fix(deps): update dependency org.springframework.security:spring-security-bom to v6
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.security:spring-security-bom (source) | import | major |
5.8.3 -> 6.0.3
|
Release Notes
spring-projects/spring-security
v6.0.3
⭐ New Features
- Add new DaoAuthenticationProvider constructor #12874
- Clarify documentation code snippet(s) (unclear where static imported methods come from) #12992
- Documentation should mention that an empty SecurityContext should also be saved #12941
- Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #12932
- Incomplete documentation regarding Hierarchical roles. #12766
- Remove deprecated
SecurityContextPersistenceFilterfrom docs #12690
🐞 Bug Fixes
-
@EnableReactiveMethodSecuritycauses premature initialization of the ObservationRegistry and prevents it from being post-processed #12780 - Broken links in form login section of docs #12822
- chore: typo, removed extra "s" in word implementationss #12882
- EntityId ignored in xml relying-party-registration #12777
- Fix a javadoc typo in ReactiveAuthorizationManager #13000
- Fix a javadoc typo in ReactiveAuthorizationManager #12983
- Fix broken links in form login section #12823
- Fix docs typo #12745
- Fix documentation code block bug. #12980
- Fix typo architecture.adoc #12851
- fix typo in RequestCacheResultMatcher #12814
- HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #12919
- JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12767
- MessageMatcherDelegatingAuthorizationManager not extracting path variables for authorization context #12540
- Missing spring-security-oauth2 xsds after release #12806
- NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #13005
- NoSuchElementException in org.springframework.security.web.server.ObservationWebFilterChainDecorator
AroundWebFilterObservationSimpleAroundWebFilterObservation.start(ObservationWebFilterChainDecorator.java:274 #12829 - Observation Spans are not nested correctly in Webflux #12849
- RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #13055
- Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12936
- Spring Security 6.0.2 ObservationFilterChainDecorator produce wrong instrument names #12811
- SwitchUserFilter should use HttpSessionSecurityContextRepository by default #12836
🔨 Dependency Upgrades
- Update assertj-core to 3.24.2 #13038
- Update io.projectreactor to 2022.0.6 #13034
- Update io.spring.javaformat to 0.0.38 #13036
- Update logback-classic to 1.4.6 #13030
- Update maven-resolver-provider to 3.8.8 #13037
- Update micrometer-observation to 1.10.6 #13032
- Update mockk to 1.13.5 #13033
- Update org.eclipse.jetty to 11.0.15 #13039
- Update org.springframework to 6.0.8 #13041
- Update org.springframework.data to 2022.0.5 #13042
- Update reactor-netty to 1.1.6 #13035
- Update slf4j-api to 2.0.7 #13040
- Update spring-ldap-core to 3.0.2 #13043
- Update unboundid-ldapsdk to 6.0.8 #13031
❤ Contributors
We'd like to thank all the contributors who worked on this release!
v6.0.2
⭐ New Features
- CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #12651
- Document
@EnableWebFluxSecurityrequiring@Configurationin 6.0.0 #12444 - Move classpath checks to class member variable #11437
- Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #12339
- Revisit Session Management Documentation #12680
- Spring Security 6.0 Migration Guide Should Mention
@ConfigurationMeta-Annotation Removal From Configuration Annotations #12498 - Update broken links, correct gradle command for Windows OS. #12336
🐞 Bug Fixes
- 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #12548
-
@EnableReactiveMethodSecurity#useAuthorizationManager should be true #12506 - A typo in form login doc #12678
- Adjusts setRequestHandler javadoc in CsrfWebFilter #12467
- AuthorizationManager method security documentation should use AnnotationMatchingPointcut #12517
- DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #12671
- Document XMLObject retreival for Asserting Party metadata #12729
- Document XMLObject retreival for Asserting Party metadata #12728
- Duplicate words. #12471
- Fix CSRF protection provided by
@EnableWebSocketSecurity/ Stomp #12378 - gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #12614
- Jackson serialization of
DefaultSaml2AuthenticatedPrincipal:LinkedMultiValueMap is not in the allowlist#12459 - javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #12616
- NimbusJwtDecoder unknown KID scenario is not correctly tested #12495
- No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #12615
- NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #12687
- Security observations are not setting their parent osbervation #12524
- SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579
- Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #12490
- SwitchUserFilter not working in Spring Security 6 #12511
- Update expression-based.adoc #12363
- Update multitenancy.adoc #12474
- WebTestUtilsTestRuntimeHints should only be invoked for Servlet #12622
- Wrong name of the filter in the SecurityContextHolderFilter diagram #12527
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.7.Final #12707
- Update io.projectreactor to 2022.0.3 #12701
- Update io.spring.nohttp to 0.0.11 #12703
- Update jackson-bom to 2.14.2 #12696
- Update jackson-databind to 2.14.2 #12697
- Update jackson-datatype-jsr310 to 2.14.2 #12698
- Update jakarta.servlet.jsp-api to 3.1.1 #12704
- Update junit-bom to 5.9.2 #12708
- Update junit-platform-launcher to 1.9.2 #12710
- Update maven-resolver-provider to 3.8.7 #12705
- Update micrometer-observation to 1.10.4 #12699
- Update mockk to 1.13.4 #12700
- Update org.aspectj to 1.9.19 #12706
- Update org.junit.jupiter to 5.9.2 #12709
- Update org.springframework to 6.0.5 #12711
- Update org.springframework.data to 2022.0.2 #12712
- Update reactor-netty to 1.1.3 #12702
- Update spring-ldap-core to 3.0.1 #12713
❤ Contributors
We'd like to thank all the contributors who worked on this release!
v6.0.1
⭐ New Features
- Add
EnableWebSecuritymigration steps to 5.8 guide #12354 - Replace deprecated set-state set-output GitHub Action's commands #12299
🐞 Bug Fixes
- codes in spring security docs fail to work #12342
- codes in spring security docs fail to work #12341
- DefaultLdapAuthoritiesPopulator throws NullPointerException #12409
- Error in ACLS document #12270
- Fix AuthorizationFilter diagram in docs #12288
- Incorrect Javadoc for class ExpressionAuthorizationDecision #12435
- Incorrect sample code in securityMatcher migration docs #12303
- Incorrect sample code in securityMatcher migration docs #12302
- It's not possible to disable micrometer obversability #12268
- ProxyFactoryBean on AuthenticationManager does not work in native mode #12367
- SecurityContextHolderFilter does not apply to async dispatch #12369
- SecurityContextHolderFilter does not apply to async dispatch #12368
🔨 Dependency Upgrades
- Update hibernate-core to 6.1.6.Final #12423
- Update httpclient to 4.5.14 #12421
- Update io.projectreactor to 2022.0.1 #12419
- Update jackson-bom to 2.14.1 #12413
- Update jackson-databind to 2.14.1 #12414
- Update jackson-datatype-jsr310 to 2.14.1 #12415
- Update logback-classic to 1.4.5 #12412
- Update micrometer-observation to 1.10.2 #12417
- Update mockk to 1.13.3 #12418
- Update org.eclipse.jetty to 11.0.13 #12422
- Update org.jetbrains.kotlin to 1.7.22 #12424
- Update org.springframework to 6.0.3 #12426
- Update reactor-netty to 1.1.1 #12420
- Update slf4j-api to 2.0.6 #12425
- Update unboundid-ldapsdk to 6.0.7 #12416
❤ Contributors
We'd like to thank all the contributors who worked on this release!
v6.0.0
⏪ Breaking Changes
- CsrfAuthenticationStrategy is not consistent with CsrfFilter #12235
- Register FilterChainProxy for all dispatcher types #12180
⭐ New Features
- Add test runtime hints for annotations using
@WithSecurityContext#12215 - Add WebTestUtils test runtime hints #12216
- Align with Servlet API 6 #12146
- Document Configure Default SessionAuthenticationStrategy #12192
- Document DelegatingSecurityContextRepository #12185
- Improve deprecation notice in WebSecurityConfigurerAdapter #12262
- Log a warning when
AuthorizationGrantTypedoes not exactly match a pre-defined constant #12234 - Migration guide for the removal of CAS #12163
- Polish Span and Meter Names #12225
- Register FilterChainProxy for All Dispatcher Types Migration Steps #12212
- Restructure 6.0 Migration Guide #12242
- Support Jakarta WebSocket 2.1 #12148
🐞 Bug Fixes
- CsrfAuthenticationStrategy does not check for existing token #12241
- Ensure instrumentation names align with semantic conventions #12156
- Incorrect scope map fix #12207
- SAML logout: Incorrect log messages #12210
- Saml2MetadataFilter response should configure writer to UTF-8 #12223
🔨 Dependency Upgrades
- Update micrometer-observation to 1.10.1 #12250
- Update org.springframework to 6.0.0 #12255
- Update org.springframework.data to 2022.0.0 #12256
- Update r2dbc-h2 to 1.0.0.RELEASE #12251
- Update slf4j-api to 2.0.4 #12254
- Update spring-ldap-core to 3.0.0 #12257
❤ Contributors
We'd like to thank all the contributors who worked on this release!
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.