Update dependency org.springframework.security:spring-security-web to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.security:spring-security-web (source)	3.2.10.RELEASE -> 5.7.13

GitHub Vulnerability Alerts

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

CVE-2022-22978

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

CVE-2024-38821

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

• It must be a WebFlux application
• It must be using Spring's static resources support
• It must have a non-permitAll authorization rule applied to the static resources support

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.7.13

Compare Source

v5.7.12

Compare Source

🪲 Bug Fixes

• Check for null Authentication #​14715

v5.7.11

Compare Source

⭐ New Features

• Automate spring-security.xsd #​13819

v5.7.10

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13461

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13509
• Update org.springframework to 5.3.29 #​13511
• Update org.springframework.data to 2021.2.14 #​13512
• Update reactor-netty to 1.0.34 #​13510

v5.7.9

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13404
• Use Antora name of security #​13328

🪲 Bug Fixes

• Additional filters registered when using Custom DSL #​13203
• Clarify that Kotlin DSL needs an import #​13092
• Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13098
• Fix Antora Warnings #​13291
• Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13155
• Fix Documentation Title #​13315
• Fix javadoc for migration from WebSecurityConfigurerAdapter #​12996
• Fix typo in SecurityMockMvcResultMatchers.java #​12793
• fix typo of modules.adoc #​12921
• Fix typo overview.adoc #​13269
• http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13131
• Proxy Server section is not linked in nav #​13313
• Typos in docs #​13283

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.33 #​13373
• Update io.rsocket to 1.1.4 #​13379
• Update org.springframework to 5.3.28 #​13382
• Update org.springframework.data to 2021.2.13 #​13385
• Update reactor-netty to 1.0.33 #​13376

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Anubhav-2000
• @​SeasonPanPan
• @​amal-stack
• @​1993heqiang
• @​xak2000

v5.7.8

Compare Source

⭐ New Features

• Clarify documentation code snippet(s) (unclear where static imported methods come from) #​6597
• Document relationship between registrationId, EntityID, and resolving a relying party #​12764

🪲 Bug Fixes

• Add test to SimpleUrlAuthenticationSuccessHandlerTests #​12740
• Avoid NPE in FilterInvocation #​12922
• EntityId ignored in xml relying-party-registration #​11898
• Fix a javadoc typo in ReactiveAuthorizationManager #​12998
• Fix a javadoc typo in ReactiveAuthorizationManager #​12978
• Fix typo in SessionManagementConfigurer javadoc #​12820
• Missing spring-security-oauth2 xsds after release #​12804
• NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #​12960
• RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #​12664
• SwitchUserFilter should use HttpSessionSecurityContextRepository by default #​12834

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13016
• Update io.projectreactor to 2020.0.31 #​13014
• Update logback-classic to 1.2.12 #​13013
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13017
• Update org.springframework to 5.3.27 #​13018
• Update org.springframework.data to 2021.2.11 #​13019
• Update reactor-netty to 1.0.31 #​13015

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​marckchr
• @​yuanhang
• @​twosom
• @​esivakumar18
• @​martin-tarjanyi

v5.7.7

Compare Source

⭐ New Features

• chore: Use cache in continuous-integration-workflow.yml #​12503
• fix unclosed block in docs #​12542

🪲 Bug Fixes

• AuthorizationManager method security documentation should use AnnotationMatchingPointcut #​11095
• Document XMLObject retreival for Asserting Party metadata #​12667
• Fix typo in OAuth 2.0 testing docs #​12437
• Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #​11785
• NimbusJwtDecoder unknown KID scenario is not correctly tested #​12238
• NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #​12637
• SwitchUserFilter not working in Spring Security 6 #​12504
• Wrong name of the filter in the SecurityContextHolderFilter diagram #​11800

🔨 Dependency Upgrades

• Update blockhound to 1.0.7.RELEASE #​12733
• Update hibernate-entitymanager to 5.6.15.Final #​12736
• Update io.projectreactor to 2020.0.28 #​12732
• Update io.spring.nohttp to 0.0.11 #​12734
• Update jackson-bom to 2.13.5 #​12731
• Update org.aspectj to 1.9.19 #​12735
• Update org.springframework to 5.3.25 #​12737
• Update org.springframework.data to 2021.2.8 #​12738

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jonkjenn
• @​mojavelinux
• @​jongwooo
• @​eleftherias

v5.7.6

Compare Source

⭐ New Features

• Improve deprecation notice in WebSecurityConfigurerAdapter #​12260
• Replace deprecated set-state set-output GitHub Action's commands #​12297

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12407
• Fix AuthorizationFilter diagram in docs #​12285
• Incorrect scope map fix #​12205
• SAML logout: Incorrect log messages #​12208
• Saml2MetadataFilter response should configure writer to UTF-8 #​12221
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​12125
• Update the RP-initiated Logout links #​12121

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12153
• Update Gradle to 7.5.1 #​12157
• Update hibernate-entitymanager to 5.6.14.Final #​12397
• Update httpclient to 4.5.14 #​12395
• Update io.projectreactor to 2020.0.26 #​12393
• Update jackson-bom to 2.13.4.20221013 #​12391
• Update jackson-databind to 2.13.4.2 #​12392
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12396
• Update org.springframework to 5.3.24 #​12398
• Update org.springframework.data to 2021.2.6 #​12399
• Update reactor-netty to 1.0.26 #​12394

v5.7.5

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12113
• Fix scope mapping #​12112
• IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #​11888

v5.7.4

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11955

🪲 Bug Fixes

• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11729
• Build fails with missing project property cloneOutputDirectory #​11979
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11707
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11727
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11711
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11723
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11744

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11830
• Update hibernate-entitymanager to 5.6.10.Final #​11745
• Update hibernate-entitymanager to 5.6.12.Final #​12016
• Update io.projectreactor to 2020.0.22 #​11743
• Update io.projectreactor to 2020.0.24 #​12012
• Update io.rsocket to 1.1.3 #​12014
• Update jackson-bom to 2.13.4.20221012 #​12008
• Update jackson-databind to 2.13.4.1 #​12009
• Update jackson-datatype-jsr310 to 2.13.4 #​12010
• Update jsonassert to 1.5.1 #​11741
• Update mockk to 1.12.8 #​12011
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11740
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12015
• Update org.springframework to 5.3.22 #​11739
• Update org.springframework to 5.3.23 #​12017
• Update org.springframework.data to 2021.1.6 #​11742
• Update org.springframework.data to 2021.2.4 #​12018
• Update reactor-netty to 1.0.24 #​12013

v5.7.3

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​9998
• Set permissions for GitHub actions #​11642
• Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11650

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11637
• Check saganCreateRelease saganDeleteRelease Required Permissions #​11425
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11605
• RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #​11606
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11672
• Sources and javadocs missing in latest snapshots #​11628
• Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11484
• Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11651

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.10.Final #​11694
• Update io.projectreactor to 2020.0.22 #​11691
• Update jsonassert to 1.5.1 #​11696
• Update mockk to 1.12.5 #​11690
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11693
• Update org.jetbrains.kotlinx to 1.6.4 #​11695
• Update org.springframework to 5.3.22 #​11697
• Update org.springframework.data to 2021.2.2 #​11698

v5.7.2

Compare Source

⭐ New Features

• Consider updating testing examples to use JUnit Jupiter #​11293

🪲 Bug Fixes

• Some Security Expressions cause NPE when used within @Query #​11289
• CsrfWebFilter null save content-type check #​11341
• Docs example uses access(String) with authorizeHttpRequests() #​11296
• Fix typo in BasicLookupStrategy Javadoc #​11339
• KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #​11358
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​11384
• SAML request encoding: on redirect binding, base64 encoded message contains CRLF #​11284
• SecurityContextRepository.loadContext(HttpServletRequest) cache result #​11390
• Should SAML metadata EntityDescriptor tag have the md: prefix? #​11311
• Update opaque-token.adoc #​11303

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3.1 #​11402
• Update hibernate-entitymanager to 5.6.9.Final #​11405
• Update io.projectreactor to 2020.0.20 #​11403
• Update jackson-bom to 2.13.3 #​11399
• Update jackson-databind to 2.13.3 #​11400
• Update jackson-datatype-jsr310 to 2.13.3 #​11401
• Update org.jetbrains.kotlinx to 1.6.3 #​11406
• Update org.opensaml:opensaml-core4 to 4.1.1 #​11410
• Update org.springframework to 5.3.21 #​11407
• Update org.springframework.data to 2021.2.1 #​11408
• Update reactor-netty to 1.0.20 #​11404
• Update spring-ldap-core to 2.4.1 #​11409

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​andrelugomes

v5.7.1

Compare Source

🪲 Bug Fixes

• StrictHttpFirewall incorrectly rejects valid CJKV characters #​11266

v5.7.0

Compare Source

⭐ New Features

• Check Samples should run against the current artifacts #​11199
• Consider replacing an inner loop with Set of authority strings in AuthorityAuthorizationManager#isAuthorized #​11188
• Remember me should detect UserDetailsService bean #​11170
• WebSessionServerSecurityContextRepository provides Mono.cache option #​8422
• X509 should detect UserDetailsService bean #​11174

🪲 Bug Fixes

• @EnableMethodSecurity doesn't resolve annotations on interfaces through a Proxy #​11177
• Add shouldFilterAllDispatcherTypes to Kotlin DSL #​11153
• Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #​11165
• Multiple .requestMatchers().mvcMatchers() override previous one #​11185

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3 #​11218
• Update com.nimbusds to 9.35 #​11217
• Update htmlunit to 2.61.0 #​11222
• Update htmlunit-driver to 2.61.0 #​11224
• Update io.projectreactor to 2020.0.19 #​11220
• Update mockk to 1.12.4 #​11219
• Update org.jetbrains.kotlin to 1.6.21 #​11223
• Update org.springframework to 5.3.20 #​11225
• Update org.springframework.data to 2021.2.0 #​11228
• Update reactor-netty to 1.1.0-M2 #​11221
• Update spring-data-jpa to 2.7.0-RC1 #​11226
• Update spring-ldap-core to 2.4.0 #​11227

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​evgeniycheban

v5.6.12

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13460

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13505
• Update org.springframework to 5.3.29 #​13508
• Update reactor-netty to 1.0.34 #​13506

v5.6.11

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13403
• Use Antora name of security #​13327

🪲 Bug Fixes

• Fix Antora Warnings #​13210
• Fix Documentation Title #​13314

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13390
• Update hibernate-entitymanager to 5.6.15.Final #​13400
• Update io.projectreactor to 2020.0.33 #​13387
• Update io.rsocket to 1.1.4 #​13392
• Update io.spring.nohttp to 0.0.11 #​13394
• Update jackson-bom to 2.13.5 #​13375
• Update jackson-databind to 2.13.5 #​13378
• Update jackson-datatype-jsr310 to 2.13.5 #​13381
• Update logback-classic to 1.2.12 #​13372
• Update mockk to 1.12.8 #​13384
• Update org.antora.gradle.plugin to 1.0.0 #​13396
• Update org.aspectj to 1.9.19 #​13398
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13399
• Update org.springframework to 5.3.28 #​13401
• Update reactor-netty to 1.0.33 #​13389

v5.6.10

Compare Source

⭐ New Features

• Replace deprecated set-state set-output GitHub Action's commands #​12032
• update generateAntora task to make prereleases unique #​12083

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12090
• docs: fix realm typo #​12120
• Fix AuthorizationFilter diagram in docs #​12274
• Fix typo in DefaultLoginPageConfigurer Javadoc #​12311
• Fix typo on opaque-token.adoc #​12114
• Fix: Replace tenantRepository with tenants #​12269
• Incorrect scope map fix #​12144
• OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #​12295
• Outdated example in Javadoc of UrlAuthorizationConfigurer #​11487
• Saml2MetadataFilter response should configure writer to UTF-8 #​12026
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​3065
• Update the RP-initiated Logout links #​12081

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12152
• Update Gradle to 7.5.1 #​11779
• Update hibernate-entitymanager to 5.6.14.Final #​12388
• Update httpclient to 4.5.14 #​12386
• Update io.projectreactor to 2020.0.26 #​12384
• Update jackson-bom to 2.13.4.20221013 #​12381
• Update jackson-databind to 2.13.4.2 #​12382
• Update mockk to 1.12.8 #​12383
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12387
• Update org.springframework to 5.3.24 #​12389
• Update org.springframework.data to 2021.1.10 #​12390
• Update reactor-netty to 1.0.26 #​12385

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​markkovari
• @​ghusta
• @​mojavelinux
• @​selllami
• @​cbot59

v5.6.9

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12102
• Fix scope mapping #​12101

v5.6.8

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11943

🪲 Bug Fixes

• Add rncToXsd task description to CONTRIBUTING.adoc #​11935
• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11730
• Build fails with missing project property cloneOutputDirectory #​11969
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11708
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11728
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11712
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11724
• Updated reference to architecture page #​11778

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11827
• Update hibernate-entitymanager to 5.6.12.Final #​12005
• Update io.projectreactor to 2020.0.24 #​12001
• Update io.rsocket to 1.1.3 #​12003
• Update jackson-bom to 2.13.4.20221012 #​11997
• Update jackson-databind to 2.13.4.1 #​11998
• Update jackson-datatype-jsr310 to 2.13.4 #​11999
• Update mockk to 1.12.8 #​12000
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12004
• Update org.springframework to 5.3.23 #​12006
• Update org.springframework.data to 2021.1.8 #​12007
• Update reactor-netty to 1.0.24 #​12002

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rwinch
• @​underground-hill
• @​mojavelinux
• @​jprinet
• @​Kehrlann

v5.6.7

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​11612
• Set permissions for GitHub actions #​11644

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11636
• Fix saganCreateRelease saganDeleteRelease Required Permissions #​11426
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11608
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11673
• Sources and javadocs missing in latest snapshots #​11629
• Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11485

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.10.Final #​11683
• Update io.projectreactor to 2020.0.22 #​11680
• Update jsonassert to 1.5.1 #​11684
• Update mockk to 1.12.5 #​11679
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11682
• Update org.springframework to 5.3.22 #​11685
• Update org.springframework.data to 2021.1.6 #​11686
• Update reactor-netty to 1.0.22 #​11681

v5.6.6

Compare Source

⭐ New Features

• Consider updating testing examples to use JUnit Jupiter #​11292

🪲 Bug Fixes

• CsrfWebFilter null save content-type check #​11342
• Docs example uses access(String) with authorizeHttpRequests() #​11297
• Fix typo in BasicLookupStrategy Javadoc #​11340
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​11385
• SAML request encoding: on redirect binding, base64 encoded message contains CRLF #​11285
• Should SAML metadata EntityDescriptor tag have the md: prefix? #​11310
• Some Security Expressions cause NPE when used within @Query #​11290

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.9.Final #​11416
• Update io.projectreactor to 2020.0.20 #​11414
• Update jackson-bom to 2.13.3 #​11411
• Update jackson-databind to 2.13.3 #​11412
• Update jackson-datatype-jsr310 to 2.13.3 #​11413
• Update org.opensaml:opensaml-core4 to 4.1.1 #​11420
• Update org.springframework to 5.3.21 #​11417
• Update org.springframework.data to 2021.1.5 #​11418
• Update reactor-netty to 1.0.20 #​11415
• Update spring-ldap-core to 2.3.8.RELEASE #​11419

v5.6.5

Compare Source

🪲 Bug Fixes

• StrictHttpFirewall incorrectly rejects valid CJKV characters #​11267

v5.6.4

Compare Source

⭐ New Features

• Check Samples should run against the current artifacts #​11200

🪲 Bug Fixes

• Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #​11166
• Multiple .requestMatchers().mvcMatchers() override previous one #​11186

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.19 #​11207
• Update mockk to 1.12.4 #​11206
• Update org.springframework to 5.3.20 #​11209
• Update org.springframework.data to 2021.1.4 #​11210
• Update reactor-netty to 1.0.19 #​11208

v5.6.3

Compare Source

🪲 Bug Fixes

• AuthorizationManagerWebInvocationPrivilegeEvaluator should grant access when AuthorizationManager abstains #​10951
• Change HashSet to LinkedHashSet for RelyingPartyRegistration credentials #​10916
• Fix saml2 authentication-requests documentation #​11047
• Remove "Hi servlet/authentication/architecture there" from docs #​10963

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.8.Final #​11124
• Update io.projectreactor to 2020.0.18 #​11119
• Update io.rsocket to 1.1.2 #​11121
• Update jackson-bom to 2.13.2.20220328 #​11115
• Update jackson-databind to 2.13.2.2 #​11116
• Update jackson-datatype-jsr310 to 2.13.2 #​11117
• Update logback-classic to 1.2.11 #​11114
• Update mockk to 1.12.3 #​11118
• Update org.aspectj to 1.9.9.1 #​11122
• Update org.eclipse.jetty to 9.4.46.v20220331 #​11123
• Update org.springframework to 5.3.19 #​11125
• Update org.springframework.data to 2021.1.3 #​11126
• Update reactor-netty to 1.0.18 #​11120
• Update spring-ldap-core to 2.3.7.RELEASE #​11127

v5.6.2

Compare Source

⏪ Breaking Changes

• Saml2 metadata includes SingleLogoutService even if saml2 logout is disabled / not configured #​10734

⭐ New Features

• Document Authorize HTTP Requests for Reactive Security #​10801
• Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator #​10682

🪲 Bug Fixes

• add Kotlin examples for Spring Data Integration of servlet application #​10848
• commons-logging:commons-logging is a transitive dependency of some modules #​10772
• Do not rely on javax. group ids #​10770
• Fix broken link to SAML2 login example #​10806
• Getting Spring Security Reference Docs have a error #​10796
• Make source code compatible with JDK 8 #​10699
• Replace StringUtils class of oauth2-oidc-sdk completely #​10824
• RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext #​10792
• WebInvocationPrivilegeEvaluator Bean should support multiple SecurityFilterChains #​10680

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.5.Final #​10873
• Update io.projectreactor to 2020.0.16 #​10867
• Update io.spring.javaformat to 0.0.31 #​10870
• Update logback-classic to 1.2.10 #​10865
• Update mockk to 1.12.2 #​10866
• Update org.aspectj to 1.9.8 #​10871
• Update org.eclipse.jetty to 9.4.45.v20220203 #​10872
• Update org.slf4j to 1.7.36 #​10874
• Update org.springframework to 5.3.16 #​10875
• Update org.springframework.data to 2021.1.2 #​10876
• Update r2dbc-h2 to 0.8.5.RELEASE #​10869
• Update reactor-netty to 1.0.16 #​10868
• Update spring-ldap-core to 2.3.6.RELEASE #​10877

[v5.6.1](https://github.com/spring-projects/spring-security/releases/tag/5.6

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.