spring-security/docs/modules/ROOT/pages/whats-new.adoc

[[new]]
= What's New in Spring Security 5.8

Spring Security 5.8 provides a number of new features.
Below are the highlights of the release.

== Core

=== Session Handling Improvements
* https://github.com/spring-projects/spring-security/issues/6125[gh-6125] - improved session creation and access
* https://github.com/spring-projects/spring-security/issues/11392[gh-11392] - Support deferring lookup of `SecurityContext`

=== AuthorizationManager API
* https://github.com/spring-projects/spring-security/issues/11493[gh-11493] - `AuthorizationManager` supports SpEL
* Additional XML support for `AuthorizationManager`
* https://github.com/spring-projects/spring-security/pull/11393[gh-11393] - Additional DSL support for `AuthorizationManager`
* Additional XML Support for `AuthorizationManager
* https://github.com/spring-projects/spring-security/issues/11304[gh-11304] - `AuthorizationManager` supports `RoleHierarchy`
* https://github.com/spring-projects/spring-security/issues/11076[gh-11076] - `AuthorizationManager` supports WebSockets
* https://github.com/spring-projects/spring-security/issues/11326[gh-11326] - `AuthorizationManager` supports AspectJ
* https://github.com/spring-projects/spring-security/issues/4841[gh-4841], https://github.com/spring-projects/spring-security/issues/9401[gh-9401] - `ReactiveAuthorizationManager` supports method security
* https://github.com/spring-projects/spring-security/issues/11625[gh-11625] - Support `AuthorizationManager` composition

=== Misc
* https://github.com/spring-projects/spring-security/issues/10973[gh-10973] - `SecurityContextHolderStrategy` can be published as a `@Bean`

== Config

* https://github.com/spring-projects/spring-security/pull/11771[gh-11771] - `HttpSecurityDsl` should support `apply` method

== OAuth

* https://github.com/spring-projects/spring-security/issues/11590[gh-11590] - Deprecate Resource Owner Password Grant
* https://github.com/spring-projects/spring-security/issues/11383[gh-11383] - Add `baseScheme`, `baseHost`, `basePort` and `basePath` to the `post_logout_redirect_uri`
* https://github.com/spring-projects/spring-security/issues/11661[gh-11661] - Add `OpaqueTokenAuthenticationConverter`
* https://github.com/spring-projects/spring-security/pull/11232[gh-11232] - `ClientRegistrations#rest` defines 30s connect and read timeouts
* https://github.com/spring-projects/spring-security/pull/11638[gh-11638] - Refresh remote JWK when unknown KID error occurs

== SAML

* https://github.com/spring-projects/spring-security/issues/11286[gh-11286] - Support configuring multiple relying party logout bindings
* https://github.com/spring-projects/spring-security/issues/11065[gh-11065] - Allow custom relay state for AuthnRequests
* https://github.com/spring-projects/spring-security/issues/11468[gh-11468] - Simplify `AuthnRequest#id` access

== Web
* https://github.com/spring-projects/spring-security/issues/11073[gh-11073] - Add `DelegatingServerHttpHeadersWriter`
* https://github.com/spring-projects/spring-security/issues/4001[gh-4001] - Add xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet support] for CSRF BREACH protection
* https://github.com/spring-projects/spring-security/issues/11959[gh-11959] - Add xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive support] for CSRF BREACH protection
* https://github.com/spring-projects/spring-security/pull/11464[gh-11464] - Remember Me supports SHA256 algorithm
* https://github.com/spring-projects/spring-security/pull/11908[gh-11908] - Make X-Xss-Protection header value configurable in ServerHttpSecurity
* https://github.com/spring-projects/spring-security/issues/11347[gh-11347] - Simplify Java Configuration `RequestMatcher` Usage
* https://github.com/spring-projects/spring-security/issues/9159[gh-9159] - Add `securityMatcher` as an alias on `requestMatcher` in `HttpSecurity`
* https://github.com/spring-projects/spring-security/issues/11952[gh-11952] - Add `csrfTokenRequestResolver` to `CsrfDsl`
* https://github.com/spring-projects/spring-security/issues/11916[gh-11916] - `HttpSecurityConfiguration` picks up `ContentNegotiationStrategy` bean
* https://github.com/spring-projects/spring-security/issues/11971[gh-11971] - Additional support for `AuthorizationFilter` running for all dispatcher types

== Test
* https://github.com/spring-projects/spring-security/issues/6899[gh-6899] - `@WithMockUser` works as meta-annotation
Extract subsections for preface Issue: gh-2567 2018-03-05 16:56:47 -06:00			`[[new]]`
Prepare for Spring Security 5.8 2022-05-02 16:13:07 -06:00			`= What's New in Spring Security 5.8`
Extract subsections for preface Issue: gh-2567 2018-03-05 16:56:47 -06:00
Prepare for Spring Security 5.8 2022-05-02 16:13:07 -06:00			`Spring Security 5.8 provides a number of new features.`
Extract subsections for preface Issue: gh-2567 2018-03-05 16:56:47 -06:00			`Below are the highlights of the release.`
Add SecurityContextHolderFilter Closes gh-9635 2022-02-18 15:14:34 -06:00
Update What's New Closes gh-12021 2022-10-13 10:13:20 -06:00			`== Core`

			`=== Session Handling Improvements`
			`* https://github.com/spring-projects/spring-security/issues/6125[gh-6125] - improved session creation and access`
			* https://github.com/spring-projects/spring-security/issues/11392[gh-11392] - Support deferring lookup of `SecurityContext`

			`=== AuthorizationManager API`
			* https://github.com/spring-projects/spring-security/issues/11493[gh-11493] - `AuthorizationManager` supports SpEL
			* Additional XML support for `AuthorizationManager`
			* https://github.com/spring-projects/spring-security/pull/11393[gh-11393] - Additional DSL support for `AuthorizationManager`
			* Additional XML Support for `AuthorizationManager
			* https://github.com/spring-projects/spring-security/issues/11304[gh-11304] - `AuthorizationManager` supports `RoleHierarchy`
			* https://github.com/spring-projects/spring-security/issues/11076[gh-11076] - `AuthorizationManager` supports WebSockets
			* https://github.com/spring-projects/spring-security/issues/11326[gh-11326] - `AuthorizationManager` supports AspectJ
			* https://github.com/spring-projects/spring-security/issues/4841[gh-4841], https://github.com/spring-projects/spring-security/issues/9401[gh-9401] - `ReactiveAuthorizationManager` supports method security
			* https://github.com/spring-projects/spring-security/issues/11625[gh-11625] - Support `AuthorizationManager` composition

			`=== Misc`
			* https://github.com/spring-projects/spring-security/issues/10973[gh-10973] - `SecurityContextHolderStrategy` can be published as a `@Bean`

			`== Config`

Update What's New for 5.8 2022-09-14 14:58:48 -05:00			* https://github.com/spring-projects/spring-security/pull/11771[gh-11771] - `HttpSecurityDsl` should support `apply` method
Update What's New Closes gh-12021 2022-10-13 10:13:20 -06:00
			`== OAuth`

			`* https://github.com/spring-projects/spring-security/issues/11590[gh-11590] - Deprecate Resource Owner Password Grant`
			* https://github.com/spring-projects/spring-security/issues/11383[gh-11383] - Add `baseScheme`, `baseHost`, `basePort` and `basePath` to the `post_logout_redirect_uri`
			* https://github.com/spring-projects/spring-security/issues/11661[gh-11661] - Add `OpaqueTokenAuthenticationConverter`
Update What's New for 5.8 2022-09-14 15:13:41 -05:00			* https://github.com/spring-projects/spring-security/pull/11232[gh-11232] - `ClientRegistrations#rest` defines 30s connect and read timeouts
Update What's New Closes gh-12021 2022-10-13 10:13:20 -06:00			`* https://github.com/spring-projects/spring-security/pull/11638[gh-11638] - Refresh remote JWK when unknown KID error occurs`

			`== SAML`

			`* https://github.com/spring-projects/spring-security/issues/11286[gh-11286] - Support configuring multiple relying party logout bindings`
			`* https://github.com/spring-projects/spring-security/issues/11065[gh-11065] - Allow custom relay state for AuthnRequests`
			* https://github.com/spring-projects/spring-security/issues/11468[gh-11468] - Simplify `AuthnRequest#id` access

			`== Web`
			* https://github.com/spring-projects/spring-security/issues/11073[gh-11073] - Add `DelegatingServerHttpHeadersWriter`
Add links to reference in What's New for 5.8 Issue gh-4001 Issue gh-11959 2022-10-13 12:52:01 -05:00			`* https://github.com/spring-projects/spring-security/issues/4001[gh-4001] - Add xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet support] for CSRF BREACH protection`
			`* https://github.com/spring-projects/spring-security/issues/11959[gh-11959] - Add xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive support] for CSRF BREACH protection`
Update What's New for 5.8 2022-09-20 08:33:38 -03:00			`* https://github.com/spring-projects/spring-security/pull/11464[gh-11464] - Remember Me supports SHA256 algorithm`
Update What's New for 5.8 2022-10-03 11:13:19 +02:00			`* https://github.com/spring-projects/spring-security/pull/11908[gh-11908] - Make X-Xss-Protection header value configurable in ServerHttpSecurity`
Simplify Java Configuration RequestMatcher Usage If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity Closes gh-11347 Closes gh-9159 2022-09-21 10:09:35 -03:00			* https://github.com/spring-projects/spring-security/issues/11347[gh-11347] - Simplify Java Configuration `RequestMatcher` Usage
			* https://github.com/spring-projects/spring-security/issues/9159[gh-9159] - Add `securityMatcher` as an alias on `requestMatcher` in `HttpSecurity`
Update What's New for 5.8 Issue gh-11952 2022-10-05 13:48:18 -05:00			* https://github.com/spring-projects/spring-security/issues/11952[gh-11952] - Add `csrfTokenRequestResolver` to `CsrfDsl`
Update What's New Closes gh-12021 2022-10-13 10:13:20 -06:00			* https://github.com/spring-projects/spring-security/issues/11916[gh-11916] - `HttpSecurityConfiguration` picks up `ContentNegotiationStrategy` bean
			* https://github.com/spring-projects/spring-security/issues/11971[gh-11971] - Additional support for `AuthorizationFilter` running for all dispatcher types

			`== Test`
			* https://github.com/spring-projects/spring-security/issues/6899[gh-6899] - `@WithMockUser` works as meta-annotation