2 Releases published by 1 person

• 6.3.6

  published Dec 16, 2024

• 6.4.2

  published Dec 16, 2024

65 Pull requests merged by 12 people

• Fix missing space in documentation

  #16353 merged Jan 7, 2025

• Bump org.assertj:assertj-core from 3.27.1 to 3.27.2

  #16365 merged Jan 7, 2025

• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16

  #16366 merged Jan 6, 2025

• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16

  #16364 merged Jan 6, 2025

• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16

  #16363 merged Jan 6, 2025

• Bump org.mockito:mockito-bom from 5.14.2 to 5.15.2

  #16360 merged Jan 3, 2025

• Bump org.assertj:assertj-core from 3.27.0 to 3.27.1

  #16357 merged Jan 2, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.28.3.RELEASE to 0.28.4.RELEASE

  #16356 merged Jan 2, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.28.3.RELEASE to 0.28.4.RELEASE

  #16355 merged Jan 2, 2025

• Bump ch.qos.logback:logback-classic from 1.5.14 to 1.5.15

  #16334 merged Dec 23, 2024

• Bump io.mockk:mockk from 1.13.13 to 1.13.14

  #16335 merged Dec 23, 2024

• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.0 to 1.10.1

  #16333 merged Dec 23, 2024

• Bump ch.qos.logback:logback-classic from 1.5.14 to 1.5.15

  #16332 merged Dec 23, 2024

• Bump io.mockk:mockk from 1.13.13 to 1.13.14

  #16331 merged Dec 23, 2024

• Bump ch.qos.logback:logback-classic from 1.5.14 to 1.5.15

  #16330 merged Dec 23, 2024

• Bump io.mockk:mockk from 1.13.13 to 1.13.14

  #16329 merged Dec 23, 2024

• Add Support JDBC Repositories For WebAuthn

  #16282 merged Dec 20, 2024

• Bump org.assertj:assertj-core from 3.26.3 to 3.27.0

  #16317 merged Dec 20, 2024

• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.9.0 to 1.10.0

  #16316 merged Dec 20, 2024

• Bump ch.qos.logback:logback-classic from 1.5.13 to 1.5.14

  #16318 merged Dec 20, 2024

• Bump ch.qos.logback:logback-classic from 1.5.13 to 1.5.14

  #16314 merged Dec 20, 2024

• Bump ch.qos.logback:logback-classic from 1.5.13 to 1.5.14

  #16313 merged Dec 20, 2024

• Add @AuthenticationPrincipal/@CurrentSecurityContext Interface Support for Expression Templates

  #16201 merged Dec 19, 2024

• Add support checking same security matchers

  #16186 merged Dec 19, 2024

• Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.13

  #16304 merged Dec 19, 2024

• Bump org.hibernate.orm:hibernate-core from 6.6.3.Final to 6.6.4.Final

  #16305 merged Dec 19, 2024

• Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.13

  #16302 merged Dec 19, 2024

• Bump org.hibernate.orm:hibernate-core from 6.6.3.Final to 6.6.4.Final

  #16303 merged Dec 19, 2024

• Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.13

  #16301 merged Dec 19, 2024

• Support Determining Max Sessions by Authentication

  #16218 merged Dec 19, 2024

• Use relative URLs in /login redirects

  #14714 merged Dec 18, 2024

• Add UserDetailsService Constructor

  #15984 merged Dec 17, 2024

• Allow configuring custom ServerHttpHeadersWriter for Kotlin DSL

  #16136 merged Dec 17, 2024

• Bump org.junit:junit-bom from 5.11.3 to 5.11.4

  #16293 merged Dec 17, 2024

• Bump org.springframework.data:spring-data-bom from 2024.1.0 to 2024.1.1

  #16288 merged Dec 16, 2024

• Bump org.junit:junit-bom from 5.11.3 to 5.11.4

  #16292 merged Dec 16, 2024

• Bump org.springframework.data:spring-data-bom from 2024.1.0 to 2024.1.1

  #16290 merged Dec 16, 2024

• Bump org.springframework.data:spring-data-bom from 2024.0.6 to 2024.0.7

  #16289 merged Dec 16, 2024

• Bump gradle/gradle-build-action from 2 to 3

  #16278 merged Dec 13, 2024

• Bump org.springframework:spring-framework-bom from 6.2.0 to 6.2.1

  #16271 merged Dec 12, 2024

• Bump org.springframework:spring-framework-bom from 6.1.15 to 6.1.16

  #16272 merged Dec 12, 2024

• Bump org.springframework.ldap:spring-ldap-core from 3.2.8 to 3.2.10

  #16270 merged Dec 12, 2024

• Bump org.springframework.ldap:spring-ldap-core from 3.2.8 to 3.2.10

  #16269 merged Dec 12, 2024

• Update document regarding PublicKeyCredentialCreationOptions.attestation value

  #16264 merged Dec 12, 2024

• Avoid requesting an unnecessary attestation statement when creating a webauthn credential

  #16252 merged Dec 11, 2024

• webauthn: add webdriver test

  #15969 merged Dec 11, 2024

• Bump io.projectreactor:reactor-bom from 2023.0.12 to 2023.0.13

  #16257 merged Dec 11, 2024

• Bump io.projectreactor:reactor-bom from 2023.0.12 to 2023.0.13

  #16256 merged Dec 11, 2024

• Bump io.micrometer:micrometer-observation from 1.14.1 to 1.14.2

  #16255 merged Dec 11, 2024

• Bump io.projectreactor:reactor-bom from 2023.0.12 to 2023.0.13

  #16254 merged Dec 11, 2024

• Use Documentation Tags for Maven and Gradle in Getting Started

  #16234 merged Dec 11, 2024

• Restore @AuthenticationPrincipal/@CurrentSecurityContext Interface Support

  #16245 merged Dec 10, 2024

• Fix Documentation Typos

  #16054 merged Dec 10, 2024

• Bump org.gretty:gretty from 4.1.5 to 4.1.6

  #16247 merged Dec 9, 2024

• Bump org.gretty:gretty from 4.1.5 to 4.1.6

  #16246 merged Dec 9, 2024

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs

  #16244 merged Dec 9, 2024

• Bump @antora/collector-extension from 1.0.0 to 1.0.1 in /docs

  #16243 merged Dec 9, 2024

• Bump @antora/collector-extension from 1.0.0 to 1.0.1 in /docs

  #16242 merged Dec 9, 2024

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs

  #16241 merged Dec 9, 2024

• Bump @antora/collector-extension from 1.0.0 to 1.0.1 in /docs

  #16240 merged Dec 9, 2024

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs

  #16238 merged Dec 9, 2024

• Bump @antora/collector-extension from 1.0.0 to 1.0.1 in /docs

  #16239 merged Dec 9, 2024

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs

  #16237 merged Dec 9, 2024

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8

  #16236 merged Dec 9, 2024

• Bump @antora/collector-extension from 1.0.0 to 1.0.1

  #16235 merged Dec 9, 2024

22 Pull requests opened by 13 people

• Fixed grammatical mistakes/errors in the docs.

  #16232 opened Dec 8, 2024

• Explain behaviour with XMLHttpRequest on 401 response

  #16280 opened Dec 13, 2024

• Implement `Serializable` for PublicKeyCredentialUserEntity

  #16285 opened Dec 13, 2024

• Make Saml2AuthenticationToken Serializable

  #16287 opened Dec 15, 2024

• gh-16251 Remove Deprecated Usages of RemoteJWKSet

  #16296 opened Dec 17, 2024

• Add Support GenerateOneTimeTokenRequestResolver

  #16297 opened Dec 17, 2024

• gh-16231 add JwtPrincipalConverter.java support

  #16311 opened Dec 19, 2024

• Fixed the issue where the annotation parameter scan skipped first-level conflicts

  #16312 opened Dec 20, 2024

• Add ServerWebExchange parameter to AuthorizationRequestCustomizer

  #16320 opened Dec 20, 2024

• Bump Gradle Wrapper from 8.10.2 to 8.12

  #16324 opened Dec 21, 2024

• Remove Autowire annotation on the unique constructor in ReactiveAuthorizationManagerMethodSecurityConfiguration

  #16326 opened Dec 22, 2024

• Add GenerateOneTimeTokenFilterTests

  #16327 opened Dec 22, 2024

• WebAuthnDsl Bug Fix

  #16339 opened Dec 23, 2024

• Fix logout code snippet for Kotlin

  #16341 opened Dec 25, 2024

• Fix incorrect rendering of SpEL expression example tabs

  #16343 opened Dec 25, 2024

• Fix for JdbcOneTimeTokenService cleanupExpiredTokens failing with PostgreSQL

  #16344 opened Dec 25, 2024

• Add documentation for configuring public endpoints

  #16345 opened Dec 26, 2024

• Polish WebSecurityConfiguration

  #16348 opened Dec 27, 2024

• Fix typo

  #16350 opened Dec 29, 2024

• Change deprecated FilterSecurityInterceptor to AuthorizationFilter

  #16352 opened Dec 30, 2024

• The selectJwk method of NimbusJwtEncoder class should not throw Exception when jwks size great than one #16170

  #16354 opened Jan 2, 2025

• Polish AbstractHttpConfigurer

  #16362 opened Jan 6, 2025

37 Issues closed by 8 people

• [build] Settings.gradle's logic to handle different buildFile name could result in phantom subproject

  #16322 closed Jan 5, 2025

• RoleHierarchy not automatically inject in overwritten MethodSecurityExpressionHandler bean

  #16307 closed Jan 3, 2025

• WebSessionOAuth2ServerAuthorizationRequestRepository assumes state parameter is url-decoded

  #16359 closed Jan 2, 2025

• Method Level Security Using SpEL

  #16347 closed Dec 27, 2024

• AWS - Token Exchange with Auth0 not happening (thought it might be IPV6 issue...)

  #16323 closed Dec 22, 2024

• JDBC WebAuthn Repositories

  #16224 closed Dec 20, 2024

• State mismatch due to URL encoding

  #16309 closed Dec 20, 2024

• how to config httpclient timeout in spring gateway?

  #16315 closed Dec 20, 2024

• Jwt Principal customization

  #16231 closed Dec 19, 2024

• Support Meta-Annotation Parameters on Parameter Annotations

  #16248 closed Dec 19, 2024

• Consider alerting applications when both `FilterSecurityInterceptor` and `AuthorizationFilter` are in the same filter chain

  #16213 closed Dec 19, 2024

• Fail when several filter chains have the same securityMatcher

  #15982 closed Dec 19, 2024

• Fix logoutRequestRepository not set on Saml2RelyingPartyInitiatedLogoutSuccessHandler

  #16310 closed Dec 19, 2024

• Support varying maxSessions by user in Servlet

  #16206 closed Dec 19, 2024

• Consider making the constructor of `OAuth2AccessToken.TokenType` `public`

  #16086 closed Dec 18, 2024

• Redirect using a relative URL

  #7273 closed Dec 18, 2024

• Issues regarding the creator of DaoAuthenticationProvider

  #15973 closed Dec 17, 2024

• ServerHeadersDsl doesn't allow addition of custom ServerHttpHeadersWriter

  #16009 closed Dec 17, 2024

• Simplify Request Authorization Configuration

  #13057 closed Dec 17, 2024

• StreamingResponseBody & SSE Meet 'Access Denied'

  #16266 closed Dec 16, 2024

• Add Missing serialVersionUIDs

  #16275 closed Dec 16, 2024

• DefaultSaml2AuthenticatedPrincipal should define a serialVersionUID

  #16163 closed Dec 13, 2024

• Backport reusable workflows to 5.8.x

  #14548 closed Dec 13, 2024

• Fix WebAuthnWebdriverTests

  #16283 closed Dec 13, 2024

• Prepare for Spring Security 6.5

  #16221 closed Dec 13, 2024

• Add 6.4 Sample Serializations for Serializable classes

  #16274 closed Dec 13, 2024

• Remove 5.8.x and 6.2.x dependabot configuration

  #16268 closed Dec 12, 2024

• Remove 5.8.x from Auto Merge Forward Dependabot PRs

  #15770 closed Dec 12, 2024

• Should return www-authenticate even for "X-Requested-With: XMLHttpRequest" requests

  #16103 closed Dec 12, 2024

• Spring Security Overlaps SCG Router Mappings

  #16259 closed Dec 12, 2024

• CI is not using the correct secret for Develocity

  #16263 closed Dec 12, 2024

• CI is not using the correct secret for Develocity

  #16262 closed Dec 12, 2024

• carrier thread be suspended by synchronized in RemoteJWKSet

  #15866 closed Dec 11, 2024

• Mutate breaks functionality of StrictFirewallHttpHeaders with recently modified HttpHeaders#writableHttpHeaders

  #16261 closed Dec 11, 2024

• Mutate breaks functionality of StrictFirewallHttpHeaders with recently modified HttpHeaders#writabeHttpHeaders

  #16069 closed Dec 11, 2024

• Documentation code snippets should consistently use joint tabs for java, kotlin, & XML

  #16228 closed Dec 11, 2024

• Issue when using @AuthenticationPrincipal on interfaces

  #16177 closed Dec 10, 2024

33 Issues opened by 24 people

• Unable to access encrypted SAML assertions in custom ResponseValidator after upgrade from 6.3 to 6.4

  #16367 opened Jan 6, 2025

• Add a Webauth request URL customization feature.

  #16361 opened Jan 5, 2025

• Add HSTS header also in case of a RequestRejectedException

  #16358 opened Jan 2, 2025

• Spring Security WebAuthn is missing Registration by anonymous user, a use case specified in WebAuthn L2 Subsection 1.3.1

  #16351 opened Dec 30, 2024

• Allow configuration of OAuth2LoginAuthenticationFilter.authenticationResultConverter

  #16349 opened Dec 28, 2024

• Sorting RememberMeAuthenticationFilter

  #16346 opened Dec 26, 2024

• Fix Rendering of SpEL expression example Tabs in method security Documentation

  #16342 opened Dec 25, 2024

• [Azure Oauth2] IllegalArgumentException: Attribute value for "xxx" is null

  #16340 opened Dec 24, 2024

• Incorrect kotlin webauthn configuration

  #16338 opened Dec 23, 2024

• Spring Security IPv6 issue - is there a global config setting?

  #16337 opened Dec 23, 2024

• Multiple /authorize requests in the same session are not supported. Why?

  #16336 opened Dec 23, 2024

• WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer

  #16328 opened Dec 23, 2024

• Inconsistent constructor declaration on bean with name '_reactiveMethodSecurityConfiguration'

  #16325 opened Dec 22, 2024

• OIDC Back-Channel Logout Support for Clustered Servers

  #16321 opened Dec 20, 2024

• relying-party-registration doesn't resolve placeholders in xml

  #16308 opened Dec 19, 2024

• Pass Http Request to OAuth2AuthorizationRequestResolver#authorizationRequestCustomizer

  #16306 opened Dec 19, 2024

• Favor Relative Redirects by Default

  #16300 opened Dec 18, 2024

• Bean Conflict Between `webSocketAuthorizationManagerPostProcessor` and `objectPostProcessor` in Spring Security Configuration

  #16299 opened Dec 18, 2024

• Add copyright modifier task

  #16298 opened Dec 17, 2024

• UniqueSecurityAnnotationScanner should consider annotation on target class level as fallback

  #16295 opened Dec 17, 2024

• Customize OneTimeToken expire time

  #16291 opened Dec 16, 2024

• Make Saml2AuthenticationToken Serializable

  #16286 opened Dec 13, 2024

• Consider adding `PrincipalResolver` to `ExchangeFilterFunctions`

  #16284 opened Dec 13, 2024

• Improve the BasicAuthenticationFilter to allow callbacks for both successful and failed authentication events.

  #16281 opened Dec 13, 2024

• Ensure Serializable Security Components declare serialVersionUID

  #16276 opened Dec 13, 2024

• Make WebAuthnAuthentication Serializable

  #16273 opened Dec 12, 2024

• NimbusJwtEncoder should simplify constructing with javax.security Keys

  #16267 opened Dec 12, 2024

• Request for exception approval for CVE-2024-38819 [Spring Framework Path Traversal Vulnerability

  #16265 opened Dec 12, 2024

• Automatically apply Customizer Beans to the Security DSL

  #16258 opened Dec 11, 2024

• Support refreshing OIDC ID Token

  #16253 opened Dec 10, 2024

• Remove Deprecated Usages of RemoteJWKSet

  #16251 opened Dec 9, 2024

• Add @AuthorizeRequestMapping annotation

  #16250 opened Dec 9, 2024

• Add "Best Match" based Web Authorization Rules

  #16249 opened Dec 9, 2024

21 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Expose getter for nameAttributeKey in OAuth2AuthenticatedPrincipal

  #16003 commented on Dec 17, 2024 • 14 new comments

• Encode clientId and clientSecret for `OpaqueTokenIntrospector` and `ReactiveOpaqueTokenIntrospector`

  #16008 commented on Dec 21, 2024 • 8 new comments

• Address BouncyCastle's deprecated AESFastEngine usage

  #16164 commented on Dec 18, 2024 • 0 new comments

• `Authentication` in the security context is not updated during the refresh token flow

  #15509 commented on Jan 7, 2025 • 0 new comments

• Add `OAuth2AuthorizedClientManager` autoconfiguration without `spring-boot-starter-web` dependency

  #15877 commented on Dec 30, 2024 • 0 new comments

• SEC-2701: DaoAuthenticationProvider shadows actual authentication exceptions

  #2924 commented on Dec 28, 2024 • 0 new comments

• Passkey Endpoints do not Honor .permitAll()

  #16070 commented on Dec 28, 2024 • 0 new comments

• Saml2LogoutConfigurer: Use RequestMatcher from LogoutConfigurer

  #10821 commented on Dec 20, 2024 • 0 new comments

• hasAuthority and custom Mono<Boolean> method in @PreAuthorize leads to ConverterNotFoundException error

  #15209 commented on Dec 19, 2024 • 0 new comments

• Spring Security's `Filter`s and `WebFilter`s Automatically Registered by Spring Boot

  #16222 commented on Dec 18, 2024 • 0 new comments

• Deprecate PortResolver

  #12971 commented on Dec 18, 2024 • 0 new comments

• SAML 2.0 Documentation should talk about decrypting unsigned SAML 2.0 responses

  #10219 commented on Dec 16, 2024 • 0 new comments

• [OAuth2] Misconfigured OAuth2LoginAuthenticationFilter when combining OAuth2 login and OAuth2 client configuration

  #16105 commented on Dec 16, 2024 • 0 new comments

• The selectJwk method of NimbusJwtEncoder class should not throw Exception when jwks size great than one

  #16170 commented on Dec 16, 2024 • 0 new comments

• Consider adding support for pushed authorization requests (PAR, RFC 9126)

  #11301 commented on Dec 13, 2024 • 0 new comments

• Servlet and Reactive OAuth2 Client consistency

  #15299 commented on Dec 13, 2024 • 0 new comments

• Consider adding `ClientRegistrationIdResolver` to `ExchangeFilterFunction`s

  #15825 commented on Dec 13, 2024 • 0 new comments

• Throw custom Exception when the HTTP Method is rejected

  #12191 commented on Dec 12, 2024 • 0 new comments

• Support UserDetailsService components in OAuth2 Resource Server flows

  #6237 commented on Dec 12, 2024 • 0 new comments

• Programmatic way to use expression-based authorization manager for websockets

  #12650 commented on Dec 10, 2024 • 0 new comments

• Create a class analogous to AbstractHttpConfigurer for reactive applications

  #9198 commented on Dec 9, 2024 • 0 new comments