fix(deps): update spring security to v6.1.4

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.springframework.security:spring-security-taglibs (source) | compile | minor | 6.0.7 -> 6.1.4 |
| org.springframework.security:spring-security-config (source) | compile | minor | 6.0.7 -> 6.1.4 |
| org.springframework.security:spring-security-web (source) | compile | minor | 6.0.7 -> 6.1.4 |
| org.springframework.security:spring-security-core (source) | compile | minor | 6.0.7 -> 6.1.4 |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-taglibs)

v6.1.4

New Features

🐞 Bug Fixes

  • CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #​13659
  • CookieRequestCache ignores user Locale #​13796
  • Default Security Configuration adds WWW-Authenticate Twice #​13759
  • Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin #​13729
  • OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​13800
  • Problem uploading multipart file after migrating to latest Spring Security. #​13820
  • Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13806
  • Spring ACL and native compilation fail to process datasource properties #​13814

Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.3

New Features

  • Add MvcRequestMatcher reference documentation #​13726
  • Refactor for readability #​13472
  • requestMatchers servlet validation error should include information about servlet paths #​13722
  • requestMatchers should not count servlets without mappings #​13724

🐞 Bug Fixes

  • Add return statement of the roleHierachy method in the servlet/author… #​13596
  • Fix typo in docs #​13637
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13590
  • RequestMatcherMetadataResponseResolver only shows last RelyingPartyRegistration #​13700
  • saml2Login should not override OpenSaml4AuthenticationProvider bean #​13655
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13580
  • Update links in adocs #​13632

🔨 Dependency Upgrades

Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.2

New Features

  • Improve RequestMatcher Validation #​13557
  • Improve Security Filters Documentation #​13414
  • Optimize Querying of RequestCache -> continue parameter #​13488
  • Optimize Querying of RequestCache -> continue parameter #​13482

🐞 Bug Fixes

  • Error message should show underlying Client Authentication method #​13498
  • Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13465
  • once-per-request="true" does not work in XML configuration #​13494
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13199
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13421
  • Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13478
  • update l179 of jwt docs #​13480
  • Use default PathPatternParser instance #​13464

🔨 Dependency Upgrades

  • Update io.projectreactor to 2022.0.9 #​13525
  • Update jakarta.websocket to 2.1.1 #​13526
  • Update micrometer-observation to 1.10.9 #​13524
  • Update org.springframework to 6.0.11 #​13527
  • Update org.springframework.data to 2022.0.8 #​13528
  • Update org.springframework.data to 2022.0.8 #​13522

Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.1

New Features

  • Add initial Native section to reference docs #​13236
  • Align Resource Server documentation with Boot's capabilities #​13239
  • Convert to Asciidoctor Tabs #​13407
  • Document How to Handle Method Security in Native Image #​13237
  • Improve javadoc about deprecation of .and() and non-Customizer methods #​13273
  • Make eclipse/vscode project import work #​13284
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13229
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13254
  • Use Antora name of security #​13331

🐞 Bug Fixes

  • Additional filters registered when using Custom DSL #​13282
  • AOT Fails to proxy #​13369
  • CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #​13243
  • DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13223
  • Deprecated hint on BasicAuthenticationFilter #​13279
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13193
  • Fix Antora Warnings #​13294
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13221
  • Fix Documentation Title #​13318
  • Fix legacy-websocket-configuration cross-reference #​13206
  • Fix type on method-security.adoc #​13212
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13209
  • Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13218
  • No longer maintained net.sourceforge.nekohtml with known security issues #​13287
  • Provide meaningful error when invalid client-authentication-method is provided #​13309
  • Proxy Server section is not linked in nav #​13324
  • Use consistent list of micrometer tags in web observation handler #​13190
  • UserBuilder does not allow authorities to be overridden #​13290

🔨 Dependency Upgrades

Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.0

New Features

  • Explain the rational about deprecating .and() and non-lambda DSL methods #​13094
  • Revisit CSRF Documentation #​13089

🐞 Bug Fixes

  • AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13087
  • AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13154
  • Clarify that Kotlin DSL needs an import #​13103
  • CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #​13075
  • Fix code snippets in Authorize HttpServletRequest #​13126
  • Fix invalid link in ref doc #​12573
  • fix javadoc typo #​12884
  • Fix typo cas.adoc #​13116
  • Links between migration docs are out of date #​13157
  • RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13128
  • rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13083
  • SAML login fails in Internet Explorer 11 #​13142
  • SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​13150
  • Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13122
  • Update acls.adoc #​13078
  • Update architecture.adoc #​13077
  • Web Security Expression section of Documentation is obsolete or it does not work #​12974

🔨 Dependency Upgrades

Contributors

We'd like to thank all the contributors who worked on this release!


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.


This MR has been generated by Renovate Bot.
