Releases: spring-projects/spring-security

6.4.0-M4

16 Sep 16:57
Pre-release

⭐ New Features

  • Abstract Common Code in UnmodifiableListDeserializer and UnmodifiableSetDeserializer #15673
  • Add API for Registering Security Hints #15772
  • Add cookie customizer to CookieRequestCache #15685
  • Add DefaultResourcesFilter to XML configuration #15790
  • Add One-Time Token Login support to Kotlin DSL #15727
  • Add RestClient implementations #15337
  • Add Support for One-Time Token Login #15114
  • Cache Annotation Lookups #15799
  • Consider adding RestClient implementations of OAuth2AccessTokenResponseClient #15298
  • Deprecate default OAuth2AccessTokenResponseClients in favor of RestClient-based ones #15737
  • Document how to configure One-Time Token TTL #15743
  • EnableReactiveMethodSecurity Supports Custom MethodSecurityExpressionHandler #15719
  • Fix adding more implied roles in the RoleHierarchy Builder. #15717
  • Include FilterChain on SessionInformationExpiredEvent to allow continuing the request #14077
  • Make OidcSessionRegistry Configurable in Kotlin #15814
  • Oidc Logout Improvements #15540
  • Pick Up OidcSessionRegistry bean in OIDC Configuration #15813
  • Polish OneTimeTokenLogin #15750
  • Provide Runtime Hints for Beans used in Pre/PostAuthorize Expressions #15794
  • Remove the need for @JsonSerialize when serializing authorization proxy objects with Jackson #15687
  • Remove trailing spaces in default UIs #15791
  • Serve static resources (JS, CSS) from dedicated filter #15723
  • Throw AuthorizationDeniedException when AuthorizationResult is available #15706
  • Use HTML templating in default UIs #15580

🪲 Bug Fixes

  • Correct Title in logout.adoc #15736
  • Disabling credentials erasure on custom AuthenticationManager is not working #15809
  • Fix getBeansWithName in global authentication configurers #15781
  • Fix variable targetClassToUse is not passed into the synthesize method #15568
  • Fixed typo in the Servlet API Integration documentation #15691
  • Fixed typos in the Servlet and Reactive Observability documents #15692
  • Hardcode ott-username input name in DefaultLoginPageGeneratingFilter #15740
  • SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15768

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.7 to 1.5.8 #15762
  • Bump com.gradle.develocity from 3.17.6 to 3.18 #15682
  • Bump io.micrometer:micrometer-observation from 1.13.3 to 1.13.4 #15777
  • Bump io.projectreactor:reactor-bom from 2023.0.9 to 2023.0.10 #15787
  • Bump io.spring.develocity.conventions from 0.0.20 to 0.0.21 #15795
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.1 to 3.0.2 #15695
  • Bump org-eclipse-jetty from 11.0.23 to 11.0.24 #15732
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.8.1 to 1.9.0 #15810
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.21 to 4.33.22 #15763
  • Bump org.mockito:mockito-bom from 5.12.0 to 5.13.0 #15703
  • Bump org.seleniumhq.selenium:selenium-java from 4.23.1 to 4.24.0 #15708
  • Bump org.springframework.data:spring-data-bom from 2024.0.3 to 2024.0.4 #15811
  • Bump org.springframework:spring-framework-bom from 6.2.0-M7 to 6.2.0-RC1 #15801

🔩 Build Updates

  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.12 to 1.0.0-alpha.13 in /docs #15755
  • Check samples is stuck on an old snapshot dependency #15798
  • Update Spring Boot links #15720

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Kehrlann, @dependabot[bot], @fb64, @hyunmin0317, @jzheaux, @kse-music, @marcusdacoregio, @ngocnhan-tran1996, @nielsbasjes, @sjohnr, and @ximinghui

6.4.0-M3

22 Aug 13:51
Pre-release

⭐ New Features

  • Simplify adding AuthorizationAdvisors to AuthorizationAdvisorProxyFactory #15497

🔨 Dependency Upgrades

  • Bump com.gradle.develocity from 3.17.6 to 3.18 #15654
  • Bump io.freefair.gradle:aspectj-plugin from 8.7.1 to 8.10 #15653
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.20 to 4.33.21 #15671

🔩 Build Updates

  • Migrate slack notifications to GChat #15669

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

6.3.3

21 Aug 16:25

🪲 Bug Fixes

  • ObservationRegistry is never post-processed #15658

🔨 Dependency Upgrades

  • Bump org-eclipse-jetty from 11.0.22 to 11.0.23 #15664

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]

6.4.0-M2

19 Aug 20:52
Pre-release

⭐ New Features

  • (Spring Boot 2.7->3.2) Duplicate @PreAuthorize annotation error across class hierarchy #15097
  • Add @FunctionalInterface to AuthenticationManager #15441
  • Add RestClient interceptor #15437
  • Add AssertingPartyMetadataRepository #15349
  • Add AuthorizationDeniedException(String) constructor #15607
  • Add methods to augment allowed headers and parameters in StrictHttpFi… #15048
  • Bad return type for HeadersConfigurer#permissionsPolicy method with customizer #14803
  • Fix NPE when nameAttributeValue is null (#15338) #15407
  • Improve @AuthenticationPrincipal meta-annotations #15344
  • Improve @CurrentSecurityContext meta-annotations #15553
  • Inline CSS for default login and logout page #15303
  • Method Annotations Should Support @AliasFor #15436
  • Preserve custom user type in InMemoryUserDetailsManager #15498
  • RelyingPartyRegistrations typically produces unusable registrationId #15017
  • Validate asserting party metadata signature #12116

🪲 Bug Fixes

  • @DeniedHandler should not require an ApplicationContext to function #15496
  • AuthorizationAnnotationUtils.findUniqueAnnotation is broken when interface is inherited #13490
  • EnableMethodSecurity should publish only one bean of each AuthorizationAdvisor #15608

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.6 to 1.5.7 #15621
  • Bump com.google.code.gson:gson from 2.10.1 to 2.11.0 #15575
  • Bump io.freefair.gradle:aspectj-plugin from 8.6 to 8.7.1 #15586
  • Bump io.micrometer:micrometer-observation from 1.12.8 to 1.13.3 #15585
  • Bump io.mockk:mockk from 1.13.11 to 1.13.12 #15429
  • Bump io.projectreactor:reactor-bom from 2023.0.8 to 2023.0.9 #15600
  • Bump jakarta-websocket from 2.1.1 to 2.2.0 #15573
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.0 to 3.0.1 #15587
  • Bump jakarta.servlet:jakarta.servlet-api from 6.0.0 to 6.1.0 #15576
  • Bump org-apache-maven-resolver from 1.9.21 to 1.9.22 #15548
  • Bump org.apache.maven:maven-resolver-provider from 3.9.8 to 3.9.9 #15641
  • Bump org.assertj:assertj-core from 3.25.3 to 3.26.3 #15577
  • Bump org.gretty:gretty from 4.1.4 to 4.1.5 #15428
  • Bump org.hibernate.orm:hibernate-core from 6.4.10.Final to 6.6.0.Final #15603
  • Bump org.hibernate.orm:hibernate-core from 6.4.9.Final to 6.4.10.Final #15531
  • Bump org.htmlunit:htmlunit from 4.1.0 to 4.4.0 #15612
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.24 to 1.9.25 #15453
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.24 to 1.9.25 #15454
  • Bump org.junit:junit-bom from 5.10.3 to 5.11.0 #15610
  • Bump org.mockito:mockito-bom from 5.11.0 to 5.12.0 #15584
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.20.0 to 4.23.0 #15574
  • Bump org.seleniumhq.selenium:selenium-java from 4.20.0 to 4.23.1 #15602
  • Bump org.slf4j:slf4j-api from 2.0.13 to 2.0.14 #15532
  • Bump org.slf4j:slf4j-api from 2.0.13 to 2.0.15 #15547
  • Bump org.slf4j:slf4j-api from 2.0.15 to 2.0.16 #15569
  • Bump org.springframework.data:spring-data-bom from 2024.0.2 to 2024.0.3 #15640
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.4 to 3.2.6 #15622
  • Bump org.springframework:spring-framework-bom from 6.2.0-M5 to 6.2.0-M6 #15443
  • Bump org.springframework:spring-framework-bom from 6.2.0-M6 to 6.2.0-M7 #15611

🔩 Build Updates

  • Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #15448
  • Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #15485
  • Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #15564
  • Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #15634
  • Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #15520
  • Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #15565
  • Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #15635
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #15519
  • Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #15483
  • Bump com.gradle.develocity from 3.17.5 to 3.17.6 #15462
  • Bump io-spring-javaformat from 0.0.42 to 0.0.43 #15646
  • Fix code formatting in documentation #15572
  • Migrate slack notifications to GChat #15506
  • Remove duplicated "the" in JavaDoc #15469
  • Update spring-test to Mock TestContext in Tests #15579

❤️ Contributors

Thank you to all the contributors who worked on this release:

@HyoJongPark, @Kehrlann, @MrJovanovic13, @baezzys, @benelog, @crusherd, @dependabot[bot], @jzheaux, @kse-music, @pongdangx2, and @sjohnr

6.3.2

19 Aug 21:13

⭐ New Features

  • ActiveDirectoryLdapAuthenticationProvider does not implement support for multiple urls #15495
  • Document the role of CredentialsContainer #15321
  • OIDC Backchannel Logout should allow logout tokens having typ header of logout+jwt #15410

🪲 Bug Fixes

  • A broken link in Spring Security reference #15297
  • Documentation for ServletBearerExchangeFilterFunction incomplete or incorrect #15460
  • EnableMethodSecurity should publish only one bean of each AuthorizationAdvisor #15592
  • Fix Compromised Password Checker Docs Sample Not Working #15305
  • Fix for #15172 introduces significant performance degradation #15324
  • Pre/PostAuthorize should not ignore HandleAuthorizationDenied#handlerClass when ApplicationContext is not provided #15535
  • Update prerequisites documentation with Java 17 #15340
  • Use Correct Meta-Annotation in Kotlin Sample #15472
  • Using sec:authorize in JSPX causes 'java.lang.NullPointerException: Cannot invoke "jakarta.servlet.ServletRegistration.getClassName()" because "registration" is null' #15440

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.6 to 1.5.7 #15619
  • Bump com.fasterxml.jackson:jackson-bom from 2.17.1 to 2.17.2 #15374
  • Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #15373
  • Bump io.micrometer:micrometer-observation from 1.12.7 to 1.12.8 #15383
  • Bump io.micrometer:micrometer-observation from 1.12.8 to 1.12.9 #15581
  • Bump io.mockk:mockk from 1.13.11 to 1.13.12 #15430
  • Bump io.projectreactor:reactor-bom from 2023.0.7 to 2023.0.8 #15388
  • Bump io.projectreactor:reactor-bom from 2023.0.8 to 2023.0.9 #15597
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.0 to 3.0.1 #15582
  • Bump org-apache-maven-resolver from 1.9.20 to 1.9.21 #15372
  • Bump org-apache-maven-resolver from 1.9.21 to 1.9.22 #15545
  • Bump org-eclipse-jetty from 11.0.21 to 11.0.22 #15356
  • Bump org.apache.maven:maven-resolver-provider from 3.9.7 to 3.9.8 #15268
  • Bump org.apache.maven:maven-resolver-provider from 3.9.8 to 3.9.9 #15642
  • Bump org.gretty:gretty from 4.1.4 to 4.1.5 #15431
  • Bump org.hibernate.orm:hibernate-core from 6.4.9.Final to 6.4.10.Final #15530
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.24 to 1.9.25 #15456
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.24 to 1.9.25 #15455
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.19 to 4.33.20 #15267
  • Bump org.junit:junit-bom from 5.10.2 to 5.10.3 #15315
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #15336
  • Bump org.slf4j:slf4j-api from 2.0.13 to 2.0.14 #15529
  • Bump org.slf4j:slf4j-api from 2.0.14 to 2.0.15 #15546
  • Bump org.slf4j:slf4j-api from 2.0.15 to 2.0.16 #15571
  • Bump org.springframework.data:spring-data-bom from 2024.0.1 to 2024.0.2 #15421
  • Bump org.springframework.data:spring-data-bom from 2024.0.2 to 2024.0.3 #15643
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.4 to 3.2.6 #15620
  • Bump org.springframework:spring-framework-bom from 6.1.10 to 6.1.11 #15402
  • Bump org.springframework:spring-framework-bom from 6.1.11 to 6.1.12 #15613
  • Bump org.springframework:spring-framework-bom from 6.1.9 to 6.1.10 #15279

🔩 Build Updates

  • Automate check of expected branch version #15310
  • Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #15449
  • Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #15482
  • Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #15560
  • Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #15637
  • Bump @springio/antora-extensions from 1.11.1 to 1.12.0 in /docs #15418
  • Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #15517
  • Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #15561
  • Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #15636
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.10 to 1.0.0-alpha.11 in /docs #15419
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #15515
  • Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #15329
  • Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #15480
  • Bump com.gradle.develocity from 3.17.5 to 3.17.6 #15464
  • Bump io-spring-javaformat from 0.0.42 to 0.0.43 #15650
  • Fix typos and formatting in documentation #15380
  • Migrate slack notifications to GChat #15505
  • Use explicit types instead of var #15537

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann, @dependabot[bot], and @tahakorkem

6.2.6

19 Aug 21:05

⭐ New Features

  • ActiveDirectoryLdapAuthenticationProvider does not implement support for multiple urls #15494
  • Document the role of CredentialsContainer #15320
  • OIDC Backchannel Logout should allow logout tokens having typ header of logout+jwt #15277

🪲 Bug Fixes

  • A broken link in Spring Security reference #15288
  • Correct HttpSessionCsrfTokenRepository Documentation #15392
  • Documentation for ServletBearerExchangeFilterFunction incomplete or incorrect #15459
  • Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource #15444
  • Update prerequisites documentation with Java 17 #15323
  • Using sec:authorize in JSPX causes 'java.lang.NullPointerException: Cannot invoke "jakarta.servlet.ServletRegistration.getClassName()" because "registration" is null' #15439

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #15376
  • Bump io.micrometer:micrometer-observation from 1.12.7 to 1.12.8 #15381
  • Bump io.micrometer:micrometer-observation from 1.12.8 to 1.12.9 #15588
  • Bump io.mockk:mockk from 1.13.11 to 1.13.12 #15427
  • Bump io.projectreactor:reactor-bom from 2023.0.7 to 2023.0.8 #15389
  • Bump io.projectreactor:reactor-bom from 2023.0.8 to 2023.0.9 #15599
  • Bump jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api from 3.0.0 to 3.0.1 #15589
  • Bump org-apache-maven-resolver from 1.9.20 to 1.9.21 #15377
  • Bump org-apache-maven-resolver from 1.9.21 to 1.9.22 #15543
  • Bump org-eclipse-jetty from 11.0.21 to 11.0.22 #15358
  • Bump org.apache.maven:maven-resolver-provider from 3.9.7 to 3.9.8 #15271
  • Bump org.apache.maven:maven-resolver-provider from 3.9.8 to 3.9.9 #15645
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.24 to 1.9.25 #15452
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.24 to 1.9.25 #15451
  • Bump org.junit:junit-bom from 5.10.2 to 5.10.3 #15314
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #15333
  • Bump org.slf4j:slf4j-api from 2.0.13 to 2.0.14 #15528
  • Bump org.slf4j:slf4j-api from 2.0.14 to 2.0.15 #15544
  • Bump org.slf4j:slf4j-api from 2.0.15 to 2.0.16 #15570
  • Bump org.springframework.data:spring-data-bom from 2023.1.7 to 2023.1.8 #15422
  • Bump org.springframework.data:spring-data-bom from 2023.1.8 to 2023.1.9 #15644
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.4 to 3.2.6 #15618
  • Bump org.springframework:spring-framework-bom from 6.1.10 to 6.1.11 #15404
  • Bump org.springframework:spring-framework-bom from 6.1.11 to 6.1.12 #15614
  • Bump org.springframework:spring-framework-bom from 6.1.9 to 6.1.10 #15280

🔩 Build Updates

  • Automate check of expected branch version #15309
  • Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #15445
  • Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #15488
  • Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #15563
  • Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #15639
  • Bump @springio/antora-extensions from 1.11.1 to 1.12.0 in /docs #15415
  • Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #15516
  • Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #15562
  • Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #15638
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.10 to 1.0.0-alpha.11 in /docs #15414
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #15518
  • Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #15328
  • Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #15489
  • Bump com.gradle.develocity from 3.17.5 to 3.17.6 #15465
  • Bump io-spring-javaformat from 0.0.42 to 0.0.43 #15649
  • Migrate slack notifications to GChat #15504

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Junhyunny, @Kehrlann, @OLibutzki, @arey, @baezzys, and @dependabot[bot]

5.8.14

19 Aug 21:10

⭐ New Features

  • Document the role of CredentialsContainer #15319

🪲 Bug Fixes

  • Clarify url Parameter Usage in AD Provider Constructor #15409
  • Using sec:authorize in JSPX causes 'java.lang.NullPointerException: Cannot invoke "jakarta.servlet.ServletRegistration.getClassName()" because "registration" is null' #15363

🔨 Dependency Upgrades

  • Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #15375
  • Bump io.projectreactor.netty:reactor-netty from 1.0.46 to 1.0.47 #15391
  • Bump io.projectreactor.netty:reactor-netty from 1.0.47 to 1.0.48 #15606
  • Bump io.projectreactor:reactor-bom from 2020.0.45 to 2020.0.46 #15390
  • Bump io.projectreactor:reactor-bom from 2020.0.46 to 2020.0.47 #15604
  • Bump org-eclipse-jetty from 9.4.54.v20240208 to 9.4.55.v20240627 #15360
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.2 #15291
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #15335
  • Bump org.springframework:spring-framework-bom from 5.3.37 to 5.3.39 #15615

🔩 Build Updates

  • Automate check of expected branch version #15226
  • Bump @antora/collector-extension from 1.0.0-alpha.4 to 1.0.0-alpha.6 in /docs #15447
  • Bump @antora/collector-extension from 1.0.0-alpha.6 to 1.0.0-alpha.7 in /docs #15484
  • Bump @antora/collector-extension from 1.0.0-alpha.7 to 1.0.0-beta.1 in /docs #15558
  • Bump @antora/collector-extension from 1.0.0-beta.1 to 1.0.0-beta.2 in /docs #15633
  • Bump @springio/antora-extensions from 1.11.1 to 1.12.0 in /docs #15417
  • Bump @springio/antora-extensions from 1.12.0 to 1.13.0 in /docs #15523
  • Bump @springio/antora-extensions from 1.13.0 to 1.13.1 in /docs #15559
  • Bump @springio/antora-extensions from 1.13.1 to 1.14.2 in /docs #15632
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.10 to 1.0.0-alpha.11 in /docs #15416
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.11 to 1.0.0-alpha.12 in /docs #15524
  • Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #15330
  • Bump antora from 3.2.0-alpha.5 to 3.2.0-alpha.6 in /docs #15481
  • Bump com.gradle.develocity from 3.17.5 to 3.17.6 #15463

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

6.4.0-M1

15 Jul 19:28
Pre-release

⏪ Breaking Changes

  • Adapt to form data not adding charset if it is UTF-8 #15275

⭐ New Features

  • AclAuthorizationStrategyImpl should use RoleHierarchy #4186
  • Add CachingRelyingPartyRegistrationRepository #15341
  • Add interface IterableRelyingPartyRegistrationRepository or similar #15027
  • Add Kotlin support to DefaultMethodSecurityExpressionHandler #15093
  • Add Kotlin support to PreFilter and PostFilter annotations #15095
  • Add RequestMatcher for matching parameters #15342
  • Add saml2Logout Kotlin DSL support #14935
  • Add SecurityContextRepository to Kotlin Reactive DSL #15013
  • Add setter method for userDetailsChecker in CasAuthenticationProvider(#10277) #15047
  • Add support checking AnyRequestMatcher securityFilterChains #15221
  • Add support configuring OAuth2AuthorizationRequestResolver as bean #15237
  • Add support remember-me cookie customization #15203
  • Adds missing translated messages for PT-BR #15181
  • Adjust DefaultSecurityFilterChain Logging Level and Simplify Filter Logging #15096
  • Clarify the behavior of Concurrent Session Management when an IdP is involved #15206
  • CSRF example for Single-Page Apps could be improved #15105
  • Deprecate authorizeRequests from Kotlin DSL #15173
  • Deprecate OpenSamlRelyingPartyRegistration #15343
  • Description of securityMatcher and multiple filter chains has now more details #15029
  • Document the role of CredentialsContainer #15322
  • Expose user name attribute name in OAuth2UserAuthority #15012
  • LDAP bind failures due to invalid credentials don't cause AuthenticationFailure events to be fired #3834
  • Mention all required dependencies in LDAP documentation #15246
  • OIDC Backchannel Logout should allow logout tokens having typ header of logout+jwt #15003
  • Remove Deprecated Usages for Spring LDAP #15274
  • SAML metadata Content-Type should be application/samlmetadata+xml #15147
  • Support GrantedAuthorityDefaults Bean in authorizeHttpRequests Kotlin DSL #15171
  • Support RoleHierarchy Bean in authorizeHttpRequests Kotlin DSL #15136
  • Support signing SAML metadata #14916
  • Update Kotlin example for MockMvc and Spring Security #15177
  • Update the OAuth2 jwt and opaque Resource Server documentation #15362
  • Use Javadoc macro #15386

🪲 Bug Fixes

  • Assert WebSession is not null #15180
  • Docs: Fix import for reactive example with Kotlin DSL #15200
  • Fix Compromised Password Checker Docs Sample Not Working #15306
  • Fix Java example in multitenanci.adoc #15164
  • Fix link in the In-Memory Authentication documentation #14689
  • Fix malformed list in "Using Method Parameters" documentation #15325
  • Fix typos and formatting in documentation #15353
  • Fix wrong explanation for @PostAuthorize annotation #15222
  • Resolving invalid CSRF token values is not consistent #15187
  • The docs reference #7537 which is closed #15263

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15158
  • Bump antora from 3.2.0-alpha.4 to 3.2.0-alpha.5 in /docs #15332
  • Bump com.fasterxml.jackson:jackson-bom from 2.17.1 to 2.17.2 #15371
  • Bump com.github.spullara.mustache.java:compiler from 0.9.13 to 0.9.14 #15370
  • Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15242
  • Bump Gradle Wrapper from 8.7 to 8.8 #15188
  • Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15214
  • Bump io.projectreactor:reactor-bom from 2023.0.7 to 2023.0.8 #15387
  • Bump org-apache-maven-resolver from 1.9.20 to 1.9.21 #15369
  • Bump org-eclipse-jetty from 11.0.21 to 11.0.22 #15357
  • Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15169
  • Bump org.apache.maven:maven-resolver-provider from 3.9.7 to 3.9.8 #15270
  • Bump org.hibernate.orm:hibernate-core from 6.4.8.Final to 6.4.9.Final #15234
  • Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15190
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.15 to 4.33.16 #15175
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.16 to 4.33.17 #15215
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.17 to 4.33.19 #15259
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.19 to 4.33.20 #15269
  • Bump org.junit:junit-bom from 5.10.2 to 5.10.3 #15313
  • Bump org.skyscreamer:jsonassert from 1.5.1 to 1.5.3 #15334
  • Bump org.springframework.data:spring-data-bom from 2024.0.0 to 2024.0.1 #15258
  • Bump org.springframework.data:spring-data-bom from 2024.0.1 to 2024.0.2 #15420
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15250
  • Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15249
  • Bump org.springframework:spring-framework-bom from 6.2.0-M4 to 6.2.0-M5 #15403
  • Upgrade to Spring Framework 6.2.0-M4 #15266

🔩 Build Updates

  • Automate check of expected branch version #15311
  • Bump spring-io/spring-doc-actions from 5a57bcc6a0da2a1474136cf29571b277850432bc to 852920ba3fb1f28b35a2f13201133bc00ef33677 #15289
  • Configure Build to Confirm UnboundId 7 Compatibility #15400
  • Fixing URL on README #15350

❤️ Contributors

Thank you to all the contributors who worked on this release:

@CrazyParanoid, @Doremi203, @Junhyunny, @Kyoungwoong, @Marcono1234, @Seungpan...

6.3.1

17 Jun 16:26

⭐ New Features

  • Clarify the behavior of Concurrent Session Management when an IdP is involved #15071
  • Mention all required dependencies in LDAP documentation #15245
  • Minor docs fix #15144

🪲 Bug Fixes

  • AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #15211
  • Assert WebSession is not null #15179
  • DispatcherServletDelegatingRequestMatcher causes errors when running tests with MockMvc #15197
  • Documentation clarification after #12783 has been closed is needed. #15208
  • Fix Java example in multitenanci.adoc #15151
  • Fix Kotlin example in authorize-http-requests.adoc #15129
  • Incorrect documentation for OIDC Back-Channel Logout #15212
  • IpAddressMatcher.matches(String address) still accepts URLs #15172
  • LDIF file on official documentation breaks the startup process #15167
  • Link to article with remember-me-persistent-token strategy is broken #15149
  • OpenSaml4AssertionValidator is not respecting clock skew settings #15183
  • Resolving invalid CSRF token values is not consistent #15186
  • spring-security/docs/modules/ROOT/pages/servlet/authorization /method-security #15143
  • SpringOpaqueTokenIntrospector does not add scopes as granted authorities properly #15165

🔨 Dependency Upgrades

  • Bump io.micrometer:micrometer-observation from 1.12.6 to 1.12.7 #15225
  • Bump io.projectreactor:reactor-bom from 2023.0.6 to 2023.0.7 #15229
  • Bump org.apache.directory.shared:shared-ldap from 0.9.15 to 0.9.19 #15161
  • Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15168
  • Bump org.gretty:gretty from 4.1.3 to 4.1.4 #15133
  • Bump org.hibernate.orm:hibernate-core from 6.4.8.Final to 6.4.9.Final #15228
  • Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15193
  • Bump org.springframework.data:spring-data-bom from 2024.0.0 to 2024.0.1 #15260
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15251
  • Bump org.springframework:spring-framework-bom from 6.1.7 to 6.1.8 #15134
  • Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15252

🔩 Build Updates

  • Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15159
  • Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #15141
  • Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15239
  • Bump gradle/gradle-build-action from 2 to 3 #15157
  • Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15219
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.15 to 4.33.16 #15176
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.16 to 4.33.17 #15218
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.17 to 4.33.19 #15261
  • Bump spring-io/spring-doc-actions from 17ed79ea5fbd65813c69ef1062a024d4a37ff0ca to 5a57bcc6a0da2a1474136cf29571b277850432bc #15139

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot] and @theHacker

6.2.5

17 Jun 18:13

⭐ New Features

  • doc: added hint to declare GrantedAuthorityDefaults as infrastructure bean #15063
  • Enhance Logging in RequestMatcherDelegatingAuthorizationManage #14922
  • InMemoryUserDetailsManager: consider improving the error message when no PasswordEncoding has been specified #14974
  • Mention all required dependencies in LDAP documentation #15244

🪲 Bug Fixes

  • Assert WebSession is not null #15178
  • AbstractRequestMatcherRegistry#requestMatchers should pick MvcRequestMatcher when using MockMvc #15210
  • DispatcherServletDelegatingRequestMatcher causes errors when running tests with MockMvc #15196
  • Fix Java example in multitenanci.adoc #15150
  • Incorrect documentation for OIDC Back-Channel Logout #15198
  • InMemoryUserDetailsManager Setting User Roles in Official Documentation Example Causes Error #14972
  • LDIF file on official documentation breaks the startup process #15166
  • Link to article with remember-me-persistent-token strategy is broken #15148
  • OIDC Logout section is not shown in the navbar #15112
  • OpenSaml4AssertionValidator is not respecting clock skew settings #15022
  • ProxyRestrictionConditionValidator is missing in the OpenSaml4AuthenticationProvider.SAML20AssertionValidators class #14958
  • Resolving invalid CSRF token values is not consistent #15185
  • spring-security/docs/modules/ROOT/pages/servlet/authorization /method-security #15045
  • Wrong information for RequestCacheAwareFilter in the Spring Security documentation. #14995

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1 #15011
  • Bump io.micrometer:micrometer-observation from 1.12.5 to 1.12.6 #15069
  • Bump io.micrometer:micrometer-observation from 1.12.6 to 1.12.7 #15224
  • Bump io.mockk:mockk from 1.13.10 to 1.13.11 #15079
  • Bump io.projectreactor:reactor-bom from 2023.0.5 to 2023.0.6 #15075
  • Bump io.projectreactor:reactor-bom from 2023.0.6 to 2023.0.7 #15232
  • Bump org-apache-maven-resolver from 1.9.18 to 1.9.19 #14939
  • Bump org-apache-maven-resolver from 1.9.19 to 1.9.20 #15031
  • Bump org-aspectj from 1.9.22 to 1.9.22.1 #15049
  • Bump org-eclipse-jetty from 11.0.20 to 11.0.21 #15080
  • Bump org.apache.maven:maven-resolver-provider from 3.9.6 to 3.9.7 #15170
  • Bump org.hibernate.orm:hibernate-core from 6.4.4.Final to 6.4.5.Final #14949
  • Bump org.hibernate.orm:hibernate-core from 6.4.5.Final to 6.4.6.Final #14953
  • Bump org.hibernate.orm:hibernate-core from 6.4.6.Final to 6.4.7.Final #14960
  • Bump org.hibernate.orm:hibernate-core from 6.4.7.Final to 6.4.8.Final #14981
  • Bump org.hsqldb:hsqldb from 2.7.2 to 2.7.3 #15192
  • Bump org.jetbrains.kotlin:kotlin-bom from 1.9.23 to 1.9.24 #15024
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.23 to 1.9.24 #15023
  • Bump org.opensaml:opensaml-core4 from 4.3.1 to 4.3.2 #14947
  • Bump org.springframework.data:spring-data-bom from 2023.1.5 to 2023.1.6 #15101
  • Bump org.springframework.data:spring-data-bom from 2023.1.6 to 2023.1.7 #15262
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.3 to 3.2.4 #15248
  • Bump org.springframework:spring-framework-bom from 6.1.6 to 6.1.7 #15081
  • Bump org.springframework:spring-framework-bom from 6.1.7 to 6.1.8 #15132
  • Bump org.springframework:spring-framework-bom from 6.1.8 to 6.1.9 #15247
  • Update to OAuth2 OIDC SDK 9.43.4 #14920
  • Upgrade nimbus-jose-jwt to version 9.37.3 #14836

🔩 Build Updates

  • Attach Antora Docs to Pull Requests #15060
  • Bump @antora/collector-extension from 1.0.0-alpha.3 to 1.0.0-alpha.4 in /docs #15163
  • Bump @springio/antora-extensions from 1.10.0 to 1.11.1 in /docs #15142
  • Bump com.github.spullara.mustache.java:compiler from 0.9.11 to 0.9.13 #15032
  • Bump com.gradle.develocity from 3.17.2 to 3.17.3 #15050
  • Bump com.gradle.develocity from 3.17.3 to 3.17.4 #15102
  • Bump com.gradle.develocity from 3.17.4 to 3.17.5 #15241
  • Bump io-spring-javaformat from 0.0.41 to 0.0.42 #15216
  • Bump io.spring.ge.conventions from 0.0.16 to 0.0.17 #14961
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.2 to 1.0.3 #14924
  • Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.13 to 4.33.15 #14950
  • Consider Adding a Build Updates section to the release changelog #15038

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dependabot[bot]