|
|
@@ -4,6 +4,89 @@
|
|
|
Spring Security 6.4 provides a number of new features.
|
|
|
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
|
|
|
|
|
|
+== Deprecation Notices
|
|
|
+
|
|
|
+As we get closer to Spring Security 7, it's important to stay up to date on deprecations.
|
|
|
+As such, this section points out deprecations in the 6.4 release.
|
|
|
+
|
|
|
+* *Method Security* - `AuthorizationManager#check` is deprecated in favor of `AuthorizationManager#authorize`.
|
|
|
+This is primarily to allow the return type to be an interface instead of a concrete class.
|
|
|
+If you are invoking `AuthorizationManager#check`, please invoke `AuthorizationManager#authorize` instead.
|
|
|
++
|
|
|
+Relatedly, `AuthorizationEventPublisher#publishEvent` that takes an `AuthorizationDecision` is deprecated in favor of a method of the same name that takes an `AuthorizationResult` interface instead.
|
|
|
+* *Method Security* - `PrePostTemplateDefaults` is deprecated in favor of the more generic `AnnotationTemplateExpressionDefaults` as there is now meta-annotation property support for `@AuthenticationPrincipal` and `@CurrentSecurityContext` as well.
|
|
|
+If you are constructing a `PrePostTemplateDefaults`, change this out for an `AnnotationTemplateExpressionDefaults`.
|
|
|
+* *OAuth 2.0* - `NimbusOpaqueTokenIntrospector` has been deprecated in favor of `SpringOpaqueTokenIntrospector` in order to remove Spring Security OAuth 2.0 Resource Server's reliance on the `oidc-oauth2-sdk` package.
|
|
|
+If you are constructing a `NimbusOpaqueTokenIntrospector`, replace it with ``SpringOpaqueTokenIntrospector``'s constructor
|
|
|
+* *OAuth 2.0* - `DefaultAuthorizationCodeTokenResponseClient`, `DefaultClientCredentialsTokenResponseClient`, `DefaultJwtBearerTokenResponseClient`, `DefaultPasswordTokenResponseClient`, `DefaultRefreshTokenTokenResponseClient`, and `DefaultTokenExchangeTokenResponseClient` are deprecated in favor of their `RestClient` equivalents.
|
|
|
++
|
|
|
+Relatedly,`JwtBearerGrantRequestEntityConverter`, `OAuth2AuthorizationCodeGrantRequestEntityConverter`, `OAuth2ClientCredentialsGrantRequestEntityConverter`, `OAuth2PasswordGrantRequestEntityConverter`, `OAuth2RefreshTokenGrantRequestEntityConverter` are deprecated in favor of providing an instance of `DefaultOAuth2TokenRequestParametersConverter` to one of the above token response clients
|
|
|
++
|
|
|
+For example, if you have the following arrangement:
|
|
|
++
|
|
|
+[source,java]
|
|
|
+----
|
|
|
+private static class MyCustomConverter
|
|
|
+ extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2AuthorizationCodeGrantRequest> {
|
|
|
+ @Override
|
|
|
+ protected MultiValueMap<String, String> createParameters
|
|
|
+ (OAuth2AuthorizationCodeGrantRequest request) {
|
|
|
+ MultiValueMap<String, String> parameters = super.createParameters(request);
|
|
|
+ parameters.add("custom", "value");
|
|
|
+ return parameters;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+@Bean
|
|
|
+OAuth2AccessTokenResponseClient authorizationCode() {
|
|
|
+ DefaultAuthorizationCodeTokenResponseClient client =
|
|
|
+ new DefaultAuthorizationCodeTokenResponseClient();
|
|
|
+ Converter<AuthorizationCodeGrantRequest, RequestEntity<?>> entityConverter =
|
|
|
+ new OAuth2AuthorizationCodeGrantRequestEntityConverter();
|
|
|
+ entityConverter.setParametersConverter(new MyCustomConverter());
|
|
|
+ client.setRequestEntityConverter(entityConverter);
|
|
|
+ return client;
|
|
|
+}
|
|
|
+----
|
|
|
++
|
|
|
+This configuration is deprecated since it uses `DefaultAuthorizationCodeTokenResponseClient` and `OAuth2AuthorizationCodeGrantRequestEntityConverter`.
|
|
|
+The recommended configuration is now:
|
|
|
++
|
|
|
+[source,java]
|
|
|
+----
|
|
|
+private static class MyCustomConverter implements Converter<OAuth2AuthorizationCodeGrantRequest, Map<String, String>> {
|
|
|
+ @Override
|
|
|
+ public MultiValueMap<String, String> convert(OAuth2AuthorizeCodeGrantRequest request) {
|
|
|
+ MultiValueMap<String, String> parameters = OAuth2AuthorizationCodeGrantRequest.defaultParameters(request);
|
|
|
+ parameters.add("custom", "value");
|
|
|
+ return parameters;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+@Bean
|
|
|
+OAuth2AccessTokenResponseClient authorizationCode() {
|
|
|
+ RestClientAuthorizationCodeTokenResponseClient client =
|
|
|
+ new RestClientAuthorizationCodeTokenResponseClient();
|
|
|
+ client.setParametersConverter(new MyCustomConverter());
|
|
|
+ return client;
|
|
|
+}
|
|
|
+----
|
|
|
+
|
|
|
+
|
|
|
+* *SAML 2.0* - Unversioned OpenSAML implementations of Spring Security SAML 2.0 Service Provider's interfaces have been deprecated in favor of versioned ones.
|
|
|
+For example, `OpenSamlAuthenticationTokenConverter` is now replaced by `OpenSaml4AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter`.
|
|
|
+If you are constructing one of these deprecated versions, please replace it with the one that corresponds to the OpenSAML version you are using.
|
|
|
+* *SAML 2.0* - Methods surrounding `AssertingPartyDetails` are deprecated in favor of equivalent methods that use the `AssertingPartyMetadata` interface.
|
|
|
+* *LDAP* - Usages of `DistinguishedName` are now deprecated in order to align with Spring LDAP's deprecations
|
|
|
+
|
|
|
+== One-Time Token Login
|
|
|
+
|
|
|
+* Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL, including xref:servlet/authentication/onetimetoken.adoc#customize-generate-consume-token[JDBC support].
|
|
|
+
|
|
|
+== Passkeys
|
|
|
+
|
|
|
+Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
|
|
|
+
|
|
|
== Method Security
|
|
|
|
|
|
* All xref:servlet/authorization/method-security.adoc#meta-annotations[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`]
|
|
|
@@ -48,10 +131,14 @@ fun method(@CurrentUsername("username") val username: String): String {
|
|
|
======
|
|
|
* https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm.
|
|
|
This aids in migration from earlier versions of Spring Security.
|
|
|
+* Native applications can now xref:servlet/authorization/method-security.adoc#authorize-return-object-aot[use `@AuthorizeReturnObject`]
|
|
|
+* Native applications can now xref:servlet/authorization/method-security.adoc#pre-post-authorize-aot[reference beans in `@PreAuthorize` and `@PostAuthorize`]
|
|
|
+* `SecurityAnnotationScanners` offers https://github.com/spring-projects/spring-security/issues/15700[a convenient API] for scanning for Security annotations and for adding Security's selection and templating features to custom annotations
|
|
|
|
|
|
== OAuth 2.0
|
|
|
|
|
|
* `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`]
|
|
|
+* `ClientRegistrations` now supports externally obtained configuration
|
|
|
* Added `loginPage()` to DSL in reactive `oauth2Login()`
|
|
|
* OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`]
|
|
|
* `RestClient` can now be xref:servlet/oauth2/index.adoc#oauth2-client-access-protected-resources[configured] with `OAuth2ClientHttpRequestInterceptor` to xref:servlet/oauth2/index.adoc#oauth2-client-accessing-protected-resources-example[make protected resources requests]
|
|
|
@@ -131,7 +218,7 @@ class SecurityConfig {
|
|
|
}
|
|
|
----
|
|
|
======
|
|
|
-* Deprecated `Default*` implementations of `OAuth2AccessTokenResponseClient`
|
|
|
+* Token Exchange now https://github.com/spring-projects/spring-security/issues/15534[supports refresh tokens]
|
|
|
|
|
|
== SAML 2.0
|
|
|
|
|
|
@@ -197,15 +284,15 @@ This implementation also supports the validation of a metadata's signature.
|
|
|
* You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata]
|
|
|
* `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached].
|
|
|
This is helpful if you want to defer the loading of the registration values til after application startup.
|
|
|
-It is also helpful if you want to control when metadata gets refreshed.
|
|
|
+It is also helpful if you want to control when metadata gets refreshed via Spring Cache.
|
|
|
* To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type]
|
|
|
|
|
|
== Web
|
|
|
|
|
|
* CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent]
|
|
|
* The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable]
|
|
|
-* Security Filter Chain is now improved.
|
|
|
-Specifically, the following arrangement is invalid since an any request filter chain comes before all other filter chains:
|
|
|
+* Security Filter Chain finds more invalid configurations.
|
|
|
+For example, a filter chain declared after an any-request filter chain is invalid since it will never be invoked:
|
|
|
+
|
|
|
[tabs]
|
|
|
======
|
|
|
@@ -217,6 +304,7 @@ Java::
|
|
|
@Order(0)
|
|
|
SecurityFilterChain api(HttpSecurity http) throws Exception {
|
|
|
http
|
|
|
+ // implicit securityMatcher("/**")
|
|
|
.authorizeHttpRequests(...)
|
|
|
.httpBasic(...)
|
|
|
|
|
|
@@ -264,14 +352,36 @@ fun app(val http: HttpSecurity): SecurityFilterChain {
|
|
|
----
|
|
|
======
|
|
|
You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket].
|
|
|
+* `ServerHttpSecurity` now https://github.com/spring-projects/spring-security/issues/15974[picks up `ServerWebExchangeFirewall` as a `@Bean`]
|
|
|
|
|
|
-== One-Time Token Login
|
|
|
-
|
|
|
-Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL.
|
|
|
+== Observability
|
|
|
|
|
|
-== Passkeys
|
|
|
+Observability now supports xref:servlet/integrations/observability.adoc#observability-tracing-disable[toggling authorization, authentication, and request observations separately]
|
|
|
+For example, to turn off filter chain observations, you can publish a `@Bean` like this one:
|
|
|
+[tabs]
|
|
|
+======
|
|
|
+Java::
|
|
|
++
|
|
|
+[source,java,role="primary"]
|
|
|
+----
|
|
|
+@Bean
|
|
|
+SecurityObservationSettings allSpringSecurityObservations() {
|
|
|
+ return SecurityObservationSettings.withDefaults()
|
|
|
+ .shouldObserveFilterChains(false).build();
|
|
|
+}
|
|
|
+----
|
|
|
|
|
|
-Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
|
|
|
+Kotlin::
|
|
|
++
|
|
|
+[source,kotlin,role="secondary"]
|
|
|
+----
|
|
|
+@Bean
|
|
|
+fun allSpringSecurityObservations(): SecurityObservationSettings {
|
|
|
+ return SecurityObservationSettings.builder()
|
|
|
+ .shouldObserveFilterChains(false).build()
|
|
|
+}
|
|
|
+----
|
|
|
+======
|
|
|
|
|
|
== Kotlin
|
|
|
|
Josh Cummings