Prepare for Spring Security 6.4

Closes gh-15155
2024-05-24 11:28:50 -03:00 · 2024-05-24 11:28:50 -03:00 · f6ea99d8a3
parent ddcaeb5c20
commit f6ea99d8a3
13 changed files with 5318 additions and 333 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -54,6 +54,31 @@ updates:
        update-types:
          - version-update:semver-major
          - version-update:semver-minor
  - package-ecosystem: gradle
    target-branch: 6.3.x
    directory: /
    schedule:
      interval: daily
      time: '03:00'
      timezone: Etc/UTC
    labels:
      - 'type: dependency-upgrade'
    registries:
      - spring-milestones
    ignore:
      - dependency-name: com.nimbusds:nimbus-jose-jwt
      - dependency-name: org.python:jython
      - dependency-name: org.apache.directory.server:*
      - dependency-name: org.junit:junit-bom
        update-types:
          - version-update:semver-major
      - dependency-name: org.mockito:mockito-bom
        update-types:
          - version-update:semver-major
      - dependency-name: '*'
        update-types:
          - version-update:semver-major
          - version-update:semver-minor
  - package-ecosystem: gradle
    target-branch: main
    directory: /
@ -83,6 +108,7 @@ updates:
        update-types:
          - version-update:semver-major
          - version-update:semver-minor
  - package-ecosystem: github-actions
    target-branch: 5.8.x
    directory: /
@ -93,6 +119,26 @@ updates:
      - 'in: build'
    ignore:
      - dependency-name: sjohnr/*
  - package-ecosystem: github-actions
    target-branch: 6.2.x
    directory: /
    schedule:
      interval: weekly
    labels:
      - 'type: task'
      - 'in: build'
    ignore:
      - dependency-name: sjohnr/*
  - package-ecosystem: github-actions
    target-branch: 6.3.x
    directory: /
    schedule:
      interval: weekly
    labels:
      - 'type: task'
      - 'in: build'
    ignore:
      - dependency-name: sjohnr/*
  - package-ecosystem: github-actions
    target-branch: main
    directory: /
@ -125,6 +171,11 @@ updates:
    directory: /docs
    schedule:
      interval: weekly
  - package-ecosystem: npm
    target-branch: 6.3.x
    directory: /docs
    schedule:
      interval: weekly
  - package-ecosystem: npm
    target-branch: 6.2.x
    directory: /docs
--- a/.github/workflows/release-scheduler.yml
+++ b/.github/workflows/release-scheduler.yml
@ -11,7 +11,7 @@ jobs:
    strategy:
      matrix:
        # List of active maintenance branches.
-        branch: [ main, 6.2.x, 6.1.x, 5.8.x ]
+        branch: [ main, 6.3.x, 6.2.x, 5.8.x ]
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
--- a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
+++ b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2009-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -96,7 +96,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 			pc.getReaderContext()
 				.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or "
 						+ "spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
-						+ "with Spring Security 6.3. Please update your schema declarations to the 6.3 schema.",
+						+ "with Spring Security 6.4. Please update your schema declarations to the 6.4 schema.",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@ -221,7 +221,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-6\\.3.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-6\\.4.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}
--- a/config/src/main/resources/META-INF/spring.schemas
+++ b/config/src/main/resources/META-INF/spring.schemas
@ -1,4 +1,21 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-6.3.xsd
+#
 # Copyright 2002-2024 the original author or authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-6.4.xsd
 http\://www.springframework.org/schema/security/spring-security-6.4.xsd=org/springframework/security/config/spring-security-6.4.xsd
 http\://www.springframework.org/schema/security/spring-security-6.3.xsd=org/springframework/security/config/spring-security-6.3.xsd
 http\://www.springframework.org/schema/security/spring-security-6.2.xsd=org/springframework/security/config/spring-security-6.2.xsd
 http\://www.springframework.org/schema/security/spring-security-6.1.xsd=org/springframework/security/config/spring-security-6.1.xsd
@ -23,7 +40,8 @@ http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/spri
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
-https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-6.3.xsd
+https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-6.4.xsd
 https\://www.springframework.org/schema/security/spring-security-6.4.xsd=org/springframework/security/config/spring-security-6.4.xsd
 https\://www.springframework.org/schema/security/spring-security-6.3.xsd=org/springframework/security/config/spring-security-6.3.xsd
 https\://www.springframework.org/schema/security/spring-security-6.2.xsd=org/springframework/security/config/spring-security-6.2.xsd
 https\://www.springframework.org/schema/security/spring-security-6.1.xsd=org/springframework/security/config/spring-security-6.1.xsd
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.4.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.4.rnc
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.4.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.4.xsd
--- a/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java
+++ b/config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -65,7 +65,7 @@ public class XsdDocumentedTests {
 	String schema31xDocumentLocation = "org/springframework/security/config/spring-security-3.1.xsd";
-	String schemaDocumentLocation = "org/springframework/security/config/spring-security-6.3.xsd";
+	String schemaDocumentLocation = "org/springframework/security/config/spring-security-6.4.xsd";
 	XmlSupport xml = new XmlSupport();
@ -151,8 +151,8 @@ public class XsdDocumentedTests {
 				.list((dir, name) -> name.endsWith(".xsd"));
 		// @formatter:on
 		assertThat(schemas.length)
-			.withFailMessage("the count is equal to 25, if not then schemaDocument needs updating")
+			.withFailMessage("the count is equal to 26, if not then schemaDocument needs updating")
-			.isEqualTo(25);
+			.isEqualTo(26);
 	}
 	/**
--- a/config/src/test/resources/org/springframework/security/config/method-security.xml
+++ b/config/src/test/resources/org/springframework/security/config/method-security.xml
@ -1,12 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ Copyright 2002-2024 the original author or authors.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~      https://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
 <b:beans xmlns="http://www.springframework.org/schema/security"
 	xmlns:b="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:tx="http://www.springframework.org/schema/tx"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 		http://www.springframework.org/schema/tx https://www.springframework.org/schema/tx/spring-tx.xsd
-		http://www.springframework.org/schema/security org/springframework/security/config/spring-security-6.3.xsd">
+		http://www.springframework.org/schema/security org/springframework/security/config/spring-security-6.4.xsd">
 	<tx:annotation-driven />
--- a/docs/modules/ROOT/pages/servlet/appendix/namespace/index.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/namespace/index.adoc
@ -6,4 +6,4 @@ This appendix provides a reference to the elements available in the security nam
 If you haven't used the namespace before, please read the xref:servlet/configuration/xml-namespace.adoc#ns-config[introductory chapter] on namespace configuration, as this is intended as a supplement to the information there.
 Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose.
 The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema.
-If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-6.3.rnc[schema file] directly.
+If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-6.4.rnc[schema file] directly.
--- a/docs/modules/ROOT/pages/whats-new.adoc
+++ b/docs/modules/ROOT/pages/whats-new.adoc
@ -1,307 +1,5 @@
 [[new]]
-= What's New in Spring Security 6.3
+= What's New in Spring Security 6.4
-Spring Security 6.3 provides a number of new features.
+Spring Security 6.4 provides a number of new features.
 Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
 == Passive JDK Serialization Support
 When it comes to its support for JDK-serialized security components, Spring Security has historically been quite aggressive, supporting each serialization version for only one Spring Security minor version.
 This meant that if you had JDK-serialized security components, then they would need to be evacuated before upgrading to the next Spring Security version since they would no longer be deserializable.
 Now that Spring Security performs a minor release every six months, this became a much larger pain point.
 To address that, Spring Security now will https://spring.io/blog/2024/01/19/spring-security-6-3-adds-passive-jdk-serialization-deserialization-for[maintain passivity with JDK serialization], like it does with JSON serialization, making for more seamless upgrades.
 == Authorization
 An ongoing theme for the last several releases has been to refactor and improve Spring Security's authorization subsystem.
 Starting with replacing the `AccessDecisionManager` API with `AuthorizationManager` it's now come to the point where we are able to add several exciting new features.
 === Annotation Parameters - https://github.com/spring-projects/spring-security/issues/14480[#14480]
 The first 6.3 feature is https://github.com/spring-projects/spring-security/issues/14480[support for annotation parameters].
 Consider Spring Security's support for xref:servlet/authorization/method-security.adoc#meta-annotations[meta-annotations] like this one:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("hasAuthority('SCOPE_message:read')")
 public @interface HasMessageRead {}
 ----
 Kotlin::
 +
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("hasAuthority('SCOPE_message:read')")
 annotation class HasMessageRead
 ----
 ======
 Before this release, something like this is only helpful when it is used widely across the codebase.
 But now, xref:servlet/authorization/method-security.adoc#_templating_meta_annotation_expressions[you can add parameters] like so:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("hasAuthority('SCOPE_{scope}')")
 public @interface HasScope {
 	String scope();
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("hasAuthority('SCOPE_{scope}')")
 annotation class HasScope (val scope:String)
 ----
 ======
 making it possible to do things like this:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@HasScope("message:read")
 public String method() { ... }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
@HasScope("message:read")
 fun method(): String { ... }
 ----
 ======
 and apply your SpEL expression in several more places.
 === Secure Return Values - https://github.com/spring-projects/spring-security/issues/14596[#14596], https://github.com/spring-projects/spring-security/issues/14597[#14597]
 Since the early days of Spring Security, you've been able to xref:servlet/authorization/method-security.adoc#use-preauthorize[annotate Spring beans with `@PreAuthorize` and `@PostAuthorize`].
 But controllers, services, and repositories are not the only things you care to secure.
 For example, what about a domain object `Order` where only admins should be able to call the `Order#getPayment` method?
 Now in 6.3, https://github.com/spring-projects/spring-security/issues/14597[you can annotate those methods], too.
 First, annotate the `getPayment` method like you would a Spring bean:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
 public class Order {
 	@HasScope("payment:read")
 	Payment getPayment() { ... }
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
 class Order {
 	@HasScope("payment:read")
 	fun getPayment(): Payment { ... }
 }
 ----
 ======
 And then xref:servlet/authorization/method-security.adoc#authorize-object[annotate your Spring Data repository with `@AuthorizeReturnObject`] like so:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
 public interface OrderRepository implements CrudRepository<Order, String> {
 	@AuthorizeReturnObject
 	Optional<Order> findOrderById(String id);
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
 interface OrderRepository : CrudRepository<Order, String> {
    @AuthorizeReturnObject
    fun findOrderById(id: String?): Optional<Order?>?
 }
 ----
 ======
 At that point, Spring Security will protect any `Order` returned from `findOrderById` by way of https://github.com/spring-projects/spring-security/issues/14596[proxying the `Order` instance].
 === Error Handling - https://github.com/spring-projects/spring-security/issues/14598[#14598], https://github.com/spring-projects/spring-security/issues/14600[#14600], https://github.com/spring-projects/spring-security/issues/14601[#14601]
 In this release, you can also https://github.com/spring-projects/spring-security/issues/14601[intercept and handle failure at the method level] with its last new method security annotation.
 When you xref:servlet/authorization/method-security.adoc#fallback-values-authorization-denied[annotate a method with `@HandleAuthorizationDenied`] like so:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
 public class Payment {
    @HandleAuthorizationDenied(handlerClass=Mask.class)
    @PreAuthorize("hasAuthority('card:read')")
    public String getCreditCardNumber() { ... }
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
 class Payment {
    @HandleAuthorizationDenied(handlerClass=Mask.class)
    @PreAuthorize("hasAuthority('card:read')")
    fun getCreditCardNumber(): String { ... }
 }
 ----
 ======
 and publish a `Mask` bean:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@Component
 public class Mask implements MethodAuthorizationDeniedHandler {
 	@Override
    public Object handleDeniedInvocation(MethodInvocation invocation, AuthorizationResult result) {
 		return "***";
    }
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
@Component
 class Mask : MethodAuthorizationDeniedHandler {
    fun handleDeniedInvocation(invocation: MethodInvocation?, result: AuthorizationResult?): Any = "***"
 }
 ----
 ======
 then any unauthorized call to `Payment#getCreditCardNumber` will return `\***` instead of the number.
 You can see all these features at work together in https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/data[the latest Spring Security Data sample].
 == Compromised Password Checking - https://github.com/spring-projects/spring-security/issues/7395[#7395]
 If you are going to let users pick passwords, it's critical to ensure that such a password isn't already compromised.
 Spring Security 6.3 makes this as simple as xref:features/authentication/password-storage.adoc#authentication-compromised-password-check[publishing a `CompromisedPasswordChecker` bean]:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@Bean
 public CompromisedPasswordChecker compromisedPasswordChecker() {
    return new HaveIBeenPwnedRestApiPasswordChecker();
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun compromisedPasswordChecker(): CompromisedPasswordChecker = HaveIBeenPwnedRestApiPasswordChecker()
 ----
 ======
 == `spring-security-rsa` is now part of Spring Security - https://github.com/spring-projects/spring-security/issues/14202[#14202]
 Since 2017, Spring Security has been undergoing a long-standing initiative to fold various Spring Security extensions into Spring Security proper.
 In 6.3, `spring-security-rsa` becomes the latest of these projects which will help the team maintain and add features to it, long-term.
 `spring-security-rsa` provides a number of https://github.com/spring-projects/spring-security/blob/main/crypto/src/main/java/org/springframework/security/crypto/encrypt/RsaSecretEncryptor.java[handy `BytesEncryptor`] https://github.com/spring-projects/spring-security/blob/main/crypto/src/main/java/org/springframework/security/crypto/encrypt/RsaRawEncryptor.java[implementations] as well as https://github.com/spring-projects/spring-security/blob/main/crypto/src/main/java/org/springframework/security/crypto/encrypt/KeyStoreKeyFactory.java[a simpler API for working with ``KeyStore``s].
 == OAuth 2.0 Token Exchange Grant - https://github.com/spring-projects/spring-security/issues/5199[#5199]
 One of https://github.com/spring-projects/spring-security/issues/5199[the most highly-voted OAuth 2.0 features] in Spring Security is now in place in 6.3, which is the support for https://datatracker.ietf.org/doc/html/rfc8693#section-2[the OAuth 2.0 Token Exchange grant].
 For xref:servlet/oauth2/client/authorization-grants.adoc#token-exchange-grant-access-token[any client configured for token exchange], you can activate it in Spring Security by adding a `TokenExchangeAuthorizedClientProvider` instance to your `OAuth2AuthorizedClientManager` like so:
 [tabs]
 ======
 Java::
 +
 [source,java,role="primary"]
 ----
@Bean
 public OAuth2AuthorizedClientProvider tokenExchange() {
 	return new TokenExchangeOAuth2AuthorizedClientProvider();
 }
 ----
 Kotlin::
 +
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun tokenExchange(): OAuth2AuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
 ----
 ======
 and then xref:servlet/oauth2/client/authorized-clients.adoc#oauth2Client-registered-authorized-client[use the `@RegisteredOAuth2AuthorizedClient` annotation] as per usual to retrieve the appropriate token with the expanded privileges your resource server needs.
 == Additional Highlights
 - https://github.com/spring-projects/spring-security/pull/14655[gh-14655] - Add `DelegatingAuthenticationConverter`
 - https://github.com/spring-projects/spring-security/issues/6192[gh-6192] - Add Concurrent Sessions Control on WebFlux (xref:reactive/authentication/concurrent-sessions-control.adoc[docs])
 - https://github.com/spring-projects/spring-security/pull/14193[gh-14193] - Added support for CAS Gateway Authentication
 - https://github.com/spring-projects/spring-security/issues/13259[gh-13259] - Customize when UserInfo is called
 - https://github.com/spring-projects/spring-security/pull/14168[gh-14168] - Introduce Customizable AuthorizationFailureHandler in OAuth2AuthorizationRequestRedirectFilter
 - https://github.com/spring-projects/spring-security/issues/14672[gh-14672] - Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo
 - https://github.com/spring-projects/spring-security/issues/13763[gh-13763] - Simplify configuration of reactive OAuth2 Client component model
 - https://github.com/spring-projects/spring-security/issues/14758[gh-14758] - Update reactive OAuth2 docs landing page with examples (xref:reactive/oauth2/index.adoc[docs])
 - https://github.com/spring-projects/spring-security/issues/10538[gh-10538] - Support Certificate-Bound JWT Access Token Validation
 - https://github.com/spring-projects/spring-security/pull/14265[gh-14265] - Support Nested username in UserInfo response
 - https://github.com/spring-projects/spring-security/pull/14265[gh-14449] - Add `SecurityContext` argument resolver
 - https://github.com/spring-projects/spring-security/issues/11440[gh-11440] - Simplify Disabling `application/x-www-form-urlencoded` Encoding Client ID and Secret (xref:servlet/oauth2/client/client-authentication.adoc#_authenticate_using_client_secret_basic[servlet docs], xref:reactive/oauth2/client/client-authentication.adoc#_authenticate_using_client_secret_basic[reactive docs])
 And for an exhaustive list, please see the release notes for https://github.com/spring-projects/spring-security/releases/tag/6.3.0-RC1[6.3.0-RC1], https://github.com/spring-projects/spring-security/releases/tag/6.3.0-M3[6.3.0-M3], https://github.com/spring-projects/spring-security/releases/tag/6.3.0-M2[6.3.0-M2], and https://github.com/spring-projects/spring-security/releases/tag/6.3.0-M1[6.3.0-M1].
--- a/git/hooks/prepare-forward-merge
+++ b/git/hooks/prepare-forward-merge
@ -4,7 +4,7 @@ require 'net/http'
 require 'yaml'
 require 'logger'
-$main_branch = "6.3.x"
+$main_branch = "6.4.x"
 $log = Logger.new(STDOUT)
 $log.level = Logger::WARN
--- a/gradle.properties
+++ b/gradle.properties
@ -1,5 +1,21 @@
 #
 # Copyright 2002-2024 the original author or authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 springBootVersion=3.1.1
-version=6.3.1-SNAPSHOT
+version=6.4.0-SNAPSHOT
 samplesBranch=main
 org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
 org.gradle.parallel=true
--- a/taglibs/src/main/resources/META-INF/security.tld
+++ b/taglibs/src/main/resources/META-INF/security.tld
@ -1,26 +1,26 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!--
- ~ Copyright 2002-2014 the original author or authors.
+  ~ Copyright 2002-2024 the original author or authors.
- ~
+  ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
+  ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
+  ~ You may obtain a copy of the License at
- ~
+  ~
- ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~      https://www.apache.org/licenses/LICENSE-2.0
- ~
+  ~
- ~ Unless required by applicable law or agreed to in writing, software
+  ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
+  ~ See the License for the specific language governing permissions and
- ~ limitations under the License.
+  ~ limitations under the License.
-->
+  -->
 <taglib xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee https://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
        version="2.0">
    <description>Spring Security Authorization Tag Library</description>
-    <tlib-version>6.3</tlib-version>
+    <tlib-version>6.4</tlib-version>
    <short-name>security</short-name>
    <uri>http://www.springframework.org/security/tags</uri>