Release Notes - Spring Security - Version 4.0.0.RC1 - HTML format

Sub-task

  • [SEC-2667] - Consider Oracle Guidelines
  • [SEC-2714] - AuthenticationPrincipal Argument Resolver for messaging Support

Bug

  • [SEC-2227] - AbstractAuthenticationProcessingFilter (and similar filters) should match on exact URLs by default
  • [SEC-2574] - Default JavaConfig SessionRegistryImpl does not receive SessionDestroyedEvents
  • [SEC-2615] - accesscontrollist tag documentation incorrectly states hasPermission is an or
  • [SEC-2674] - HSTS Documentation refers to http.hsts() instead of http.httpStrictTransportSecurity()
  • [SEC-2705] - ExpressionBasedMessageSecurityMetadataSourceFactory configures null TrustResolver on DefaultMessageSecurityExpressionHandler
  • [SEC-2719] - authenticated().withRoles(...) is order-sensitive
  • [SEC-2747] - Remove spring-core dependency from spring-security-crypto
  • [SEC-2768] - DefaultMessageSecurityExpressionHandler does not set PermissionEvaluator
  • [SEC-2769] - DefaultMessageSecurityExpressionHandler does not set RoleHierarchy
  • [SEC-2773] - Non-static declaration of ApplicationListener bean causes premature initialization

New Feature

  • [SEC-2054] - BasicAuthenticationFilter should not invoke on ERROR dispatch
  • [SEC-2347] - Make CSRF enabled by default when using XML Namespace
  • [SEC-2348] - Make Security Headers enabled by default when using XML Namespace
  • [SEC-2702] - WebSocket Security XML Namespace Support
  • [SEC-2785] - Add PDF, Multi Html, and epub formats for reference

Task

  • [SEC-2179] - Provide Spring Security WebSocket support
  • [SEC-2716] - Misspelling on filter name in the documentation
  • [SEC-2732] - Update net.sf.ehcache:ehcache-core dependencies to use net.sf.ehcache:ehcache instead
  • [SEC-2737] - Remove WebSocket Outbound Authorization
  • [SEC-2784] - Update to Gradle 2.2.1
  • [SEC-2787] - Update Dependency Versions

Improvement

  • [SEC-1897] - Remove raw types from AbstractAccessDecisionManager implementations
  • [SEC-2150] - Annotating at class level does not protect Spring Data Repositories methods that are not overridden
  • [SEC-2201] - Add ability to implement a custom Sid
  • [SEC-2491] - KeyBasedPersistenceTokenService pseudoRandomNumberBytes should default to 32
  • [SEC-2569] - SavedRequestAwareWrapper should not override cookies
  • [SEC-2682] - DelegatingSecurityContextRunnable/Callable should delegate toString()
  • [SEC-2713] - Support authorization rules by SimpMessageType
  • [SEC-2749] - CsrfConfigurer.requireCsrfProtectionMatcher performs notNull check on wrong value
  • [SEC-2788] - Add @Configuration as meta annotation to @Enable* annotations
  • [SEC-2789] - Add Default WebSecurityConfigurationAdapter

Defect

  • [SEC-2725] - ApacheDSContainer should specify ClassLoader to LdiffFileLoader

Refactoring

  • [SEC-2344] - Remove Spring 4 check from DefaultSecurityParameterNameDiscoverer
  • [SEC-2703] - ChannelSecurityInterceptor should use ThreadLocal for InterceptorStatusToken
  • [SEC-2704] - Separation of inbound/outbound authorization rules
  • [SEC-2781] - Remove Deprecations
  • [SEC-2783] - XML Configuration Defaults Should Match JavaConfig
  • [SEC-2790] - Deprecate @EnableWebMvcSecurity
