On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC2. This release comes with 50+ tickets closed.
As always we look forward to hearing your feedback! You can find the highlights below:
In the beginning, the Spring Security DSL had two oauths:

```java
http
    .oauth2()
        .client()...
```

which made some sense, since one was an authentication mechanism, like openidLogin, and the others, authorizationServer among them, were more like OAuth 2.0 personalities.
In the end, though, that separation felt like needless extra typing, so we resolved to flatten the hierarchy. As of this release, the DSL reads:

```java
http
    .oauth2Login()...
    .oauth2Client()...
    .oauth2ResourceServer()...
```

There are no functionality or feature changes tied to this refactoring of the DSL, just less typing for you.
The team has been hard at work on WebClient, and we are excited to announce new OAuth 2.0 WebClient extensions for both Servlet and WebFlux applications. These extensions make it easy to carry OAuth 2.0 access tokens seamlessly from machine to machine.
Read up on all the details in the OAuth 2.0 Web Client master ticket.
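As an added illustration (not code from the release or the ticket), here is how the Servlet-side extension is wired: the filter function resolves the current user's authorized client and attaches its access token as a Bearer header. The downstream URL, the registration id `orders-service` and the bean names are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

@Configuration
public class DownstreamClientConfig {

    // One WebClient dedicated to trusted internal services. The filter function adds the
    // user's access token to EVERY request sent through this client, so never reuse it for
    // calls to arbitrary or user-supplied hosts: that would leak the token.
    @Bean
    WebClient downstreamWebClient(ClientRegistrationRepository clientRegistrations,
                                  OAuth2AuthorizedClientRepository authorizedClients) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
        return WebClient.builder()
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}

@Service
class OrdersClient {

    private final WebClient webClient;

    OrdersClient(WebClient downstreamWebClient) {
        this.webClient = downstreamWebClient;
    }

    // Calls a downstream resource server on behalf of the logged-in user. The registration id
    // selects which authorized client (and therefore which token) is used for this request.
    public Mono<String> fetchOrders() {
        return this.webClient.get()
                .uri("https://orders.example.internal/api/orders")  // assumed downstream URL
                .attributes(clientRegistrationId("orders-service"))   // assumed registration id
                .retrieve()
                .bodyToMono(String.class);
    }
}
```

If the user has not yet authorized the `orders-service` registration, the filter function will start the authorization flow rather than send an unauthenticated request, so make sure that registration exists in your `ClientRegistrationRepository`.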
The first part of the OAuth 2.0 journey was spec compliance. This release adds much more support for configuring Spring Security to work with providers that extend or deviate from the spec.
For example, it is now possible to customize the token request that a client sends to the authorization server.
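The example below is added here and is not the project's own code. It keeps the standard request that Spring Security's `OAuth2AuthorizationCodeGrantRequestEntityConverter` builds and adds a non-standard `audience` form parameter and a tenant header, which some providers require. The `audience` value, the `X-Tenant-Id` header and its value are assumptions for the illustration.

```java
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.RequestEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

public class TokenRequestCustomization {

    // Wraps the default converter so grant_type, code, redirect_uri and client authentication
    // are still produced by Spring Security; only provider-specific extras are added here.
    static Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> withAudience(String audience) {
        OAuth2AuthorizationCodeGrantRequestEntityConverter defaults =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();
        return grantRequest -> {
            RequestEntity<?> entity = defaults.convert(grantRequest);

            // Copy rather than mutate: the default body is a form-encoded MultiValueMap.
            @SuppressWarnings("unchecked")
            MultiValueMap<String, String> body =
                    new LinkedMultiValueMap<>((MultiValueMap<String, String>) entity.getBody());
            body.add("audience", audience);  // non-standard parameter (assumed for this example)

            HttpHeaders headers = new HttpHeaders();
            headers.putAll(entity.getHeaders());
            headers.set("X-Tenant-Id", "acme");  // hypothetical custom header

            // Never log 'body' here: it carries the authorization code and, for
            // client_secret_post clients, the client secret.
            return new RequestEntity<>(body, headers, entity.getMethod(), entity.getUrl());
        };
    }

    // Plugs the customized request into the authorization code flow used by oauth2Login().
    static void configure(HttpSecurity http) throws Exception {
        DefaultAuthorizationCodeTokenResponseClient tokenClient =
                new DefaultAuthorizationCodeTokenResponseClient();
        tokenClient.setRequestEntityConverter(withAudience("https://api.example.com"));

        http.oauth2Login()
                .tokenEndpoint()
                    .accessTokenResponseClient(tokenClient);
    }
}
```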
Along those same lines, Resource Server now ships with support for customizing the claim set that is parsed from incoming JWTs. This is handy when the application needs to add or remove a claim, or needs to parse a claim in a custom way:

```java
NimbusJwtDecoderJwkSupport decoder = // ...
// withDefaults takes a map of claim name to converter; the standard claims keep their
// default conversion and "custom-date" is parsed by convertToInstant
decoder.setClaimSetConverter(
        MappedJwtClaimSetConverter
                .withDefaults(Collections.singletonMap("custom-date", this::convertToInstant)));
```
And the journey towards spec compliance also continues. This release adds support for collecting and exposing any metadata returned from the OIDC Provider Configuration endpoint:
ClientRegistration ships with getConfigurationMetadata, which sits alongside the methods targeted at specific properties and returns the entire map of provider attributes.
Plugging in your own RestTemplate is also handy for configuring timeouts, discovery, caching and otherwise taking full advantage of RestTemplate's sophistication when communicating with an authorization server.
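One use for the full metadata map, as an added example that is not part of the release notes: reading the provider's `end_session_endpoint` (advertised by OIDC providers that support RP-initiated logout) instead of hard-coding it. The example assumes the registration was built from discovery (for instance via `ClientRegistrations.fromOidcIssuerLocation`), so the map is populated, and that the metadata lives under `getProviderDetails()`; the registration id and class names are assumptions.

```java
import java.net.URI;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

public class OidcLogoutUrls {

    private final ClientRegistrationRepository registrations;

    public OidcLogoutUrls(ClientRegistrationRepository registrations) {
        this.registrations = registrations;
    }

    // Returns the provider's RP-initiated logout endpoint if discovery advertised one.
    // Because the value arrived over the network and will become a redirect target, only
    // an absolute https URL is accepted; anything else is treated as "not supported".
    public Optional<URI> endSessionEndpoint(String registrationId) {
        ClientRegistration registration = this.registrations.findByRegistrationId(registrationId);
        if (registration == null) {
            return Optional.empty();
        }
        Map<String, Object> metadata = registration.getProviderDetails().getConfigurationMetadata();
        Object endpoint = metadata.get("end_session_endpoint");
        if (!(endpoint instanceof String)) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = URI.create((String) endpoint);
        } catch (IllegalArgumentException malformed) {
            return Optional.empty();
        }
        if (!uri.isAbsolute() || !"https".equalsIgnoreCase(uri.getScheme())) {
            return Optional.empty();
        }
        return Optional.of(uri);
    }
}
```

The same pattern applies to any other non-standard attribute a provider publishes; keep the type check, since the map holds raw JSON values and a provider is free to put a list or object where you expect a string.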
Support has also been added for deriving the X.509 principal via a strategy.
And support was added for configuring custom environment variables that inform the creation of an
In Spring Security WebFlux, it is more typical to have an authentication manager per request type. So, in this release, WebFlux ships with authentication manager configuration for Resource Server:

```java
http
    .oauth2ResourceServer()
        .authenticationManager(customAuthenticationManager())
```

This is helpful in situations where the application needs to do some custom conversion of the Jwt to a set of granted authorities.
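The following is an added example, not code from the release, of such a custom manager: it decodes and validates the bearer token with the configured `ReactiveJwtDecoder`, then builds the authorities from a `roles` claim instead of the default scope-based mapping. The claim name `roles`, the `ROLE_` prefix, the `/admin/**` rule and the bean wiring are assumptions; the DSL call mirrors the snippet above.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

public class RolesClaimAuthenticationManager implements ReactiveAuthenticationManager {

    private final ReactiveJwtDecoder jwtDecoder;

    public RolesClaimAuthenticationManager(ReactiveJwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.justOrEmpty(authentication)
                .filter(BearerTokenAuthenticationToken.class::isInstance)
                .cast(BearerTokenAuthenticationToken.class)
                .map(BearerTokenAuthenticationToken::getToken)
                // Signature and timestamp validation happen inside the decoder; authorities
                // are derived only from a token that has passed that validation.
                .flatMap(this.jwtDecoder::decode)
                .map(jwt -> (Authentication) new JwtAuthenticationToken(jwt, authoritiesFrom(jwt)))
                // Surface decoder failures as invalid_token so the bearer-token entry point
                // answers with a proper WWW-Authenticate challenge instead of a 500.
                .onErrorMap(JwtException.class, ex -> new OAuth2AuthenticationException(
                        new OAuth2Error("invalid_token", ex.getMessage(), null), ex));
    }

    // Maps a "roles" claim (assumed name) to ROLE_-prefixed authorities; a token without the
    // claim is authenticated but holds no roles, so role-gated endpoints still reject it.
    static Collection<GrantedAuthority> authoritiesFrom(Jwt jwt) {
        List<String> roles = jwt.getClaimAsStringList("roles");
        if (roles == null) {
            return Collections.emptyList();
        }
        return roles.stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
    }
}

@EnableWebFluxSecurity
class ResourceServerConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder jwtDecoder) {
        http
            .authorizeExchange()
                .pathMatchers("/admin/**").hasRole("admin")
                .anyExchange().authenticated()
                .and()
            .oauth2ResourceServer()
                .authenticationManager(new RolesClaimAuthenticationManager(jwtDecoder));
        return http.build();
    }
}
```

Keep the decoder's issuer and signature checks in place when you take over the manager: the custom part should only be the claim-to-authority mapping, never the decision of whether the token is trusted.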
Last but not least, HTTPS redirection support has been added to WebFlux and is accessible through `http.redirectToHttps()` or directly via the
And we've updated our dependencies to the latest and greatest, to ensure our transitive dependencies are up to date.