Release Notes - Spring Security - Version 3.0.0 RC1 - HTML format


  • [SEC-951] - Acl Serialization Errors that cohere with parent-child-structure of Acls.
  • [SEC-973] - OpenIDAuthenticationProcessingFilter assumes https uses port 80
  • [SEC-1002] - java.lang.IllegalStateException: Mask 1 does not have a corresponding static Permission
  • [SEC-1087] - NTLM Filter and IE Post problems
  • [SEC-1199] - JdbcMutableAclService can't create acl_object_identity entry in PostgreSQL
  • [SEC-1201] - PropertyPlaceholderConfigurer does not work for intercept-url attributes
  • [SEC-1208] - http create-session=never throws exception when concurrent session filter is in use
  • [SEC-1227] - Concurrent session management won't work with external filters
  • [SEC-1234] - RolesAllowed or Secured Annotations on Interface don't apply to child Interfaces
  • [SEC-1235] - The order of the filter chain breaks if you mix variables and hard coded patterns
  • [SEC-1236] - Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored
  • [SEC-1237] - Nightly snapshots do not publish sources jars
  • [SEC-1239] - Special characters in JAAS config file location
  • [SEC-1240] - {ssha} is specified in the Spring Security password-encoder schema, but isn't handled by code
  • [SEC-1241] - SavedRequest not destroyed after successful authentication
  • [SEC-1242] - Injecting NullRememberMeService Throws ClassCastException
  • [SEC-1244] - <ldap-server> doesn't work unless "security" is the default namespace.
  • [SEC-1247] - AbstractProcessingFilter, successfulAuthentication() redirects to targetUrl without consulting alwaysUseDefaultTargetUrl.
  • [SEC-1248] - @PostFilter on Collection may inadvertently modify the Collection
  • [SEC-1255] - Target-URL after successful login differs from original URL, when it was encoded according to RFC 3986
  • [SEC-1256] - Cannot use bean configuration to configure a FilterSecurityMetadataSource with SpEL expressions due to hard-coded "false" value in code
  • [SEC-1258] - SavedRequestAwareWrapper causes trouble in 3.0 M2 in combination with Spring MVC
  • [SEC-1267] - file name exists special charts in svn?

New Feature

  • [SEC-525] - [PATCH] Add AccessCheckerTag based on URL resource access permissions.
  • [SEC-1004] - Add support for SAML 2.0 SSO
  • [SEC-1074] - Support ldap-server with disabled schema checking
  • [SEC-1188] - add getter to SecurityContextHolder to retrieve SecurityContextHolderStrategy instance, to enable injection
  • [SEC-1218] - No support in JSF taglib
  • [SEC-1228] - Create UserDetailsService for CAS That Leverages SAML-based Attribute Release
  • [SEC-1246] - Introduce EL-based authorization tag


  • [SEC-1212] - Document salt-source-ref in namespace appendix
  • [SEC-1233] - Remove NTLM support
  • [SEC-1238] - Move Portlet support to Spring Security Extensions
  • [SEC-1252] - Remove 2.0.x schemas from 3.0


  • [SEC-666] - AccessControlList tag should support permission codes
  • [SEC-884] - The Authorization Tag Libraries should use the AccessDecisionManager
  • [SEC-925] - BasicLookupStrategy - support for schema qualifier
  • [SEC-1022] - Remove use of static methods/initializers in Acl Permissions
  • [SEC-1047] - DigestProcessingFilter does not leave the UsernamePasswordAuthenticationToken.authenticated=true
  • [SEC-1049] - RoleHierarchy in SidRetrievalStrategy
  • [SEC-1072] - Use namespace bean prefix for BeanIds instead of underline
  • [SEC-1075] - Update the embedded LDAP server to use Apache DS 1.5
  • [SEC-1135] - No support for LDAP {md5} encryption scheme
  • [SEC-1153] - AuthenticationProcessingFilterEntryPoint should use RedirectUtils
  • [SEC-1167] - Introduce more flexible SavedRequest handling
  • [SEC-1169] - Add more docs on authentication success and failure handling strategies.
  • [SEC-1177] - MethodInvocationUtils Returns Null With Valid Method String and Class
  • [SEC-1184] - Reorganize Package
  • [SEC-1190] - preAuth does not detect a change in the SSO header
  • [SEC-1204] - MethodSecurityInterceptor doesn't secure implemented interfaces
  • [SEC-1213] - Enhance Security Config Schema and GlobalMethodSecurityBeanDefinitionParser to allow for "Order" to be set on the MethodSecurityMetadataSourceAdvisor.
  • [SEC-1214] - Placing <http /> element in config file for DispatcherServlet seems not to be supported
  • [SEC-1217] - AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context
  • [SEC-1222] - Provide a constructor for LdapUserDetailsService that does not require an LdapAuthoritiesPopulator.
  • [SEC-1224] - BasicLookupStrategy, JdbcAclService, and JdbcMutableAclService should support Catalog and Schema
  • [SEC-1225] - Use bean references for authentication providers to allow use of @Autowire
  • [SEC-1226] - Introduce RedirectStrategy to replace RedirectUtils
  • [SEC-1229] - Redesign Concurrent Session Control implementation
  • [SEC-1245] - Add role hierarchy support to expression handlers
  • [SEC-1249] - AbstractPreAuthenticatedProcessingFilter should better support continueFilterChainOnUnsuccessfulAuthentication
  • [SEC-1250] - RequestHeaderPreAuthenticatedProcessingFilter cannot be used to fail back to another authentication type
  • [SEC-1257] - APIs using List<ConfigAttribute> should use a Collection instead
  • [SEC-1259] - Improve consistency of authentication filter names
  • [SEC-1261] - Convert FilterChainOrder to an enum
  • [SEC-1263] - Add FactoryBean for namespace AuthenticationManager


  • [SEC-1180] - Unreachable code inside UrlUtils.buildRequestUrl(...)
  • [SEC-1220] - Google App Engine compatibility issues
  • [SEC-1231] - Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>
  • [SEC-1243] - Make "determineTargetUrl" method protected
