5.1.7.RELEASE

⭐ New Features

• CookieServerCsrfRepositoryTests should not start domain with a dot #7501
• Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7225

🪲 Bug Fixes

• OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7469
• RequestContextSubscriber could put null value in Reactor Context #7410
• OAuth2AuthorizationRequest not removed from session #7369
• InMemoryReactiveClientRegistrationRepository should not use ConcurrentReferenceHashMap #7359
• NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7340
• SEC-2971: Footnotes are messed up in online docs #7326
• Confusing example - WebMvcConfigurer vs WebSecurityConfigurerAdapter #7303
• OnCommittedResponseWrapper fails on static resources served by Tomcat 8.5 #7297
• Fix WebClient Memory Leaks #7294
• Ensure filter order is maintained when using springSecurity() along with other filters #7267
• SessionAuthenticationStrategy make HttpSecurity.sessionManagement().maximumSessions(1) unavailability #7262
• SEC-2980: Possible race condition in SessionRegistryImpl #7226

5.2.0.RELEASE

⭐ New Features

• Add Hello RSocket Sample #7504
• Add RSocket Reference #7502
• CookieServerCsrfRepositoryTests should not start domain with a dot #7500
• Add OAuth2 Resource Server to Modules Section #7498
• Initial saml2 login docs #7495
• SAML 2 Assertion - Always require signature validation #7490
• Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver #7488
• CurrentSecurityContextArgumentResolver polishes #7487
• Add ClientRegistration.withClientRegistration(ClientRegistration) #7486
• Add hasAuthority method to RSocketSecurity #7478
• Align Servlet ExchangeFilterFunction CoreSubscriber #7476
• WebFluxSecurityConfiguration does not configure oauth2Client #7470
• Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7467
• Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #7466
• Document Clear-Site-Data Support #7463
• Document RFC 8414 Support #7462
• Document Bearer Token Propagation #7461
• Document Reactive Mock Jwt Testing #7460
• Fixed typo in comment #7458
• Use Schedulers.boundedElastic() #7457
• AbstractUserDetailsReactiveAuthenticationManager uses newParallel #7456
• Add hasAnyAuthority method in AuthorizePayloadsSpec.Access #7455
• Add denyAll method in AuthorizePayloadsSpec.Access #7451
• AuthenticationFilter's methods should be private #7447
• AuthenticationFilter should provide session fixation protection #7446
• Use Jwt.Builder #7443
• Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority #7437
• Add AuthorizePayloadsSpec.Access hasAuthority #7435
• Document Resource Server User-Info Usage #7431
• Document Reactive Opaque Token Usage #7430
• Document NimbusReactiveJwtDecoder #7425
• Document Mock Jwt Testing #7424
• Servlet ExchangeFilterFunctions should align #7422
• Document Opaque Token Usage #7420
• ServletBearerExchangeFilterFunction should propagate Authentication #7418
• Document NimbusJwtDecoder #7408
• Document Jwt.Builder #7407
• Document OAuth2AuthenticatedPrincipal #7406
• DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange #7390
• Make OAuth2User extends OAuth2AuthenticatedPrincipal #7383
• OAuth2User should extend OAuth2AuthenticatedPrincipal #7378
• SamlAuthenticationProvider should propagate actual validation errors #7375
• Add Reactive Messaging AuthenticationPrincipalArgumentResolver #7363
• Allow Custom PayloadInterceptor to be Added #7362
• Default RSocketSecurity #7361
• Add nonce to OIDC Authentication Request #7337
• Introduce LogoutSuccessEvent #7306
• Mock Jwt should ensure that CSRF is not required #7170
• Document BearerTokenResolver in reference #6254
• Consider adding nonce to OIDC Authentication Request #4442
• SEC-2680: Fire an event when logout has finished #2900

🪲 Bug Fixes

• Correctly populate the AuthNRequest attributes #7496
• AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI #7494
• AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed #7492
• Always validate saml2 signatures #7491
• CurrentSecurityContext Javadoc should be about SecurityContext #7489
• Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… #7450
• SAML Response Skew is using the wrong type #7448
• Jwt.Builder should keep notBefore as an Instant #7442
• AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor #7434
• RSocketMessageHandlerITests could hang #7415
• RSocketSecurity anyRequest delegates to anyExchange #7414
• OpenSamlAuthenticationProvider should not throw AuthenticationServiceException #7377
• OpenSamlAuthenticationProvider should propagate validation errors #7376
• OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #7036

🔨 Dependency Upgrades

• Update to Spring Data Moore-RELEASE #7506
• Remaining dependency upgrades for 5.2.0 #7505
• Upgrade JSON jackson library to 2.10.0 #7480
• Release/dependencies for 5.2 ga #7471
• Update the AspectJ Gradle Plugin to 4.0.2 #7427
• Update to Gradle 5.6.2 #7412
• Upgrade to OpenSaml 3.4.3 #7392
• Upgrade embedded Apache Tomcat to 9.0.24 #7384

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @rchigvintsev
• @munilvc
• @sdoxsee
• @jgrandja
• @jascama
• @bedla
• @mkheck
• @fhanik
• @larsgrefer
• @okohub
• @eberttc
• @eddumelendez
• @evfool

5.2.0.RC1

⭐ New Features

• Add attributes Consumer to OAuth2AuthorizationContext #7385
• Improve DefaultReactiveOAuth2UserService handling IOException #7370
• Add RSocket Support #7360
• Polish Server|ServletBearerExchangeFilterFunction #7355
• Refactor Servlet/Server BearerExchangeFilterFunction #7353
• OAuth2AuthorizeRequest supports attributes #7352
• Grant Individual Authorities From Claims #7351
• DefaultOAuth2AuthorizedClientManager and DefaultServerOAuth2AuthorizedClientManager Alignment #7350
• Align Servlet ClearSiteData expression of directives #7347
• Add Adapter to Translate Jwt to BearerTokenAuthentication #7346
• Opaque Token Introspector should return an Authenticated Principal #7345
• Opaque Token Introspection Strategy Flexibility #7344
• Add BearerTokenAuthentication #7343
• Add OAuth2AuthenticatedPrincipal #7342
• OAuth2AuthorizeRequest supports attributes #7341
• DefaultOAuth2UserService should extract authorities #7339
• InMemoryReactiveClientRegistrationRepository should check for duplicates #7338
• Add Servlet and ServerBearerExchangeFilterFunction #7330
• Update to Gradle 5.6.1 #7323
• Simplify and improve the buildSrc gradle plugin #7302
• Update to Gradle 5.6 #7300
• Add Catalan localization messages #7288
• Add Catalan localization messages #7287
• Resource Server should support WebClient Bearer Token propagation #7284
• Sample should use UserDetailsService bean instead of configureGlobal method #7283
• Mock Jwt Test Samples #7278
• Allow to set default securityContextRepository for each authenticatio… #7275
• Resource Server Multi-tenancy Sample Should Manage Its Own Jwt Decoder #7272
• Add setter for authorities claim name in JwtGrantedAuthoritiesConverter #7271
• Jwk Set Uri Nimbus Jwt Decoder builders should take SignatureAlgorithm #7270
• Add setContentLengthLong detection to OnCommittedResponseWrapper. #7264
• Consolidate shared code between JwtDecoders and ReactiveJwtDecoders #7263
• Remove MultiTenantAuthenticationManagerResolver #7259
• Add setter for authority prefix in JwtGrantedAuthoritiesConverter #7256
• Prevent IntelliJ IDEA from generating spaces for indentation #7253
• TokenBasedRememberMeServices.processAutoLoginCookie (TokenBasedRememberMeServices.java:134) java.lang.NullPointerException #7251
• Authentication Mechanisms Should Default their ServerSecurityContextRepository #7249
• Rename OAuth2TokenIntrospectionClient #7246
• Consider renaming OAuth2TokenIntrospectionClient #7245
• Add OAuth2LoginSpec#securityContextRepository #7244
• Cleanup Code Style Issues #7238
• Add Checkstyle configuration for IntelliJ IDEA #7237
• Expose getPort in ApacheDsContainer #7236
• OAuth2LoginConfigurer should discover OAuth2UserService beans #7232
• Make ldap integration tests independent #7231
• Remove unused imports #7229
• ServerHttpSecurity: oauth2Login() ignores securityContextRepository() #7222
• Use the 'io.freefair.aspectj' gradle plugin #7183
• Add RequestMatcher.matcher(HttpServletRequest) #7172
• ignore Multipart requests in HttpSessionRequestCache.requestMatcher #7167
• Add test examples for Oauth2 Resource Server sample #7159
• Add unbounid support in xml #7149
• OAuth2AuthorizedClientManager implementation works outside of request #7122
• Improve OAuth2 Resource Server tests #7118
• Introduce Reactive OAuth2AuthorizedClient Manager/Provider #7116
• Allow configurable Clock in OAuth2AuthorizedClientProvider impls #7114
• JwtGrantedAuthoritiesConverter should allow configuring the authority prefix #7101
• JwtGrantedAuthoritiesConverter should allow configuring the authorities claim name #7100
• Add authenticationFailureHandler method in OAuth2LoginSpec #7071
• v5.2.0.M3 docs contain Deprecated example code #7062
• Multipartfile request with no authentication is still consumed even after an AccessDeniedException is thrown #7060
• Add OAuth2LoginSpec.authenticationFailureHandler #7051
• Add Argon2PasswordEncoder #7045
• Fix docs typo WebSecurityConfigurationAdapter->WebSecurityConfigurerAdapter #7026
• Add support for Resource Owner Password Credentials grant #7013
• Jwt decoding should support multiple algorithms #6883
• Polish Resource Server DSL Error Messaging #6876
• Remove Invalid WebMvcConfigurer from Sample Documentation #6822
• Align code in oauth2-client extensions for WebClient #6811
• OAuth2 Client Credentials Flow: Getting access tokens in the service/data tier #6780
• Provide Servlet equivalent of UnAuthenticatedServerOAuth2AuthorizedClientRepository #6683
• Spring Boot + spring-security-oauth2-resource-server should not throw a ClassNotFoundException once it supports more than one token format #6209
• Support Resource Owner Password Credentials grant #6003
• Add Argon2PasswordEncoder #5354
• Add BearerExchangeFilterFunction #5334

🪲 Bug Fixes

• Remove package tangle in headers #7380
• Remove OAuth2AuthorizationRequest when a distributed session is used [#7334](https://github.com/spring-projects/spring-se...

5.2.0.M4

⭐ New Features

• Update to Reactor Dysprosium-M3 #7186
• Update to Spring Data Moore RC2 #7185
• Update to Spring Framework 5.2.0.RC1 #7184
• Downgrade modifier from public to protected #7180
• AuthenticationFilter#attemptAuthentication should be protected #7177
• Use org.mockito.ArgumentMatchers in favor of org.mockito.Matchers #7176
• Migrate VersionsResourceTasks groovy->java #7173
• Add support for allowedHostnames in StrictHttpFirewall #7158
• Upgrade org.springframework.boot:spring-boot-xxx to 2.2.0.M4 #7143
• Remove exceptions from lambda security configuration #7131
• Remove exception from security configuration methods #7128
• Support nested builder in DSL for reactive apps #7121
• Prevent disabled user from logging in on reactive applications #7113
• Oauth2 BearerTokenAuthenticationFilter logging issue #7110
• Add support for nested builders in the DSL for reactive apps #7107
• Error description by BearerTokenAccessDeniedHandler is misleading #7089
• Throws exception when passed IP address with too long mask #7084
• Allow configuration of SessionAuthenticationStrategy for CSRF #7083
• Add Chinese Traditional localized messages. #7082
• Changed docs to reflect that init should apply configurers #7080
• Update to Gradle 5.5.1 #7078
• Migrate TrangPlugin groovy->java #7077
• Cleanup redundant type casts #7073
• Allow upgrading between different SCrypt encodings #7057
• DSL nested builder for HTTP security #7046
• Add @nullable to UsernamePasswordAuthenticationFilter #7043
• Allow upgrading between different BCrypt encodings #7042
• Can't use a custom authorization grant type in a ClientRegistration #7040
• Add Generic AuthenticationFilter #7025
• Migrate DefaultLoginPageConfigurerTests groovy->java #6956
• Add generic getClaim() method in ClaimAccessor #6947
• Mock Jwt Support should accept a fully-configured Jwt #6896
• OpenID Connect Userinfo not fetched for custom claims #6886
• OAuth2LoginAuthenticationFilter sets AuthenticationDetails #6884
• OAuth2LoginAuthenticationFilter should set AuthenticationDetails #6866
• Introduce OAuth2AuthorizedClient Manager/Provider #6845
• Replace strange hashCode() implementations #6542
• Add Generic AuthenticationFilter #6506
• Allow in-memory authorized client services to be constructed with a map #5994
• Please add support for nested builders in the DSL #5557
• Allow configuration of added SessionAuthenticationStrategy for CsrfConfigurer #5300

🪲 Bug Fixes

• Basic authentication scheme is not case-insensitive #7163
• Fix CSRF session authentication strategy since version #7127
• Incorrect Javadoc for methods in HeadersConfigurer #7123
• Loggin Fix for printing the full stack trace, spring-projects/spring-… #7111
• Fix infinite loop in role hierarchy resolving #7106
• Fixed typo in documentation. #7092
• Fix typo in documentation #7050
• Allow custom ReactiveAuthenticationManager for basic and form auth #7048
• Fixed validation in ClientRegistration.Builder #7047
• Fix blocking in ServletOAuth2AuthorizedClientExchangeFilterFunction #7037
• Infinite loop in role hierarchy resolving #7035
• ServerBearerTokenAuthenticationConverter Handles Empty Tokens #7020
• Reactive OAuth2 using query parameters for access_token can cause HTTP 500s #7011
• OAuth2Login should process authenticated requests #6890
• Ensure ServletOAuth2AuthorizedClientExchangeFilterFunction is non-blocking #6589
• ServerHttpSecurity can't set multiple authentication managers #5660
• SCryptPasswordEncoder constructor javadoc needs to be fixed #4004
• SEC-2576: ArrayIndexOutOfBoundsException in IpAddressMatcher #2790

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @matkocsis
• @ddevrien
• @sothavirak
• @vpavic
• @sandmannn
• @karelmaxa
• @bstuder
• @ttddyy
• @rwinch
• @clementkng
• @samiconductor
• @sofiageo
• @behrangsa
• @tan9
• @jzheaux
• @jgrandja
• @Daimanta
• @eleftherias
• @sbespalov
• @bagyoni
• @larsgrefer
• @eddumelendez
• @dnl50
• @edouardhue
• @ThomasVitale

5.2.0.M3

⭐ New Features

• Move log statement in SessionRegistryImpl #6979
• Fix RoleHierarchy Javadoc #6973
• Disable bean proxying in configuration classes #6970
• Make Spring web configuration classes use proxyBeanMethods=false by default #6967
• Migrate JeeConfigurerTests groovy->java #6957
• Update to nohttp 0.0.2.RELEASE #6955
• RoleHierarchy Comments are misleading #6954
• Migrate RememberMeConfigurerTests groovy->java #6951
• Migrate CorsConfigurerTests groovy->java #6946
• Migrate ChannelSecurityConfigurerTests groovy->java #6944
• Add success handler modification of OAuth2LoginSpec #6938
• Migrate SessionManagementConfigurerTests groovy->java #6937
• JenkinsFile should always indicate the JDK in use #6928
• Add @transient to OAuth2IntrospectionAuthenticationToken #6918
• Added null checks and tests to constructors #6915
• Updates OAuth2ResourceServer configuration tests #6904
• Migrate LogoutConfigurerTests from groovy to java #6902
• Finer variables for OAuth2 redirectUriTemplate expansion #6900
• Add null checks to constructors #6892
• Fix JavaDoc for defaultSuccessUrl #6878
• Add constructor to JwtAuthenticationToken that takes a principal name #6865
• Add OAuth2LoginSpec.authenticationSuccessHandler #6863
• Add Multi-tenancy support for Reactive Resource Server #6861
• Git ignore .attach_pid* files #6860
• Translate messages.properties into Japanese #6855
• Replace bean method calls with injection #6853
• Make scheduler configurable on ReactiveAuthenticationManagerAdapter #6852
• Introduce Jwt.Builder #6851
• OpaqueToken DSL should accept an AuthenticationManager #6849
• Jwt DSL Configuration should accept an AuthenticationManager #6832
• OAuth2IntrospectionAuthenticationToken should be marked as @transient #6829
• Reactive JwkSource Builder Parameter Type Changed the parameter type from JWT to SignedJWT Fixes: gh-6771 #6827
• Fix javadoc typo #6825
• Support JwtValidationException on JwtReactiveAuthenticationManager #6823
• Switch to proxy-less configuration by leveraging @configuration(proxyBeanMethods = false) #6818
• Opaque Token Support for Custom Parameters #6798
• Fix no check if the parameter is null. #6775
• Expose bean setters in @configuration used by @EnableWebFluxSecurity #6761
• Multi-tenancy for Reactive Resource Server #6727
• Introduce ReactiveAuthenticationManagerResolver #6723
• Introduce JWT Flow API in Test Support #6634
• Opaque Token Intermediate Type #6632
• Make it possible to use Spring Security with functional bean registration #6624
• OAuth2ResourceServer configuration tests use deprecated extractAuthorities #6516
• X509 Reactive Support #6336
• Improve ClaimAccessor and externalize coercion #6245
• Add scheme/protocol variable for OAuth2 redirectUriTemplate #6239
• AccountStatusUserDetailsChecker implements MessageSourceAware #6151
• Support Path Variables in Message Expressions #6110
• WebSocket matchers ignore parameters #4469

🪲 Bug Fixes

• ID Token validation should use JwtTimestampValidator #6964
• Fix HttpSecurity Javadoc for jee() method #6959
• Fix HttpSecurity jee() Javadoc example for mappableRoles #6958
• DefaultServerOAuth2AuthorizationRequestResolver should use fromUri #6952
• WebClientReactiveClientCredentialsTokenResponseClient should not set Authorization header when ClientAuthenticationMethod.POST #6911
• Documentation fixes #6889
• java.lang.IllegalAccessError when resource server introspect token from oauth2 server #6843
• oauth2Login does not auto-redirect for XHR request #6812

🔨 Dependency Upgrades

• Update to Spring 5.2.0.M2 #6869

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @florian42
• @jgrandja
• @zeratul021
• @since1986
• @eleftherias
• @jbrokamp
• @sandmannn
• @rhamedy
• @vishalvrv9
• @ch4mpy
• @alurysharad
• @httpain
• @ttddyy
• @clementkng
• @Maxvgrad
• @dbuos
• @lgraf
• @weebl2000
• @alek-sys
• @dnl50
• @shimamchan
• @gavvvr
• @JokerSun

5.2.0.M2

⭐ New Features

• Add JDK 12 Build #6774
• Update Gradle version to 5.3.1 #6747
• Align JavaDoc in SecureRandomFactoryBean #6734
• Fix a typo #6725
• Introduce AuthenticationManagerResolver #6722
• Defer downstream filter execution if no OAuth2AuthorizedClient is found #6719
• Make UnAuthenticatedServerOAuth2AuthorizedClientRepository threadsafe #6717
• URL Cleanup #6662
• URL Cleanup #6655
• Simplify MediaTypeRequestMatcher construction #6648
• Polish #6635
• Introduced placeholder support for headers tag attributes #6623
• Allowing for a @bean of type OAuth2AccessTokenResponseClient<OAuth2Cl… #6606
• Throw exception that was created but not thrown #6604
• documentation: remove out-of-date #6603
• OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6587
• OAuth2ClientConfiguration discovers client_credentials OAuth2AccessTokenResponseClient #6572
• Multi tenancy for Resource Server #6563
• Introduce @CurrentSecurityContext for method arguments #6562
• Fix Broken Documentation Link #6555
• Broken URL in documentation #6553
• Add Support for Clear Site Data on Logout #6550
• Introduce @CurrentSecurityContext for method arguments #6546
• Reactive Opaque Token Support #6519
• OidcIdTokenValidator ensures clockSkew is positive number #6514
• Add Reactive Opaque Token Support to Resource Server #6513
• Properties should reference scope not scopes #6510
• HeaderWriterFilter writes headers at beginning #6509
• Introduce OAuth2AuthorizationRequest.attributes #6508
• Introduce Support for Reading RSA Keys #6505
• NimbusReactiveJwtDecoder Takes Reactive Processor #6499
• Support symmetric key for JwtDecoder #6495
• Add RSA Key Converters #6494
• Improve formatting of LDAP snippets in Reference Documentation #6486
• Add client support for PKCE #6485
• OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @bean #6477
• Add new configuration options for OAuth2LoginSpec #6462
• Update to nimbus-jose-jwt:6.7 #6459
• Consider having HeaderWriters check before writing #6456
• Added CompositeHeaderWriter #6455
• Consider having HeaderWriters check before writing #6454
• Add a composite HeaderWriter class #6453
• Support PKCE for Client #6446
• OidcIdTokenValidator ensures clockSkew is positive number #6443
• Save original request on oauth2Client filter #6418
• Add Support for Opaque OAuth2 Tokens to Resource Server #6352
• Add preload support to Strict-Transport-Security #6312
• Remove Servlet Spec 2.5 and 3.0 support #6220
• OAuth2ResourceServerConfigurerTests should avoid MockWebServer #6104
• OAuth2AuthorizationRequest.additionalParameters should not contain registration_id #5940
• NimbusReactiveJwtDecoder should accept a custom processor #5937
• Improve OAuth2LoginSpec with more configuration options #5598
• Provide support for symmetric key verification via JwtDecoder #5465
• Support for OIDC Logout #5356
• Multi-tenancy support for OAuth2 #5351
• Support RP (Client) initiated logout #5350
• Provide support for OAuth 2.0 Token Introspection #5200
• Add Clear Site Data to Log Out #4187

🪲 Bug Fixes

• ServletOAuth2AuthorizedClientExchangeFilterFunction supports chaining #6526
• Update resource-server.adoc #6523
• Fixed broken link #6522
• Fix broken link in README.adoc #6521
• Preserve existing refresh token if new refresh token not returned #6504
• Refreshing access token may remove refresh token from AuthorizedClient #6503
• ServletOAuth2AuthorizedClientExchangeFilterFunction Does Not Work For Chained Reactive Methods #6483
• Missing spring: prefix on jwk-set-uri example #6479
• Improve CsrfBeanDefinitionParser xml parsing #6451
• HTML markup fixed in DefaultLoginPageGeneratingFilter #6448
• XML configuration with multiple security:http register multiple requestDataValueProcessor #6423
• Invalid html in default login page #6417
• Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341
• Fix OAuth2 Client with Ditributed Session #6215

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @wangzw
• @sdoxsee
• @d3jie
• @ankurpathak
• @wilkinsona
• @sayembd
• @rhamedy
• @izeye
• @xyloman
• @rozagerardo
• @LukeButters
• @nickbr23
• @jzheaux
• @jgrandja
• @clevertension
• @spring-operator
• @farrault
• @rustamzh
• @fritzdj
• @vishalvrv9
• @andersonkyle
• @stasmihailov
• @xak2000
• @philsttr
• [@ThomasVitale](https://github.com/Thom...

5.2.0.M1

⭐ New Features

• Update to spring-build-conventions 0.0.23.RELEASE #6440
• customization support for StrictHttpFirewall #6439
• Update to Spring Data Lovelace SR4 #6438
• Update to Spring Framework 5.1.4 #6437
• Update to Reactor Californium-SR4 #6436
• Update to Spring Boot 2.1.2 #6435
• Update to htmlunit-driver 2.33.3 #6434
• Update to org.powermock 2.0.0 #6433
• Update to hibernate-entitymanager 5.4.0.Final #6432
• Update to ehcache 2.10.6 #6431
• Update to com.squareup.okhttp3 3.12.1 #6430
• Update to oauth2-oidc-sdk 6.5 #6429
• Update to nimbus-jose-jwt 6.5.1 #6428
• Update to jackson.core 2.9.8 #6427
• Update to cglib-nodep 3.2.10 #6426
• Update JwtTimestampValidator.java #6416
• Extract the ID Token JwtDecoderFactory to enable user customization #6415
• Expose ID Token JwtDecoderFactory #6379
• ID Token validation supports clock skew #6375
• Polish oauth2 client ExchangeFilterFunction's #6355
• Improve error messages in OidcIdTokenValidator #6349
• Polish tests #6346
• Removed isServlet30 check #6331
• Fixes typo in x,rnc files #6326
• Typo in Spring Security spring-security-x.y.rnc Files #6325
• Improve error messages in OidcIdTokenValidator #6323
• Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec #6310
• JdbcUserDetailsManager handles extra UserDetails attributes #6309
• Add WebFlux support for spring security web jackson module. #6305
• Add WebFlux support for spring security web jackson module #6303
• authorization_uri Supports Query Parameters #6299
• Extract OidcTokenValidator to an OAuth2TokenValidator #6298
• Remove check for method HttpServletRequest#getHeader and related test #6290
• Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6289
• Validate Scopes in ClientRegistration.Builder #6285
• Allow setting realm for Http Basic #6279
• Add cookieDomain to CookieCsrfTokenRepository #6276
• Add Anonymous Support to AuthenticatedReactiveAuthorizationManager #6267
• Remove Servlet 3.0 Support in CacheControlHeadersWriter #6265
• Remove Servlet 3.0 Support in AbstractRequestMatcherRegistry #6264
• Remove Servlet 2.5 and 3.0 Support for Remember Me #6263
• Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262
• Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository #6261
• Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260
• Remove Servlet 2.5 Support for Session Fixation #6259
• Add DelegatingSecurityContextTaskScheduler #6257
• Validate ClientRegistration.scopes #6256
• RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefauts #6241
• Improve error message for Chinese #6240
• Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient #6238
• AuthenticatedReactiveAuthorizationManager support for AnonymousAuthenticationToken #6235
• JwtDecodersTests and ClientRegistrationsTest should explicitly test for trailing slash #6234
• Add Reactive Support for UserDetailsChecker #6229
• SessionRegistryImpl uses computeIfAbsent #6221
• Accept a case-insensitive "Bearer" keyword #6210
• Restored Jacoco default task dependence #6200
• Added support for Anonymous Authentication #6198
• Update to Gradle 5.0 #6197
• Make CachingUserDetailsService Public #6196
• Bearer should be case-insensitive in ServerBearerTokenAuthenticationConverter #6195
• Use SpringUtils to check scheme #6185
• BasicAuthenticationFilter could check the scheme more efficiently #6183
• ReactiveOAuth2AccessTokenResponseClients should support setting a custom WebClient #6182
• According to RFC 2617 #1.2, the "Bearer" keyword should be case-insensitive #6150
• Update to Gradle 5.0 #6148
• Update com.squareup.okhttp3 deps to 3.12.0 #6142
• Add GenericConversionService with support for UUID and Strings #6141
• Remove unused dependency slf4j-api in javaconfig x509 sample application #6131
• Remove unused compile dependency in javaconfig x509 sample #6130
• Replace deprecated Gradle Task method in AspectJPlugin.groovy #6129
• Replace deprecated Gradle Task.deleteAllActions() method in AspectJPlugin.groovy #6128
• WebClient support should get new access token when expired and client_credentials #6127
• AesBytesEncryptorTests should check available key strengths before running #6121
• CookieClearingLogoutHandler enhancement #6116
• Update to Gradle 4.10.2 #6114
• Update to oauth2-oidc-sdk:6.2 #6101
• Update webflux-form sample to use Built in CSRF Support #6097
• Update to nimbus-jose-jwt:6.3 #6095
• Updated Spring Boot version from 2.1.0.M4 to 2.1.0.RELEASE #6084
• Update to Spring Boot 2.1.0.RELEASE #6082
• Make AesBytesEncryptor public #6079
• CookieClearingLogoutHandler for differen...