Spring Security 5.2.0.M3 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M3! You can find the complete details in the changelog and the highlights below:

OAuth 2.0

gh-6727 - Support for Multi-tenancy in Reactive Resource Server
gh-6798 - Support for custom parameters in Opaque Token
gh-6239 - Finer variables for OAuth2 redirectUriTemplate expansion
gh-6863 - OAuth2 login has configurable authentication success handler
gh-6832 & gh-6849 - JWT and opaque token have configurable authentication manager
gh-6634 - Support for mock JWT in tests

Similar to other request post processors, jwt() can be used to establish a SecurityContext with a JwtAuthenticationToken.

       .with(jwt(jwt -> jwt.claim("scope", "message:read"))));


gh-6819 - Add nohttp to build

For more information about the nohttp project see this blog post.

gh-4469 - Support for path variables in message expressions
gh-6818 - Configuration classes are proxy-less and support proxyBeanMethods=false

This feature includes breaking changes to the classes AbstractSecurityWebSocketMessageBrokerConfigurer and GlobalMethodSecurityConfiguration.

In order to accomodate these changes, users extending AbstractSecurityWebSocketMessageBrokerConfigurer, who override the method inboundChannelSecurity will need to update the method signature to match the following.

public ChannelSecurityInterceptor inboundChannelSecurity(
    MessageSecurityMetadataSource messageSecurityMetadataSource) {
// implementation

Similarly, users extending GlobalMethodSecurityConfiguration who override the method methodSecurityInterceptor will need to update the method signature to match the following.

public MethodInterceptor methodSecurityInterceptor(
    MethodSecurityMetadataSource methodSecurityMetadataSource) {
// implementation


gh-5038 - Support for X509 Reactive
comments powered by Disqus