Spring Security 5.2.0.M2 Released
On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:
OAuth 2.0
gh-6446 - Client Support for PKCE
PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.
gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection
Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.
gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)
With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.
Core
gh-6494 - Converting key material into Key instances
Spring Security 5.2 simplifies converting X.509 and PKCS#8 key material into RSAPublicKey and RSAPrivateKey instances by registering Converter s to the ConversionService and PropertyEditor s to the PropertyEditorRegistry. You can see an example in the Resource Server static key sample.
gh-6774 - Support for JDK 12
gh-6722 - Introducing AuthenticationManagerResolver
gh-6546 - Introducing @CurrentSecurityContext for method arguments
Like @AuthenticationPrincipal before it, @CurrentSecurityContext works with an argument resolver to retrieve aspects of the SecurityContext:
public String hello(@CurrentSecurityContext
SecurityContext context) {
return Optional.ofNullable(context.getAuthentication())
.map(Authentication::getName).orElse("world");
}
// or
public String hello(@CurrentSecurityContext
(expression="authentication.name") String name) {
return Optional.ofNullable(name).orElse("world");
}