
Releases: spring-projects/spring-security

6.0.2

21 Feb 14:53

⭐ New Features

  • CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12444
  • Move classpath checks to class member variable #11437
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
  • Revisit Session Management Documentation #12680
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12498
  • Update broken links, correct gradle command for Windows OS. #12336

🪲 Bug Fixes

  • 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
  • @EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506
  • A typo in form login doc #12678
  • Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
  • Document XMLObject retrieval for Asserting Party metadata #12729
  • Document XMLObject retrieval for Asserting Party metadata #12728
  • Duplicate words. #12471
  • Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
  • gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12459
  • javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
  • No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
  • Security observations are not setting their parent observation #12524
  • SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
  • SwitchUserFilter not working in Spring Security 6 #12511
  • Update expression-based.adoc #12363
  • Update multitenancy.adoc #12474
  • WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12527

🔨 Dependency Upgrades

  • Update hibernate-core to 6.1.7.Final #12707
  • Update io.projectreactor to 2022.0.3 #12701
  • Update io.spring.nohttp to 0.0.11 #12703
  • Update jackson-bom to 2.14.2 #12696
  • Update jackson-databind to 2.14.2 #12697
  • Update jackson-datatype-jsr310 to 2.14.2 #12698
  • Update jakarta.servlet.jsp-api to 3.1.1 #12704
  • Update junit-bom to 5.9.2 #12708
  • Update junit-platform-launcher to 1.9.2 #12710
  • Update maven-resolver-provider to 3.8.7 #12705
  • Update micrometer-observation to 1.10.4 #12699
  • Update mockk to 1.13.4 #12700
  • Update org.aspectj to 1.9.19 #12706
  • Update org.junit.jupiter to 5.9.2 #12709
  • Update org.springframework to 6.0.5 #12711
  • Update org.springframework.data to 2022.0.2 #12712
  • Update reactor-netty to 1.1.3 #12702
  • Update spring-ldap-core to 3.0.1 #12713

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.8.2

21 Feb 14:36

⭐ New Features

  • Add XorCsrfChannelInterceptor #12562
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12434
  • fix unclosed block in docs #12553
  • Improve documentation on what changed in the default behaviour in version 6 vs 5.7 #12462
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12486

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12516
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12665
  • Document XMLObject retrieval for Asserting Party metadata #12693
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12458
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12494
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12686
  • SwitchUserFilter not working in Spring Security 6 #12510
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12526

🔨 Dependency Upgrades

  • Update blockhound to 1.0.7.RELEASE #12719
  • Update hibernate-entitymanager to 5.6.15.Final #12722
  • Update io.projectreactor to 2020.0.28 #12717
  • Update io.spring.nohttp to 0.0.11 #12720
  • Update jackson-bom to 2.13.5 #12714
  • Update jackson-databind to 2.13.5 #12715
  • Update jackson-datatype-jsr310 to 2.13.5 #12716
  • Update junit-bom to 5.9.2 #12723
  • Update org.aspectj to 1.9.19 #12721
  • Update org.junit.jupiter to 5.9.2 #12724
  • Update org.springframework to 5.3.25 #12725
  • Update org.springframework.data to 2021.2.8 #12739
  • Update org.springframework.data to 2021.2.8 #12726
  • Update reactor-netty to 1.0.28 #12718

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.1.0-M1

16 Jan 16:33
Pre-release

⭐ New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12355
  • Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter #11815
  • Add an option to set the SameSite policy in the CookieCsrfTokenRepository #12086
  • Add Authority String AuthorizationManager #12231
  • Add configurable authorities split regex #12124
  • Add configurable authorities split regex #12073
  • add packages (dependencies) to playbook template in docs-build branch #12522
  • Add the ability to set the SameSite policy to the CSRF Cookie #12109
  • Allow authorization request resolver to be changed for the OAuth2 client configuration #12430
  • AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context #12505
  • Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier #12489
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #12445
  • Inaccurate javadoc text in setRequestHandler method from CsrfWebFilter class #12484
  • Inaccurate javadoc text in setRequestHandler method of CsrfFilter class #12515
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12441
  • Replace deprecated set-state and set-output GitHub Actions commands #12300
  • SecuredAuthorizationManager should allow customizing underlying authorization manager #12233
  • SecuredAuthorizationManager should cache annotation's value #12232
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #12499

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12518
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12410
  • Error in ACLS document #12406
  • Fix AuthorizationFilter diagram in docs #12287
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12436
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #12460
  • JwtAuthenticationProvider should use provided authentication details #11822
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #12496
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #12372
  • Reactive migration documentation for @EnableReactiveMethodSecurity is wrong (or implementation is wrong) #12514
  • Security observations are not setting their parent observation #12525
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12493
  • SwitchUserFilter not working in Spring Security 6 #12512
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #12528

🔨 Dependency Upgrades

  • Update org.gretty:gretty to 4.0.3 #12277

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.0.1

19 Dec 15:56

⭐ New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12354
  • Replace deprecated set-state and set-output GitHub Actions commands #12299

🪲 Bug Fixes

  • Code in Spring Security docs fails to work #12342
  • Code in Spring Security docs fails to work #12341
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12409
  • Error in ACLS document #12270
  • Fix AuthorizationFilter diagram in docs #12288
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12435
  • Incorrect sample code in securityMatcher migration docs #12303
  • Incorrect sample code in securityMatcher migration docs #12302
  • It's not possible to disable micrometer observability #12268
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #12367
  • SecurityContextHolderFilter does not apply to async dispatch #12369
  • SecurityContextHolderFilter does not apply to async dispatch #12368

🔨 Dependency Upgrades

  • Update hibernate-core to 6.1.6.Final #12423
  • Update httpclient to 4.5.14 #12421
  • Update io.projectreactor to 2022.0.1 #12419
  • Update jackson-bom to 2.14.1 #12413
  • Update jackson-databind to 2.14.1 #12414
  • Update jackson-datatype-jsr310 to 2.14.1 #12415
  • Update logback-classic to 1.4.5 #12412
  • Update micrometer-observation to 1.10.2 #12417
  • Update mockk to 1.13.3 #12418
  • Update org.eclipse.jetty to 11.0.13 #12422
  • Update org.jetbrains.kotlin to 1.7.22 #12424
  • Update org.springframework to 6.0.3 #12426
  • Update reactor-netty to 1.1.1 #12420
  • Update slf4j-api to 2.0.6 #12425
  • Update unboundid-ldapsdk to 6.0.7 #12416

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.8.1

19 Dec 15:59

⭐ New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #12334
  • Replace deprecated set-state and set-output GitHub Actions commands #12298

🪲 Bug Fixes

  • Code in Spring Security docs fails to work #11396
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12408
  • Fix AuthorizationFilter diagram in docs #12286
  • Fix password encoder migration guide #12318
  • Fix typo #12316
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #12411
  • Incorrect sample code in securityMatcher migration docs #12296
  • SecurityContextHolderFilter does not apply to async dispatch #11962

🔨 Dependency Upgrades

  • Update httpclient to 4.5.14 #12403
  • Update io.projectreactor to 2020.0.26 #12401
  • Update mockk to 1.13.3 #12400
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12404
  • Update org.jetbrains.kotlin to 1.7.22 #12405
  • Update reactor-netty to 1.0.26 #12402

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.7.6

19 Dec 15:57

⭐ New Features

  • Improve deprecation notice in WebSecurityConfigurerAdapter #12260
  • Replace deprecated set-state and set-output GitHub Actions commands #12297

🪲 Bug Fixes

  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12407
  • Fix AuthorizationFilter diagram in docs #12285
  • Incorrect scope map fix #12205
  • SAML logout: Incorrect log messages #12208
  • Saml2MetadataFilter response should configure writer to UTF-8 #12221
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12125
  • Update the RP-initiated Logout links #12121

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12153
  • Update Gradle to 7.5.1 #12157
  • Update hibernate-entitymanager to 5.6.14.Final #12397
  • Update httpclient to 4.5.14 #12395
  • Update io.projectreactor to 2020.0.26 #12393
  • Update jackson-bom to 2.13.4.20221013 #12391
  • Update jackson-databind to 2.13.4.2 #12392
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12396
  • Update org.springframework to 5.3.24 #12398
  • Update org.springframework.data to 2021.2.6 #12399
  • Update reactor-netty to 1.0.26 #12394

5.6.10

19 Dec 15:59

⭐ New Features

  • Replace deprecated set-state and set-output GitHub Actions commands #12032
  • update generateAntora task to make prereleases unique #12083

🪲 Bug Fixes

  • DefaultLdapAuthoritiesPopulator throws NullPointerException #12090
  • docs: fix realm typo #12120
  • Fix AuthorizationFilter diagram in docs #12274
  • Fix typo in DefaultLoginPageConfigurer Javadoc #12311
  • Fix typo on opaque-token.adoc #12114
  • Fix: Replace tenantRepository with tenants #12269
  • Incorrect scope map fix #12144
  • OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #12295
  • Outdated example in Javadoc of UrlAuthorizationConfigurer #11487
  • Saml2MetadataFilter response should configure writer to UTF-8 #12026
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #3065
  • Update the RP-initiated Logout links #12081

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12152
  • Update Gradle to 7.5.1 #11779
  • Update hibernate-entitymanager to 5.6.14.Final #12388
  • Update httpclient to 4.5.14 #12386
  • Update io.projectreactor to 2020.0.26 #12384
  • Update jackson-bom to 2.13.4.20221013 #12381
  • Update jackson-databind to 2.13.4.2 #12382
  • Update mockk to 1.12.8 #12383
  • Update org.eclipse.jetty to 9.4.50.v20221201 #12387
  • Update org.springframework to 5.3.24 #12389
  • Update org.springframework.data to 2021.1.10 #12390
  • Update reactor-netty to 1.0.26 #12385

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.0.0

21 Nov 15:55

⏪ Breaking Changes

  • CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
  • Register FilterChainProxy for all dispatcher types #12180

⭐ New Features

  • Add test runtime hints for annotations using @WithSecurityContext #12215
  • Add WebTestUtils test runtime hints #12216
  • Align with Servlet API 6 #12146
  • Document Configure Default SessionAuthenticationStrategy #12192
  • Document DelegatingSecurityContextRepository #12185
  • Improve deprecation notice in WebSecurityConfigurerAdapter #12262
  • Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #12234
  • Migration guide for the removal of CAS #12163
  • Polish Span and Meter Names #12225
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
  • Restructure 6.0 Migration Guide #12242
  • Support Jakarta WebSocket 2.1 #12148

🪲 Bug Fixes

  • CsrfAuthenticationStrategy does not check for existing token #12241
  • Ensure instrumentation names align with semantic conventions #12156
  • Incorrect scope map fix #12207
  • SAML logout: Incorrect log messages #12210
  • Saml2MetadataFilter response should configure writer to UTF-8 #12223

🔨 Dependency Upgrades

  • Update micrometer-observation to 1.10.1 #12250
  • Update org.springframework to 6.0.0 #12255
  • Update org.springframework.data to 2022.0.0 #12256
  • Update r2dbc-h2 to 1.0.0.RELEASE #12251
  • Update slf4j-api to 2.0.4 #12254
  • Update spring-ldap-core to 3.0.0 #12257

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

5.8.0

21 Nov 16:03

⭐ New Features

  • Add Kotlin example showing integration with WebTestClient #11611
  • Add MethodExpressionAuthorizationManager #11502
  • Add Polish localization to error messages from ExceptionTranslationFi… #12201
  • Add support AuthorizationManager + #11503
  • AnonymousAuthenticationFilter should cache its Supplier #11900
  • CookieServerCsrfTokenRepository doesn't support setting MaxAge #11441
  • DefaultFilterChainValidator should check AuthorizationFilter #11473
  • Deprecate Resource Owner Password Credentials grant #11591
  • Document Configure Default CsrfToken BREACH Protection #12107
  • Document Defer load CsrfToken #12105
  • Document DelegatingSecurityContextRepository #12069
  • Document deprecations in oauth2-client #12193
  • Document how to opt-in for SHA256 in RememberMe #12097
  • Document how to use the new requestMatchers and securityMatchers #12100
  • Document Migration to SecurityContextHolderFilter #12098
  • Document new oauth2Login() authority defaults #12188
  • Document reactive CSRF migration steps #12226
  • Document Saved Requests Spring Security 6 Migration #12089
  • Document Update to 5.8 for Migration Guide #12196
  • Fix Javadoc in EnableWebSocketSecurity #12211
  • Improve deprecation notice in WebSecurityConfigurerAdapter #12261
  • InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #11469
  • Migration guide for CAS support removal #12240
  • Preparation and Migration Guides should point to each other #12093
  • Preparation Guide should follow Reference Manual standards #12096
  • Preparation Guide should show opt-out steps after opt-in steps #12104
  • Provide guide for migrating from FilterSecurityInterceptor to AuthorizationFilter #11337
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #12186
  • SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #11675
  • trigger partial docs build on push (5.8.x) #12195

🪲 Bug Fixes

  • AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12132
  • CsrfAuthenticationStrategy does not check for existing token #12236
  • CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12141
  • fix deploy docs workflow (5.8.x) #12197
  • Fix saganCreateRelease saganDeleteRelease Required Permissions #11424
  • Incorrect scope map fix #12206
  • IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12076
  • org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11604
  • SAML logout: Incorrect log messages #12209
  • Saml2MetadataFilter response should configure writer to UTF-8 #12222
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12126
  • SecurityContextRepository.loadContext(HttpServletRequest) cache result #11391
  • Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #11483
  • Update the RP-initiated Logout links #12122

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12154
  • Update aspectj-plugin to 6.5.0.3 #11583
  • Update assertj-core to 3.23.1 #11572
  • Update com.nimbusds to 9.38.1 #11570
  • Update Gradle to 7.5.1 #12158
  • Update hibernate-entitymanager to 5.6.10.Final #11578
  • Update hibernate-entitymanager to 5.6.14.Final #12245
  • Update hsqldb to 2.7.1 #12246
  • Update htmlunit to 2.63.0 #11575
  • Update htmlunit-driver to 2.63.0 #11580
  • Update io.projectreactor to 2020.0.21 #11567
  • Update io.projectreactor to 2020.0.25 #12243
  • Update io.spring.javaformat to 0.0.34 #11573
  • Update jackson-bom to 2.13.3 #11574
  • Update jsonassert to 1.5.1 #11581
  • Update junit-bom to 5.9.0-RC1 #11571
  • Update mockk to 1.12.4 #11568
  • Update org.eclipse.jetty to 9.4.48.v20220622 #11576
  • Update org.jetbrains.kotlin to 1.7.10 #11582
  • Update org.jetbrains.kotlin to 1.7.21 #12247
  • Update org.jetbrains.kotlinx to 1.6.4 #11566
  • Update org.springframework to 5.3.22 #11569
  • Update org.springframework to 5.3.24 #12248
  • Update org.springframework.data to 2021.2.2 #11579
  • Update org.springframework.data to 2021.2.6 #12249
  • Update reactor-netty to 1.0.25 #12244
  • Update spring-ldap-core to 2.4.1 #11577

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.0.0-RC2

09 Nov 14:21
Pre-release

⭐ New Features

  • Add release line extension #12078
  • Add SpringTestContext.addFilter #12071
  • Document Defer load CsrfToken #12106
  • Document how to opt-in for SHA256 in RememberMe #12119
  • Document how to use the new requestMatchers and securityMatchers #12151
  • Document Saved Requests Spring Security 6 Migration #12091
  • SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #12149
  • sync local-antora-playbook.yml with antora-playbook.yml #12085

🪲 Bug Fixes

  • AuthenticationServiceException propagation flag is unconfigurable in 5.8 #12133
  • CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #12142
  • IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #12077
  • Remove antMatcher usage from Multiple HttpSecurity docs #12150
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #12127
  • Unauthorized when authenticated user is shown an error page #12070
  • Update the RP-initiated Logout links #12123

🔨 Dependency Upgrades

  • Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #12155
  • Update Gradle to 7.5.1 #12159
  • Update hibernate-core to 6.1.5.Final #12173
  • Update hsqldb to 2.7.1 #12174
  • Update htmlunit to 2.66.0 #12172
  • Update htmlunit-driver to 2.66.0 #12176
  • Update io.projectreactor to 2022.0.0 #12170
  • Update jackson-bom to 2.14.0 #12166
  • Update jackson-databind to 2.14.0 #12167
  • Update jackson-datatype-jsr310 to 2.14.0 #12168
  • Update micrometer-observation to 1.10.0 #12169
  • Update org.jetbrains.kotlin to 1.7.21 #12175
  • Update org.springframework to 6.0.0-RC4 #12178
  • Update reactor-netty to 1.1.0 #12171
  • Update spring-data-jpa to 3.0.0-RC2 #12177

❤️ Contributors

We'd like to thank all the contributors who worked on this release!