Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update What's New

This commit is contained in:
Josh Cummings 2024-11-18 15:42:02 -07:00
parent b712c24a88
commit 4787efb40b
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 121 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
View File

@ -1528,6 +1528,7 @@ We expose `MethodSecurityExpressionHandler` using a `static` method to ensure th
You can also <<subclass-defaultmethodsecurityexpressionhandler,subclass `DefaultMessageSecurityExpressionHandler`>> to add your own custom authorization expressions beyond the defaults.
[[pre-post-authorize-aot]]
=== Working with AOT
Spring Security will scan all beans in the application context for methods that use `@PreAuthorize` or `@PostAuthorize`.
@ -2462,6 +2463,7 @@ And if they do have that authority, they'll see:
You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
====
[[authorize-return-object-aot]]
=== Working with AOT
Spring Security will scan all beans in the application context for methods that use `@AuthorizeReturnObject`.

128
docs/modules/ROOT/pages/whats-new.adoc
View File

@ -4,6 +4,89 @@
Spring Security 6.4 provides a number of new features.
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
== Deprecation Notices
As we get closer to Spring Security 7, it's important to stay up to date on deprecations.
As such, this section points out deprecations in the 6.4 release.
* *Method Security* - `AuthorizationManager#check` is deprecated in favor of `AuthorizationManager#authorize`.
This is primarily to allow the return type to be an interface instead of a concrete class.
If you are invoking `AuthorizationManager#check`, please invoke `AuthorizationManager#authorize` instead.
+
Relatedly, `AuthorizationEventPublisher#publishEvent` that takes an `AuthorizationDecision` is deprecated in favor of a method of the same name that takes an `AuthorizationResult` interface instead.
* *Method Security* - `PrePostTemplateDefaults` is deprecated in favor of the more generic `AnnotationTemplateExpressionDefaults` as there is now meta-annotation property support for `@AuthenticationPrincipal` and `@CurrentSecurityContext` as well.
If you are constructing a `PrePostTemplateDefaults`, change this out for an `AnnotationTemplateExpressionDefaults`.
* *OAuth 2.0* - `NimbusOpaqueTokenIntrospector` has been deprecated in favor of `SpringOpaqueTokenIntrospector` in order to remove Spring Security OAuth 2.0 Resource Server's reliance on the `oidc-oauth2-sdk` package.
If you are constructing a `NimbusOpaqueTokenIntrospector`, replace it with ``SpringOpaqueTokenIntrospector``'s constructor
* *OAuth 2.0* - `DefaultAuthorizationCodeTokenResponseClient`, `DefaultClientCredentialsTokenResponseClient`, `DefaultJwtBearerTokenResponseClient`, `DefaultPasswordTokenResponseClient`, `DefaultRefreshTokenTokenResponseClient`, and `DefaultTokenExchangeTokenResponseClient` are deprecated in favor of their `RestClient` equivalents.
+
Relatedly,`JwtBearerGrantRequestEntityConverter`, `OAuth2AuthorizationCodeGrantRequestEntityConverter`, `OAuth2ClientCredentialsGrantRequestEntityConverter`, `OAuth2PasswordGrantRequestEntityConverter`, `OAuth2RefreshTokenGrantRequestEntityConverter` are deprecated in favor of providing an instance of `DefaultOAuth2TokenRequestParametersConverter` to one of the above token response clients
+
For example, if you have the following arrangement:
+
[source,java]
----
private static class MyCustomConverter
extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2AuthorizationCodeGrantRequest> {
@Override
protected MultiValueMap<String, String> createParameters
(OAuth2AuthorizationCodeGrantRequest request) {
MultiValueMap<String, String> parameters = super.createParameters(request);
parameters.add("custom", "value");
return parameters;
}
}
@Bean
OAuth2AccessTokenResponseClient authorizationCode() {
DefaultAuthorizationCodeTokenResponseClient client =
new DefaultAuthorizationCodeTokenResponseClient();
Converter<AuthorizationCodeGrantRequest, RequestEntity<?>> entityConverter =
new OAuth2AuthorizationCodeGrantRequestEntityConverter();
entityConverter.setParametersConverter(new MyCustomConverter());
client.setRequestEntityConverter(entityConverter);
return client;
}
----
+
This configuration is deprecated since it uses `DefaultAuthorizationCodeTokenResponseClient` and `OAuth2AuthorizationCodeGrantRequestEntityConverter`.
The recommended configuration is now:
+
[source,java]
----
private static class MyCustomConverter implements Converter<OAuth2AuthorizationCodeGrantRequest, Map<String, String>> {
@Override
public MultiValueMap<String, String> convert(OAuth2AuthorizeCodeGrantRequest request) {
MultiValueMap<String, String> parameters = OAuth2AuthorizationCodeGrantRequest.defaultParameters(request);
parameters.add("custom", "value");
return parameters;
}
}
@Bean
OAuth2AccessTokenResponseClient authorizationCode() {
RestClientAuthorizationCodeTokenResponseClient client =
new RestClientAuthorizationCodeTokenResponseClient();
client.setParametersConverter(new MyCustomConverter());
return client;
}
----
* *SAML 2.0* - Unversioned OpenSAML implementations of Spring Security SAML 2.0 Service Provider's interfaces have been deprecated in favor of versioned ones.
For example, `OpenSamlAuthenticationTokenConverter` is now replaced by `OpenSaml4AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter`.
If you are constructing one of these deprecated versions, please replace it with the one that corresponds to the OpenSAML version you are using.
* *SAML 2.0* - Methods surrounding `AssertingPartyDetails` are deprecated in favor of equivalent methods that use the `AssertingPartyMetadata` interface.
* *LDAP* - Usages of `DistinguishedName` are now deprecated in order to align with Spring LDAP's deprecations
== One-Time Token Login
* Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL, including xref:servlet/authentication/onetimetoken.adoc#customize-generate-consume-token[JDBC support].
== Passkeys
Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
== Method Security
* All xref:servlet/authorization/method-security.adoc#meta-annotations[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`]
@ -48,10 +131,14 @@ fun method(@CurrentUsername("username") val username: String): String {
======
* https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm.
This aids in migration from earlier versions of Spring Security.
* Native applications can now xref:servlet/authorization/method-security.adoc#authorize-return-object-aot[use `@AuthorizeReturnObject`]
* Native applications can now xref:servlet/authorization/method-security.adoc#pre-post-authorize-aot[reference beans in `@PreAuthorize` and `@PostAuthorize`]
* `SecurityAnnotationScanners` offers https://github.com/spring-projects/spring-security/issues/15700[a convenient API] for scanning for Security annotations and for adding Security's selection and templating features to custom annotations
== OAuth 2.0
* `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`]
* `ClientRegistrations` now supports externally obtained configuration
* Added `loginPage()` to DSL in reactive `oauth2Login()`
* OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`]
* `RestClient` can now be xref:servlet/oauth2/index.adoc#oauth2-client-access-protected-resources[configured] with `OAuth2ClientHttpRequestInterceptor` to xref:servlet/oauth2/index.adoc#oauth2-client-accessing-protected-resources-example[make protected resources requests]
@ -131,7 +218,7 @@ class SecurityConfig {
}
----
======
* Deprecated `Default*` implementations of `OAuth2AccessTokenResponseClient`
* Token Exchange now https://github.com/spring-projects/spring-security/issues/15534[supports refresh tokens]
== SAML 2.0
@ -197,15 +284,15 @@ This implementation also supports the validation of a metadata's signature.
* You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata]
* `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached].
This is helpful if you want to defer the loading of the registration values til after application startup.
It is also helpful if you want to control when metadata gets refreshed.
It is also helpful if you want to control when metadata gets refreshed via Spring Cache.
* To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type]
== Web
* CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent]
* The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable]
* Security Filter Chain is now improved.
Specifically, the following arrangement is invalid since an any request filter chain comes before all other filter chains:
* Security Filter Chain finds more invalid configurations.
For example, a filter chain declared after an any-request filter chain is invalid since it will never be invoked:
+
[tabs]
======
@ -217,6 +304,7 @@ Java::
@Order(0)
SecurityFilterChain api(HttpSecurity http) throws Exception {
http
// implicit securityMatcher("/**")
.authorizeHttpRequests(...)
.httpBasic(...)
@ -264,14 +352,36 @@ fun app(val http: HttpSecurity): SecurityFilterChain {
----
======
You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket].
* `ServerHttpSecurity` now https://github.com/spring-projects/spring-security/issues/15974[picks up `ServerWebExchangeFirewall` as a `@Bean`]
== One-Time Token Login
== Observability
Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL.
Observability now supports xref:servlet/integrations/observability.adoc#observability-tracing-disable[toggling authorization, authentication, and request observations separately]
For example, to turn off filter chain observations, you can publish a `@Bean` like this one:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityObservationSettings allSpringSecurityObservations() {
return SecurityObservationSettings.withDefaults()
.shouldObserveFilterChains(false).build();
}
----
== Passkeys
Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun allSpringSecurityObservations(): SecurityObservationSettings {
return SecurityObservationSettings.builder()
.shouldObserveFilterChains(false).build()
}
----
======
== Kotlin