Spring Security 5.2.0.M2 Released
On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:
OAuth 2.0
gh-6446 - Client Support for PKCE
PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.
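To make the mechanism concrete, here is an added example (plain JDK code, not part of this post or of Spring Security's own client implementation) of the arithmetic PKCE (RFC 7636) rests on: the client keeps a random code_verifier, sends code_challenge = BASE64URL(SHA-256(verifier)) with the authorization request, and later proves possession by sending the verifier with the token request; the authorization server recomputes the challenge and compares in constant time. The class name Pkce and the helper names are assumptions; the known-answer vector is the one published in RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not Spring Security code: the PKCE S256 computation and the server-side check.
public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Client side: 32 random bytes, base64url-encoded -> 43 characters (RFC 7636 allows 43..128). */
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** S256 method: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), no padding. */
    public static String codeChallenge(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * Authorization-server side, at the token endpoint: recompute the challenge from the
     * presented verifier and compare it with the challenge stored next to the authorization code.
     * Length check first, then a constant-time comparison so the result does not leak timing.
     */
    public static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        if (storedChallenge == null || presentedVerifier == null) {
            return false;
        }
        int len = presentedVerifier.length();
        if (len < 43 || len > 128) {
            return false;
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Known-answer test from RFC 7636 Appendix B
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC vector ok: " + codeChallenge(rfcVerifier).equals(rfcChallenge));

        // Fresh exchange: only the challenge leaves the client up front; the verifier stays local
        String verifier = newCodeVerifier();
        String challenge = codeChallenge(verifier);
        System.out.println("genuine verifier accepted: " + verifierMatches(challenge, verifier));
        // The stored challenge is bound to exactly one verifier, so any other verifier fails the check
        System.out.println("other verifier rejected: " + !verifierMatches(challenge, newCodeVerifier()));
    }
}
```

The point of the server-side check is that an authorization code alone is not enough to obtain a token: whoever redeems the code must also present the verifier that only the original client holds, which is why PKCE is worth using for any public client and not only for mobile or browser apps.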
gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection
Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.
gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)
With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.
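The following is an added example (my own illustration, not the Spring Security project's sample) that ties three of the items above together: a servlet Resource Server that uses an AuthenticationManagerResolver (gh-5351, gh-6722) to pick a verification strategy per tenant, verifying one tenant's HS256 JWTs locally with a symmetric-key JwtDecoder (gh-5465) and another tenant's opaque tokens remotely via Token Introspection (gh-6513, gh-5200). The class name, the convention that the tenant is the first path segment, the secret, the introspection URI and the client credentials are all constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Added example, not the project's sample: one Resource Server, two tenants, two token strategies.
@EnableWebSecurity
public class MultiTenantResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholders (constructed): in a real deployment these come from configuration or a secret store.
    private static final String HS256_SECRET = "change-me-to-at-least-32-bytes-of-random-secret";
    private static final String INTROSPECTION_URI = "https://issuer.example/oauth2/introspect";
    private static final String INTROSPECTION_CLIENT_ID = "resource-server";
    private static final String INTROSPECTION_CLIENT_SECRET = "change-me";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                // gh-5351: the resolver picks an AuthenticationManager per request
                .authenticationManagerResolver(tenantAuthenticationManagerResolver());
    }

    /** Chooses the manager from the first path segment, e.g. /hs256/api/... or /opaque/api/... (assumed convention). */
    @Bean
    AuthenticationManagerResolver<HttpServletRequest> tenantAuthenticationManagerResolver() {
        Map<String, AuthenticationManager> managers = new HashMap<>();
        managers.put("hs256", localJwtManager());
        managers.put("opaque", introspectionManager());
        return request -> {
            String[] segments = request.getRequestURI().split("/");
            String tenant = segments.length > 1 ? segments[1] : null;
            return Optional.ofNullable(tenant)
                    .map(managers::get)
                    // Unknown tenant: fail closed instead of falling back to a default manager
                    .orElseThrow(() -> new IllegalArgumentException("unknown tenant"));
        };
    }

    /** gh-5465: verify HS256-signed JWTs locally with a shared symmetric key. */
    private AuthenticationManager localJwtManager() {
        SecretKey key = new SecretKeySpec(HS256_SECRET.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        JwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
                .macAlgorithm(MacAlgorithm.HS256)
                .build();
        return new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(new JwtAuthenticationProvider(decoder)));
    }

    /** gh-6513 / gh-5200: verify opaque tokens remotely at the authorization server's introspection endpoint. */
    private AuthenticationManager introspectionManager() {
        OpaqueTokenIntrospector introspector = new NimbusOpaqueTokenIntrospector(
                INTROSPECTION_URI, INTROSPECTION_CLIENT_ID, INTROSPECTION_CLIENT_SECRET);
        return new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(new OpaqueTokenAuthenticationProvider(introspector)));
    }
}
```

Two design points worth noting. The tenant is derived from the request path, something the server controls, rather than from an unverified claim inside the bearer token, so a token can only ever be checked by the manager its route was configured for. And a request for a tenant that has no manager throws rather than silently using a default, which keeps a misrouted request from being verified against the wrong key material.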
Core
gh-6494 - Converting key material into Key instances
Spring Security 5.2 simplifies converting X.509 and PKCS#8 key material into RSAPublicKey and RSAPrivateKey instances by registering Converters to the ConversionService and PropertyEditors to the PropertyEditorRegistry. You can see an example in the Resource Server static key sample.
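Here is an added example (mine, not the static key sample the post refers to) showing the converters behind gh-6494 doing a full round trip: a freshly generated RSA key pair is written out as PEM (X.509 SubjectPublicKeyInfo for the public key, PKCS#8 for the private key), parsed back with RsaKeyConverters, and the parsed public key is then used to build a JwtDecoder that verifies a token signed with the parsed private key. The class and helper names are assumptions; the key pair is constructed at runtime so there is nothing to load from disk. The signing step uses the Nimbus JOSE library that spring-security-oauth2-jose already depends on.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Date;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Added example, not the project's sample: PEM -> RSA key objects -> JwtDecoder, end to end.
public final class StaticKeyRoundTrip {

    /** Wrap DER bytes in the PEM framing the converters expect (64-character base64 lines). */
    static String pem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    static InputStream asStream(String pem) {
        return new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8));
    }

    /** X.509 SubjectPublicKeyInfo PEM -> RSAPublicKey via the gh-6494 converter. */
    static RSAPublicKey publicKeyFromPem(String pem) {
        return RsaKeyConverters.x509().convert(asStream(pem));
    }

    /** PKCS#8 PEM -> RSAPrivateKey via the gh-6494 converter. */
    static RSAPrivateKey privateKeyFromPem(String pem) {
        return RsaKeyConverters.pkcs8().convert(asStream(pem));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; a real Resource Server would load the PEM from a file or a property.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        // getEncoded() yields X.509 SubjectPublicKeyInfo for the public key and PKCS#8 for the private key,
        // exactly the two formats the converters accept.
        String publicPem = pem("PUBLIC KEY", pair.getPublic().getEncoded());
        String privatePem = pem("PRIVATE KEY", pair.getPrivate().getEncoded());

        RSAPublicKey publicKey = publicKeyFromPem(publicPem);
        RSAPrivateKey privateKey = privateKeyFromPem(privatePem);
        if (!publicKey.equals(pair.getPublic())) {
            throw new AssertionError("public key did not survive the PEM round trip");
        }

        // Sign a short-lived RS256 token with the parsed private key ...
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256),
                new JWTClaimsSet.Builder()
                        .subject("alice")
                        .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                        .build());
        signed.sign(new RSASSASigner(privateKey));

        // ... and verify it with a decoder built from the parsed public key (the static key setup).
        JwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey).build();
        Jwt jwt = decoder.decode(signed.serialize());
        System.out.println("verified subject: " + jwt.getSubject());
    }
}
```

In an application the explicit RsaKeyConverters call is usually unnecessary: because 5.2 also registers the matching PropertyEditors, a PEM file can be injected straight into an RSAPublicKey field with @Value, which is what the static key sample relies on.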
gh-6774 - Support for JDK 12
gh-6722 - Introducing AuthenticationManagerResolver
gh-6546 - Introducing @CurrentSecurityContext for method arguments
Like @AuthenticationPrincipal before it, @CurrentSecurityContext works with an argument resolver to retrieve aspects of the SecurityContext:
import java.util.Optional;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.CurrentSecurityContext;
import org.springframework.security.core.context.SecurityContext;

// Inject the whole SecurityContext and read the principal's name from it
public String hello(@CurrentSecurityContext SecurityContext context) {
    return Optional.ofNullable(context.getAuthentication())
            .map(Authentication::getName).orElse("world");
}

// or: evaluate a SpEL expression against the SecurityContext and inject only the result
public String hello(@CurrentSecurityContext(expression = "authentication.name") String name) {
    return Optional.ofNullable(name).orElse("world");
}