On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC1. This release comes with 50+ tickets closed.
As always we look forward to hearing your feedback! You can find the highlights below:
Resource Server is now configurable via any issuer endpoint that supports OpenID Provider Configuration:

```java
@Bean
JwtDecoder jwtDecoder() {
    return JwtDecoders.createDefaultFromIssuer("https://issuer-endpoint");
}
```
Users can add their own validation rules to apply to a Jwt by exposing a JwtDecoder bean:

```java
@Bean
JwtDecoder jwtDecoder() {
    String jwkSetUri = "https://issuer-endpoint/.well-known/jwks.json";
    NimbusJwtDecoderJwkSupport jwtDecoder =
            new NimbusJwtDecoderJwkSupport(jwkSetUri);
    // Run the default checks (timestamps) and then the custom rule
    OAuth2TokenValidator<Jwt> validator =
            new DelegatingOAuth2TokenValidator<>(
                    JwtValidators.createDefault(),
                    new MyCustomValidator());
    jwtDecoder.setJwtValidator(validator);
    return jwtDecoder;
}
```
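As an added illustration (not code from the release or the Spring Security project), this is one way the `MyCustomValidator` referenced above could be written: an `OAuth2TokenValidator<Jwt>` that rejects tokens whose `aud` claim does not name this resource server. The constructor argument and the error description are assumptions; `JwtValidators.createDefault()` only checks the token's timestamps, so an audience check like this is what stops a token minted for a different API at the same issuer from being accepted.

```java
import java.util.List;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

// Hypothetical validator: accepts a Jwt only if its "aud" claim lists the
// audience this resource server expects. Plugged into the decoder through
// DelegatingOAuth2TokenValidator alongside JwtValidators.createDefault().
public class MyCustomValidator implements OAuth2TokenValidator<Jwt> {

    // Error returned to the caller; the description text is an assumption
    private static final OAuth2Error MISSING_AUDIENCE = new OAuth2Error(
            OAuth2ErrorCodes.INVALID_REQUEST,
            "The required audience is missing",
            null);

    private final String requiredAudience;

    // The expected audience value (for example the API's own identifier)
    public MyCustomValidator(String requiredAudience) {
        this.requiredAudience = requiredAudience;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        // getAudience() returns the "aud" claim as a list, or null if absent
        List<String> audience = jwt.getAudience();
        if (audience != null && audience.contains(this.requiredAudience)) {
            return OAuth2TokenValidatorResult.success();
        }
        // A failure here makes the decoder throw and the request is rejected
        return OAuth2TokenValidatorResult.failure(MISSING_AUDIENCE);
    }
}
```

With this class, the decoder above would be built with `new MyCustomValidator("my-api")` instead of the no-argument constructor shown in the announcement.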
Users can customize how GrantedAuthority instances are derived from a Jwt:

```java
@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
    return new JwtAuthenticationConverter() {
        @Override
        protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
            return Arrays.asList(new SimpleGrantedAuthority("app:read"));
        }
    };
}
// A JwtDecoder has no converter setter; the converter is registered with the
// resource server's jwt() configurer:
// http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
```
Basic Support for the Client Credentials Grant Type has been added.
Basic support for the Feature-Policy header has been added:

```java
http
    .headers()
        .featurePolicy("geolocation 'none'");
```
Basic support for Reactive-based OAuth2 Resource Servers has been added. See oauth2resourceserver-webflux
Basic support for Reactive-based Authorization Code Grant flow has been added. See authcodegrant-webflux
Support for customizing the authentication request made to the Authorization Server has been added. This is handy if, for example, the authorization server requires a custom parameter to be sent. It is also helpful in multi-tenant scenarios where elements of the request like the hostname may change how the request to an authorization server is made.
Support for customizing the persistence of authorized clients between requests has been added:

```java
http
    .oauth2()
        .client()
            .authorizedClientRepository(new MyCookieBasedClientRepository());
```
Support for the following secure headers has been added to WebFlux:
Content-Security-Policy
Referrer-Policy
Feature-Policy
Support for CORS has been added to WebFlux.
We have updated our dependencies to be on the latest and greatest to ensure our transitive dependencies are up to date.