Update dependency org.springframework.security:spring-security-web to v5

[dev-mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
org.springframework.security:spring-security-web (source)	compile	major	4.0.1.RELEASE -> 5.2.14.RELEASE

By merging this PR, the issue #19 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
High	8.8	CVE-2021-22112
High	7.5	CVE-2016-5007
High	7.5	CVE-2016-9879
High	7.3	CVE-2019-11272
Medium	6.6	WS-2017-3767
Medium	5.9	WS-2016-7107
Medium	5.9	WS-2020-0293

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.2.14.RELEASE

Compare Source

🪲 Bug Fixes

• StaticServerHttpHeadersWriter should work with case-insensitive header names #​10585
• MissingCsrfTokenException message is misleading when not storing the CSRF tokens in the session #​10534
• Multi-tenancy Documentation - com.nimbusds.jwt.proc.JWTProcessor does not have a setJWTClaimSetJWSKeySelector method #​10523
• Multi-tenancy Documentation - JwtDecoder sample has multiple errors #​10519

🔨 Dependency Upgrades

• Update to GAE 1.9.93 #​10628
• Upgrade httpmime to 4.5.13 #​10627
• Upgrade httpcore to 4.4.15 #​10626
• Upgrade attoparser to 2.0.5.RELEASE #​10625
• Update to hibernate-entitymanager 5.4.33 #​10624
• Upgrade jboss logging to 3.3.3.Final #​10623
• Upgrade jboss jandex to 2.0.5.Final #​10622
• Upgrade Unbescape to 1.1.6.RELEASE #​10621
• Update to thymeleaf-spring5 3.0.14 #​10620
• Update to embedded Tomcat websocket 8.5.73 #​10619
• Upgrade to embedded Apache Tomcat 9.0.56 #​10618
• Upgrade Reactor to Dysprosium-SR25 #​10617
• Upgrade Spring Framework to 5.2.19.RELEASE #​10616

v5.2.13.RELEASE

Compare Source

🪲 Bug Fixes

• Fix typo #​10316
• MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #​10180

🔨 Dependency Upgrades

• Update to embedded Tomcat websocket 8.5.72 #​10379
• Update to Jetty 9.4.44.v20210927 #​10378
• Update to nohttp 0.0.10 #​10377
• Upgrade to embedded Apache Tomcat 9.0.54 #​10376
• Upgrade Spring Framework to 5.2.18.RELEASE #​10375
• Upgrade Reactor to Dysprosium-SR24 #​10374

v5.2.12.RELEASE

Compare Source

🪲 Bug Fixes

• Regression with URL encode client credentials #​10128
• Update to use s01.oss.sonatype.org Maven Publishing #​10030
• Every XML sec:authentication-manager creates a new global instance of AuthenticationEventPublisher #​10012

🔨 Dependency Upgrades

• Update to embedded Tomcat websocket 8.5.69 #​10170
• Update to org.aspectj 1.9.7 #​10169
• Update to org.slf4j 1.7.32 #​10168
• Update to Jetty 9.4.43.v20210629 #​10167
• Update to embedded Apache Tomcat 9.0.52 #​10166
• Update to jaxb-impl 2.3.5 #​10165
• Update to Spring Framework 5.2.16.RELEASE #​10164
• Update to Reactor Dysprosium-SR22 #​10163
• Update to spring-build-conventions:0.0.23.2.RELEASE #​10029

v5.2.11.RELEASE

Compare Source

⭐ New Features

• Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository #​9921

🪲 Bug Fixes

• Disabling logout keeps LogoutPageGeneratingWebFilter registered at /logout #​9948
• Adding filters relative to custom ones is broken #​9910
• SEC-3139: Anonymous authentication token not passed to Controller #​9893
• Clarify quick start section in README #​9888
• RSocket and WebClient with Security refCount: 0 #​9873
• URL encode client credentials #​9866
• Client credentials not correctly encoded in Basic Auth #​9863
• Docs should state default value for Resource Server validation clock skew is 60 seconds #​9851
• DefaultSpringSecurityContextSource can't handle spaces in baseDn #​9809
• OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #​9804
• docs.af.pivotal.io->docs-ip.spring.io #​9688
• WebFlux httpBasic() should match on XHR requests #​9665
• HttpSecurity.addFilter* with same Filter in Different Position Places in Incorrect Location #​9645
• oauth2Login() generates authorization links for "client_credentials" grant type #​9639

🔨 Dependency Upgrades

• Update to Spring LDAP Core 2.3.4.RELEASE #​9968
• Update to org.slf4j 1.7.31 #​9967
• Update to HSQLDB 2.5.2 #​9966
• Update to hibernate-entitymanager 5.4.32.Final #​9965
• Update to Jetty 9.4.42.v20210604 #​9964
• Update to embedded Apache Tomcat 9.0.48 #​9963
• Update to embedded Tomcat websocket 8.5.68 #​9962
• Update ehcache to 2.10.9.2 #​9961
• Update to jaxb-impl 2.3.4 #​9960
• Update to RSocket 1.0.5 #​9959
• Update to Spring Framework 5.2.15.RELEASE #​9958
• Update to Reactor Dysprosium-SR20 #​9957
• Upgrade to nohttp 0.0.8 #​9956

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​sjohnr

v5.2.10.RELEASE

Compare Source

🪲 Bug Fixes

• Add null check in CsrfFilter and CsrfWebFilter #​9594

🔨 Dependency Upgrades

• Update to nohttp 0.0.6.RELEASE #​9609
• Update to GAE 1.9.88 #​9608
• Update to OpenSAML 3.4.6 #​9607
• Update to hibernate-entitymanager 5.4.30.Final #​9606
• Update to Groovy 2.4.21 #​9605
• Update to embedded Apache Tomcat 9.0.45 #​9604
• Update blockhound to 1.0.6.RELEASE #​9603
• Update to RSocket 1.0.4 #​9602
• Update to Spring Data Moore-SR13 #​9601
• Update to Spring Framework 5.2.13.RELEASE #​9600
• Update to Reactor Dysprosium-SR18 #​9599

v5.2.9.RELEASE

Compare Source

⭐ New Features

• Improve HttpSessionSecurityContextSessionRepository Performance #​9390
• Migrate SAML 2.0 Samples to Use PCFOne #​9371
• Use constant time comparisons for CSRF tokens #​9359

🪲 Bug Fixes

• OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #​9428
• Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #​9406
• Remove notEmpty check for authorities in DefaultOAuth2User #​9398
• CsrfWebFilter creates CsrfException with incorrect message when no token is found #​9340
• webflux-x509 sample cert needs renewal #​9321
• OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #​9260

🔨 Dependency Upgrades

• Update to GAE 1.9.86 #​9442
• Update to Tomcat 9.0.43 #​9441
• Update to Jetty 9.4.36.v20210114 #​9440
• Update to hibernate-validator 6.1.7.Final #​9439
• Update to hibernate-entitymanager 5.4.28.Final #​9438
• Update to thymeleaf-spring5 3.0.12 #​9437
• Update to Spring Data Moore-SR12 #​9436
• Update to Reactor Dysprosium-SR16 #​9435
• Update to Spring Framework 5.2.12.RELEASE #​9434
• Update to Spring Boot 2.2.13.RELEASE #​9433

v5.2.8.RELEASE

Compare Source

🪲 Bug Fixes

• Remove empty Appendix Section from docs #​9172
• Tests should not combine Authentication and @​AuthenticationPrincipal #​9126

🔨 Dependency Upgrades

• Update to Spring LDAP Core 2.3.3 #​9245
• Update to Powermock 2.0.9 #​9244
• Update to HSQLDB 2.5.1 #​9243
• Update to Hibernate EntityManager 5.4.25 #​9242
• Update to Jetty 9.4.35 #​9241
• Update to HttpComponents HttpClient 4.5.13 #​9240
• Update to RSocket 1.0.3 #​9239
• Update to Reactor Dysprosium-SR14 #​9238
• Update to Google App Engine 1.9.83 #​9237
• Update to Jackson Databind 2.10.5.1 #​9236
• Update to Spring Data Moore-SR11 #​9235
• Update to Spring 5.2.11 #​9234
• Update to Spring Boot 2.2.11 #​9233

v5.2.7.RELEASE

Compare Source

🪲 Bug Fixes

• SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #​9058
• CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #​9025

🔨 Dependency Upgrades

• Update to Spring Data Moore-SR10 #​9088
• Update to Hibernate Entity manager 5.4.22 #​9087
• Update to Hibernate Validator 6.1.6 #​9086
• Upgrade to embedded Apache Tomcat 9.0.38 #​9085
• Update to RSocket 1.0.2 #​9084
• Update to Spring Framework 5.2.9 #​9083
• Update to Reactor Dysprosium-SR12 #​9082
• Update to Spring Boot 2.2.10 #​9081
• Update to GAE 1.9.82 #​9080
• Update to org.aspectj 1.9.6 #​9079

v5.2.6.RELEASE

Compare Source

⭐ New Features

• Add logging #​8889
• Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #​8856
• Use Github Actions PR pipeline and remove Travis for 5.2.x #​8723

🪲 Bug Fixes

• ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #​8897
• Resolved bearer token has no padding indicators #​8838
• Fix ProviderManager Javadoc typo #​8812
• LoginPageGeneratingWebFilter should honor context path #​8809
• RoleHierarchy is not used by AbstractAuthorizeTag #​8679
• OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #​8673
• ReactorContext not available in PayloadSocketAcceptor delegate.accept #​8656

🔨 Dependency Upgrades

• Update to nohttp 0.0.5.RELEASE #​8927
• Update to Spring Boot 2.2.9.RELEASE #​8921
• Update to Reactor Dysprosium-SR10 #​8920
• Update to Spring Framework 5.2.8.RELEASE #​8919
• Update to Spring Data Moore-SR9 #​8918
• Update to PowerMock Mockito2 2.0.7 #​8917
• Update blockhound to 1.0.4.RELEASE #​8916
• Update to groovy 2.4.20 #​8915
• Update to embedded Tomcat websocket 8.5.57 #​8914
• Upgrade to embedded Apache Tomcat 9.0.37 #​8913
• Update to jaxb-impl 2.3.3 #​8912
• Update to GAE 1.9.81 #​8911
• Update to Jackson 2.10.5 #​8910
• Update to spring-build-conventions:0.0.33.RELEASE #​8761
• Update to RSocket 1.0.1 #​8664

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​elliedori

v5.2.5.RELEASE

Compare Source

🪲 Bug Fixes

• Delay AuthenticationPrincipalArgumentResolver Lookup #​8615
• Mock request with non-standard HTTP method in test #​8595
• Remove unused field 'digester' in Md4PasswordEncoder #​8576
• ACL : AclImpl.hashCode leads to StackOverflowError #​8570
• Object ID Identity conversion to long fails on old schema #​8559
• Blocking in WebSessionServerCsrfTokenRepository #​8545
• Fix AntPathRequestMatcher Javadoc #​8527
• Document NoOpPasswordEncoder will not be removed #​8522
• Fix non-standard HTTP method for CsrfWebFilter #​8516

🔨 Dependency Upgrades

• Update to Spring Boot 2.2.7 #​8630
• Update to okhttp 3.14.9 #​8629
• Update to Jython 2.5.3 #​8628
• Update to mockwebserver 3.14.9 #​8627
• Update to RSocket 1.0.0 #​8626
• Update to groovy 2.4.19 #​8625

v5.2.4.RELEASE

Compare Source

⭐ New Features

• SAML Authentication Provider assertions #​8495
• BCryptPasswordEncoder.encode() throws NPE #​8346

🪲 Bug Fixes

• Fix Javadoc punctuation #​8494
• Add ROLE_INFRASTRUCTURE to infrastructure beans #​8438
• SEC-2664: ActiveDirectoryLdapAuthenticationProvider should wrap communication exceptions in InternalAuthenticationServiceException #​8430
• OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #​8426
• Fix typo with correct capitalization #​8409
• Global ServerSecurityContextRepository ignored by logout #​8386
• Fix example in javadoc of FilterChainProxy #​8352
• Fix typo in Javadoc of ServerHttpSecurity#hasAuthority #​8338
• Java Doc of org.springframework.security.config.annotation.web.builders.HttpSecurity contains grammatical errors #​8312

🔨 Dependency Upgrades

• Update to Byte Buddy 1.9.16 #​8481
• Upgrade to embedded Apache Tomcat 9.0.34 #​8469
• Update RSocket to 1.0.0-RC7 #​8468
• Update to GAE 1.9.80 #​8467
• Update to Jackson 2.10.4 #​8466
• Update to org.powermock 2.0.7 #​8465
• Update to Reactor Dysprosium-SR7 #​8464
• Update to Spring Framework 5.2.6.RELEASE #​8463
• Update to Spring Data Moore-SR7 #​8462

v5.2.3.RELEASE

Compare Source

⏪ Non-passive

• SwitchUserFilter vulnerable to CSRF #​8223

⭐ New Features

• SpringTestContext returns ConfigurableWebApplicationContext #​8240
• OAuth2LoginAuthenticationProvider uses OAuth2AuthorizationCodeAuthenticationProvider #​8235
• Update Encryptors documentation for standard and stronger #​8212
• Getting OAuth2AuthenticationException when Bearer token is empty #​8207
• Document AuthorizedClientServiceOAuth2AuthorizedClientManager #​8159
• Basic auth header without user results in exception #​8123
• Typo 'properites' -> 'properties' in documentation #​8099

🪲 Bug Fixes

• Update tests to use absolute paths #​8260
• HttpServletRequest.logout() not functioning #​8241
• OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #​8210
• oauth2Login WebFlux should not auto-redirect for XHR request #​8202
• Make OAuth2ErrorHttpMessageConverter more resilient #​8180
• RSocket test should throw AccessDeniedException #​8155
• Fix typo in Javadoc of HttpSecurity#csrf() #​8137
• Empty RelayState causes errors with ADFS #​8070
• Fix typo in AntPathRequestMatcher contructor comment #​8045
• An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #​8040
• OAuth2 access token response parsing fails with nested JSON object #​8021
• Fix typo in snippet code 'jwtAuthenticationConveter' -> 'jwtAuthenticationConverter' #​7969
• OAuth2AuthorizationCodeGrantWebFilter should also match on query parameters #​7967
• OAuth2AuthorizationCodeGrantFilter should also match on query parameters #​7964
• Query parameters in authorization-url are double-encoded #​7960
• Don't force downcasting of RequestAttributes to ServletRequestAttributes #​7959
• ClassCastException for ServletRequestAttributes #​7958

🔨 Dependency Upgrades

• Update RSocket to 1.0.0-RC6 #​8280
• Update to reactive-streams 1.0.3 #​8279
• Update to OpenSAML 3.4.5 #​8278
• Update to hibernate-entitymanager 5.4.13.Final #​8277
• Update to hibernate-core 5.2.18.Final #​8276
• Update blockhound to 1.0.3.RELEASE #​8275
• Update to unboundid-ldapsdk 4.0.14 #​8274
• Update to okhttp 3.14.7 #​8259
• Update to Jackson 2.10.3 #​8258
• Update to mockwebserver 3.14.7 #​8257
• Update to org.powermock 2.0.6 #​8255
• Upgrade to embedded Apache Tomcat 9.0.33 #​8254
• Update to httpclient 4.5.12 #​8253
• Update to Spring Boot 2.2.6.RELEASE #​8252
• Update to GAE 1.9.79 #​8251
• Update to Reactor Dysprosium-SR6 #​8250
• Update to Spring Framework 5.2.5 #​8249
• Update to Spring Data Moore-SR6 #​8248
• Update to Jetty 9.4.22.v20191022 #​7507

v5.2.2.RELEASE

Compare Source

⭐ New Features

• Don't cache requests with Accept: text/event-stream by default. #​7744
• Provide reactive implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager #​7717
• Remove redundant validation for redirect-uri #​7707
• Polish oauth2-client Error-handling Tests #​7647
• Remove unnecessary code in SecurityExpressionRoot #​7635
• Extract HTTPS Documentation #​7626
• Remove unnecessary code in SecurityExpressionRoot #​7601
• Make jwks_uri optional for RFC 8414 and required for OpenID Connect #​7573

🪲 Bug Fixes

• Form login requiresAuthenticationMatcher is not used in WebFlux #​7867
• Form Login authenticationFailureHandler is not used in ServerHttpSecurity #​7866
• BasicAuthenticationFilter ignores credentials charset #​7859
• Default LDIF file not picked up in LDAP "unboundid" mode #​7852
• Incorrect LDIF file example in LDAP documentation #​7849
• Use the custom ServerRequestCache that the user configures #​7753
• RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #​7751
• Disabling logout in WebFlux does nothing #​7742
• Saml2Authentication isn't serializable #​7739
• Docs ServerRSocketFactoryCustomizer->ServerRSocketFactoryProcessor #​7738
• CompositeServerHttpHeadersWriter Should Execute Sequentially #​7732
• DelegatingServerAuthenticationSuccessHandler Should Execute Sequentially #​7729
• DelegatingServerLogoutHandler Should Execute Sequentially #​7725
• WebFlux oauth2Login returns 500 when bad client credentials #​7703
• Correctly configure authorization requests repository for OAuth2 login #​7690
• Correctly configure authorization requests repository for OAuth2 login #​7689
• DefaultReactiveOAuth2AuthorizedClientManager never calls UnAuthenticatedServerOAuth2AuthorizedClientRepository #​7684
• Update @​MessageMapping to match input/output cardinality #​7669
• Add http and https spring.schema mappings #​7623
• Avoid toString in favor of getName in order to extract sid #​6354

🔨 Dependency Upgrades

• Update to Spring Boot 2.2.4 #​7909
• Update to org.slf4j 1.7.30 #​7908
• Update to org.powermock 2.0.5 #​7907
• Update to hibernate-validator 6.1.2.Final #​7906
• Update to hibernate-entitymanager 5.4.10.Final #​7905
• Update to org.aspectj 1.9.5 #​7904
• Update to httpclient 4.5.11 #​7903
• Update to commons-codec 1.14 #​7899
• Update to com.squareup.okhttp3 3.14.6 #​7898
• Update to Jackson 2.10.2 #​7897
• Update to Reactor Dysprosium SR4 #​7896
• Update to Spring Data Moore SR3 #​7895
• Update to Spring Framework 5.2.3 #​7894
• Update nimbus-jose-jwt because of CVE-2019-17195 #​7570

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rhamedy
• @​Atry
• @​fhanik
• @​quaff
• @​joshiste
• @​eleftherias
• @​LeeHainie

v5.2.1.RELEASE

Compare Source

⭐ New Features

• Fix variable reference in sample code #​7571
• spring-security-saml2-service-provider impossible to use different format of assertionConsumerServiceUrlTemplate #​7565
• Add Resource Server Multi-tenancy Documentation #​7532
• Update SAML sample to use boot auto config #​7521
• Add Reactive CSRF Documentation #​6487

🪲 Bug Fixes

• Restore Removed Throws Clauses #​7580
• CsrfWebFilter should handle multipart/form-data #​7576
• Make saveAuthorizedClient save the authorized client #​7551
• DefaultReactiveOAuth2AuthorizedClientManager.saveAuthorizedClient does not save authorized client #​7546
• throws Exception was removed from WebSecurityConfigurerAdapter#configure(WebSecurity) #​7541
• SAML2 Provider SubjectConfirmation validation failure #​7514
• SAML2 Provider AuthNRequest Hardcoded Protocol Binding #​7513
• Clock skew to check access token expiration has wrong sign #​7511

🔨 Dependency Upgrades

• Upgrade to Spring Boot 2.2.0.RELEASE #​7566

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​fhanik
• @​mftruso
• @​jzheaux
• @​philsttr
• @​rweisleder
• @​ramonPires

v5.2.0.RELEASE

Compare Source

⭐ New Features

• Add Hello RSocket Sample #​7504
• Add RSocket Reference #​7502
• CookieServerCsrfRepositoryTests should not start domain with a dot #​7500
• Add OAuth2 Resource Server to Modules Section #​7498
• Initial saml2 login docs #​7495
• SAML 2 Assertion - Always require signature validation #​7490
• Add Reactive Messaging CurrentSecurityContextPrincipalArgumentResolver #​7488
• CurrentSecurityContextArgumentResolver polishes #​7487
• Add ClientRegistration.withClientRegistration(ClientRegistration) #​7486
• Add hasAuthority method to RSocketSecurity #​7478
• Align Servlet ExchangeFilterFunction CoreSubscriber #​7476
• WebFluxSecurityConfiguration does not configure oauth2Client #​7470
• Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #​7467
• Add ability to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec #​7466
• Document Clear-Site-Data Support #​7463
• Document RFC 8414 Support #​7462
• Document Bearer Token Propagation #​7461
• Document Reactive Mock Jwt Testing #​7460
• Fixed typo in comment #​7458
• Use Schedulers.boundedElastic() #​7457
• AbstractUserDetailsReactiveAuthenticationManager uses newParallel #​7456
• Add hasAnyAuthority method in AuthorizePayloadsSpec.Access #​7455
• Add denyAll method in AuthorizePayloadsSpec.Access #​7451
• AuthenticationFilter's methods should be private #​7447
• AuthenticationFilter should provide session fixation protection #​7446
• Use Jwt.Builder #​7443
• Add AuthorizePayloadsSpec.Access denyAll, hasAnyRole, hasAnyAuthority #​7437
• Add AuthorizePayloadsSpec.Access hasAuthority #​7435
• Document Resource Server User-Info Usage #​7431
• Document Reactive Opaque Token Usage #​7430
• Document NimbusReactiveJwtDecoder #​7425
• Document Mock Jwt Testing #​7424
• Servlet ExchangeFilterFunctions should align #​7422
• Document Opaque Token Usage #​7420
• ServletBearerExchangeFilterFunction should propagate Authentication #​7418
• Document NimbusJwtDecoder #​7408
• Document Jwt.Builder #​7407
• Document OAuth2AuthenticatedPrincipal #​7406
• DefaultReactiveOAuth2AuthorizedClientManager should default ServerWebExchange #​7390
• Make OAuth2User extends OAuth2AuthenticatedPrincipal #​7383
• OAuth2User should extend OAuth2AuthenticatedPrincipal #​7378
• SamlAuthenticationProvider should propagate actual validation errors #​7375
• Add Reactive Messaging AuthenticationPrincipalArgumentResolver #​7363
• Allow Custom PayloadInterceptor to be Added #​7362
• Default RSocketSecurity #​7361
• Add nonce to OIDC Authentication Request #​7337
• Introduce LogoutSuccessEvent #​7306
• Mock Jwt should ensure that CSRF is not required #​7170
• Document BearerTokenResolver in reference #​6254
• Consider adding nonce to OIDC Authentication Request #​4442
• SEC-2680: Fire an event when logout has finished #​2900

🪲 Bug Fixes

• Correctly populate the AuthNRequest attributes #​7496
• AuthNRequest#Destination contains the SP entity ID, not the IDP SSO URI #​7494
• AbstractUserDetailsReactiveAuthenticationManager default Scheduler should be disposed #​7492
• Always validate saml2 signatures #​7491
• CurrentSecurityContext Javadoc should be about SecurityContext #​7489
• Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrd… #​7450
• SAML Response Skew is using the wrong type #​7448
• Jwt.Builder should keep notBefore as an Instant #​7442
• AuthorizePayloadsSpec uses AUTHENTICATION for AuthorizationPayloadInterceptor #​7434
• RSocketMessageHandlerITests could hang #​7415
• RSocketSecurity anyRequest delegates to anyExchange #​7414
• OpenSamlAuthenticationProvider should not throw AuthenticationServiceException #​7377
• OpenSamlAuthenticationProvider should propagate validation errors #​7376
• OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri #​7036

🔨 Dependency Upgrades

• Update to Spring Data Moore-RELEASE #​7506
• Remaining dependency upgrades for 5.2.0 #​7505
• Upgrade JSON jackson library to 2.10.0 #​7480
• Release/dependencies for 5.2 ga #​7471
• Update the AspectJ Gradle Plugin to 4.0.2 #​7427
• Update to Gradle 5.6.2 #​7412
• Upgrade to OpenSaml 3.4.3 #​7392
• Upgrade embedded Apache Tomcat to 9.0.24 #​7384

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rchigvintsev
• @​munilvc
• @​sdoxsee
• @​jgrandja
• @​jascama
• @​bedla
• @​mkheck
• @​fhanik
• @​larsgrefer
• @​okohub
• @​eberttc
• @​eddumelendez
• @​evfool

v5.1.13.RELEASE

Compare Source

🪲 Bug Fixes

• SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #​9059

🔨 Dependency Upgrades

• Update to Spring Boot 2.1.17.RELEASE #​9078
• Update to Hibernate Validator 6.0.21 #​9077
• Update to org.aspectj 1.9.6 #​9076
• Update to GAE 1.9.82 [#​9075](https://redirect.github.com/spring-projects/spr