Update What's New
This commit is contained in:
Josh Cummings
parent
5c71e0e3d7
commit
06febf7857
|
|
@ -12,6 +12,7 @@ For example, if you were deployed to `https://rp.example.com` and you gave your
|
|||
|
||||
and the result would be a redirect that included a `SAMLRequest` parameter containing the signed, deflated, and encoded `<saml2:AuthnRequest>`.
|
||||
|
||||
[configuring-authentication-request-uri]
|
||||
== Configuring the `<saml2:AuthnRequest>` Endpoint
|
||||
|
||||
To configure the endpoint differently from the default, you can set the value in `saml2Login`:
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor()
|
|||
----
|
||||
======
|
||||
|
||||
[using-assertingpartymetadatarepository]
|
||||
=== Using `AssertingPartyMetadataRepository`
|
||||
|
||||
You can also be more targeted than `RelyingPartyRegistrations` by using `AssertingPartyMetadataRepository`, an interface that allows for only retrieving the asserting party metadata.
|
||||
|
|
|
|||
|
|
@ -4,6 +4,194 @@
|
|||
Spring Security 6.4 provides a number of new features.
|
||||
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
|
||||
|
||||
- https://github.com/spring-projects/spring-security/issues/4186[gh-4186] - Support `RoleHierarchy` in `AclAuthorizationStrategyImpl`
|
||||
- https://github.com/spring-projects/spring-security/issues/15136[gh-15136] - Support `RoleHierarchy` Bean in `authorizeHttpRequests` Kotlin DSL
|
||||
== Method Security
|
||||
|
||||
* All xref:servlet/authorization/method-security.adoc#using_metannotation-method-interceptors[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`]
|
||||
* `@AuthenticationPrincipal` and `@CurrentSecurityContext` now support xref:servlet/authorization/method-security.adoc#_templating_meta_annotation_expressions[annotation templates].
|
||||
+
|
||||
This means that you can now use Spring's meta-annotation support like so:
|
||||
+
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Target(TargetType.TYPE)
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@AuthenticationPrincipal("claims['{claim}']")
|
||||
@interface CurrentUsername {
|
||||
String claim() default "sub";
|
||||
}
|
||||
|
||||
// ...
|
||||
|
||||
@GetMapping
|
||||
public String method(@CurrentUsername("username") String username) {
|
||||
// ...
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
annotation CurrentUsername(val claim: String = "sub")
|
||||
|
||||
// ...
|
||||
|
||||
@GetMapping
|
||||
fun method(@CurrentUsername("username") val username: String): String {
|
||||
// ...
|
||||
}
|
||||
----
|
||||
======
|
||||
* https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm.
|
||||
This aids in migration from earlier versions of Spring Security.
|
||||
|
||||
== OAuth 2.0
|
||||
|
||||
* `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`]
|
||||
* OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`]
|
||||
|
||||
== SAML 2.0
|
||||
|
||||
* Added xref:servlet/saml2/opensaml.adoc[OpenSAML 5 Support].
|
||||
Now you can use either OpenSAML 4 or OpenSAML 5; by default, Spring Security will select the write implementations based on what's on your classpath.
|
||||
* Using EntityIDs for the `registrationId` is simplified.
|
||||
+
|
||||
A common pattern is to identify asserting parties by their `entityID`.
|
||||
In previous versions, this required directly configuring `OpenSamlAuthenticationRequestResolver`.
|
||||
Now, the request resolver looks by default for the `registrationId` https://github.com/spring-projects/spring-security/issues/15017[as a request parameter] in addition to looking for it in the path.
|
||||
This allows you to use `RelyingPartyRegistrations` or `OpenSaml4/5AssertingPartyMetadataRepository` without also needing to modify the `registrationId` values or customize the request resolver.
|
||||
+
|
||||
Relatedly, you can now configure your `authenticationRequestUri` to xref:servlet/saml2/login/authentication-requests.adoc#configuring-authentication-request-uri[contain a query parameter]
|
||||
* Asserting Parties can now be refreshed in the background according to the metadata's expiry.
|
||||
+
|
||||
For example, you can now use xref:servlet/saml2/metadata.adoc#using-assertingpartymetadatarepository[`OpenSaml5AssertingPartyMetadataRepository`] to do:
|
||||
+
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Component
|
||||
public class RefreshableRelyingPartyRegistrationRepository implements IterableRelyingPartyRegistrationRepository {
|
||||
private final AssertingPartyMetadataRepository assertingParties = OpenSaml5AssertingPartyMetadataRepository
|
||||
.fromTrustedMetadataLocation("https://idp.example.org").build();
|
||||
|
||||
@Override
|
||||
public RelyingPartyRegistration findByRegistrationId(String registrationId) {
|
||||
AssertingPartyMetadata assertingParty = this.assertingParties.findByEntityId(registrationId);
|
||||
return RelyingPartyRegistration.withAssertingPartyMetadata(assertingParty)
|
||||
// relying party configurations
|
||||
.build();
|
||||
}
|
||||
|
||||
// ...
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Component
|
||||
open class RefreshableRelyingPartyRegistrationRepository: IterableRelyingPartyRegistrationRepository {
|
||||
private val assertingParties: AssertingPartyMetadataRepository = OpenSaml5AssertingPartyMetadataRepository
|
||||
.fromTrustedMetadataLocation("https://idp.example.org").build()
|
||||
|
||||
override fun findByRegistrationId(String registrationId): RelyingPartyRegistration {
|
||||
val assertingParty = this.assertingParties.findByEntityId(registrationId)
|
||||
return RelyingPartyRegistration.withAssertingPartyMetadata(assertingParty)
|
||||
// relying party configurations
|
||||
.build()
|
||||
}
|
||||
|
||||
// ...
|
||||
}
|
||||
----
|
||||
======
|
||||
+
|
||||
This implementation also supports the validation of a metadata's signature.
|
||||
* You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata]
|
||||
* `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached].
|
||||
This is helpful if you want to defer the loading of the registration values til after application startup.
|
||||
It is also helpful if you want to control when metadata gets refreshed.
|
||||
* To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type]
|
||||
|
||||
== Web
|
||||
|
||||
* CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent]
|
||||
* The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable]
|
||||
* Security Filter Chain is now improved.
|
||||
Specifically, the following arrangement is invalid since an any request filter chain comes before all other filter chains:
|
||||
+
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
@Order(0)
|
||||
SecurityFilterChain api(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests(...)
|
||||
.httpBasic(...)
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
@Order(1)
|
||||
SecurityFilterChain app(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.securityMatcher("/app/**")
|
||||
.authorizeHttpRequests(...)
|
||||
.formLogin(...)
|
||||
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
@Order(0)
|
||||
fun api(val http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
authorizeHttpRequests {
|
||||
// ...
|
||||
}
|
||||
}
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
@Order(1)
|
||||
fun app(val http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
securityMatcher("/app/**")
|
||||
authorizeHttpRequests {
|
||||
// ...
|
||||
}
|
||||
}
|
||||
return http.build();
|
||||
}
|
||||
----
|
||||
======
|
||||
You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket].
|
||||
|
||||
== Kotlin
|
||||
|
||||
* The Kotlin DSL now supports https://github.com/spring-projects/spring-security/issues/14935[SAML 2.0] and https://github.com/spring-projects/spring-security/issues/15171[`GrantedAuthorityDefaults`] and https://github.com/spring-projects/spring-security/issues/15136[`RoleHierarchy`] ``@Bean``s
|
||||
* `@PreFilter` and `@PostFilter` are https://github.com/spring-projects/spring-security/pull/15095[now supported] in Kotlin
|
||||
* The Kotlin Reactive DSL now supports https://github.com/spring-projects/spring-security/pull/15013[`SecurityContextRepository`]
|
||||
|
||||
== Acl
|
||||
|
||||
* `AclAuthorizationStrategyImpl` now https://github.com/spring-projects/spring-security/issues/4186[supports `RoleHierarchy`]
|
||||
|
|
|
|||
Loading…
Reference in New Issue