fix(deps): update dependency org.springframework.security:spring-security-bom to v5

Pavel Břoušek requested to merge renovate/major-spring-security into master

Created by: renovate[bot]

This PR contains the following updates:

| Package | Change |
|---|---|
| org.springframework.security:spring-security-bom (source) | 4.2.20.RELEASE -> 5.6.1 |

Release Notes

spring-projects/spring-security

v5.6.1

Compare Source

New Features
  • Document authentication helper method in WebClient integration #​10468
  • Document authentication helper method in WebClient integration for Servlet Environments #​10120
  • Document parameters converter in oauth2 client servlet docs #​10469
  • Document parameters converter in oauth2 client servlet docs #​10467
🐞 Bug Fixes
  • AuthorityAuthorizationManager incorrectly compares GrantedAuthority #​10595
  • clockSkew Javadoc is not consistent with implementation #​10535
  • Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10560
  • Kotlin DSL examples in reactive oauth2 docs call build twice #​10591
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #​10581
🔨 Dependency Upgrades
Contributors

We'd like to thank all the contributors who worked on this release!

v5.6.0

Compare Source

New Features

  • DaoAuthenticationProviderTests#avg function doesn't return fraction #​10426
  • Docs Should Use Section Summary #​10449
  • MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10436
  • Revamp OAuth 2.0 Login/Client reactive documentation #​8174
  • Revamp Reactive OAuth 2.0 Login documentation #​10479
  • Split up Documentation Further #​10367
  • Support Structure 101 License Id in Package Tangle Check #​10443

🐞 Bug Fixes

  • Adding keyInfo section to LogoutRequest from RP side #​10450
  • In saml2 LogoutRequest from RP doesn't contain KeyInfo #​10438
  • Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10444
  • Port Missing Integration Docs #​10465
  • SAML 2.0 JUnit Tests are being skipped #​10215
  • Various build time javadoc warnings fix #​10423

🔨 Dependency Upgrades

Contributors

We'd like to thank all the contributors who worked on this release!

v5.5.4

Compare Source

🐞 Bug Fixes

  • Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section #​10527
  • Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10561
  • MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10531
  • Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10520
  • Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10516
  • Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10484
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #​10582
  • WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #​10435

🔨 Dependency Upgrades

  • Update cas-client-core to 3.6.4 #​10637
  • Update hibernate-entitymanager to 5.4.33 #​10635
  • Update hsqldb to 2.6.1 #​10636
  • Update io.projectreactor to 2020.0.14 #​10633
  • Update io.spring.javaformat to 0.0.29 #​10411
  • Update jackson-bom to 2.12.6 #​10630
  • Update jackson-databind to 2.12.6 #​10631
  • Update jackson-datatype-jsr310 to 2.12.6 #​10632
  • Update logback-classic to 1.2.9 #​10629
  • Update org.jetbrains.kotlin to 1.5.32 #​10638
  • Update org.springframework to 5.3.14 #​10639
  • Update org.springframework.data to 2021.0.7 #​10640
  • Update reactor-netty to 1.0.14 #​10634
  • Update spring-ldap-core to 2.3.5.RELEASE #​10641

v5.5.3

Compare Source

New Features

  • Allow defining custom SAML 2.0 Assertion Signature Validator #​10317
  • Add Documentation for Static Methods Classes for mockJwt() and jwt() #​10265

🐞 Bug Fixes

  • ClaimAccessor#getClaimAsMap doesn't return null as documented #​10371
  • 5.5.X only works with spring-security-5.4.xsd schema (XML-based config) #​10369
  • SecurityNamespaceHandler: update schema version to 5.5 #​10348
  • JwtTimeStampValidator uses wrong error on token expiration #​10328
  • Fix typo #​10313
  • Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #​10257
  • ACL docs refer to nonexistent sample apps #​10237
  • SAML 2.0 Login should allow loginProcessingUrl without {registrationId} when providing an AuthenticationConverter #​10176

🔨 Dependency Upgrades

  • Update org.springframework.data to 2021.0.6 #​10417
  • Update org.springframework to 5.3.11 #​10416
  • Update org.jetbrains.kotlinx to 1.5.2 #​10415
  • Update org.jetbrains.kotlin to 1.5.31 #​10414
  • Update org.eclipse.jetty to 9.4.44.v20210927 #​10413
  • Update io.spring.nohttp to 0.0.10 #​10412
  • Update r2dbc-spi-test to 0.8.6.RELEASE #​10410
  • Update reactor-netty to 1.0.12 #​10409
  • Update io.projectreactor to 2020.0.12 #​10408
  • Update jackson-datatype-jsr310 to 2.12.5 #​10407
  • Update jackson-databind to 2.12.5 #​10406
  • Update jackson-bom to 2.12.5 #​10405
  • Update logback-classic to 1.2.6 #​10404

Contributors

We'd like to thank all the contributors who worked on this release!

v5.5.2

Compare Source

New Features

  • Consider adding springFrameworkVersion property #​10068
  • Introduce samplesBranch property #​10036
  • Use the new springFrameworkVersion property in docs' links #​10067

🔨 Dependency Upgrades

  • Update com.nimbusds to 9.9.1 #​10186
  • Update io.projectreactor to 2020.0.10 #​10187
  • Update jackson-bom to 2.12.4 #​10183
  • Update jackson-databind to 2.12.4 #​10184
  • Update jackson-datatype-jsr310 to 2.12.4 #​10185
  • Update logback-classic to 1.2.5 #​10182
  • Update org.aspectj to 1.9.7 #​10189
  • Update org.eclipse.jetty to 9.4.43.v20210629 #​10190
  • Update org.jetbrains.kotlin to 1.5.21 #​10191
  • Update org.jetbrains.kotlinx to 1.5.1 #​10192
  • Update org.slf4j to 1.7.32 #​10193
  • Update org.springframework to 5.3.9 #​10194
  • Update org.springframework.data to 2021.0.4 #​10195
  • Update reactor-netty to 1.0.10 #​10188

v5.5.1

Compare Source

New Features
  • Consider adding a link checker to build #​9972
  • Use Job Outputs to Transmit Error #​9928
  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9917
  • Combine different OS Build in one CI Job #​9798
  • Use GPG_PRIVATE_KEY directly #​9778
🐞 Bug Fixes
  • Update links to point to migrated samples #​9971
  • Add messaging to documentation about sample migration #​9970
  • Fix broken links in docs #​9969
  • CORS section is missing in Reactive reference documentation #​9952
  • RSocket documentation mentions non-existent class #​9950
  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9941
  • Missing log of "caused by" exception when OP document metadata cannot be reached #​9939
  • Missing support for private_key_jwt in ClientRegistrations #​9936
  • Allow client registration from issuer uri with no authorize_endpoint #​9935
  • Missing support for urn:ietf:params:oauth:grant-type:jwt-bearer in ClientRegistrations #​9934
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #​9929
  • Jwt client authentication converter should detect new key #​9927
  • Adding filters relative to custom ones is broken #​9906
  • SEC-3139: Anonymous authentication token not passed to Controller #​9890
  • Clarify quick start section in README #​9885
  • RSocket and WebClient with Security refCount: 0 #​9870
  • spring-security-config kotlin-stdlib-jdk8 dependency isn't optional #​9864
  • Client credentials not correctly encoded in Basic Auth #​9858
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #​9849
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​9819
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9806
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9805
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #​9801
  • Fix Build Scan in Build Windows CI Job #​9797
  • GitHub Actions only Activated for main #​9777
  • Artifactory missing mavenJava publication #​9774
  • spring-security-core depends on spring-security-crypto #​9773
🔨 Dependency Upgrades
  • Update org.springframework to 5.3.8 #​9984
  • Update org.slf4j to 1.7.31 #​9983
  • Update org.jetbrains.kotlin to 1.5.10 #​9982
  • Update hibernate-entitymanager to 5.4.32.Final #​9981
  • Update org.eclipse.jetty to 9.4.42.v20210604 #​9980
  • Update io.rsocket to 1.1.1 #​9979
  • Remove commons-codec constraint #​9977
  • Update to OpenSAML 4.1.1 #​9976
  • Update to nimbus-jose-jwt 9.10 #​9975
  • Update to oauth2-oidc-sdk 9.9 #​9974

v5.5.0

Compare Source

New Features

  • Configure user name used for Gradle CI builds #​9747
  • HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #​9649
  • Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #​9708
  • Restore Dependency Constraints for commons-codec and commons-logging #​8836
  • Stop CI Jobs on Forks #​9717
  • Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider #​9730

🔨 Dependency Upgrades

  • Update io.projectreactor to 2020.0.7 #​9750
  • Update io.spring.nohttp to 0.0.8 #​9753
  • Update org.springframework to 5.3.7 #​9754
  • Update org.springframework.data to 2021.0.1 #​9755
  • Update r2dbc-spi-test to 0.8.5.RELEASE #​9752
  • Update spring-ldap-core to 2.3.4.RELEASE #​9756
  • Update to com.gradle.enterprise 3.6.1 #​9764
  • Update to Gradle 6.9 #​9758
  • Update to Kotlin 1.5.0 #​9763

Contributors

We'd like to thank all the contributors who worked on this release!

v5.4.10

Compare Source

🐞 Bug Fixes
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #​10583
  • Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10562
  • MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10532
  • Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section #​10528
  • Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10521
  • Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10517
  • Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10485
  • WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #​10437

v5.4.9

Compare Source

New Features

  • Add Documentation for Static Methods Classes for mockJwt() and jwt() #​10266

🐞 Bug Fixes

  • SAML 2.0 Login should allow loginProcessingUrl without {registrationId} when providing an AuthenticationConverter #​10342
  • JwtTimeStampValidator uses wrong error on token expiration #​10329
  • Fix typo #​10314
  • Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #​10258
  • MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #​10209

🔨 Dependency Upgrades

v5.4.8

Compare Source

New Features

  • Remove -PdeployDocsHost=docs-ip.spring.io from Build #​10021

🐞 Bug Fixes

  • Regression with URL encode client credentials #​10126
  • AuthenticationFailureEvent does not exist #​10107
  • Fix a typo in some class names in the oauth documentation #​10052
  • Fix Saml2WebSsoAuthenticationRequestFilter javadoc #​10027
  • Update to use s01.oss.sonatype.org Maven Publishing #​10015
  • Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #​10009
  • logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set #​9997

🔨 Dependency Upgrades

  • Update to Spring Boot 2.4.8 #​10181
  • Update to spring-build-conventions:0.0.38 #​10020

v5.4.7

Compare Source

New Features
  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9920
🐞 Bug Fixes
  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9942
  • Missing log of "caused by" exception when OP document metadata cannot be reached #​9940
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #​9930
  • Adding filters relative to custom ones is broken #​9908
  • SEC-3139: Anonymous authentication token not passed to Controller #​9891
  • Clarify quick start section in README #​9886
  • RSocket and WebClient with Security refCount: 0 #​9871
  • Client credentials not correctly encoded in Basic Auth #​9861
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #​9848
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​9820
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9807
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9802
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #​9800
  • docs.af.pivotal.io->docs-ip.spring.io #​9686
  • Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #​9681
  • NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #​9674
  • WebFlux httpBasic() should match on XHR requests #​9662
  • HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #​9643
  • oauth2Login() generates authorization links for "client_credentials" grant type #​9637

v5.4.6

Compare Source

🐞 Bug Fixes

🔨 Dependency Upgrades

v5.4.5

Compare Source

🐞 Bug Fixes

  • Downgrade to Nimbus JOSE JWT 8.+ #​9453

Contributors

We'd like to thank all the contributors who worked on this release!

v5.4.4

Compare Source

This release fixes a problem with the release of 5.4.3

New Features

  • Migrate SAML 2.0 Samples to Use PCFOne #​9369
  • Resolve artifacts from Maven Central first #​9367
  • Use constant time comparisons for CSRF tokens #​9357
  • Improve HttpSessionSecurityContextSessionRepository Performance #​9388

🐞 Bug Fixes

  • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9426
  • Fix custom marshaller example #​9409
  • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9403
  • CurrentSecurityContextArgumentResolver should configure BeanResolver #​9402
  • Consider downgrading to Nimbus 8 #​9399
  • Remove notEmpty check for authorities in DefaultOAuth2User #​9396
  • Wrong example name in Spring Security documentation #​9383
  • Make user info response status check error only #​9376
  • Malformed WWW-Authenticate Causes NPE #​9364
  • CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9338
  • Exception when declaring multiple AuthenticationManager beans #​9332
  • webflux-x509 sample cert needs renewal #​9322
  • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9258

🔨 Dependency Upgrades

v5.4.3

Compare Source

New Features

  • Migrate SAML 2.0 Samples to Use PCFOne #​9369
  • Resolve artifacts from Maven Central first #​9367
  • Use constant time comparisons for CSRF tokens #​9357
  • Improve HttpSessionSecurityContextSessionRepository Performance #​9388

🐞 Bug Fixes

  • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9426
  • Fix custom marshaller example #​9409
  • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9403
  • CurrentSecurityContextArgumentResolver should configure BeanResolver #​9402
  • Consider downgrading to Nimbus 8 #​9399
  • Remove notEmpty check for authorities in DefaultOAuth2User #​9396
  • Wrong example name in Spring Security documentation #​9383
  • Make user info response status check error only #​9376
  • Malformed WWW-Authenticate Causes NPE #​9364
  • CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9338
  • Exception when declaring multiple AuthenticationManager beans #​9332
  • webflux-x509 sample cert needs renewal #​9322
  • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9258

🔨 Dependency Upgrades

v5.4.2

Compare Source

New Features

🐞 Bug Fixes

🔨 Dependency Upgrades

  • Update to Google App Engine 1.9.83 #​9250
  • Update to Kotlin 1.4.20 #​9249
  • Update to Spring Boot 2.4.0 #​9248
  • 5.4.x Snapshot Build Should Point to Other Maintenance Branches #​9162

v5.4.1

Compare Source

New Features

  • Replace expired msdn link with latest web archive copy #​9050
  • Add documentation for StrictHttpFirewall enhancements #​9038
  • Replace Tomcat6 URL for SSL Guide to Tomcat 10 #​9034
  • Use AssertJ for exception testing #​9013

🐞 Bug Fixes

  • Add try-with-resources to close stream #​9053
  • RelyingPartyRegistrations Fails to Read Keycloak Metadata #​9051
  • fix miswritten comment of FormLoginDsl.kt #​9042
  • Adapt to WebClient's new exception wrapping #​9031
  • StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #​9026
  • Fix broken Mono chain #​9022
  • Use Schedulers.boundedElastic for UUID.randomUUID #​9021
  • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #​9018
  • WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() #​9017
  • NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #​9011
  • Quick javadoc fix for DelegatingPasswordEncoder #​8890

Contributors

We'd like to thank all the contributors who worked on this release!

v5.4.0

Compare Source

New Features
  • Add What's New in 5.4 #​9002
  • Add What's New in 5.4 Section to Docs #​9001
  • Add Resource Server Servlet Logging #​9000
  • Simplify saml2Login Samples #​8990
  • Remove Framework Tests from saml2Login Sample #​8989
  • Add authenticationManagerResolver to resource server Kotlin DSL #​8981
  • Generalize SAML 2.0 Assertion Validation Support #​8970
  • Update abstract-authentication-processing-filter.adoc #​8965
  • Add spring-javaformat checkstyle and formatting #​8946
  • Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #​8926
  • Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #​8892
  • Resolve oauth2 client-id, client-secret placeholders #​8880
  • Restructure SAML 2.0 documentation #​8763
  • security:client-registrations doesn't take propertyconfigurer properties #​8453
🐞 Bug Fixes
  • Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #​8986
  • NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #​8948
  • SAML attributes not parsed correctly with prefixed XML elements #​8864
  • Don't use oidc scopes_supported for scope as default in ClientRegistrations #​8790
  • scopes_supported metadata should not be used as default in ClientRegistrations #​8514
🔨 Dependency Upgrades
  • Set springDataVersion to Neumann-SR+ #​9007
  • Set rsocketVersion to 1.0.+ #​9006
Contributors

We'd like to thank all the contributors who worked on this release!

v5.3.13.RELEASE

Compare Source

🐞 Bug Fixes
  • Reactive resource server tests failing #​10660
  • Gretty samples fail when using logback 1.2.9 #​10643
  • StaticServerHttpHeadersWriter should work with case-insensitive header names #​10584
  • Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10563
  • MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10533
  • Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10522
  • Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10518
  • Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10486
🔨 Dependency Upgrades

v5.3.12.RELEASE

Compare Source

New Features
  • Add Documentation for Static Methods Classes for mockJwt() and jwt() #​10267
🐞 Bug Fixes
  • JwtTimeStampValidator uses wrong error on token expiration #​10330
  • Fix typo #​10315
  • Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #​10259
  • MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #​10179
🔨 Dependency Upgrades

v5.3.11.RELEASE

Compare Source

New Features
  • Remove -PdeployDocsHost=docs-ip.spring.io from Build #​10023
🐞 Bug Fixes
  • Regression with URL encode client credentials #​10127
  • AuthenticationFailureEvent does not exist #​10108
  • Update to use s01.oss.sonatype.org Maven Publishing #​10024
  • Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #​10010
🔨 Dependency Upgrades
  • Update to spring-build-conventions:0.0.38 #​10022

v5.3.10.RELEASE

Compare Source

New Features

  • Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9915

🐞 Bug Fixes

  • Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9945
  • Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #​9932
  • Adding filters relative to custom ones is broken #​9909
  • SEC-3139: Anonymous authentication token not passed to Controller #​9892
  • Clarify quick start section in README #​9887
  • RSocket and WebClient with Security refCount: 0 #​9872
  • Client credentials not correctly encoded in Basic Auth #​9862
  • Docs should state default value for Resource Server validation clock skew is 60 seconds #​9850
  • OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​9821
  • DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9808
  • OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9803
  • NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #​9799
  • docs.af.pivotal.io->docs-ip.spring.io #​9687
  • Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #​9682
  • WebFlux httpBasic() should match on XHR requests #​9664
  • HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #​9644
  • oauth2Login() generates authorization links for "client_credentials" grant type #​9638

v5.3.9.RELEASE

Compare Source

🐞 Bug Fixes
  • Add null check in CsrfFilter and CsrfWebFilter #​9593
🔨 Dependency Upgrades

v5.3.8.RELEASE

Compare Source

This release fixes a problem with the release of 5.3.7.

New Features
  • Improve HttpSessionSecurityContextSessionRepository Performance #​9391
  • Improve HttpSessionSecurityContextSessionRepository Performance #​9389
  • Migrate SAML 2.0 Samples to Use PCFOne #​9370
  • Resolve artifacts from Maven Central first #​9368
  • Use constant time comparisons for CSRF tokens #​9358
🐞 Bug Fixes
  • Fix the 5.3.7.RELEASE
  • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9427
  • CurrentSecurityContextArgumentResolver should configure BeanResolver #​9405
  • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9404
  • Remove notEmpty check for authorities in DefaultOAuth2User #​9397
  • Wrong example name in Spring Security documentation #​9384
  • CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9339
  • webflux-x509 sample cert needs renewal #​9323
  • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9259

[v5.3.7.RELEASE](https://togithub.com/spring-pro


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.