Engineering
Releases
News and Events

Spring Security 5.2.0.M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:

OAuth 2.0

gh-6446 - Client Support for PKCE

PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.

gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection

Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.

gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)

With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.

Core

gh-6494 - Converting key material into Key instances

Spring Security 5.2 simplifies converting X.509 and PKCS#8 key material into RSAPublicKey and RSAPrivateKey instances by registering Converter s to the ConversionService and PropertyEditor s to the PropertyEditorRegistry. You can see an example in the Resource Server static key sample.

gh-6774 - Support for JDK 12
gh-6722 - Introducing AuthenticationManagerResolver
gh-6546 - Introducing @CurrentSecurityContext for method arguments

Like @AuthenticationPrincipal before it, @CurrentSecurityContext works with an argument resolver to retrieve aspects of the SecurityContext:

public String hello(@CurrentSecurityContext
        SecurityContext context) {
    return Optional.ofNullable(context.getAuthentication())
            .map(Authentication::getName).orElse("world");
}

// or

public String hello(@CurrentSecurityContext
        (expression="authentication.name") String name) {
    return Optional.ofNullable(name).orElse("world");
}

Web

gh-4187 - Support for the Clear-Site-Data header
gh-6312 - Support for HSTS preload
gh-6453 - Introducing CompositeHeaderWriter, as well as some other header-writing cleanup.
comments powered by Disqus