Upgrade Spring Security 5.8.9 -> 6.2.1

[Picnic-Bot]

This PR contains the following updates:

Package	Type	Update	Change
Spring Security (source)	import	major	5.8.9 -> 6.2.1

---

Release Notes

spring-projects/spring-security (Spring Security)

v6.2.1

Compare Source

⭐ New Features

• docs: make XML and Java/Kotlin consistent with AspectJExpressionPointcut #​14219
• Document that Shibboleth Repository is Required for SAML Support #​14295
• Integrate HandlerMappingIntrospector Caching #​14332
• OAuth2 Resource Server is exposing server information. #​14278

🪲 Bug Fixes

• Update Java Config Spring MVC documentation #​14234
• add missing [tabs] fix typo in docs #​14208
• AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14267
• Correct What's New in 6.2 reference to forServletPattern #​14200
• Fix typo in getClaimAsMap docstring #​14183
• Fix typo in the 'Authorizing Requests' example #​14169
• fix wrong document about "jws-algorithms" #​14280
• Improve error message when ServletRegistration API is unavailable #​14232
• Update Javadoc Comments in AuthorizationEvent Class #​14175
• Fix typo in architecture.adoc #​14254
• Fixing link in authentication/architecture.adoc #​13593

🔨 Dependency Upgrades

• Bump actions/checkout from 3 to 4 #​14323
• Bump actions/setup-java from 3 to 4 #​14320
• Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14213
• Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14239
• Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14223
• Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14328
• Bump Gradle Wrapper from 8.4 to 8.5 #​14222
• Bump io.micrometer:micrometer-observation from 1.12.0 to 1.12.1 #​14284
• Bump io.projectreactor:reactor-bom from 2023.0.0 to 2023.0.1 #​14289
• Bump org-apache-maven-resolver from 1.9.16 to 1.9.17 #​14184
• Bump org-apache-maven-resolver from 1.9.17 to 1.9.18 #​14197
• Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14271
• Bump org.apache.maven:maven-resolver-provider from 3.9.5 to 3.9.6 #​14228
• Bump org.hibernate.orm:hibernate-core from 6.3.1.Final to 6.3.2.Final #​14190
• Bump org.jetbrains.kotlin:kotlin-bom from 1.9.20 to 1.9.21 #​14192
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.20 to 1.9.21 #​14191
• Bump org.springframework.data:spring-data-bom from 2023.1.0 to 2023.1.1 #​14341
• Bump org.springframework.ldap:spring-ldap-core from 3.2.0 to 3.2.1 #​14335
• Bump org.springframework:spring-framework-bom from 6.1.0 to 6.1.1 #​14189
• Bump org.springframework:spring-framework-bom from 6.1.1 to 6.1.2 #​14319
• Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14318
• Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14322
• Bump spring-io/spring-gradle-build-action from 1 to 2 #​14321

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ParkerM, @​YangSiJun528, @​aaron-to-go, @​ahmd-nabil, @​andreilisa, @​dependabot[bot], @​limvik, and @​prufrock

v6.2.0

Compare Source

⭐ New Features

• AuthorizationManager[Before/After]ReactiveMethodInterceptor doesn't support Kotlin coroutines #​12080
• Simplify configuration of OAuth2 Client component model #​11783

🪲 Bug Fixes

• On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14064
• Authentication not propagated correctly after migrating to SB3 #​14112
• Authorization does not show up on Features section #​14105
• Fix obsolete comment and typos #​14060
• Fix typo in documentation #​14130
• improve render in headers.adoc #​14102
• ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14042
• References to WebFlux docs do not link to them #​14108
• relay_state should not be included in signing calculation when it is null #​14039
• samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14138
• Security configuration is failed to be initialized in a Servlet 6.0 container #​14166
• Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14115
• Spring Security metric names should not contain dashes #​14067
• spring.security counters inaccurate due onComplete and cancel() #​14147
• The latest "OAuth2AuthorizedClientManager" class is not AOT ready #​14094
• UnboundIdContainer should be marked as not running at shutdown #​14095

🔨 Dependency Upgrades

• Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14156
• Bump io.micrometer:micrometer-observation from 1.12.0-RC1 to 1.12.0 #​14135
• Bump io.projectreactor:reactor-bom from 2023.0.0-RC1 to 2023.0.0 #​14145
• Bump org.junit:junit-bom from 5.10.0 to 5.10.1 #​14097
• Bump org.springframework.data:spring-data-bom from 2023.1.0-RC1 to 2023.1.0 #​14172
• Bump org.springframework.ldap:spring-ldap-core from 3.2.0-RC1 to 3.2.0 #​14155
• Bump org.springframework:spring-framework-bom from 6.1.0-RC1 to 6.1.0-RC2 #​14055
• Bump org.springframework:spring-framework-bom from 6.1.0-RC2 to 6.1.0 #​14157

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​nico-ortiz
• @​dependabot[bot]
• @​martin-lukas

v6.1.6

Compare Source

⭐ New Features

• Document that Shibboleth Repository is Required for SAML Support #​14294
• Integrate HandlerMappingIntrospector Caching #​14128
• OAuth2 Resource Server is exposing server information. #​14277
• Resolve RequestMatcher at request-time #​14085

🪲 Bug Fixes

• AnnotationConfigurationException when using PreAuthorize, CGLIB and EnableMethodSecurity #​14266
• Authentication not propagated correctly after migrating to SB3 #​14111
• Authorization does not show up on Features section #​14104
• DefaultLoginPageGeneratingFilter should be able to handle AuthenticationExceptions without message #​14117
• Fix broken link for servlet getting started page #​14119
• Fix typo in method-security.adoc #​14059
• fix wrong document about "jws-algorithms" #​14279
• Improve error message when ServletRegistration API is unavailable #​14231
• improve render in headers.adoc #​14101
• On Cancel, ObservationWebFilterDecorator Starts After-Filter Span without Stopping It #​14063
• ReactiveRemoteJWKSource caches invalid response status into jwkSetURL #​14041
• References to WebFlux docs do not link to them #​14107
• relay_state should not be included in signing calculation when it is null #​14038
• samesite set by Tomcat CookieProcessor ignored when creating XSRF-TOKEN cookie in CsrfTokenRepository #​14131
• Security configuration is failed to be initialized in a Servlet 6.0 container #​14165
• Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #​14114
• Spring Security metric names should not contain dashes #​14066
• spring.security counters inaccurate due onComplete and cancel() #​14146
• Update Java Config Spring MVC documentation #​14233
• Update logout.adoc: Replace Directives with Directive #​14062

🔨 Dependency Upgrades

• Bump actions/checkout from 3 to 4 #​14310
• Bump actions/setup-java from 3 to 4 #​14327
• Bump ch.qos.logback:logback-classic from 1.4.11 to 1.4.13 #​14214
• Bump ch.qos.logback:logback-classic from 1.4.13 to 1.4.14 #​14238
• Bump com.unboundid:unboundid-ldapsdk from 6.0.10 to 6.0.11 #​14224
• Bump Gamesight/slack-workflow-status from 1.0.1 to 1.2.0 #​14317
• Bump Gradle Wrapper from 8.4 to 8.5 #​14218
• Bump io-spring-javaformat from 0.0.39 to 0.0.40 #​14158
• Bump io.micrometer:micrometer-observation from 1.10.12 to 1.10.13 #​14134
• Bump io.projectreactor:reactor-bom from 2022.0.12 to 2022.0.13 #​14144
• Bump io.projectreactor:reactor-bom from 2022.0.13 to 2022.0.14 #​14288
• Bump org-aspectj from 1.9.20.1 to 1.9.21 #​14272
• Bump org-eclipse-jetty from 11.0.17 to 11.0.18 #​14081
• Bump org.springframework.data:spring-data-bom from 2022.0.11 to 2022.0.12 #​14173
• Bump org.springframework:spring-framework-bom from 6.0.13 to 6.0.14 #​14159
• Bump org.springframework:spring-framework-bom from 6.0.14 to 6.0.15 #​14312
• Bump sjohnr/slack-workflow-status from 1.pre.beta to 1.1.0 #​14315
• Bump slackapi/slack-github-action from 1.19.0 to 1.24.0 #​14316
• Bump spring-io/spring-gradle-build-action from 1 to 2 #​14305

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Ruffeng, @​dependabot[bot], @​github-actions[bot], @​marbon87, and @​sadidshaikh

v6.1.5

Compare Source

⭐ New Features

• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​14015
• Replace deprecated method #​13649
• Use Gradle's Version Catalog #​13871

🪲 Bug Fixes

• Dependency convergence failed: nimbus-jose-jwt #​13843
• Docs custom AuthorizationManager fix #​13991
• Fix snapshot_tests on CI workflow #​13878
• Fix parsing of GET SAML logout requests #​13970
• Saml-Metadata with special characters is corrupted #​13861
• Saml2LogoutRequestMixin relayState property should be binding #​13942

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13984
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13891
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13950
• Bump com.gradle.enterprise from 3.12.3 to 3.12.6 #​13934
• Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #​13903
• Bump Gradle Wrapper from 8.3 to 8.4 #​13974
• Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #​13935
• Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #​13945
• Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #​14001
• Bump io.mockk:mockk from 1.13.7 to 1.13.8 #​13952
• Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.11 #​13937
• Bump io.projectreactor:reactor-bom from 2022.0.11 to 2022.0.12 #​14000
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13985
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #​13949
• Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13896
• Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #​13901
• Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #​13999
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13953
• Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #​13938
• Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #​14019
• Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #​13951
• Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #​14007
• Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #​13904
• Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #​14006
• Update to org.apereo.cas.client:cas-client-core 4.0.3 #​13947

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Dyndyn
• @​limvik
• @​github-actions[bot]
• @​dependabot[bot]
• @​pbborisov18

v6.1.4

Compare Source

⭐ New Features

• Automate spring-security.xsd #​13825

🪲 Bug Fixes

• CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #​13659
• CookieRequestCache ignores user Locale #​13796
• Default Security Configuration adds WWW-Authenticate Twice #​13759
• Fix inaccurate information about permitting the FORWARD dispatcher in Kotlin #​13729
• OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​13800
• Problem uploading multipart file after migrating to latest Spring Security. #​13820
• Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13806
• Spring ACL and native compilation fail to process datasource properties #​13814

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​username1103

v6.1.3

Compare Source

⭐ New Features

• Add MvcRequestMatcher reference documentation #​13726
• Refactor for readability #​13472
• requestMatchers servlet validation error should include information about servlet paths #​13722
• requestMatchers should not count servlets without mappings #​13724

🪲 Bug Fixes

• Add return statement of the roleHierachy method in the servlet/author… #​13596
• Fix typo in docs #​13637
• Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13590
• RequestMatcherMetadataResponseResolver only shows last RelyingPartyRegistration #​13700
• saml2Login should not override OpenSaml4AuthenticationProvider bean #​13655
• The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13580
• Update links in adocs #​13632

🔨 Dependency Upgrades

• Update io.projectreactor to 2022.0.10 #​13674
• Update logback-classic to 1.4.11 #​13669
• Update micrometer-observation to 1.10.10 #​13672
• Update mockk to 1.13.7 #​13673
• Update org.aspectj to 1.9.20 #​13676
• Update org.springframework.data to 2022.0.9 #​13677
• Update reactor-netty to 1.1.10 #​13675
• Update spring-ldap-core to 3.0.5 #​13678

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​galmegiz
• @​limvik

v6.1.2

Compare Source

⭐ New Features

• Improve RequestMatcher Validation #​13557
• Improve Security Filters Documentation #​13414
• Optimize Querying of RequestCache -> continue parameter #​13488
• Optimize Querying of RequestCache -> continue parameter #​13482

🪲 Bug Fixes

• Error message should show underlying Client Authentication method #​13498
• Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13465
• once-per-request="true" does not work in XML configuration #​13494
• Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13199
• Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13421
• Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13478
• update l179 of jwt docs #​13480
• Use default PathPatternParser instance #​13464

🔨 Dependency Upgrades

• Update io.projectreactor to 2022.0.9 #​13525
• Update jakarta.websocket to 2.1.1 #​13526
• Update micrometer-observation to 1.10.9 #​13524
• Update org.springframework to 6.0.11 #​13527
• Update org.springframework.data to 2022.0.8 #​13528
• Update org.springframework.data to 2022.0.8 #​13522

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​sueszli

v6.1.1

Compare Source

⭐ New Features

• Add initial Native section to reference docs #​13236
• Align Resource Server documentation with Boot's capabilities #​13239
• Convert to Asciidoctor Tabs #​13407
• Document How to Handle Method Security in Native Image #​13237
• Improve javadoc about deprecation of .and() and non-Customizer methods #​13273
• Make eclipse/vscode project import work #​13284
• Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13229
• mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13254
• Use Antora name of security #​13331

🪲 Bug Fixes

• Additional filters registered when using Custom DSL #​13282
• AOT Fails to proxy #​13369
• CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #​13243
• DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13223
• Deprecated hint on BasicAuthenticationFilter #​13279
• Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13193
• Fix Antora Warnings #​13294
• Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13221
• Fix Documentation Title #​13318
• Fix legacy-websocket-configuration cross-reference #​13206
• Fix type on method-security.adoc #​13212
• http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13209
• Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13218
• No longer maintained net.sourceforge.nekohtml with known security issues #​13287
• Provide meaningful error when invalid client-authentication-method is provided #​13309
• Proxy Server section is not linked in nav #​13324
• Use consistent list of micrometer tags in web observation handler #​13190
• UserBuilder does not allow authorities to be overridden #​13290

🔨 Dependency Upgrades

• Update cas-client-core to 4.0.2 #​13342
• Update com.nimbusds to 9.43.3 #​13335
• Update hsqldb to 2.7.2 #​13343
• Update io.projectreactor to 2022.0.8 #​13338
• Update io.rsocket to 1.1.4 #​13340
• Update io.spring.javaformat to 0.0.39 #​13341
• Update logback-classic to 1.4.8 #​13334
• Update micrometer-observation to 1.10.8 #​13337
• Update org.jetbrains.kotlin to 1.8.22 #​13344
• Update org.springframework to 6.0.10 #​13345
• Update org.springframework.data to 2022.0.7 #​13346
• Update reactor-netty to 1.1.8 #​13339
• Update spring-ldap-core to 3.0.4 #​13347
• Update unboundid-ldapsdk to 6.0.9 #​13336

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​dkorotych
• @​mariodmpereira

v6.1.0

Compare Source

⭐ New Features

• Explain the rational about deprecating .and() and non-lambda DSL methods #​13094
• Revisit CSRF Documentation #​13089

🪲 Bug Fixes

• AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13087
• AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13154
• Clarify that Kotlin DSL needs an import #​13103
• CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #​13075
• Fix code snippets in Authorize HttpServletRequest #​13126
• Fix invalid link in ref doc #​12573
• fix javadoc typo #​12884
• Fix typo cas.adoc #​13116
• Links between migration docs are out of date #​13157
• RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13128
• rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13083
• SAML login fails in Internet Explorer 11 #​13142
• SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​13150
• Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13122
• Update acls.adoc #​13078
• Update architecture.adoc #​13077
• Web Security Expression section of Documentation is obsolete or it does not work #​12974

🔨 Dependency Upgrades

• Update com.nimbusds to 9.43.2 #​13165
• Update io.projectreactor to 2022.0.7 #​13167
• Update jackson-bom to 2.14.3 #​13162
• Update jackson-databind to 2.14.3 #​13163
• Update jackson-datatype-jsr310 to 2.14.3 #​13164
• Update junit-bom to 5.9.3 #​13170
• Update junit-platform-launcher to 1.9.3 #​13172
• Update logback-classic to 1.4.7 #​13161
• Update micrometer-observation to 1.10.7 #​13166
• Update org.jetbrains.kotlin to 1.8.21 #​13169
• Update org.junit.jupiter to 5.9.3 #​13171
• Update org.springframework to 6.0.9 #​13173
• Update org.springframework.data to 2022.0.6 #​13174
• Update reactor-netty to 1.1.7 #​13168
• Update Spring Boot to 3.0.6 #​13177
• Update spring-ldap-core to 3.0.3 #​13175

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​SeasonPanPan
• @​neshkeev
• @​1993heqiang
• @​delvering17

v6.0.8

Compare Source

⭐ New Features

• Document how to publish an AuthenticationManager @Bean without WebSecurityConfigurerAdapter #​14014
• Use Gradle's Version Catalog #​13870

🪲 Bug Fixes

• Fix snapshot_tests on CI workflow #​13877
• Saml-Metadata with special characters is corrupted #​13860
• Saml2LogoutRequestMixin relayState property should be binding #​13939

🔨 Dependency Upgrades

• Bump com.github.spullara.mustache.java:compiler from 0.9.10 to 0.9.11 #​13981
• Bump com.github.spullara.mustache.java:compiler from 0.9.4 to 0.9.10 #​13886
• Bump com.google.code.gson:gson from 2.8.6 to 2.8.9 #​13898
• Bump com.gradle.enterprise from 3.11.1 to 3.11.4 #​13957
• Bump com.unboundid:unboundid-ldapsdk from 6.0.9 to 6.0.10 #​13895
• Bump Gradle Wrapper from 8.3 to 8.4 #​13973
• Bump io.freefair.gradle:aspectj-plugin from 6.6-rc1 to 6.6.3 #​13980
• Bump io.micrometer:micrometer-observation from 1.10.10 to 1.10.11 #​13921
• Bump io.micrometer:micrometer-observation from 1.10.11 to 1.10.12 #​13995
• Bump io.projectreactor.netty:reactor-netty from 1.1.10 to 1.1.11 #​13958
• Bump io.projectreactor.netty:reactor-netty from 1.1.11 to 1.1.12 #​13994
• Bump io.projectreactor:reactor-bom from 2022.0.10 to 2022.0.12 #​13992
• Bump io.spring.ge.conventions from 0.0.7 to 0.0.14 #​13919
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.1 #​13906
• Bump org-aspectj from 1.9.20 to 1.9.20.1 #​13979
• Bump org-eclipse-jetty from 11.0.15 to 11.0.16 #​13922
• Bump org-eclipse-jetty from 11.0.16 to 11.0.17 #​13993
• Bump org.apache.logging.log4j:log4j-core from 2.17.1 to 2.17.2 #​13923
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.29.0 to 4.29.4 #​13955
• Bump org.slf4j:slf4j-api from 2.0.7 to 2.0.9 #​13920
• Bump org.springframework.data:spring-data-bom from 2022.0.10 to 2022.0.11 #​14020
• Bump org.springframework.data:spring-data-bom from 2022.0.9 to 2022.0.10 #​13892
• Bump org.springframework.ldap:spring-ldap-core from 3.0.5 to 3.0.6 #​14009
• Bump org.springframework:spring-framework-bom from 6.0.11 to 6.0.12 #​13978
• Bump org.springframework:spring-framework-bom from 6.0.12 to 6.0.13 #​14008

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​github-actions[bot]
• @​dependabot[bot]

v6.0.7

Compare Source

⭐ New Features

• Automate spring-security.xsd #​13824

🪲 Bug Fixes

• CookieRequestCache ignores user Locale #​13795
• Default Security Configuration adds WWW-Authenticate Twice #​13758
• OAuth2AuthenticationExceptionMixin doesn't work in JDK 17 #​13799
• Problem uploading multipart file after migrating to latest Spring Security. #​13731
• Resolve The matchingRequestParameterName From The Query String #​13817
• Saml2AuthenticationExceptionMixin doesn't work in JDK 17 #​13805
• Spring ACL and native compilation fail to process datasource properties #​12653

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​marcusdacoregio

v6.0.6

Compare Source

⭐ New Features

• requestMatchers servlet validation error should include information about servlet paths #​13721
• requestMatchers should not count servlets without mappings #​13720

🪲 Bug Fixes

• Doc : typo in Custom DSLs section #​13325
• Fix typo in docs #​13605
• Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13589
• saml2Login should not override OpenSaml4AuthenticationProvider bean #​13654
• The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13579
• Update links in adocs #​13565

🔨 Dependency Upgrades

• Update io.projectreactor to 2022.0.10 #​13710
• Update logback-classic to 1.4.11 #​13707
• Update micrometer-observation to 1.10.10 #​13708
• Update mockk to 1.13.7 #​13709
• Update org.aspectj to 1.9.20 #​13712
• Update org.springframework.data to 2022.0.9 #​13713
• Update reactor-netty to 1.1.10 #​13711
• Update spring-ldap-core to 3.0.5 #​13714

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​bigfang
• @​ghusta
• @​limvik

v6.0.5

Compare Source

⭐ New Features

• Improve RequestMatcher Validation #​13556
• Improve Security Filters Documentation #​13413
• Optimize Querying of RequestCache -> continue parameter #​13487
• Optimize Querying of RequestCache -> continue parameter #​13481

🪲 Bug Fixes

• Error message should show underlying Client Authentication method #​13496
• Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13456
• once-per-request="true" does not work in XML configuration #​13491
• Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13198
• Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13420
• Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13477
• Use default PathPatternParser instance #​13463

🔨 Dependency Upgrades

• Update io.projectreactor to 2022.0.9 #​13518
• Update jakarta.websocket to 2.1.1 #​13519
• Update micrometer-observation to 1.10.9 #​13517
• Update org.springframework to 6.0.11 #​13520
• Update org.springframework.data to 2022.0.8 #​13521

v6.0.4

Compare Source

⭐ New Features

• Add initial Native section to reference docs #​12029
• Align Resource Server documentation with Boot's capabilities #​13238
• Convert to Asciidoctor Tabs #​13406
• Document How to Handle Method Security in Native Image #​13226
• Error On Unsupported Client Authentication Methods #​13240
• Make eclipse/vscode project import work #​12930
• Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13228
• mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13253
• Use Antora name of security #​13330

🪲 Bug Fixes

• Additional filters registered when using Custom DSL #​13281
• AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13086
• AOT Fails to proxy #​13368
• AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13153
• Clarify that Kotlin DSL needs an import #​13102
• DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13222
• Delete duplicate line from oauth2/client/core.adoc #​13233
• Deprecated hint on BasicAuthenticationFilter #​13278
• Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13192
• Fix Antora Warnings #​13293
• Fix code snippets in Authorize HttpServletRequest #​13125
• Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13220
• Fix Documentation Title #​13317
• Fix legacy-websocket-configuration cross-reference #​13205
• http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13208
• java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #​13133
• Links between migration docs are out of date #​13156
• Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13217
• No longer maintained net.sourceforge.nekohtml with known security issues #​13286
• Proxy Server section is not linked in nav #​13323
• RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13127
• rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13079
• SAML login fails in Internet Explorer 11 #​13141
• SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​12787
• Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13084
• Spring Security SAML signature validation issue #​13182
• The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #​13008
• Use consistent list of micrometer tags in web observation handler #​13179
• X-XSS-Protection is now disabled #​13129

🔨 Dependency Upgrades

• Update com.nimbusds to 9.43.3 [

[Picnic-Bot]

Suggested commit message:

Upgrade Spring Security 5.8.9 -> 6.2.1 (#1010)

See:
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M3
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M4
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M5
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M6
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M7
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0-RC2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.0
- https://github.com/spring-projects/spring-security/releases/tag/6.0.1
- https://github.com/spring-projects/spring-security/releases/tag/6.0.2
- https://github.com/spring-projects/spring-security/releases/tag/6.0.3
- https://github.com/spring-projects/spring-security/releases/tag/6.0.4
- https://github.com/spring-projects/spring-security/releases/tag/6.0.5
- https://github.com/spring-projects/spring-security/releases/tag/6.0.6
- https://github.com/spring-projects/spring-security/releases/tag/6.0.7
- https://github.com/spring-projects/spring-security/releases/tag/6.0.8
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.0
- https://github.com/spring-projects/spring-security/releases/tag/6.1.1
- https://github.com/spring-projects/spring-security/releases/tag/6.1.2
- https://github.com/spring-projects/spring-security/releases/tag/6.1.3
- https://github.com/spring-projects/spring-security/releases/tag/6.1.4
- https://github.com/spring-projects/spring-security/releases/tag/6.1.5
- https://github.com/spring-projects/spring-security/releases/tag/6.1.6
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M1
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M2
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-M3
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-RC1
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0-RC2
- https://github.com/spring-projects/spring-security/releases/tag/6.2.0
- https://github.com/spring-projects/spring-security/releases/tag/6.2.1
- https://github.com/spring-projects/spring-security/compare/5.8.9...6.2.1

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[Stephan202]

Blocked on #679.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[sonarcloud]

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[Stephan202]

Updated the suggested commit message; will merge once built.