Sub-task
- [SEC-2046] - Cache Control
- [SEC-2098] - X-Frame-Options to defend against clickjacking
- [SEC-2099] - X-XSS-Protection Header Support
- [SEC-2116] - Add Support for the Strict Transport Security header
- [SEC-2206] - Use Propdeps plugin
- [SEC-2207] - Update Gradle to 1.6
- [SEC-2208] - Use Docbook Plugin
- [SEC-2209] - Generate pom.xml
- [SEC-2210] - Add Tomcat7 Gradle for samples
- [SEC-2211] - gradlew build should build everything (including itests)
- [SEC-2212] - remove configure() blocks from gradle/*.gradle
- [SEC-2213] - Update to Groovy 2.x
- [SEC-2214] - Update Spring Dependencies
- [SEC-2217] - Sonar Runner
- [SEC-2231] - Access-Control-Allow-*
- [SEC-2232] - Headers JavaConfig Support
- [SEC-2233] - Polish pull request
- [SEC-2234] - DelegatingHeaderWriter with RequestMatcher
- [SEC-2251] - Create Hello World Java Configuration Guide
- [SEC-2252] - Create Form Login Java Configuration Guide
- [SEC-2255] - Update to Gradle 1.7
Bug
- [SEC-2137] - Session fixation protection cannot be disabled when concurrent session control is enabled
- [SEC-2187] - OpenIDAuthenticationFilter should encode URL parameters
- [SEC-2191] - AuthenticationManagerBuilder requires an ObjectPostProcessor
- [SEC-2198] - http.httpBasic() does not properly default the AuthenticationEntryPoint
- [SEC-2203] - Add Java Config Samples
- [SEC-2205] - Create UserDetailsServiceDelegator
- [SEC-2215] - Injecting AuthenticationManager to SecurityContextHolderAwareRequestFilter
- [SEC-2222] - Javadoc error - WebSecurityConfigurerAdapter.registerAuthentication & EnableWebSecurity refer to wrong parameter
- [SEC-2223] - FirewallRequest#reset() has incomplete javadoc
- [SEC-2230] - Support for Security Headers
- [SEC-2242] - Typo in technical overview with "source source"
- [SEC-2257] - Remove HttpSecurityBuilder#getAuthenticationManager()
New Feature
- [SEC-1574] - CSRF Protection
- [SEC-2238] - JavaConfig for WebAsynchFilter
- [SEC-2239] - Remove Duplicate SessionCreationPolicy
Task
- [SEC-2194] - Migrate Java Config Samples into Spring Security
- [SEC-2244] - Defaults for /login /login?error and /login?success based upon loginUrl
Improvement
- [SEC-2042] - AbstractAuthenticationProcessingFilter should support RequestMatcher
- [SEC-2097] - Clean up Gradle build
- [SEC-2135] - Support Servlet 3.1's HttpServletRequest#changeSessionId() as alternate session fixation protection strategy
- [SEC-2156] - Provide a way to configure HttpSession tracking mode with Spring Security
- [SEC-2192] - Create AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME
- [SEC-2197] - Allow Multiple invocations on HttpSecurity
- [SEC-2199] - Handling Multiple AuthenticationEntryPoint defaults
- [SEC-2202] - http.authorizeUrls() to http.authorizeRequests()
- [SEC-2221] - MediaTypeRequestMatcher - support for match based upon MediaType
- [SEC-2245] - Make MethodSecurityExpressionRoot easier to override
- [SEC-2249] - AbstractSecurityWebApplicationInitializer should allow registration of Java Config
- [SEC-2260] - update cas client library
Refactoring
- [SEC-2216] - SecurityConfigurerAdapter.addObjectPostProcessor return this