Update dependency org.springframework.security:spring-security-core to v5.8.14 #143

Open
wants to merge 1 commit into
base: 5.0.x

renovate[bot]
Contributor

@renovate renovate bot commented Sep 10, 2022

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| org.springframework.security:spring-security-core (source) | 5.1.2.RELEASE -> 5.8.14 | age | adoption | passing | confidence |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-core)

v5.8.14

Compare Source

⭐ New Features

  • Document the role of CredentialsContainer #​15319

🪲 Bug Fixes

  • Clarify url Parameter Usage in AD Provider Constructor #​15409
  • Using sec:authorize in JSPX causes 'java.lang.NullPointerException: Cannot invoke "jakarta.servlet.ServletRegistration.getClassName()" because "registration" is null' #​15363

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #​15375
  • Bump io.projectreactor.netty:reactor-netty from 1.0.46 to 1.0.47 #​15391
  • Bump io.projectreactor.netty:reactor-netty from 1.0.47 to 1.0.48 #​15606
  • Bump io.projectreactor:reactor-bom from 2020.0.45 to 2020.0.46 #​15390
  • Bump io.projectreactor:reactor-bom from 2020.0.46 to 2020.0.47 #​15604
  • Bump org-eclipse-jetty from 9.4.54.v20240208 to 9.4.55.v20240627 #​15360
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.2 #​15291
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #​15335
  • Bump org.springframework:spring-framework-bom from 5.3.37 to 5.3.39 #​15615

🔩 Build Updates

  • Automate check of expected branch version #​15226
  • Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #​15447
  • Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #​15484
  • Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #​15558
  • Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #​15633
  • Bump @springio/antora-extensions from 1.11.1 to 1.12.0 in /docs #​15417
  • Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #​15523
  • Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #​15559
  • Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #​15632
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.10 to 1.0.0-alpha.11 in /docs #​15416
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #​15524
  • Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #​15330
  • Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #​15481
  • Bump com.gradle.develocity from 3.17.5 to 3.17.6 #​15463

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.13

Compare Source

⭐ New Features

  • doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #​14779
  • Enhance Logging in RequestMatcherDelegatingAuthorizationManage #​14837
  • Improve PasswordEncoder Error Messaging #​14951
  • InMemoryUserDetailsManager: consider improving the error message when no PasswordEncoding has been specified #​14880
  • Mention all required dependencies in LDAP documentation #​15235
  • Remove useBase64 parameter #​14862

🪲 Bug Fixes

  • AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #​13849
  • Always Use Request-Level ServletContext to Evaluate Request Matcher Paths #​15195
  • Assert WebSession is not null #​14977
  • Conditionally Add Conventions Plugin #​15152
  • DispatcherServletDelegatingRequestMatcher causes errors when there is more than one ServletContext #​14418
  • Fix Java example in multitenanci.adoc #​15146
  • LDIF file on official documentation breaks the startup process #​15089
  • Link to article with remember-me-persistent-token strategy is broken #​14358
  • ProxyRestrictionConditionValidator is missing in the OpenSaml4AuthenticationProvider.SAML20AssertionValidators class #​14931
  • Resolving invalid CSRF token values is not consistent #​15184
  • Restore Build Scan Capability #​15120
  • Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #​14855

🔨 Dependency Upgrades

  • Bump io.projectreactor.netty:reactor-netty from 1.0.44 to 1.0.45 #​15074
  • Bump io.projectreactor.netty:reactor-netty from 1.0.45 to 1.0.46 #​15231
  • Bump io.projectreactor.tools:blockhound from 1.0.8.RELEASE to 1.0.9.RELEASE #​14923
  • Bump io.projectreactor:reactor-bom from 2020.0.43 to 2020.0.44 #​15073
  • Bump io.projectreactor:reactor-bom from 2020.0.44 to 2020.0.45 #​15230
  • Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #​15191
  • Bump org.springframework:spring-framework-bom from 5.3.34 to 5.3.35 #​15085
  • Bump org.springframework:spring-framework-bom from 5.3.35 to 5.3.36 #​15135
  • Bump org.springframework:spring-framework-bom from 5.3.36 to 5.3.37 #​15253
  • Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 #​14938

🔩 Build Updates

  • Attach Antora Docs to Pull Requests #​14992
  • Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #​15160
  • Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #​15140
  • Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.13 #​15001
  • Bump com.gradle.develocity from 3.17.2 to 3.17.4 #​15099
  • Bump com.gradle.develocity from 3.17.4 to 3.17.5 #​15240
  • Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #​14959
  • Consider Adding a Build Updates section to the release changelog #​14485
  • Migrate to com.gradle.develocity plugin #​15021
  • Update Gradle Enterprise plugin to 3.17.2 #​15020

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.12

Compare Source

🪲 Bug Fixes

  • Conditional check for data-source-ref is incorrect #​14742

🔨 Dependency Upgrades

  • Bump io.projectreactor.netty:reactor-netty from 1.0.43 to 1.0.44 #​14878
  • Bump io.projectreactor:reactor-bom from 2020.0.42 to 2020.0.43 #​14877
  • Bump io.spring.ge.conventions from 0.0.15 to 0.0.16 #​14822
  • Bump org.springframework:spring-framework-bom from 5.3.33 to 5.3.34 #​14891

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.11

Compare Source

🪲 Bug Fixes

  • Allow tab in HTTP header values. #​14590
  • Check for null Authentication #​14664
  • PostAuthorize Method Interceptors Should Use Order from AuthorizationInterceptorsOrder #​14720
  • Remove duplicate setSecurityContextHolderStrategy #​14603
  • Spring security's ServerLogoutHandler order problem. #​14379

🔨 Dependency Upgrades

  • Bump io.projectreactor.netty:reactor-netty from 1.0.41 to 1.0.43 #​14730
  • Bump io.projectreactor:reactor-bom from 2020.0.41 to 2020.0.42 #​14729
  • Bump org.springframework:spring-framework-bom from 5.3.32 to 5.3.33 #​14759

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.10

Compare Source

⭐ New Features

  • Updated broken documentation link in javadocs #​14329

🪲 Bug Fixes

  • Fix security filter sort in javadoc #​14552
  • ReactiveMethodSecurityConfiguration is initialized prematurely when the context contains a BeanPostProcessor #​11596
  • Saml2 LogoutFilter Should Come Before Common LogoutFilter #​14549

🔨 Dependency Upgrades

  • Bump Gamesight/slack-workflow-status from 1.2.0 to 1.3.0 #​14584
  • Bump gradle/gradle-build-action from 2 to 3 #​14505
  • Bump io-spring-javaformat from 0.0.40 to 0.0.41 #​14438
  • Bump io.projectreactor.netty:reactor-netty from 1.0.40 to 1.0.41 #​14432
  • Bump io.projectreactor:reactor-bom from 2020.0.39 to 2020.0.40 #​14431
  • Bump io.projectreactor:reactor-bom from 2020.0.40 to 2020.0.41 #​14614
  • Bump io.spring.ge.conventions from 0.0.14 to 0.0.15 #​14464
  • Bump org-aspectj from 1.9.20.1 to 1.9.21.1 #​14607
  • Bump org-eclipse-jetty from 9.4.53.v20231009 to 9.4.54.v20240208 #​14608
  • Bump org.springframework:spring-framework-bom from 5.3.31 to 5.3.32 #​14622
  • Bump slackapi/slack-github-action from 1.24.0 to 1.25.0 #​14506
  • Bump spring-io/spring-github-workflows from eaf17a1 to 1e8b058 #​14585

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.9

Compare Source

⭐ New Features

  • Document that Shibboleth Repository is Required for SAML Support #​14286
  • OAuth2 Resource Server is exposing server information. #​13730
  • Resolve RequestMatcher at request-time #​14078
  • Update Java Config Spring MVC documentation #​14220

🪲 Bug Fixes

  • AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​13625
  • Authentication not propagated correctly after migrating to SB3 #​12877
  • Authorization does not show up on Features section #​14099
  • Documentation about configuring SecuritySocketAcceptorInterceptor in Spring Boot is confusing #​13718
  • Fix caching error state in ReactiveRemoteJWKSource #​13976
  • fix wrong document about "jws-algorithms" #​14252
  • Improve error message when ServletRegistration API is unavailable #​14221
  • References to WebFlux docs do not link to them #​14100
  • relay_state should not be included in signing calculation when it is null #​13913
  • Security configuration is failed to be initialized in a Servlet 6.0 container #​13794
  • Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​13644
  • X-Xss-Protection header "1; mode=block" differs in Servlet and Reactive #​11948
  • XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8 #​12483

🔨 Dependency Upgrades

  • Bump actions/checkout from 3 to 4 #​14313
  • Bump actions/setup-java from 3 to 4 #​14307
  • Bump ch.qos.logback:logback-classic from 1.2.12 to 1.2.13 #​14240
  • Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14301
  • Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14153
  • Bump io.projectreactor.netty:reactor-netty from 1.0.38 to 1.0.39 #​14143
  • Bump io.projectreactor.netty:reactor-netty from 1.0.39 to 1.0.40 #​14290
  • Bump io.projectreactor:reactor-bom from 2020.0.37 to 2020.0.38 #​14142
  • Bump io.projectreactor:reactor-bom from 2020.0.38 to 2020.0.39 #​14291
  • Bump org.springframework.data:spring-data-bom from 2021.2.17 to 2021.2.18 #​14170
  • Bump org.springframework:spring-framework-bom from 5.3.30 to 5.3.31 #​14154
  • Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14303
  • Bump spring-io/spring-gradle-build-action from 1 to 2 #​14308

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.8

Compare Source

⭐ New Features

  • Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​11926
  • Use Gradle's Version Catalog #​13868

🪲 Bug Fixes

  • Fix snapshot_tests on CI workflow #​13876
  • fix corrupted saml2 metadata once special characters are present #​13777
  • Saml-Metadata with special characters is corrupted #​13776
  • Saml2LogoutRequestMixin relayState property should be binding #​12539

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13982
  • Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13927
  • Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13890
  • Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #​13928
  • Bump io.projectreactor.netty:reactor-netty from 1.0.35 to 1.0.36 #​13885
  • Bump io.projectreactor.netty:reactor-netty from 1.0.36 to 1.0.38 #​13998
  • Bump io.projectreactor:reactor-bom from 2020.0.35 to 2020.0.36 #​13944
  • Bump io.projectreactor:reactor-bom from 2020.0.36 to 2020.0.37 #​13997
  • Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13925
  • Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13893
  • Bump org-eclipse-jetty from 9.4.51.v20230217 to 9.4.52.v20230823 #​13909
  • Bump org-eclipse-jetty from 9.4.52.v20230823 to 9.4.53.v20231009 #​13996
  • Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #​13926
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13954
  • Bump org.springframework.data:spring-data-bom from 2021.2.15 to 2021.2.16 #​13907
  • Bump org.springframework.data:spring-data-bom from 2021.2.16 to 2021.2.17 #​14018
  • Bump org.springframework:spring-framework-bom from 5.3.29 to 5.3.30 #​13908

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.7

Compare Source

⭐ New Features

🪲 Bug Fixes

  • CookieRequestCache ignores user Locale #​13792
  • Default Security Configuration adds WWW-Authenticate Twice #​13737
  • OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​11893
  • Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13804

v5.8.6

Compare Source

⭐ New Features

  • Closes #11450 - Add Java beans configuration for Remember Me Docs #13570
  • Dependencies are resolved from appropriate repositories #​13582
  • requestMatchers servlet validation error should include information about servlet paths #​13667
  • requestMatchers should not count servlets without mappings #​13666

🪲 Bug Fixes

  • Fix Bearer Token RestTemplate Support example #​13434
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13561
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13572

🔨 Dependency Upgrades

  • Update io.projectreactor to 2020.0.35 #​13702
  • Update org.aspectj to 1.9.20 #​13704
  • Update org.springframework.data to 2021.2.15 #​13705
  • Update reactor-netty to 1.0.35 #​13703

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.5

Compare Source

⭐ New Features

  • Improve RequestMatcher Validation #​13551
  • Improve Security Filters Documentation #​8167

🪲 Bug Fixes

  • Optimize Querying of RequestCache -> continue parameter #​13438
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13417
  • Use default PathPatternParser instance #​13462

🔨 Dependency Upgrades

  • Update io.projectreactor to 2020.0.34 #​13513
  • Update org.springframework to 5.3.29 #​13515
  • Update org.springframework.data to 2021.2.14 #​13516
  • Update reactor-netty to 1.0.34 #​13514

v5.8.4

Compare Source

⭐ New Features

  • Convert to Asciidoctor Tabs #​13405
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13227
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13252
  • Use Antora name of security #​13329

🪲 Bug Fixes

  • Additional filters registered when using Custom DSL #​13280
  • AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13069
  • AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13132
  • Clarify that Kotlin DSL needs an import #​13101
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13191
  • Fix Antora Warnings #​13292
  • Fix code snippets in Authorize HttpServletRequest #​11522
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13219
  • Fix Documentation Title #​13316
  • Fix legacy-websocket-configuration cross-reference #​12969
  • Fix typo in authorization.adoc #​13135
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13207
  • Links between migration docs are out of date #​12675
  • Proxy Server section is not linked in nav #​13322
  • RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13104
  • SAML 2.0 HTTP Redirect Binding query params may appear in any order #​12963
  • SAML login fails in Internet Explorer 11 #​13106
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13160

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.3

Compare Source

⭐ New Features

  • Clarify documentation code snippet(s) (unclear where static imported methods come from) #​12991
  • Document 5.8 Migration for DefaultMethodSecurityExpressionHandler #​12356
  • Documentation should mention that an empty SecurityContext should also be saved #​12906
  • Expression-Based Access Control do not working as explain in spring security document for 6.0.2 also tried 6.0.5 the issue persist #​12928
  • Fixed test in DefaultLoginPageGeneratingFilterTests #​12694

🪲 Bug Fixes

  • Bug in documentation of Storing the Authentication manually #​12850
  • DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #​12873
  • EntityId ignored in xml relying-party-registration #​12776
  • Fix .access(...) parameter #​12676
  • Fix a javadoc typo in ReactiveAuthorizationManager #​12999
  • Fix a javadoc typo in ReactiveAuthorizationManager #​12982
  • Fix ID of WebSocket Authorization section #​12872
  • HttpSessionSecurityContextRepository fails to create a session because of the deferred security context support #​12314
  • JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #​12472
  • Missing spring-security-oauth2 xsds after release #​12805
  • NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #​13004
  • RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #​13054
  • Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #​12935
  • SecurityWebApplicationInitializer.getSecurityDispatcherTypes example is wrong in migration guide #​12939
  • SwitchUserFilter should use HttpSessionSecurityContextRepository by default #​12835

🔨 Dependency Upgrades

  • Update blockhound to 1.0.8.RELEASE #​13024
  • Update io.projectreactor to 2020.0.31 #​13022
  • Update io.spring.javaformat to 0.0.38 #​13025
  • Update logback-classic to 1.2.12 #​13021
  • Update org.eclipse.jetty to 9.4.51.v20230217 #​13026
  • Update org.springframework to 5.3.27 #​13027
  • Update org.springframework.data to 2021.2.10 #​13028
  • Update org.springframework.data to 2021.2.11 #​13029
  • Update reactor-netty to 1.0.31 #​13023

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.2

Compare Source

⭐ New Features

  • Add XorCsrfChannelInterceptor #​12562
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #​12434
  • fix unclosed block in docs #​12553
  • Improve documentation on what changed in the default behaviour in version 6 vs 5.7 #​12462
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #​12486

🪲 Bug Fixes

  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #​12516
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #​12665
  • Document XMLObject retrieval for Asserting Party metadata #12693
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #​12458
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #​12494
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #​12686
  • SwitchUserFilter not working in Spring Security 6 #​12510
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #​12526

🔨 Dependency Upgrades

  • Update blockhound to 1.0.7.RELEASE #​12719
  • Update hibernate-entitymanager to 5.6.15.Final #​12722
  • Update io.projectreactor to 2020.0.28 #​12717
  • Update io.spring.nohttp to 0.0.11 #​12720
  • Update jackson-bom to 2.13.5 #​12714
  • Update jackson-databind to 2.13.5 #​12715
  • Update jackson-datatype-jsr310 to 2.13.5 #​12716
  • Update junit-bom to 5.9.2 #​12723
  • Update org.aspectj to 1.9.19 #​12721
  • Update org.junit.jupiter to 5.9.2 #​12724
  • Update org.springframework to 5.3.25 #​12725
  • Update org.springframework.data to 2021.2.8 #​12739
  • Update org.springframework.data to 2021.2.8 #​12726
  • Update reactor-netty to 1.0.28 #​12718

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.1

Compare Source

⭐ New Features

  • Add EnableWebSecurity migration steps to 5.8 guide #​12334
  • Replace deprecated set-state set-output GitHub Action's commands #​12298

🪲 Bug Fixes

  • codes in spring security docs fail to work #​11396
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #​12408
  • Fix AuthorizationFilter diagram in docs #​12286
  • Fix password encoder migration guide #​12318
  • Fix typo #​12316
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #​12411
  • Incorrect sample code in securityMatcher migration docs #​12296
  • SecurityContextHolderFilter does not apply to async dispatch #​11962

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.0

Compare Source

⭐ New Features

  • Add Kotlin example showing integration with WebTestClient #​11611
  • Add MethodExpressionAuthorizationManager #​11502
  • Add Polish localization to error messages from ExceptionTranslationFi… #​12201
  • Add support AuthorizationManager + #​11503
  • AnonymousAuthenticationFilter should cache its Supplier #​11900
  • CookieServerCsrfTokenRepository doesn't support setting MaxAge #​11441
  • DefaultFilterChainValidator should check AuthorizationFilter #​11473
  • Deprecate Resource Owner Password Credentials grant #​11591
  • Document Configure Default CsrfToken BREACH Protection #​12107
  • Document Defer load CsrfToken #​12105
  • Document DelegatingSecurityContextRepository #​12069
  • Document deprecations in oauth2-client #​12193
  • Document how to opt-in for SHA256 in RememberMe #​12097
  • Document how to use the new requestMatchers and securityMatchers #​12100
  • Document Migration to SecurityContextHolderFilter #​12098
  • Document new oauth2Login() authority defaults #​12188
  • Document reactive CSRF migration steps #​12226
  • Document Saved Requests Spring Security 6 Migration #​12089
  • Document Update to 5.8 for Migration Guide #​12196
  • Fix Javadoc in EnableWebSocketSecurity #​12211
  • Improve deprecation notice in WebSecurityConfigurerAdapter #​12261
  • InterceptMethodsBeanDefinitionDecorator should allow using AuthorizationManager #​11469
  • Migration guide for CAS support removal #​12240
  • Preparation and Migration Guides should point to each other #​12093
  • Preparation Guide should follow Reference Manual standards #​12096
  • Preparation Guide should show opt-out steps after opt-in steps #​12104
  • Provide guide for migrating from FilterSecurityInterceptor to AuthorizationFilter #​11337
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #​12186
  • SAML: OpenSaml4AuthenticationProvider.createDefaultAssertionValidator() should make it easier to add ValidationContext static parameters #​11675
  • trigger partial docs build on push (5.8.x) #​12195

🪲 Bug Fixes

  • AuthenticationServiceException propagation flag is unconfigurable in 5.8 #​12132
  • CsrfAuthenticationStrategy does not check for existing token #​12236
  • CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository #​12141
  • fix deploy docs workflow (5.8.x) #​12197
  • Fix saganCreateRelease saganDeleteRelease Required Permissions #​11424
  • Incorrect scope map fix #​12206
  • IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #​12076
  • org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11604
  • SAML logout: Incorrect log messages #​12209
  • Saml2MetadataFilter response should configure writer to UTF-8 #​12222
  • SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​12126
  • SecurityContextRepository.loadContext(HttpServletRequest) cache result #​11391
  • Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11483
  • Update the RP-initiated Logout links #​12122

🔨 Dependency Upgrades


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.7.3 Update dependency org.springframework.security:spring-security-core to v5.7.4 Oct 18, 2022
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.7.4 Update dependency org.springframework.security:spring-security-core to v5.7.5 Oct 31, 2022
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.7.5 Update dependency org.springframework.security:spring-security-core to v5.8.0 Nov 21, 2022
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.0 Update dependency org.springframework.security:spring-security-core to v5.8.1 Dec 19, 2022
@renovate renovate bot force-pushed the renovate/spring-security branch from 4deb341 to 5e7a236 Compare March 16, 2023 11:16
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.1 Update dependency org.springframework.security:spring-security-core to v5.8.2 Mar 16, 2023
@renovate renovate bot force-pushed the renovate/spring-security branch from 5e7a236 to 64f58bd Compare April 17, 2023 21:38
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.2 Update dependency org.springframework.security:spring-security-core to v5.8.3 Apr 17, 2023
@renovate renovate bot force-pushed the renovate/spring-security branch from 64f58bd to ea0812c Compare June 19, 2023 23:04
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.3 Update dependency org.springframework.security:spring-security-core to v5.8.4 Jun 19, 2023
@renovate renovate bot force-pushed the renovate/spring-security branch from ea0812c to 55e80b1 Compare July 18, 2023 07:32
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.4 Update dependency org.springframework.security:spring-security-core to v5.8.5 Jul 18, 2023
@renovate renovate bot force-pushed the renovate/spring-security branch from 55e80b1 to 4e3b8b9 Compare August 21, 2023 19:25
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.5 Update dependency org.springframework.security:spring-security-core to v5.8.6 Aug 21, 2023
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.6 Update dependency org.springframework.security:spring-security-core to v5.8.7 Sep 18, 2023
@renovate renovate bot force-pushed the renovate/spring-security branch 2 times, most recently from a782fd6 to a3fe3b3 Compare October 16, 2023 20:05
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.7 Update dependency org.springframework.security:spring-security-core to v5.8.8 Oct 16, 2023
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.8 Update dependency org.springframework.security:spring-security-core to v5.8.9 Dec 19, 2023
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.9 Update dependency org.springframework.security:spring-security-core to v5.8.10 Feb 16, 2024
@renovate renovate bot force-pushed the renovate/spring-security branch from fbeecad to eac4b26 Compare March 18, 2024 22:42
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.10 Update dependency org.springframework.security:spring-security-core to v5.8.11 Mar 18, 2024
@renovate renovate bot force-pushed the renovate/spring-security branch from eac4b26 to 21f51d1 Compare April 15, 2024 20:28
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.11 Update dependency org.springframework.security:spring-security-core to v5.8.12 Apr 15, 2024
@renovate renovate bot force-pushed the renovate/spring-security branch from 21f51d1 to c3e4fb1 Compare June 17, 2024 22:30
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.12 Update dependency org.springframework.security:spring-security-core to v5.8.13 Jun 17, 2024
@renovate renovate bot force-pushed the renovate/spring-security branch from c3e4fb1 to 52e4810 Compare August 19, 2024 22:29
@renovate renovate bot changed the title Update dependency org.springframework.security:spring-security-core to v5.8.13 Update dependency org.springframework.security:spring-security-core to v5.8.14 Aug 19, 2024
@renovate renovate bot force-pushed the renovate/spring-security branch from 52e4810 to 2788684 Compare October 3, 2024 00:33
@renovate renovate bot changed the base branch from 4.0.x to 5.0.x October 3, 2024 00:33