Release Notes - Spring Security - Version 3.2.0.RC2

Sub-task

  • [SEC-2269] - Fix Headers documentation
  • [SEC-2309] - Document CSRF and multipart/form-data
  • [SEC-2358] - RequestMatcher that matches based upon headers

Bug

  • [SEC-2103] - Querying token for series: thread dump for info level
  • [SEC-2108] - LDAP reference incorrectly spells GrantedAuthoritiesMapper
  • [SEC-2131] - Docs mention 402 (payment required) in session management section
  • [SEC-2139] - Order of named filter positions in spring-security.xsd is wrong
  • [SEC-2196] - @PreAuthorize doesn't work with method which uses generics
  • [SEC-2228] - Change Import-Package statement for org.openid4java.consumer to optional
  • [SEC-2229] - Cleanup Optional Dependencies
  • [SEC-2246] - HttpSessionRequestCache.getRequest performs cast to concrete DefaultSavedRequest instead of interface SavedRequest
  • [SEC-2256] - ns-config typo with http@intercept-url with method taking precedence
  • [SEC-2270] - Duplicate version for guides index
  • [SEC-2272] - CsrfRequestDataValueProcessor should support Spring 4.2.0M2+
  • [SEC-2276] - Delay storing the CsrfToken until the CsrfToken is accessed
  • [SEC-2280] - Fix SessionFixationConfigurer#changeSessionId Javadoc
  • [SEC-2288] - NoSuchMethodError: MediaType.isCompatibleWithMediaType;) with Spring 4.x
  • [SEC-2291] - Fix internal links within reference
  • [SEC-2292] - CsrfFilter should ignore case for methods that can bypass
  • [SEC-2295] - Remove ERROR log when Spring Security is embedded into an UberJar
  • [SEC-2296] - HttpServletRequest.login should throw ServletException if already authenticated
  • [SEC-2301] - GlobalMethodSecurityConfiguration's DefaultWebSecurityExpressionHandler has null BeanResolver
  • [SEC-2302] - Allow filters to register in front of SpringSecurityFilterChain
  • [SEC-2303] - WebSecurity's default expression handler does not have the bean resolver set
  • [SEC-2304] - GlobalMethodSecurityConfiguration has two methods for the Expression Handler
  • [SEC-2306] - Session Fixation protection can improperly log warning about not being protected
  • [SEC-2311] - LogoutConfigurer should by default allow other methods if CSRF is disabled
  • [SEC-2312] - Spring Security should link to Spring 3.2.x javadoc
  • [SEC-2320] - AuthorizePrincipalArgumentResolver allow null if incorrect class
  • [SEC-2324] - Tag Library Version Needs Updating to 3.2
  • [SEC-2328] - Java configuration missing hasAnyRole
  • [SEC-2329] - AuthenticationTrustResolver is hard-coded as a private final AuthenticationTrustResolverImpl in several classes
  • [SEC-2330] - CacheControlHeadersWriter should be single header
  • [SEC-2331] - Cache Control should include "Expires: 0"
  • [SEC-2332] - GlobalMethodSecurityConfiguration does not configure the proper voters
  • [SEC-2336] - WebSecurityConfigurerAdapter#registerAuthentication incorrectly states exposed Beans
  • [SEC-2352] - HttpSessionCsrfTokenRepository creates sessions unnecessarily
  • [SEC-2354] - Cannot build samples from maven pom
  • [SEC-2378] - CSRF Multipart documentation bug
  • [SEC-2382] - AutowireBeanFactoryObjectPostProcessor does not work with BeanNameAutoProxyCreator

Defect

  • [SEC-2308] - DefaultSpringSecurityContextSource should accept empty Base DNs

Improvement

  • [SEC-2093] - Document What is new in Spring Security 3.2 Section
  • [SEC-2094] - Document Concurrency Support
  • [SEC-2095] - Document Servlet API Support
  • [SEC-2129] - AntPathRequestMatcher support case sensitive matches
  • [SEC-2146] - Document AspectJ does not inherit annotations in appendix
  • [SEC-2171] - Include Information about Pooling in Spring LDAP documentation
  • [SEC-2271] - Add Javadoc to LogoutConfigurer#logoutUrl to explain why POST is preferred
  • [SEC-2274] - Add ApplicationContext as a HttpSecurity shared object
  • [SEC-2281] - Document Java Config
  • [SEC-2282] - Document CSRF
  • [SEC-2285] - Document Security Headers
  • [SEC-2286] - CsrfFilter should log with URL when tokens don't match
  • [SEC-2297] - AbstractSecurityWebApplicationInitializer should default to include DispatcherType.ASYNC
  • [SEC-2298] - Spring Security should provide HandlerMethodArgumentResolver for Authentication.getPrincipal()
  • [SEC-2299] - Document Web MVC integration
  • [SEC-2305] - GlobalMethodSecurityConfiguration should try to Autowire PermissionEvaluator
  • [SEC-2307] - Java Configuration should configure RequestCache to ignore favicon.ico
  • [SEC-2313] - Use javadoc update tool in build
  • [SEC-2314] - AbstractSecurityWebApplicationInitializer#getSessionTrackingModes can be improved
  • [SEC-2321] - Improve Java Config defaults for JavaScript clients
  • [SEC-2322] - Support JDK 8 reflection to resolve method argument names
  • [SEC-2349] - Convert Reference and FAQ to Asciidoctor
  • [SEC-2360] - AbstractRememberMeServices provide message for Assert on key field
  • [SEC-2361] - Update Java Configuration Samples to use @Autowired AuthenticationManagerBuilder
  • [SEC-2362] - AbstractRememberMeServices loginSuccess is unclear
  • [SEC-2368] - DebugFilter should output headers and HTTP method
  • [SEC-2426] - Add CSRF and logout with non-post example

New Feature

  • [SEC-2151] - Method Security support for binding parameter names with annotations
  • [SEC-2339] - Provide Logical (Or, And, Negated) RequestMatchers

Refactoring

  • [SEC-2357] - Move *RequestMatchers to .matchers package
  • [SEC-2359] - Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
  • [SEC-2365] - registerAuthentication->configure
  • [SEC-2366] - Extract AbstractRequestMatcherRegistry from AbstractRequestMatcherConfigurer
  • [SEC-2369] - PreAuthenticatedGrantedAuthoritiesUserDetailsService.createuserDetails camelcasing
  • [SEC-2371] - Remove ObjectPostProcessor.QUIESENT_POSTPROCESSOR

Task

  • [SEC-2243] - Remove Additional DebugFilter
  • [SEC-2283] - Improve headers Java Config Javadoc and Tests
  • [SEC-2284] - Clean out spring-security-javaconfig issues and fix if necessary
  • [SEC-2289] - Run Tests against Spring 4.x
  • [SEC-2293] - Update Spring LDAP version
  • [SEC-2294] - Update Spring Version to 3.2.4.RELEASE
  • [SEC-2300] - Update Spring LDAP version to 1.3.2.RELEASE
  • [SEC-2341] - Update to Gradle 1.8
