Update dependency org.springframework.security:spring-security-core to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.security:spring-security-core (source)	3.2.10.RELEASE -> 5.7.12

GitHub Vulnerability Alerts

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x (as well as other unsupported versions) rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.

CVE-2024-22257

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

• The application does not use AuthenticatedVoter#vote directly.
• The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.

CVE-2022-22978

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-core)

v5.7.12

Compare Source

🪲 Bug Fixes

• Check for null Authentication #​14715

v5.7.11

Compare Source

⭐ New Features

• Automate spring-security.xsd #​13819

v5.7.10

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13461

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13509
• Update org.springframework to 5.3.29 #​13511
• Update org.springframework.data to 2021.2.14 #​13512
• Update reactor-netty to 1.0.34 #​13510

v5.7.9

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13404
• Use Antora name of security #​13328

🪲 Bug Fixes

• Additional filters registered when using Custom DSL #​13203
• Clarify that Kotlin DSL needs an import #​13092
• Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13098
• Fix Antora Warnings #​13291
• Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13155
• Fix Documentation Title #​13315
• Fix javadoc for migration from WebSecurityConfigurerAdapter #​12996
• Fix typo in SecurityMockMvcResultMatchers.java #​12793
• fix typo of modules.adoc #​12921
• Fix typo overview.adoc #​13269
• http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13131
• Proxy Server section is not linked in nav #​13313
• Typos in docs #​13283

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.33 #​13373
• Update io.rsocket to 1.1.4 #​13379
• Update org.springframework to 5.3.28 #​13382
• Update org.springframework.data to 2021.2.13 #​13385
• Update reactor-netty to 1.0.33 #​13376

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Anubhav-2000
• @​SeasonPanPan
• @​amal-stack
• @​1993heqiang
• @​xak2000

v5.7.8

Compare Source

⭐ New Features

• Clarify documentation code snippet(s) (unclear where static imported methods come from) #​6597
• Document relationship between registrationId, EntityID, and resolving a relying party #​12764

🪲 Bug Fixes

• Add test to SimpleUrlAuthenticationSuccessHandlerTests #​12740
• Avoid NPE in FilterInvocation #​12922
• EntityId ignored in xml relying-party-registration #​11898
• Fix a javadoc typo in ReactiveAuthorizationManager #​12998
• Fix a javadoc typo in ReactiveAuthorizationManager #​12978
• Fix typo in SessionManagementConfigurer javadoc #​12820
• Missing spring-security-oauth2 xsds after release #​12804
• NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #​12960
• RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #​12664
• SwitchUserFilter should use HttpSessionSecurityContextRepository by default #​12834

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13016
• Update io.projectreactor to 2020.0.31 #​13014
• Update logback-classic to 1.2.12 #​13013
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13017
• Update org.springframework to 5.3.27 #​13018
• Update org.springframework.data to 2021.2.11 #​13019
• Update reactor-netty to 1.0.31 #​13015

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​marckchr
• @​yuanhang
• @​twosom
• @​esivakumar18
• @​martin-tarjanyi

v5.7.7

Compare Source

⭐ New Features

• chore: Use cache in continuous-integration-workflow.yml #​12503
• fix unclosed block in docs #​12542

🪲 Bug Fixes

• AuthorizationManager method security documentation should use AnnotationMatchingPointcut #​11095
• Document XMLObject retreival for Asserting Party metadata #​12667
• Fix typo in OAuth 2.0 testing docs #​12437
• Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #​11785
• NimbusJwtDecoder unknown KID scenario is not correctly tested #​12238
• NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #​12637
• SwitchUserFilter not working in Spring Security 6 #​12504
• Wrong name of the filter in the SecurityContextHolderFilter diagram #​11800

🔨 Dependency Upgrades

• Update blockhound to 1.0.7.RELEASE #​12733
• Update hibernate-entitymanager to 5.6.15.Final #​12736
• Update io.projectreactor to 2020.0.28 #​12732
• Update io.spring.nohttp to 0.0.11 #​12734
• Update jackson-bom to 2.13.5 #​12731
• Update org.aspectj to 1.9.19 #​12735
• Update org.springframework to 5.3.25 #​12737
• Update org.springframework.data to 2021.2.8 #​12738

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jonkjenn
• @​mojavelinux
• @​jongwooo
• @​eleftherias

v5.7.6

Compare Source

⭐ New Features

• Improve deprecation notice in WebSecurityConfigurerAdapter #​12260
• Replace deprecated set-state set-output GitHub Action's commands #​12297

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12407
• Fix AuthorizationFilter diagram in docs #​12285
• Incorrect scope map fix #​12205
• SAML logout: Incorrect log messages #​12208
• Saml2MetadataFilter response should configure writer to UTF-8 #​12221
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​12125
• Update the RP-initiated Logout links #​12121

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12153
• Update Gradle to 7.5.1 #​12157
• Update hibernate-entitymanager to 5.6.14.Final #​12397
• Update httpclient to 4.5.14 #​12395
• Update io.projectreactor to 2020.0.26 #​12393
• Update jackson-bom to 2.13.4.20221013 #​12391
• Update jackson-databind to 2.13.4.2 #​12392
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12396
• Update org.springframework to 5.3.24 #​12398
• Update org.springframework.data to 2021.2.6 #​12399
• Update reactor-netty to 1.0.26 #​12394

v5.7.5

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12113
• Fix scope mapping #​12112
• IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #​11888

v5.7.4

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11955

🪲 Bug Fixes

• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11729
• Build fails with missing project property cloneOutputDirectory #​11979
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11707
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11727
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11711
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11723
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11744

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11830
• Update hibernate-entitymanager to 5.6.10.Final #​11745
• Update hibernate-entitymanager to 5.6.12.Final #​12016
• Update io.projectreactor to 2020.0.22 #​11743
• Update io.projectreactor to 2020.0.24 #​12012
• Update io.rsocket to 1.1.3 #​12014
• Update jackson-bom to 2.13.4.20221012 #​12008
• Update jackson-databind to 2.13.4.1 #​12009
• Update jackson-datatype-jsr310 to 2.13.4 #​12010
• Update jsonassert to 1.5.1 #​11741
• Update mockk to 1.12.8 #​12011
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11740
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12015
• Update org.springframework to 5.3.22 #​11739
• Update org.springframework to 5.3.23 #​12017
• Update org.springframework.data to 2021.1.6 #​11742
• Update org.springframework.data to 2021.2.4 #​12018
• Update reactor-netty to 1.0.24 #​12013

v5.7.3

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​9998
• Set permissions for GitHub actions #​11642
• Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11650

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11637
• Check saganCreateRelease saganDeleteRelease Required Permissions #​11425
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11605
• RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #​11606
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11672
• Sources and javadocs missing in latest snapshots #​11628
• Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11484
• Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11651

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.10.Final #​11694
• Update io.projectreactor to 2020.0.22 #​11691
• Update jsonassert to 1.5.1 #​11696
• Update mockk to 1.12.5 #​11690
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11693
• Update org.jetbrains.kotlinx to 1.6.4 #​11695
• Update org.springframework to 5.3.22 #​11697
• Update org.springframework.data to 2021.2.2 #​11698

v5.7.2

Compare Source

⭐ New Features

• Consider updating testing examples to use JUnit Jupiter #​11293

🪲 Bug Fixes

• Some Security Expressions cause NPE when used within @Query #​11289
• CsrfWebFilter null save content-type check #​11341
• Docs example uses access(String) with authorizeHttpRequests() #​11296
• Fix typo in BasicLookupStrategy Javadoc #​11339
• KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #​11358
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​11384
• SAML request encoding: on redirect binding, base64 encoded message contains CRLF #​11284
• SecurityContextRepository.loadContext(HttpServletRequest) cache result #​11390
• Should SAML metadata EntityDescriptor tag have the md: prefix? #​11311
• Update opaque-token.adoc #​11303

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3.1 #​11402
• Update hibernate-entitymanager to 5.6.9.Final #​11405
• Update io.projectreactor to 2020.0.20 #​11403
• Update jackson-bom to 2.13.3 #​11399
• Update jackson-databind to 2.13.3 #​11400
• Update jackson-datatype-jsr310 to 2.13.3 #​11401
• Update org.jetbrains.kotlinx to 1.6.3 #​11406
• Update org.opensaml:opensaml-core4 to 4.1.1 #​11410
• Update org.springframework to 5.3.21 #​11407
• Update org.springframework.data to 2021.2.1 #​11408
• Update reactor-netty to 1.0.20 #​11404
• Update spring-ldap-core to 2.4.1 #​11409

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​andrelugomes

v5.7.1

Compare Source

🪲 Bug Fixes

• StrictHttpFirewall incorrectly rejects valid CJKV characters #​11266

v5.7.0

Compare Source

⭐ New Features

• Check Samples should run against the current artifacts #​11199
• Consider replacing an inner loop with Set of authority strings in AuthorityAuthorizationManager#isAuthorized #​11188
• Remember me should detect UserDetailsService bean #​11170
• WebSessionServerSecurityContextRepository provides Mono.cache option #​8422
• X509 should detect UserDetailsService bean #​11174

🪲 Bug Fixes

• @EnableMethodSecurity doesn't resolve annotations on interfaces through a Proxy #​11177
• Add shouldFilterAllDispatcherTypes to Kotlin DSL #​11153
• Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #​11165
• Multiple .requestMatchers().mvcMatchers() override previous one #​11185

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3 #​11218
• Update com.nimbusds to 9.35 #​11217
• Update htmlunit to 2.61.0 #​11222
• Update htmlunit-driver to 2.61.0 #​11224
• Update io.projectreactor to 2020.0.19 #​11220
• Update mockk to 1.12.4 #​11219
• Update org.jetbrains.kotlin to 1.6.21 #​11223
• Update org.springframework to 5.3.20 #​11225
• Update org.springframework.data to 2021.2.0 #​11228
• Update reactor-netty to 1.1.0-M2 #​11221
• Update spring-data-jpa to 2.7.0-RC1 #​11226
• Update spring-ldap-core to 2.4.0 #​11227

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​evgeniycheban

v5.6.12

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13460

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13505
• Update org.springframework to 5.3.29 #​13508
• Update reactor-netty to 1.0.34 #​13506

v5.6.11

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13403
• Use Antora name of security #​13327

🪲 Bug Fixes

• Fix Antora Warnings #​13210
• Fix Documentation Title #​13314

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13390
• Update hibernate-entitymanager to 5.6.15.Final #​13400
• Update io.projectreactor to 2020.0.33 #​13387
• Update io.rsocket to 1.1.4 #​13392
• Update io.spring.nohttp to 0.0.11 #​13394
• Update jackson-bom to 2.13.5 #​13375
• Update jackson-databind to 2.13.5 #​13378
• Update jackson-datatype-jsr310 to 2.13.5 #​13381
• Update logback-classic to 1.2.12 #​13372
• Update mockk to 1.12.8 #​13384
• Update org.antora.gradle.plugin to 1.0.0 #​13396
• Update org.aspectj to 1.9.19 #​13398
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13399
• Update org.springframework to 5.3.28 #​13401
• Update reactor-netty to 1.0.33 #​13389

v5.6.10

Compare Source

⭐ New Features

• Replace deprecated set-state set-output GitHub Action's commands #​12032
• update generateAntora task to make prereleases unique #​12083

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12090
• docs: fix realm typo #​12120
• Fix AuthorizationFilter diagram in docs #​12274
• Fix typo in DefaultLoginPageConfigurer Javadoc #​12311
• Fix typo on opaque-token.adoc #​12114
• Fix: Replace tenantRepository with tenants #​12269
• Incorrect scope map fix #​12144
• OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #​12295
• Outdated example in Javadoc of UrlAuthorizationConfigurer #​11487
• Saml2MetadataFilter response should configure writer to UTF-8 #​12026
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​3065
• Update the RP-initiated Logout links #​12081

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12152
• Update Gradle to 7.5.1 #​11779
• Update hibernate-entitymanager to 5.6.14.Final #​12388
• Update httpclient to 4.5.14 #​12386
• Update io.projectreactor to 2020.0.26 #​12384
• Update jackson-bom to 2.13.4.20221013 #​12381
• Update jackson-databind to 2.13.4.2 #​12382
• Update mockk to 1.12.8 #​12383
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12387
• Update org.springframework to 5.3.24 #​12389
• Update org.springframework.data to 2021.1.10 #​12390
• Update reactor-netty to 1.0.26 #​12385

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​markkovari
• @​ghusta
• @​mojavelinux
• @​selllami
• @​cbot59

v5.6.9

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12102
• Fix scope mapping #​12101

v5.6.8

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11943

🪲 Bug Fixes

• Add rncToXsd task description to CONTRIBUTING.adoc #​11935
• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11730
• Build fails with missing project property cloneOutputDirectory #​11969
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11708
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11728
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11712
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11724
• Updated reference to architecture page #​11778

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11827
• Update hibernate-entitymanager to 5.6.12.Final #​12005
• Update io.projectreactor to 2020.0.24 #​12001
• Update io.rsocket to 1.1.3 #​12003
• Update jackson-bom to 2.13.4.20221012 #​11997
• Update jackson-databind to 2.13.4.1 #​11998
• Update jackson-datatype-jsr310 to 2.13.4 #​11999
• Update mockk to 1.12.8 #​12000
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12004
• Update org.springframework to 5.3.23 #​12006
• Update org.springframework.data to 2021.1.8 #​12007
• Update reactor-netty to 1.0.24 #​12002

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rwinch
• @​underground-hill
• @​mojavelinux
• @​jprinet
• @​Kehrlann

v5.6.7

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​11612
• Set permissions for GitHub actions #​11644

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11636
• Fix saganCreateRelease saganDeleteRelease Required Permissions #​11426
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11608
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11673
• Sources and javadocs missing in latest snapshots #​11629
• Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11485

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.10.Final #​11683
• Update io.projectreactor to 2020.0.22 #​11680
• Update jsonassert to 1.5.1 #​11684
• Update mockk to 1.12.5 #​11679
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11682
• Update org.springframework to 5.3.22 #​11685
• Update org.springframework.data to 2021.1.6 #​11686
• Update reactor-netty to 1.0.22 #​11681

v5.6.6

Compare Source

⭐ New Features

• Consider updating testing examples to use JUnit Jupiter #​11292

🪲 Bug Fixes

• CsrfWebFilter null save content-type check #​11342
• Docs example uses access(String) with authorizeHttpRequests() #​11297
• Fix typo in BasicLookupStrategy Javadoc #​11340
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​11385
• SAML request encoding: on redirect binding, base64 encoded message contains CRLF #​11285
• Should SAML metadata EntityDescriptor tag have the md: prefix? #​11310
• Some Security Expressions cause NPE when used within @Query #​11290

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.9.Final #​11416
• Update io.projectreactor to 2020.0.20 #​11414
• Update jackson-bom to 2.13.3 #​11411
• Update jackson-databind to 2.13.3 #​11412
• Update jackson-datatype-jsr310 to 2.13.3 #​11413
• Update org.opensaml:opensaml-core4 to 4.1.1 #​11420
• Update org.springframework to 5.3.21 #​11417
• Update org.springframework.data to 2021.1.5 #​11418
• Update reactor-netty to 1.0.20 #​11415
• Update spring-ldap-core to 2.3.8.RELEASE #​11419

v5.6.5

Compare Source

🪲 Bug Fixes

• StrictHttpFirewall incorrectly rejects valid CJKV characters #​11267

v5.6.4

Compare Source

⭐ New Features

• Check Samples should run against the current artifacts #​11200

🪲 Bug Fixes

• Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #​11166
• Multiple .requestMatchers().mvcMatchers() override previous one #​11186

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.19 #​11207
• Update mockk to 1.12.4 #​11206
• Update org.springframework to 5.3.20 #​11209
• Update org.springframework.data to 2021.1.4 #​11210
• Update reactor-netty to 1.0.19 #​11208

v5.6.3

Compare Source

🪲 Bug Fixes

• AuthorizationManagerWebInvocationPrivilegeEvaluator should grant access when AuthorizationManager abstains #​10951
• Change HashSet to LinkedHashSet for RelyingPartyRegistration credentials #​10916
• Fix saml2 authentication-requests documentation #​11047
• Remove "Hi servlet/authentication/architecture there" from docs #​10963

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.8.Final #​11124
• Update io.projectreactor to 2020.0.18 #​11119
• Update io.rsocket to 1.1.2 #​11121
• Update jackson-bom to 2.13.2.20220328 #​11115
• Update jackson-databind to 2.13.2.2 #​11116
• Update jackson-datatype-jsr310 to 2.13.2 #​11117
• Update logback-classic to 1.2.11 #​11114
• Update mockk to 1.12.3 #​11118
• Update org.aspectj to 1.9.9.1 #​11122
• Update org.eclipse.jetty to 9.4.46.v20220331 #​11123
• Update org.springframework to 5.3.19 #​11125
• Update org.springframework.data to 2021.1.3 #​11126
• Update reactor-netty to 1.0.18 #​11120
• Update spring-ldap-core to 2.3.7.RELEASE #​11127

v5.6.2

Compare Source

⏪ Breaking Changes

• Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #​10734

⭐ New Features

• Document Authorize HTTP Requests for Reactive Security #​10801
• Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #​10682

🪲 Bug Fixes

• add Kotlin examples for Spring Data Integration of servlet application #​10848
• commons-logging:commons-logging is a transitive dependency of some modules #​10772
• Do not rely on javax. group ids #​10770
• Fix broken link to SAML2 login example #​10806
• Getting Spring Security Reference Docs have a error #​10796
• Make source code compatible with JDK 8 #​10699
• Replace StringUtils class of oauth2-oidc-sdk completely #​10824
• RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext #​10792
• WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #​10680

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.5.Final #​10873
• Update io.projectreactor to 2020.0.16 #​10867
• Update io.spring.javaformat to 0.0.31 [#​10870](https://github.com/spring

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.