Update dependency org.springframework.security:spring-security-config to v6

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework.security:spring-security-config (source)	5.6.12 -> 6.5.5

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-config)

v6.5.5

Compare Source

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17922
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17911
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17923
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17910
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17924
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17913
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17925
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17912
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17926
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17914

v6.5.4

Compare Source

⭐ New Features

• Update servlet test method docs to use include-code #​17749

🪲 Bug Fixes

• Annonation Scanning Should Fallback to Object when Parameter Matching #​17899
• Fix double-slash when basePath is root #​17841
• Fix traceId discrepancy in case error in servlet web #​17796
• Reference should advise avoiding post-authorization on writes #​17798

🔨 Dependency Upgrades

• Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #​17893
• Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #​17874
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17895
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17854
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17836
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17894
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17858
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17767
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17766
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17759
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #​17853
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #​17837
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17896
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17897
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17855
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17791
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17771
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17758
• Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #​17773

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​jkuhel and @​therepanic

v6.5.3

Compare Source

⭐ New Features

• Add META-INF/LICENSE.txt to published jars #​17639
• Update Angular documentation links in csrf.adoc #​17653
• Update Shibboleth Repository URL #​17637
• Use 2004-present Copyright #​17634

🪲 Bug Fixes

• Add Missing Navigation in Preparing for 7.0 Guide #​17731
• DPoP authentication throws JwtDecoderFactory ClassNotFoundException #​17249
• OpenSamlAssertingPartyDetails Should Be Serializable #​17727
• Use final values in equals and hashCode #​17621

🔨 Dependency Upgrades

• Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17739
• Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17690
• Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17684
• Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #​17661
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17615
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17599
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17737
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17701
• Bump io.mockk:mockk from 1.14.4 to 1.14.5 #​17614
• Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #​17647
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17733
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17711
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17612
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17598
• Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #​17742
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17613
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17595
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17760
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17692
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17683
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17671
• Bump org.gretty:gretty from 4.1.6 to 4.1.7 #​17616
• Bump org.gretty:gretty from 4.1.6 to 4.1.7 #​17597
• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #​17646
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #​17660
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17694
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17685
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #​17650
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17645
• Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #​17757
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17651
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17596
• Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #​17735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​codingtim

v6.5.2

Compare Source

🪲 Bug Fixes

• <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #​17495
• Add 7.0 Migration Steps for Messaging PathPattern Usage #​17509
• EnableReactiveMethodSecurity should not import Servlet configuration #​17545
• Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method #​17337
• Fix securityContextRepository() initialization in oauth2Login() DSL #​17557
• OAuth2Login DSL should support post-processing AuthenticationProvider implementations #​17176
• Websocket XML config should pick up PathPatternMessageMatcher.Builder #​17508

🔨 Dependency Upgrades

• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #​17444
• Bump io-spring-javaformat from 0.0.46 to 0.0.47 [#​17470](#​17470
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 [#​17570](#​17570
• Bump io.mockk:mockk from 1.14.2 to 1.14.4 #​17467
• Bump io.mockk:mockk from 1.14.4 to 1.14.5 #​17572
• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #​17469
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17555
• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.20.Final #​17491
• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #​17571
• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17466
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17569
• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17468
• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17481
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17568

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​fkowal and @​therepanic

v6.5.1

Compare Source

⭐ New Features

• Create demonstration of include-code usage #​17161
• Setup include-code extension for docs #​17160

🪲 Bug Fixes

• ClearSiteDataHeaderWriter log is misleading #​17166
• Fix to allow multiple AuthenticationFilter instances to process each request #​17216
• Inconsistent constructor declaration on bean with name '_reactiveMethodSecurityConfiguration' #​17210
• OAuth2ResourceServer using authenticationManagerResolver results in tokenAuthenticationManager cannot be null while startup #​17172
• Publishing a default TargetVisitor should not override Spring MVC support #​17189
• Use HttpStatus in back-channel logout filters #​17157

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #​17233
• Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #​17192
• Bump io-spring-javaformat from 0.0.43 to 0.0.45 #​17152
• Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #​17220
• Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #​17232
• Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #​17204
• Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #​17214
• Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #​17184
• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #​17256
• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17257
• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17239
• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​evgeniycheban

v6.5.0

Compare Source

⭐ New Features

• Add documentation for DPoP support #​17072
• Add logging to CsrfTokenRequestHandler implementations #​16994
• Add mapping for DPoP in DefaultMapOAuth2AccessTokenResponseConverter #​16806
• Bump Gradle Wrapper from 8.13 to 8.14 #​17018
• ClientRegistrations.fromIssuerLocation does not include failure information #​17015
• Fix Typo In SubjectDnX509PrincipalExtractorTests #​16997
• Implement internal cache in JtiClaimValidator #​17107
• Polish javadoc #​16924
• Remove unused classes #​16935
• Replace NimbusOpaqueTokenIntrospector with SpringOpaqueTokenIntrospector in Documentation #​16962
• RequestHeaderAuthenticationFilter creates a session even if not configured to do so #​17147

🪲 Bug Fixes

• Add FunctionalInterface To X509PrincipalExtractor #​16952
• Change NonNull import from reactor to spring #​16571
• Fix DPoP jkt claim to be JWK SHA-256 thumbprint #​17080
• Minor error in the Handling Logouts documentation #​17049
• SecurityAnnotationScanner's method comparison should use .equals #​17145
• Use proper configuration key in Opaque Token documentation #​17014

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #​17069
• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.19.0 #​16995
• Bump com.google.code.gson:gson from 2.13.0 to 2.13.1 #​16990
• Bump com.webauthn4j:webauthn4j-core from 0.29.0.RELEASE to 0.29.1.RELEASE #​17024
• Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #​17095
• Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #​17096
• Bump io.mockk:mockk from 1.14.0 to 1.14.2 #​17019
• Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #​17111
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #​17040
• Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #​17088
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #​16761
• Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #​17089
• Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #​17105
• Bump org.seleniumhq.selenium:selenium-java from 4.31.0 to 4.32.0 #​17037
• Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #​16981
• Bump org.springframework.data:spring-data-bom from 2024.1.5 to 2024.1.6 #​17137
• Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #​17124

🔩 Build Updates

• Release 6.5.0 #​17138

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​dkowis, @​franticticktick, @​hammadirshad, @​jearton, @​ngocnhan-tran1996, @​quaff, and @​yybmion

v6.4.11

Compare Source

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #​17921
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #​17909
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17918
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17905
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #​17917
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #​17907
• Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #​17919
• Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #​17906
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17920
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17908

v6.4.10

Compare Source

🪲 Bug Fixes

• Annonation Scanning Should Fallback to Object when Parameter Matching #​17898
• Fix traceId discrepancy in case error in servlet web #​17134
• Reference should advise avoiding post-authorization on writes #​17797
• Remove MockWebServer from JwtIssuerAuthenticationManagerResolverTests #​17869

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17792
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17778
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17769
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #​17892
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #​17857
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17777
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17768
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17755
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #​17851
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #​17835
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #​17890
• Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #​17891
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17889
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17877
• Update to nimbus-jose-jwt:9.37.4 #​17875

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​nkonev

v6.4.9

Compare Source

⭐ New Features

• Add META-INF/LICENSE.txt to published jars #​17638
• Update Angular documentation links in csrf.adoc #​17652
• Update Shibboleth Repository URL #​17636
• Use 2004-present Copyright #​17633

🪲 Bug Fixes

• OpenSamlAssertingPartyDetails Should Be Serializable #​17622

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17611
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17604
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17756
• Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #​17699
• Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #​17643
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17741
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #​17717
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17609
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #​17603
• Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #​17736
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17607
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17602
• Bump org.gretty:gretty from 4.1.6 to 4.1.7 #​17641
• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #​17630
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #​17659
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17695
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #​17680
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17696
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17682
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17642
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17600
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.9 #​17738
• Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #​17745
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17610
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17601
• Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #​17744

v6.4.8

Compare Source

🪲 Bug Fixes

• <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #​17494
• Fix securityContextRepository() initialization in oauth2Login() DSL #​17502
• Support add nested security configurers during builder initialization #​17020

🔨 Dependency Upgrades

• Bump io-spring-javaformat from 0.0.46 to 0.0.47 #​17464
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #​17576
• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #​17463
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #​17574
• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #​17465
• Bump org.hibernate.orm:hibernate-core from 6.6.19.Final to 6.6.20.Final #​17490
• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #​17575
• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17480
• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #​17577
• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17462
• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17461
• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #​17578

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​kse-music and @​marcusdacoregio

v6.4.7

Compare Source

🪲 Bug Fixes

• ClearSiteDataHeaderWriter log is misleading #​17165
• Fix inconsistent constructor declaration for ReactiveAuthorizationManagerMethodSecurityConfiguration #​17197
• Fix to allow multiple AuthenticationFilter instances to process each request #​17215
• Use HttpStatus in back-channel logout filters #​17156

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #​17229
• Bump io-spring-javaformat from 0.0.43 to 0.0.45 #​17148
• Bump io-spring-javaformat from 0.0.45 to 0.0.46 #​17199
• Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #​17221
• Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #​17230
• Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #​17206
• Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #​17212
• Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #​17183
• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #​17253
• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #​17254
• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #​17237
• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #​17236

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​damable-nuvolex

v6.4.6

Compare Source

⭐ New Features

• Bump Gradle Wrapper from 8.13 to 8.14 #​17017
• ClientRegistrations.fromIssuerLocation does not include failure information #​17016
• RequestHeaderAuthenticationFilter creates a session even if not configured to do so #​17146

🪲 Bug Fixes

• Clear Site Data references non-existent constructor #​17034
• Ensure Serializable Components Have Serialization Sample #​17038
• Minor error in the Handling Logouts documentation #​17048
• NPE in BaseOpenSamlAuthenticationProvider #​17008
• SecurityAnnotationScanner's method comparison should use .equals #​17143
• StrictFirewallServerWebExchange should still protect when request is mutated #​17032
• Use proper configuration key in Opaque Token documentation #​17013

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.3 to 2.18.4 #​17065
• Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #​17094
• Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 #​17110
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 #​17042
• Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #​17086
• Bump org.hibernate.orm:hibernate-core from 6.6.13.Final to 6.6.14.Final #​17087
• Bump org.hibernate.orm:hibernate-core from 6.6.14.Final to 6.6.15.Final #​17103
• Bump org.springframework.data:spring-data-bom from 2024.1.4 to 2024.1.5 #​16983
• Bump org.springframework:spring-framework-bom from 6.2.6 to 6.2.7 #​17121

🔩 Build Updates

• Release Security 6.4.6 #​17139

v6.4.5

Compare Source

⭐ New Features

• Add link to docs zip file to the reference #​16799
• Fix attribute name in http.adoc #​16784
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #​16783

🪲 Bug Fixes

• [Docs] Broken link on Spring MVC Test Integration page #​16785
• ServerBearerTokenAuthenticationConverter validates parameters when not enabled #​16901
• Clarify WebInvocationPrivilegeEvaluator JavaDoc #​16782
• CookieServerCsrfTokenRepository.withHttpOnlyFalse() ineffective if setCookieCustomizer() is used #​16862
• Correct closing tag in default PassKey HTML form #​16601
• Fix WebAuthn saves Anonymous PublicKeyCredentialUserEntity #​16606
• OpenSaml support should preserve encrypted elements for further analysis #​16367
• Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #​16837
• WebFlux reference links to Servlet docs #​16786
• XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #​16844

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #​16767
• Bump io.micrometer:micrometer-observation from 1.14.5 to 1.14.6 #​16938
• Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #​16944
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #​16919
• Bump org-aspectj from 1.9.22.1 to 1.9.24 #​16928
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #​16758
• Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final #​16895
• Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #​16960
• Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #​16959

🔩 Build Updates

• Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20 #​16894
• Release 6.4.5 #​16972

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​AB-xdev, @​Borghii, and @​dependabot[bot]

v6.4.4

Compare Source

🪲 Bug Fixes

• Add testRuntimeOnly junit-platform-launcher #​16756
• Align Method Traversal Algorithm with Spring Framework #​16751
• Disable Flaky WebAuthnWebDriverTests #​16753
• Fix @PostResult example in method-security doc #​16628
• Grammar Fixes in OAuth 2.0 JavaDoc #​16619

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 #​16649
• Bump com.fasterxml.jackson:jackson-bom from 2.18.2 to 2.18.3 #​16692
• Bump com.webauthn4j:webauthn4j-core from 0.28.5.RELEASE to 0.28.6.RELEASE #​16691
• Bump io.micrometer:micrometer-observation from 1.14.4 to 1.14.5 #​16715
• Bump io.mockk:mockk from 1.13.16 to 1.13.17 #​16675
• Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16 #​16725
• Bump org.hibernate.orm:hibernate-core from 6.6.10.Final to 6.6.11.Final #​16748
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.23 to 4.33.24 #​16669
• Bump org.slf4j:slf4j-api from 2.0.16 to 2.0.17 #​16650
• Bump org.springframework.data:spring-data-bom from 2024.1.3 to 2024.1.4 #​16749
• Bump org.springframework:spring-framework-bom from 6.2.3 to 6.2.4 #​16733

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kuba15, @​dependabot[bot], and @​pat-mccusker

v6.4.3

Compare Source

⭐ New Features

• Add Support disableDefaultRegistrationPage to WebAuthnDsl #​16395

🪲 Bug Fixes

• withValue used incorrectly #​16527
• Fix for JdbcOneTimeTokenService cleanupExpiredTokens failing with PostgreSQL #​16344
• Fix GenerateOneTimeTokenWebFilter double publish of chain.filter(...) #​16459
• Fix Kotlin DSL webAuthn { } #​16338
• Fix loader has changed while resolving nodes in WebAuthnWebDriverTests #​16463
• Fix logoutRequestRepository not set on Saml2RelyingPartyInitiatedLogoutSuccessHandler #​16310
• Implement Serializable for WebAuthnAuthentication #​16285
• Make AuthorizationDecision Serializable #​16544
• Make PublicKeyCredentialRequestOptions Serializable Backport #​16584
• Make Saml2AuthenticationToken Serializable #​16287
• Make WebAuthnAuthentication Serializable #​16273
• Make WebAuthnAuthenticationRequestToken Serializable #​16602
• Make WebAuthnAuthenticationTokenRequest Serializable #​16481
• Misconfigured OAuth2LoginAuthenticationFilter when combining OAuth2 login and OAuth2 client configuration #​16466
• OTT Should Use non-static member to capture the last OneTimeToken #​16471
• webauthn js should ensure allowCredentials[].id is an ArrayBuffer #​16440

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16 #​16364
• Bump com.nimbusds:oauth2-oidc-sdk from 9.43.5 to 9.43.6 #​16598
• Bump com.webauthn4j:webauthn4j-core from 0.28.4.RELEASE to 0.28.5.RELEASE #​16523
• Bump io.micrometer:micrometer-observation from 1.14.3 to 1.14.4 #​16565
• Bump io.mockk:mockk from 1.13.14 to

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.