On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M3! You can find the complete details in the changelog and the highlights below:

OAuth 2.0

gh-6727 - Support for Multi-tenancy in Reactive Resource Server

gh-6798 - Support for custom parameters in Opaque Token

gh-6239 - Finer variables for OAuth2 redirectUriTemplate expansion

gh-6863 - OAuth2 login has configurable authentication success handler

gh-6832 & gh-6849 - JWT and opaque token have configurable authentication manager

gh-6634 - Support for mock JWT in tests

Similar to other request post processors, jwt() can be used to establish a SecurityContext with a JwtAuthenticationToken.

mockMvc.perform(get("/")
       .with(jwt(jwt -> jwt.claim("scope", "message:read"))));

Core

gh-6819 - Add nohttp to build

For more information about the nohttp project see this blog post.

gh-4469 - Support for path variables in message expressions

gh-6818 - Configuration classes are proxy-less and support proxyBeanMethods=false

This feature includes breaking changes to the classes AbstractSecurityWebSocketMessageBrokerConfigurer and GlobalMethodSecurityConfiguration.

In order to accomodate these changes, users extending AbstractSecurityWebSocketMessageBrokerConfigurer, who override the method inboundChannelSecurity will need to update the method signature to match the following.

@Bean
public ChannelSecurityInterceptor inboundChannelSecurity(
    MessageSecurityMetadataSource messageSecurityMetadataSource) {
// implementation
}

Similarly, users extending GlobalMethodSecurityConfiguration who override the method methodSecurityInterceptor will need to update the method signature to match the following.

@Bean
public MethodInterceptor methodSecurityInterceptor(
    MethodSecurityMetadataSource methodSecurityMetadataSource) {
// implementation
}

Web

gh-5038 - Support for X509 Reactive

Project Site | Reference | Help