.9.21 #​14191
  • Bump org.springframework.data:spring-data-bom from 2023.1.0 to 2023.1.1 #​14341
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.0 to 3.2.1 #​14335
  • Bump org.springframework:spring-framework-bom from 6.1.0 to 6.1.1 #​14189
  • Bump org.springframework:spring-framework-bom from 6.1.1 to 6.1.2 #​14319
  • Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14318
  • Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14322
  • Bump spring-io/spring-gradle-build-action from 1 to 2 #​14321

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​ParkerM, @​YangSiJun528, @​aaron-to-go, @​ahmd-nabil, @​andreilisa, @​dependabot[bot], @​limvik, and @​prufrock

v6.2.0

:star: New Features

  • AuthorizationManager[Before/After]ReactiveMethodInterceptor doesn't support Kotlin coroutines #​12080
  • Simplify configuration of OAuth2 Client component model #​11783

:beetle: Bug Fixes

  • On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14064
  • Authentication not propagated correctly after migrating to SB3 #​14112
  • Authorization does not show up on Features section #​14105
  • Fix obsolete comment and typos #​14060
  • Fix typo in documentation #​14130
  • improve render in headers.adoc #​14102
  • ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14042
  • References to WebFlux docs do not link to them #​14108
  • relay_state should not be included in signing calculation when it is null #​14039
  • samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14138
  • Security configuration is failed to be initialized in a Servlet 6.0 container #​14166
  • Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14115
  • Spring Security metric names should not contain dashes #​14067
  • spring.security counters inaccurate due onComplete and cancel() #​14147
  • The latest "OAuth2AuthorizedClientManager" class is not AOT ready #​14094
  • UnboundIdContainer should be marked as not running at shutdown #​14095

:hammer: Dependency Upgrades

  • Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14156
  • Bump io.micrometer:micrometer-observation from 1.12.0-RC1 to 1.12.0 #​14135
  • Bump io.projectreactor:reactor-bom from 2023.0.0-RC1 to 2023.0.0 #​14145
  • Bump org.junit:junit-bom from 5.10.0 to 5.10.1 #​14097
  • Bump org.springframework.data:spring-data-bom from 2023.1.0-RC1 to 2023.1.0 #​14172
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.0-RC1 to 3.2.0 #​14155
  • Bump org.springframework:spring-framework-bom from 6.1.0-RC1 to 6.1.0-RC2 #​14055
  • Bump org.springframework:spring-framework-bom from 6.1.0-RC2 to 6.1.0 #​14157

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.9

:star: New Features

  • Bump Gradle Wrapper from 8.6 to 8.7 #​14796

:beetle: Bug Fixes

  • SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #​14634
  • Address AuthorizationObservationConvention Package Tangle #​14794
  • bug org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector introspect method error #​14847
  • Transactional annotation breaks AOT for native image #​14825

:hammer: Dependency Upgrades

  • Bump io.projectreactor:reactor-bom from 2022.0.17 to 2022.0.18 #​14876
  • Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #​14823
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.1 to 1.0.2 #​14783
  • Bump org-aspectj from 1.9.21.2 to 1.9.22 #​14799
  • Bump org.slf4j:slf4j-api from 2.0.12 to 2.0.13 #​14909
  • Bump org.springframework:spring-framework-bom from 6.0.18 to 6.0.19 #​14894

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot] and @​github-actions[bot]

v6.1.8

:beetle: Bug Fixes

  • Check for null Authentication #​14665
  • Fix Package Tangle in CAS #​14627
  • Fix Package Tangle in SAML 2.0 #​14628
  • LogoutConfigurer#createLogoutFilter sets the SecurityContextHolderStrategy twice #​14647
  • ObservationTextHandler class is not defined in a reactive context #​14651
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #​14722
  • Spring security's ServerLogoutHandler order problem. #​14681

:hammer: Dependency Upgrades

  • Bump io.mockk:mockk from 1.13.9 to 1.13.10 #​14660
  • Bump io.projectreactor:reactor-bom from 2022.0.16 to 2022.0.17 #​14728
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 #​14703
  • Bump org-aspectj from 1.9.21.1 to 1.9.21.2 #​14733
  • Bump org.springframework:spring-framework-bom from 6.0.17 to 6.0.18 #​14762

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​dependabot[bot]

v6.1.7

:star: New Features
  • Fix Spring initializr link in 'Getting Spring Security' #​14375
  • Refactor: Remove Irrelevant Documentation Lines #​14374
  • Typo fix in configuration.adoc #​14372
  • Updated the Configuration examples in docs #​14391
:beetle: Bug Fixes
  • "Span wasn't started - an observation must be started (not only created)" (Micrometer) due to observation handling in Spring Security Web? #​14445
  • HandlerMappingIntrospectorRequestTransformer is registered twice in AOT #​14362
  • OAuth2AuthorizationExchange is not serializable #​14402
  • WebTestUtilsTestRuntimeHints should implement RuntimeHintsRegistrar #​14399
  • Application context fails to load: Couldn't find FilterChainProxy #​14370
  • Cannot configure SecurityContextRepository in CasAuthenticationFilter #​14529
  • Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #​14347
  • Fix broken sample code in Authorize HttpServletRequests #​14386
  • Fix command in CONTRIBUTING.adoc #​14489
  • Missing native-image reflection hint for HandlerMappingIntrospectorCachFilterFactoryBean #​14359
  • Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken #​14397
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #​14349
  • SAML relying party logout filter is always ordered last #​14550
  • Typo: Update ldap.adoc #​14509
  • Typo: Update session-management.adoc #​14515
  • Unexpected Exception Handling in NimbusReactiveJwtDecoder decode Method #​14495
  • X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #​14345
:hammer: Dependency Upgrades
  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #​14581
  • Bump Gradle Wrapper from 8.5 to 8.6 #​14540
  • Bump gradle/gradle-build-action from 2 to 3 #​14500
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #​14436
  • Bump io.mockk:mockk from 1.13.8 to 1.13.9 #​14413
  • Bump io.projectreactor:reactor-bom from 2022.0.14 to 2022.0.15 #​14428
  • Bump io.projectreactor:reactor-bom from 2022.0.15 to 2022.0.16 #​14611
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #​14465
  • Bump org-aspectj from 1.9.21 to 1.9.21.1 #​14606
  • Bump org-eclipse-jetty from 11.0.18 to 11.0.19 #​14355
  • Bump org-eclipse-jetty from 11.0.19 to 11.0.20 #​14519
  • Bump org.apereo.cas.client:cas-client-core from 4.0.3 to 4.0.4 #​14437
  • Bump org.slf4j:slf4j-api from 2.0.10 to 2.0.11 #​14421
  • Bump org.slf4j:slf4j-api from 2.0.11 to 2.0.12 #​14555
  • Bump org.slf4j:slf4j-api from 2.0.9 to 2.0.10 #​14389
  • Bump org.springframework:spring-framework-bom from 6.0.15 to 6.0.16 #​14443
  • Bump org.springframework:spring-framework-bom from 6.0.16 to 6.0.17 #​14621
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #​14499
  • Bump spring-io/spring-github-workflows from eaf17a1 to 1e8b058 #​14580
:heart: Contributors

Thank you to all the contributors who worked on this release:

@​Siddharth1605, @​acktsap, @​boulce, @​dependabot[bot], @​github-actions[bot], @​kcsurapaneni, @​nkilchenmann, and @​ty-v1

v6.1.6

:star: New Features

  • Document that Shibboleth Repository is Required for SAML Support #​14294
  • Integrate HandlerMappingIntrospector Caching #​14128
  • OAuth2 Resource Server is exposing server information. #​14277
  • Resolve RequestMatcher at request-time #​14085

:beetle: Bug Fixes

  • AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14266
  • Authentication not propagated correctly after migrating to SB3 #​14111
  • Authorization does not show up on Features section #​14104
  • DefaultLoginPageGeneratingFilter should be able to handle AuthenticationExceptions without message #​14117
  • Fix broken link for servlet getting started page #​14119
  • Fix typo in method-security.adoc #​14059
  • fix wrong document about "jws-algorithms" #​14279
  • Improve error message when ServletRegistration API is unavailable #​14231
  • improve render in headers.adoc #​14101
  • On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14063
  • ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14041
  • References to WebFlux docs do not link to them #​14107
  • relay_state should not be included in signing calculation when it is null #​14038
  • samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14131
  • Security configuration is failed to be initialized in a Servlet 6.0 container #​14165
  • Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14114
  • Spring Security metric names should not contain dashes #​14066
  • spring.security counters inaccurate due onComplete and cancel() #​14146
  • Update Java Config Spring MVC documentation #​14233
  • Update logout.adoc: Replace Directives with Directive #​14062

:hammer: Dependency Upgrades

  • Bump actions/checkout from 3 to 4 #​14310
  • Bump actions/setup-java from 3 to 4 #​14327
  • Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14214
  • Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14238
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14224
  • Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14317
  • Bump Gradle Wrapper from 8.4 to 8.5 #​14218
  • Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14158
  • Bump io.micrometer:micrometer-observation from 1.10.12 to 1.10.13 #​14134
  • Bump io.projectreactor:reactor-bom from 2022.0.12 to 2022.0.13 #​14144
  • Bump io.projectreactor:reactor-bom from 2022.0.13 to 2022.0.14 #​14288
  • Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14272
  • Bump org-eclipse-jetty from 11.0.17 to 11.0.18 #​14081
  • Bump org.springframework.data:spring-data-bom from 2022.0.11 to 2022.0.12 #​14173
  • Bump org.springframework:spring-framework-bom from 6.0.13 to 6.0.14 #​14159
  • Bump org.springframework:spring-framework-bom from 6.0.14 to 6.0.15 #​14312
  • Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14315
  • Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14316
  • Bump spring-io/spring-gradle-build-action from 1 to 2 #​14305

:heart: Contributors

Thank you to all the contributors who worked on this release:

@​Ruffeng, @​dependabot[bot], @​github-actions[bot], @​marbon87, and @​sadidshaikh

v6.1.5

:star: New Features
  • Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​14015
  • Replace deprecated method #​13649
  • Use Gradle's Version Catalog #​13871
:beetle: Bug Fixes
  • Dependency convergence failed: nimbus-jose-jwt #​13843
  • Docs custom AuthorizationManager fix #​13991
  • Fix snapshot_tests on CI workflow #​13878
  • Fix parsing of GET SAML logout requests #​13970
  • Saml-Metadata with special characters is corrupted #​13861
  • Saml2LogoutRequestMixin relayState property should be binding #​13942
:hammer: Dependency Upgrades
  • Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13984
  • Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13891
  • Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13950
  • Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #​13934
  • Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #​13903
  • Bump Gradle Wrapper from 8.3 to 8.4 #​13974
  • Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #​13935
  • Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #​13945
  • Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #​14001
  • Bump io.mockk:mockk from 1.13.7 to 1.13.8 #​13952
  • Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.11 #​13937
  • Bump io.projectreactor:reactor-bom from 2022.0.11 to 2022.0.12 #​14000
  • Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13985
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #​13949
  • Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13896
  • Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #​13901
  • Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #​13999
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13953
  • Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #​13938
  • Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #​14019
  • Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #​13951
  • Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #​14007
  • Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #​13904
  • Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #​14006
  • Update to org.apereo.cas.client:cas-client-core 4.0.3 #​13947
:heart: Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.4

:star: New Features

:beetle: Bug Fixes

  • CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #​13659
  • CookieRequestCache ignores user Locale #​13796
  • Default Security Configuration adds WWW-Authenticate Twice #​13759
  • Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin [#​13729](https://togithub.com/spri

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot], Dec 19 '23 17:12