mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-02-24 16:05:15 +00:00
29 lines
2.3 KiB
Plaintext
29 lines
2.3 KiB
Plaintext
[[new]]
|
|
= What's New in Spring Security 6.0
|
|
|
|
Spring Security 6.0 provides a number of new features.
|
|
Below are the highlights of the release.
|
|
|
|
== Breaking Changes
|
|
|
|
* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support.
|
|
Use the OpenSaml 4 Support instead.
|
|
* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
|
|
Instead use data storage to encrypt values.
|
|
* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default
|
|
* https://github.com/spring-projects/spring-security/issues/8819 - Move filters to web package
|
|
Reorganize imports
|
|
* https://github.com/spring-projects/spring-security/issues/7349 - Move filter and token to appropriate packages
|
|
Reorganize imports
|
|
* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
|
|
* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()`
|
|
* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
|
|
* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`.
|
|
Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].
|
|
* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
|
|
You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
|
|
* Change use-authorization-manager="true" to default
|
|
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
|
|
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
|
|
Or use `use-authorization-manager="false"`
|