From 4787efb40b1005938e3847888ce5778fb963da28 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:42:02 -0700 Subject: [PATCH] Update What's New --- .../authorization/method-security.adoc | 2 + docs/modules/ROOT/pages/whats-new.adoc | 128 ++++++++++++++++-- 2 files changed, 121 insertions(+), 9 deletions(-) diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc index 7d827291a1..6980435ca2 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc @@ -1528,6 +1528,7 @@ We expose `MethodSecurityExpressionHandler` using a `static` method to ensure th You can also <> to add your own custom authorization expressions beyond the defaults. +[[pre-post-authorize-aot]] === Working with AOT Spring Security will scan all beans in the application context for methods that use `@PreAuthorize` or `@PostAuthorize`. @@ -2462,6 +2463,7 @@ And if they do have that authority, they'll see: You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user. ==== +[[authorize-return-object-aot]] === Working with AOT Spring Security will scan all beans in the application context for methods that use `@AuthorizeReturnObject`. diff --git a/docs/modules/ROOT/pages/whats-new.adoc b/docs/modules/ROOT/pages/whats-new.adoc index 6bd6bbacc0..f62f720861 100644 --- a/docs/modules/ROOT/pages/whats-new.adoc +++ b/docs/modules/ROOT/pages/whats-new.adoc @@ -4,6 +4,89 @@ Spring Security 6.4 provides a number of new features. Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix. +== Deprecation Notices + +As we get closer to Spring Security 7, it's important to stay up to date on deprecations. +As such, this section points out deprecations in the 6.4 release. + +* *Method Security* - `AuthorizationManager#check` is deprecated in favor of `AuthorizationManager#authorize`. +This is primarily to allow the return type to be an interface instead of a concrete class. +If you are invoking `AuthorizationManager#check`, please invoke `AuthorizationManager#authorize` instead. ++ +Relatedly, `AuthorizationEventPublisher#publishEvent` that takes an `AuthorizationDecision` is deprecated in favor of a method of the same name that takes an `AuthorizationResult` interface instead. +* *Method Security* - `PrePostTemplateDefaults` is deprecated in favor of the more generic `AnnotationTemplateExpressionDefaults` as there is now meta-annotation property support for `@AuthenticationPrincipal` and `@CurrentSecurityContext` as well. +If you are constructing a `PrePostTemplateDefaults`, change this out for an `AnnotationTemplateExpressionDefaults`. +* *OAuth 2.0* - `NimbusOpaqueTokenIntrospector` has been deprecated in favor of `SpringOpaqueTokenIntrospector` in order to remove Spring Security OAuth 2.0 Resource Server's reliance on the `oidc-oauth2-sdk` package. +If you are constructing a `NimbusOpaqueTokenIntrospector`, replace it with ``SpringOpaqueTokenIntrospector``'s constructor +* *OAuth 2.0* - `DefaultAuthorizationCodeTokenResponseClient`, `DefaultClientCredentialsTokenResponseClient`, `DefaultJwtBearerTokenResponseClient`, `DefaultPasswordTokenResponseClient`, `DefaultRefreshTokenTokenResponseClient`, and `DefaultTokenExchangeTokenResponseClient` are deprecated in favor of their `RestClient` equivalents. ++ +Relatedly,`JwtBearerGrantRequestEntityConverter`, `OAuth2AuthorizationCodeGrantRequestEntityConverter`, `OAuth2ClientCredentialsGrantRequestEntityConverter`, `OAuth2PasswordGrantRequestEntityConverter`, `OAuth2RefreshTokenGrantRequestEntityConverter` are deprecated in favor of providing an instance of `DefaultOAuth2TokenRequestParametersConverter` to one of the above token response clients ++ +For example, if you have the following arrangement: ++ +[source,java] +---- +private static class MyCustomConverter + extends AbstractOAuth2AuthorizationGrantRequestEntityConverter { + @Override + protected MultiValueMap createParameters + (OAuth2AuthorizationCodeGrantRequest request) { + MultiValueMap parameters = super.createParameters(request); + parameters.add("custom", "value"); + return parameters; + } +} + +@Bean +OAuth2AccessTokenResponseClient authorizationCode() { + DefaultAuthorizationCodeTokenResponseClient client = + new DefaultAuthorizationCodeTokenResponseClient(); + Converter> entityConverter = + new OAuth2AuthorizationCodeGrantRequestEntityConverter(); + entityConverter.setParametersConverter(new MyCustomConverter()); + client.setRequestEntityConverter(entityConverter); + return client; +} +---- ++ +This configuration is deprecated since it uses `DefaultAuthorizationCodeTokenResponseClient` and `OAuth2AuthorizationCodeGrantRequestEntityConverter`. +The recommended configuration is now: ++ +[source,java] +---- +private static class MyCustomConverter implements Converter> { + @Override + public MultiValueMap convert(OAuth2AuthorizeCodeGrantRequest request) { + MultiValueMap parameters = OAuth2AuthorizationCodeGrantRequest.defaultParameters(request); + parameters.add("custom", "value"); + return parameters; + } +} + +@Bean +OAuth2AccessTokenResponseClient authorizationCode() { + RestClientAuthorizationCodeTokenResponseClient client = + new RestClientAuthorizationCodeTokenResponseClient(); + client.setParametersConverter(new MyCustomConverter()); + return client; +} +---- + + +* *SAML 2.0* - Unversioned OpenSAML implementations of Spring Security SAML 2.0 Service Provider's interfaces have been deprecated in favor of versioned ones. +For example, `OpenSamlAuthenticationTokenConverter` is now replaced by `OpenSaml4AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter`. +If you are constructing one of these deprecated versions, please replace it with the one that corresponds to the OpenSAML version you are using. +* *SAML 2.0* - Methods surrounding `AssertingPartyDetails` are deprecated in favor of equivalent methods that use the `AssertingPartyMetadata` interface. +* *LDAP* - Usages of `DistinguishedName` are now deprecated in order to align with Spring LDAP's deprecations + +== One-Time Token Login + +* Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL, including xref:servlet/authentication/onetimetoken.adoc#customize-generate-consume-token[JDBC support]. + +== Passkeys + +Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support. + == Method Security * All xref:servlet/authorization/method-security.adoc#meta-annotations[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`] @@ -48,10 +131,14 @@ fun method(@CurrentUsername("username") val username: String): String { ====== * https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm. This aids in migration from earlier versions of Spring Security. +* Native applications can now xref:servlet/authorization/method-security.adoc#authorize-return-object-aot[use `@AuthorizeReturnObject`] +* Native applications can now xref:servlet/authorization/method-security.adoc#pre-post-authorize-aot[reference beans in `@PreAuthorize` and `@PostAuthorize`] +* `SecurityAnnotationScanners` offers https://github.com/spring-projects/spring-security/issues/15700[a convenient API] for scanning for Security annotations and for adding Security's selection and templating features to custom annotations == OAuth 2.0 * `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`] +* `ClientRegistrations` now supports externally obtained configuration * Added `loginPage()` to DSL in reactive `oauth2Login()` * OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`] * `RestClient` can now be xref:servlet/oauth2/index.adoc#oauth2-client-access-protected-resources[configured] with `OAuth2ClientHttpRequestInterceptor` to xref:servlet/oauth2/index.adoc#oauth2-client-accessing-protected-resources-example[make protected resources requests] @@ -131,7 +218,7 @@ class SecurityConfig { } ---- ====== -* Deprecated `Default*` implementations of `OAuth2AccessTokenResponseClient` +* Token Exchange now https://github.com/spring-projects/spring-security/issues/15534[supports refresh tokens] == SAML 2.0 @@ -197,15 +284,15 @@ This implementation also supports the validation of a metadata's signature. * You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata] * `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached]. This is helpful if you want to defer the loading of the registration values til after application startup. -It is also helpful if you want to control when metadata gets refreshed. +It is also helpful if you want to control when metadata gets refreshed via Spring Cache. * To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type] == Web * CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent] * The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable] -* Security Filter Chain is now improved. -Specifically, the following arrangement is invalid since an any request filter chain comes before all other filter chains: +* Security Filter Chain finds more invalid configurations. +For example, a filter chain declared after an any-request filter chain is invalid since it will never be invoked: + [tabs] ====== @@ -217,6 +304,7 @@ Java:: @Order(0) SecurityFilterChain api(HttpSecurity http) throws Exception { http + // implicit securityMatcher("/**") .authorizeHttpRequests(...) .httpBasic(...) @@ -264,14 +352,36 @@ fun app(val http: HttpSecurity): SecurityFilterChain { ---- ====== You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket]. +* `ServerHttpSecurity` now https://github.com/spring-projects/spring-security/issues/15974[picks up `ServerWebExchangeFirewall` as a `@Bean`] -== One-Time Token Login +== Observability -Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL. +Observability now supports xref:servlet/integrations/observability.adoc#observability-tracing-disable[toggling authorization, authentication, and request observations separately] +For example, to turn off filter chain observations, you can publish a `@Bean` like this one: +[tabs] +====== +Java:: ++ +[source,java,role="primary"] +---- +@Bean +SecurityObservationSettings allSpringSecurityObservations() { + return SecurityObservationSettings.withDefaults() + .shouldObserveFilterChains(false).build(); +} +---- -== Passkeys - -Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support. +Kotlin:: ++ +[source,kotlin,role="secondary"] +---- +@Bean +fun allSpringSecurityObservations(): SecurityObservationSettings { + return SecurityObservationSettings.builder() + .shouldObserveFilterChains(false).build() +} +---- +====== == Kotlin