Release Notes - Spring Security - Version 3.0.8 - HTML format


  • [SEC-1735] - Logged out immediately after logging in on some browsers
  • [SEC-1828] - PasswordEncoder DataAccessException undocumented
  • [SEC-1839] - PreAuth documentation refers to </security-authentication-manager> but should be </security:authentication-manager>
  • [SEC-1848] - AbstractLdapAuthenticator must escape username
  • [SEC-1857] - ContextPropagatingRemoteInvocation does not correctly propagate the principal
  • [SEC-1880] - Misleading exception text "Use logout-url or success-handler-ref, but not both"
  • [SEC-1881] - Tests ending in Test are not run
  • [SEC-1882] - AuthzImpl Using spring-web-3.0.6.RELEASE results in NullPointerException
  • [SEC-1943] - In Spring Security Reference Documentation 3.0.x and 3.1.x SecurityContextHolderAwareRequestFilter has wrong name
  • [SEC-1968] - PreAuthenticatedProcessingFilter does not clear out the security context causing user to unintentionally remain authenticated
  • [SEC-1970] - <sec:custom-authentication-provider> element mentioned in Spring Security Reference Documentation despite having been removed
  • [SEC-1972] - OpenID4JavaConsumer throws an NPE
  • [SEC-1975] - AuthenticationSimpleHttpInvokerRequestExecutor and AnonymousAuthenticationToken
  • [SEC-2005] - SecurityContext should be persisted immediately when the response is committed
  • [SEC-2025] - HttpSessionSecurityContextRepository restores authentication to the new session if session is invalidated from another thread
  • [SEC-2031] - PreInvocationAuthorizationAdviceVoter checks in support(Class<?>) for super and not for child class
  • [SEC-2038] - initFilterBean() is not called within AbstractPreAuthenticatedProcessingFilter
  • [SEC-2055] - SaveContextServletOutputStream should delegate flush and close methods to wrapped ServletOutputStream
  • [SEC-2056] - CVE-2012-5055 DaoAuthenticationProvider can reveal which usernames are valid
  • [SEC-2057] - ConcurrentSessionFilter documentation incorrectly states it doesn't rely on SecurityContextHolder, results in null to all logout handlers Authentication object
  • [SEC-2061] - Incorrect Value in


  • [SEC-1865] - TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS
  • [SEC-1875] - SessionRegistry.registerNewSession invoked twice after successful authentication
  • [SEC-2041] - Consider Delegating all methods of Wrapped ServletOutputStream and PrintWriter


  • [SEC-2013] - AbstractAuthenticationProcessingFilter is missing space in log message
