Release Notes - Spring Security - Version 3.1.1 - HTML format

Bug

  • [SEC-1735] - Logged out immediately after logging in on some browsers
  • [SEC-1861] - Tutorial on Spring Security outdated
  • [SEC-1868] - SecurityNamespaceHandler should not log an error if the web classes are not available
  • [SEC-1870] - HttpSessionDestroyedEvent#getSecurityContexts() broken
  • [SEC-1878] - DefaultFilterChainValidator throws UnsupportedOperationException
  • [SEC-1880] - Misleading exception text "Use logout-url or success-handler-ref, but not both"
  • [SEC-1885] - Adding <debug/> causes NoSuchMethodException when FilterChainProxy relies on beans that have Autowired Constructors
  • [SEC-1886] - UnsupportedOperationException is thrown by DefaultFilterChainValidator if voter invokes an unsupported method
  • [SEC-1890] - BCryptPasswordEncoder throws IllegalArgumentException: Encoded password cannot be null or empty if password is empty (i.e. not encoded)
  • [SEC-1893] - Default https 8443 port mappings redirection
  • [SEC-1900] - sec:authorize ifAllGranted does not work if Authorities are deprecated GrantedAuthorityImpl
  • [SEC-1901] - Forwarding to /j_spring_security_check results in 404
  • [SEC-1904] - Incorrect LDAP class name in HTML docs (section 19.3.3)
  • [SEC-1907] - Exclude crypto module dep from core pom
  • [SEC-1927] - SessionManagementFilter does not add space between ID and session ID
  • [SEC-1937] - Support multiple <authentication-manager> elements
  • [SEC-1943] - In Spring Security Reference Documentation 3.0.x and 3.1.x SecurityContextHolderAwareRequestFilter has wrong name
  • [SEC-1965] - Passivity DefaultWebSecurityExpressionHandler no longer implements WebSecurityExpressionHandler
  • [SEC-1968] - PreAuthenticatedProcessingFilter does not clear out the security context causing user to unintentionally remain authenticated
  • [SEC-1970] - <sec:custom-authentication-provider> element mentioned in Spring Security Reference Documentation despite having been removed

Improvement

  • [SEC-1865] - TextEscapeUtils: HTML Entity Encoding is not enough to stop XSS
  • [SEC-1867] - Unsafe authentication.getCredentials.toString() especially when credentials is now null by default since 3.0
  • [SEC-1875] - SessionRegistry.registerNewSession invoked twice after successful authentication
  • [SEC-1887] - Cannot override (protected) DefaultMethodSecurityExpressionHandler.createSecurityExpressionRoot
  • [SEC-1903] - FirewalledResponse recompiles constant regex pattern for every instance
  • [SEC-1950] - Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy
  • [SEC-1957] - DefaultFilterChainValidator unnecessarily casts to DefaultFilterInvocationSecurityMetadataSource
  • [SEC-1971] - Allow injection of ExpressionParser into AbstractSecurityExpressionHandler
  • [SEC-1981] - Support Builds in other Locale
  • [SEC-1990] - Code cleanup on bcrypt implementation

Task

  • [SEC-1906] - Update to Gradle 1.0
  • [SEC-1985] - WebSecurityExpressionHandler in reference should be removed
  • [SEC-1992] - Update Spring Dependency to 3.0.7
