You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65 lines
5.5 KiB
65 lines
5.5 KiB
[[new]] |
|
= What's New in Spring Security 6.0 |
|
|
|
Spring Security 6.0 provides a number of new features. |
|
Below are the highlights of the release. |
|
|
|
== Baseline Changes |
|
|
|
* Spring Security 6 requires JDK 17 |
|
|
|
== Breaking Changes |
|
|
|
* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`. |
|
Instead use data storage to encrypt values. |
|
* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default |
|
* https://github.com/spring-projects/spring-security/issues/8819[gh-8819] - Move filters to web package |
|
Reorganize imports |
|
* https://github.com/spring-projects/spring-security/issues/7349[gh-7349] - Move filter and token to appropriate packages |
|
Reorganize imports |
|
* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository` |
|
* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()` |
|
* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter` |
|
* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`. |
|
Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean]. |
|
* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present. |
|
You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>]. |
|
* Change use-authorization-manager="true" to default |
|
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively. |
|
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified. |
|
Or use `use-authorization-manager="false"` |
|
* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration. |
|
Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`. |
|
* https://github.com/spring-projects/spring-security/issues/11985[gh-11985] - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`. |
|
* https://github.com/spring-projects/spring-security/issues/11960[gh-11960] - Default to Xor CSRF protection for xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet] and xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive] |
|
* https://github.com/spring-projects/spring-security/issues/12019[gh-12019] - Remove deprecated method `setTokenFromMultipartDataEnabled` from `CsrfWebFilter` |
|
* https://github.com/spring-projects/spring-security/issues/12020[gh-12020] - Remove deprecated method `tokenFromMultipartDataEnabled` from Java Configuration |
|
* https://github.com/spring-projects/spring-security/issues/9429[gh-9429] - `Authentication(Web)Filter` rethrows `AuthenticationServiceException`s |
|
* https://github.com/spring-projects/spring-security/issues/11027[gh-11027], https://github.com/spring-projects/spring-security/issues/11466[gh-11466] - Authorization on every dispatcher type |
|
* https://github.com/spring-projects/spring-security/issues/11110[gh-11110] - Require explicit session saves by default |
|
* https://github.com/spring-projects/spring-security/issues/11057[gh-11057] - Remove `MessageSourceAware` from `ExceptionTranslationWebFilter` |
|
* https://github.com/spring-projects/spring-security/issues/12022[gh-12202] - Remove OAuth deprecations |
|
* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support. |
|
Use the OpenSaml 4 Support instead. |
|
* https://github.com/spring-projects/spring-security/issues/11077[gh-11077] - Remove SAML deprecations |
|
** Remove `Converter` constructors from `Saml2MetadataFilter` and `Saml2AuthenticationTokenConverter` |
|
** Remove `Saml2AuthenticationRequestContextResolver` and `Saml2AuthenticationRequestFactory` and implementations |
|
** Remove `Saml2AuthenticationToken(String, String, String, String, List)` |
|
** Remove `RelyingPartyRegistration.ProviderDetails` and related methods |
|
** Remove `OpenSamlAuthenticationProvider` |
|
* https://github.com/spring-projects/spring-security/issues/12180[gh-12180] - Register `FilterChainProxy` for all dispatcher types |
|
|
|
== Core |
|
|
|
* https://github.com/spring-projects/spring-security/issues/11446[gh-11446] - Add native image support for `@PreAuthorize` |
|
* https://github.com/spring-projects/spring-security/issues/11737[gh-11737] - Add native image support for `@PostAuthorize` |
|
* xref:servlet/integrations/observability.adoc[Instrumentation] of `AuthenticationManager`, `AuthorizationManager`, and `FilterChainProxy` |
|
* xref:reactive/integrations/observability.adoc[Instrumentation] of `ReactiveAuthenticationManager`, `ReactiveAuthorizationManager`, and `WebFilterChainProxy` |
|
|
|
== LDAP |
|
|
|
* https://github.com/spring-projects/spring-security/pull/9276[gh-9276] - LdapAuthoritiesPopulator is post-processed |
|
|
|
== Web |
|
|
|
* https://github.com/spring-projects/spring-security/issues/11432[gh-11432] - `CookieServerCsrfTokenRepository` supports maxage
|
|
|