fix(deps): update dependency org.springframework.security:spring-security-web to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework.security:spring-security-web (source)	3.1.3.RELEASE -> 5.4.11

GitHub Vulnerability Alerts

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

CVE-2022-22978

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.4.11

Compare Source

v5.4.10

Compare Source

🪲 Bug Fixes

• StaticServerHttpHeadersWriter should work with case-insensitive header names #​10583
• Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10562
• MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10532
• Documentation has wrong code example in the 'Customizing OpenSAML’s AuthnRequest Instance' section #​10528
• Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10521
• Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10517
• Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10485
• WebInvocationPrivilegeEvaluator does not provide a way to pass a ServletContext #​10437

v5.4.9

Compare Source

⭐ New Features

• Add Documentation for Static Methods Classes for mockJwt() and jwt() #​10266

🪲 Bug Fixes

• SAML 2.0 Login should allow loginProcessingUrl without {registrationId} when providing an AuthenticationConverter #​10342
• JwtTimeStampValidator uses wrong error on token expiration #​10329
• Fix typo #​10314
• Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #​10258
• MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #​10209

🔨 Dependency Upgrades

• Update to Spring Boot 2.4.11 #​10418

v5.4.8

Compare Source

⭐ New Features

• Remove -PdeployDocsHost=docs-ip.spring.io from Build #​10021

🪲 Bug Fixes

• Regression with URL encode client credentials #​10126
• AuthenticationFailureEvent does not exist #​10107
• Fix a typo in some class names in the oauth documentation #​10052
• Fix Saml2WebSsoAuthenticationRequestFilter javadoc #​10027
• Update to use s01.oss.sonatype.org Maven Publishing #​10015
• Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #​10009
• logoutSuccessUrl in DefaultLoginPageGeneratingFilter is not set #​9997

🔨 Dependency Upgrades

• Update to Spring Boot 2.4.8 #​10181
• Update to spring-build-conventions:0.0.38 #​10020

v5.4.7

Compare Source

⭐ New Features

• Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9920

🪲 Bug Fixes

• Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9942
• Missing log of "caused by" exception when OP document metadata cannot be reached #​9940
• Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #​9930
• Adding filters relative to custom ones is broken #​9908
• SEC-3139: Anonymous authentication token not passed to Controller #​9891
• Clarify quick start section in README #​9886
• RSocket and WebClient with Security refCount: 0 #​9871
• Client credentials not correctly encoded in Basic Auth #​9861
• Docs should state default value for Resource Server validation clock skew is 60 seconds #​9848
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​9820
• DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9807
• OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9802
• NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #​9800
• docs.af.pivotal.io->docs-ip.spring.io #​9686
• Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #​9681
• NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #​9674
• WebFlux httpBasic() should match on XHR requests #​9662
• HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #​9643
• oauth2Login() generates authorization links for "client_credentials" grant type #​9637

v5.4.6

Compare Source

🪲 Bug Fixes

• Add null check in CsrfFilter and CsrfWebFilter #​9592
• @​Order annotations cannot be used with @​Bean methods #​9517

🔨 Dependency Upgrades

• Update to Spring Boot 2.4.4 #​9613

v5.4.5

Compare Source

🪲 Bug Fixes

• Downgrade to Nimbus JOSE JWT 8.+ #​9453

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​wilkinsona

v5.4.4

Compare Source

This release fixes a problem with the release of 5.4.3

⭐ New Features

• Migrate SAML 2.0 Samples to Use PCFOne #​9369
• Resolve artifacts from Maven Central first #​9367
• Use constant time comparisons for CSRF tokens #​9357
• Improve HttpSessionSecurityContextSessionRepository Performance #​9388

🪲 Bug Fixes

• OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9426
• Fix custom marshaller example #​9409
• Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9403
• CurrentSecurityContextArgumentResolver should configure BeanResolver #​9402
• Consider downgrading to Nimbus 8 #​9399
• Remove notEmpty check for authorities in DefaultOAuth2User #​9396
• Wrong example name in Spring Security documentation #​9383
• Make user info response status check error only #​9376
• Malformed WWW-Authenticate Causes NPE #​9364
• CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9338
• Exception when declaring multiple AuthenticationManager beans #​9332
• webflux-x509 sample cert needs renewal #​9322
• OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9258

🔨 Dependency Upgrades

• Update to GAE 1.9.86 #​9448
• Update to Spring Boot 2.4.2 #​9447
• Update to Kotlin 1.4.30 #​9446

v5.4.3

Compare Source

⭐ New Features

• Migrate SAML 2.0 Samples to Use PCFOne #​9369
• Resolve artifacts from Maven Central first #​9367
• Use constant time comparisons for CSRF tokens #​9357
• Improve HttpSessionSecurityContextSessionRepository Performance #​9388

🪲 Bug Fixes

• OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9426
• Fix custom marshaller example #​9409
• Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9403
• CurrentSecurityContextArgumentResolver should configure BeanResolver #​9402
• Consider downgrading to Nimbus 8 #​9399
• Remove notEmpty check for authorities in DefaultOAuth2User #​9396
• Wrong example name in Spring Security documentation #​9383
• Make user info response status check error only #​9376
• Malformed WWW-Authenticate Causes NPE #​9364
• CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9338
• Exception when declaring multiple AuthenticationManager beans #​9332
• webflux-x509 sample cert needs renewal #​9322
• OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9258

🔨 Dependency Upgrades

• Update to GAE 1.9.86 #​9448
• Update to Spring Boot 2.4.2 #​9447
• Update to Kotlin 1.4.30 #​9446

v5.4.2

Compare Source

⭐ New Features

• Update snapshot build dependencies #​9254
• Update to Gradle 6.6.1 #​9232

🪲 Bug Fixes

• Tests should not combine Authentication and @​AuthenticationPrincipal #​9255
• Remove empty Appendix Section from docs #​9253
• CookieRequestCache handles URL encoded query parameters incorrectly #​9252
• Improve Metadata URL Documentation #​9251

🔨 Dependency Upgrades

• Update to Google App Engine 1.9.83 #​9250
• Update to Kotlin 1.4.20 #​9249
• Update to Spring Boot 2.4.0 #​9248
• 5.4.x Snapshot Build Should Point to Other Maintenance Branches #​9162

v5.4.1

Compare Source

⭐ New Features

• Replace expired msdn link with latest web archive copy #​9050
• Add documentation for StrictHttpFirewall enhancements #​9038
• Replace Tomcat6 URL for SSL Guide to Tomcat 10 #​9034
• Use AssertJ for exception testing #​9013

🪲 Bug Fixes

• Add try-with-resources to close stream #​9053
• RelyingPartyRegistrations Fails to Read Keycloak Metadata #​9051
• fix miswritten comment of FormLoginDsl.kt #​9042
• Adapt to WebClient's new exception wrapping #​9031
• StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #​9026
• Fix broken Mono chain #​9022
• Use Schedulers.boundedElastic for UUID.randomUUID #​9021
• CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #​9018
• WebSessionServerCsrfTokenRepository#generateToken() don't use Schedulers.boundedElastic() #​9017
• NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #​9011
• Quick javadoc fix for DelegatingPasswordEncoder #​8890

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​muRn
• @​b12f10w
• @​uy-rrodriguez
• @​geonu1109
• @​tt4g
• @​philwebb
• @​MeTPP

v5.4.0

Compare Source

⭐ New Features

• Add What's New in 5.4 #​9002
• Add What's New in 5.4 Section to Docs #​9001
• Add Resource Server Servlet Logging #​9000
• Simplify saml2Login Samples #​8990
• Remove Framework Tests from saml2Login Sample #​8989
• Add authenticationManagerResolver to resource server Kotlin DSL #​8981
• Generalize SAML 2.0 Assertion Validation Support #​8970
• Update abstract-authentication-processing-filter.adoc #​8965
• Add spring-javaformat checkstyle and formatting #​8946
• Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #​8926
• Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #​8892
• Resolve oauth2 client-id, client-secret placeholders #​8880
• Restructure SAML 2.0 documentation #​8763
• security:client-registrations doesn't take propertyconfigurer properties #​8453

🪲 Bug Fixes

• Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #​8986
• NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #​8948
• SAML attributes not parsed correctly with prefixed XML elements #​8864
• Don't use oidc scopes_supported for scope as default in ClientRegistrations #​8790
• scopes_supported metadata should not be used as default in ClientRegistrations #​8514

🔨 Dependency Upgrades

• Set springDataVersion to Neumann-SR+ #​9007
• Set rsocketVersion to 1.0.+ #​9006

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​evgeniycheban
• @​jzheaux
• @​taoroot
• @​philwebb
• @​koishikawa11
• @​martin-v

v5.3.13.RELEASE

Compare Source

🪲 Bug Fixes

• Reactive resource server tests failing #​10660
• Gretty samples fail when using logback 1.2.9 #​10643
• StaticServerHttpHeadersWriter should work with case-insensitive header names #​10584
• Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors #​10563
• MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10533
• Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10522
• Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10518
• Oauth2 Resource Server will not retry on first failure with Multi-tenancy #​10486

🔨 Dependency Upgrades

• Update to AspectJ 1.9.7 #​10645
• Update to Google App Engine 1.9.93 #​10644

v5.3.12.RELEASE

Compare Source

⭐ New Features

• Add Documentation for Static Methods Classes for mockJwt() and jwt() #​10267

🪲 Bug Fixes

• JwtTimeStampValidator uses wrong error on token expiration #​10330
• Fix typo #​10315
• Saml2LoginConfigurer relyingPartyRegistrationRepository method does not return correct type #​10259
• MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #​10179

🔨 Dependency Upgrades

• Update to Google App Engine 1.9.88 #​10381
• Update to nohttp 0.0.10 #​10380

v5.3.11.RELEASE

Compare Source

⭐ New Features

• Remove -PdeployDocsHost=docs-ip.spring.io from Build #​10023

🪲 Bug Fixes

• Regression with URL encode client credentials #​10127
• AuthenticationFailureEvent does not exist #​10108
• Update to use s01.oss.sonatype.org Maven Publishing #​10024
• Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #​10010

🔨 Dependency Upgrades

• Update to spring-build-conventions:0.0.38 #​10022

v5.3.10.RELEASE

Compare Source

⭐ New Features

• Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9915

🪲 Bug Fixes

• Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9945
• Using the SecurityMockServerConfigurers.java requires the com.nimbusds oauth2-oidc-sdk on the classpath #​9932
• Adding filters relative to custom ones is broken #​9909
• SEC-3139: Anonymous authentication token not passed to Controller #​9892
• Clarify quick start section in README #​9887
• RSocket and WebClient with Security refCount: 0 #​9872
• Client credentials not correctly encoded in Basic Auth #​9862
• Docs should state default value for Resource Server validation clock skew is 60 seconds #​9850
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​9821
• DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9808
• OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9803
• NPE in HttpSessionSecurityContextRepository.isTransientAuthentication #​9799
• docs.af.pivotal.io->docs-ip.spring.io #​9687
• Buffer LEAK detected by ResourceLeakDetector in AuthenticationPayloadExchangeConverter #​9682
• WebFlux httpBasic() should match on XHR requests #​9664
• HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #​9644
• oauth2Login() generates authorization links for "client_credentials" grant type #​9638

v5.3.9.RELEASE

Compare Source

🪲 Bug Fixes

• Add null check in CsrfFilter and CsrfWebFilter #​9593

🔨 Dependency Upgrades

• Update to Spring Boot 2.2.13 #​9614

v5.3.8.RELEASE

Compare Source

This release fixes a problem with the release of 5.3.7.

⭐ New Features

• Improve HttpSessionSecurityContextSessionRepository Performance #​9391
• Improve HttpSessionSecurityContextSessionRepository Performance #​9389
• Migrate SAML 2.0 Samples to Use PCFOne #​9370
• Resolve artifacts from Maven Central first #​9368
• Use constant time comparisons for CSRF tokens #​9358

🪲 Bug Fixes

• Fix the 5.3.7.RELEASE
• OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9427
• CurrentSecurityContextArgumentResolver should configure BeanResolver #​9405
• Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9404
• Remove notEmpty check for authorities in DefaultOAuth2User #​9397
• Wrong example name in Spring Security documentation #​9384
• CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9339
• webflux-x509 sample cert needs renewal #​9323
• OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9259

v5.3.7.RELEASE

Compare Source

⭐ New Features

• Improve HttpSessionSecurityContextSessionRepository Performance #​9391
• Improve HttpSessionSecurityContextSessionRepository Performance #​9389
• Migrate SAML 2.0 Samples to Use PCFOne #​9370
• Resolve artifacts from Maven Central first #​9368
• Use constant time comparisons for CSRF tokens #​9358

🪲 Bug Fixes

• OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9427
• CurrentSecurityContextArgumentResolver should configure BeanResolver #​9405
• Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9404
• Remove notEmpty check for authorities in DefaultOAuth2User #​9397
• Wrong example name in Spring Security documentation #​9384
• CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9339
• webflux-x509 sample cert needs renewal #​9323
• OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9259

v5.3.6.RELEASE

Compare Source

🪲 Bug Fixes

• Remove empty Appendix Section from docs #​9161
• Tests should not combine Authentication and @​AuthenticationPrincipal #​9125

🔨 Dependency Upgrades

• Update to Google App Engine 1.9.83 #​9247
• Update to Spring Boot 2.2.11 #​9246

v5.3.5.RELEASE

Compare Source

🪲 Bug Fixes

• SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #​9057
• CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #​9024

🔨 Dependency Upgrades

• Update to AspectJ 1.9.6 #​9106
• Update to Google App Engine 1.9.82 #​9105
• Update to Spring Boot 2.2.10.RELEASE #​9104

v5.3.4.RELEASE

Compare Source

⭐ New Features

• Add logging #​8888
• Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #​8855
• formLogin() does not work with REST Docs #​8748
• Use Github Actions PR pipeline and remove Travis for 5.3.x #​8724

🪲 Bug Fixes

• ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #​8896
• OAuth2AuthenticationException should be in allowlist #​8863
• Resolved bearer token has no padding indicators #​8837
• Fix ProviderManager Javadoc typo #​8811
• LoginPageGeneratingWebFilter should honor context path #​8808
• OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #​8803
• RoleHierarchy is not used by AbstractAuthorizeTag #​8678
• OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #​8672
• ReactorContext not available in PayloadSocketAcceptor delegate.accept #​8655

🔨 Dependency Upgrades

• Update to spring-build-conventions:0.0.34.RELEASE #​8925
• Update to nohttp 0.0.5.RELEASE #​8924
• Update to GAE 1.9.81 #​8923
• Update to Spring Boot 2.2.9.RELEASE #​8922
• Update to spring-build-conventions:0.0.33.RELEASE #​8760

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​elliedori

v5.3.3.RELEASE

Compare Source

⭐ New Features

• Update BCryptPasswordEncoder documentation with default strength #​8574

🪲 Bug Fixes

• Delay AuthenticationPrincipalArgumentResolver Lookup #​8614
• Fix typos in BCryptPasswordEncoder documentation #​8601
• Fixing typo in SAML 2.0 Sample README #​8600
• Mock request with non-standard HTTP method in test #​8597
• Remove unused field 'digester' in Md4PasswordEncoder #​8575
• Polish JDBC Authentication documentation #​8573
• ACL : AclImpl.hashCode leads to StackOverflowError #​8569
• Fix Kotlin Sample Documentation #​8565
• Object ID Identity conversion to long fails on old schema #​8558
• Blocking in WebSessionServerCsrfTokenRepository #​8544
• Fix AntPathRequestMatcher Javadoc #​8526
• Document NoOpPasswordEncoder will not be removed #​8521
• Fix non-standard HTTP method for CsrfWebFilter #​8515

🔨 Dependency Upgrades

• Update to AppEngine 1.9.80 #​8647
• Update to Spring Boot 2.2.7.RELEASE #​8646
• Update to Kotlin 1.3.72 #​8645

v5.3.2.RELEASE

Compare Source

⭐ New Features

• SAML Authentication Provider assertions #​8491
• BCryptPasswordEncoder.encode() throws NPE #​8345

🪲 Bug Fixes

• Fix Javadoc punctuation #​8490
• Fixed typos in documentation #​8460
• JdbcOAuth2AuthorizedClientService should support update when saving #​8448
• Add ROLE_INFRASTRUCTURE to infrastructure beans #​8437
• Fix Documentation to Refer to BasicAuthenticationFilter #​8423
• Fix typo with correct capitalization #​8408
• Global ServerSecurityContextRepository ignored by logout #​8385
• Fix example in javadoc of FilterChainProxy #​8351
• Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #​8311

🔨 Dependency Upgrades

• Update to aspectj-plugin:4.1.6 #​8306

v5.3.1.RELEASE

Compare Source

⭐ New Features

• SpringTestContext returns ConfigurableWebApplicationContext #​8237
• OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #​8234
• SwitchUserFilter vulnerable to CSRF #​8222
• Clarify use case for ServerBearerExchangeFilterFunction #​8221
• Update Encryptors documentation for standard and stronger #​8211
• Document JwtGrantedAuthoritiesConverter #​8183
• userNameAttribute case style is different others #​8179
• Document AuthNRequest POST binding support #​8165
• Polish SAML 2.0 Login Sample #​8164
• OpenSamlImplementation should not use reflection #​8161
• Document AuthorizedClientServiceOAuth2AuthorizedClientManager #​8153
• Assign sensible default for OAuth2AuthorizedClientProvider #​8151
• Document OAuth2Authorization success and failure handlers #​8146
• Document Jackson serialization support for OAuth 2.0 Client #​8145
• Document OAuth 2.0 Authorization Request improvements #​8133
• Document OAuth 2.0 Login XML Support #​8132
• Document OAuth 2.0 Client XML Support #​8131
• Basic auth header without user results in exception #​8122
• Document AuthenticationEventPublisher improvements #​8103
• Typo 'properites' -> 'properties' in documentation #​8098
• Document OAuth 2.0 Resource Server XML Support #​8094
• Provide spring-security-5*.xsd for https://www.springframework.org/schema/security/ #​8091
• Document OIDC Logout Success Handler Improvements #​8088
• Add OAuth 2.0 Test Support Docs #​8087
• Update test to have comment about secure salt length #​8084
• Document JwtClaimValidator #​8076

🪲 Bug Fixes

• HttpServletRequest.logout() not functioning #​8238
• OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #​8209
• oauth2Login WebFlux should not auto-redirect for XHR request #​8201
• Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer #​8178
• RSocket test should throw AccessDeniedException #​8160
• Make OAuth2ErrorHttpMessageConverter more resilient #​8158
• Fix typo in Javadoc of HttpSecurity#csrf() #​8134
• NPE thrown when token response contains a null value #​8121
• Google's top result for "Spring Security Reference" returns a 404 #​8086
• 5.3.0 Documentation What's New has some broken links #​8069

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​YYTVicky

v5.3.0.RELEASE

Compare Source

⭐ New Features

• Update What's New Section #​8062
• Document JdbcOAuth2AuthorizedClientService #​8061
• Add oauth2login xml sample #​8060
• Update doc diagram palette to use sans-serif font #​8057
• Add SecurityFilterChain Figure #​8055
• oauth2Client Test Support should allow configuration of principal name #​8054
• Add Kotlin Configuration section to docs #​8051
• Add anchors to SAML 2.0 documentation #​8049
• Update UserDetailsService Docs #​8048
• Add Figures to Basic Authentication Docs #​8039
• Add Link to DispatcherServlet in Filter Review Doc #​8036
• Add Figures to Form Log In Docs #​8035
• Add Figure for AuthenticationEntryPoint Docs #​8030
• Add ProviderManager to Docs #​8029
• Custom ServerHttpHeadersWriter to HeaderSpec #​8028
• Add hasRole(String) to authorizeRequests in Kotlin DSL #​8023
• Add missing @​FunctionalInterface in oauth2 modules #​8020
• Provide configurable Clock in OidcIdTokenValidator #​8019
• Add OAuth2AuthorizeRequest.Builder.principal(String) #​8018
• Extract AuthenticationManager Docs #​8006
• Extract SecurityContextHolder, SecurityContext, Authentication, and GrantedAuthority Docs #​8005
• Add AbstractAuthenticationProcessingFilter Docs #​8004
• Extract AuthenticationEntryPoint Docs #​8003
• Extract ExceptionTranslationFilter Docs #​8002
• Extract FilterSecurityInterceptor Docs #​8001
• Use Color Palette that is Accessible for Color Blind #​8000
• Create a palette.odg #​7999
• Add Numbers Icons #​7998
• Instantiate exceptions lazily #​7996
• JwtIssuerReactiveAuthen

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.