mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-01 10:59:16 +00:00
395 lines
16 KiB
Plaintext
395 lines
16 KiB
Plaintext
[[new]]
|
|
= What's New in Spring Security 6.4
|
|
|
|
Spring Security 6.4 provides a number of new features.
|
|
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
|
|
|
|
== Deprecation Notices
|
|
|
|
As we get closer to Spring Security 7, it's important to stay up to date on deprecations.
|
|
As such, this section points out deprecations in the 6.4 release.
|
|
|
|
* *Method Security* - `AuthorizationManager#check` is deprecated in favor of `AuthorizationManager#authorize`.
|
|
This is primarily to allow the return type to be an interface instead of a concrete class.
|
|
If you are invoking `AuthorizationManager#check`, please invoke `AuthorizationManager#authorize` instead.
|
|
+
|
|
Relatedly, `AuthorizationEventPublisher#publishEvent` that takes an `AuthorizationDecision` is deprecated in favor of a method of the same name that takes an `AuthorizationResult` interface instead.
|
|
* *Method Security* - `PrePostTemplateDefaults` is deprecated in favor of the more generic `AnnotationTemplateExpressionDefaults` as there is now meta-annotation property support for `@AuthenticationPrincipal` and `@CurrentSecurityContext` as well.
|
|
If you are constructing a `PrePostTemplateDefaults`, change this out for an `AnnotationTemplateExpressionDefaults`.
|
|
* *OAuth 2.0* - `NimbusOpaqueTokenIntrospector` has been deprecated in favor of `SpringOpaqueTokenIntrospector` in order to remove Spring Security OAuth 2.0 Resource Server's reliance on the `oidc-oauth2-sdk` package.
|
|
If you are constructing a `NimbusOpaqueTokenIntrospector`, replace it with ``SpringOpaqueTokenIntrospector``'s constructor
|
|
* *OAuth 2.0* - `DefaultAuthorizationCodeTokenResponseClient`, `DefaultClientCredentialsTokenResponseClient`, `DefaultJwtBearerTokenResponseClient`, `DefaultPasswordTokenResponseClient`, `DefaultRefreshTokenTokenResponseClient`, and `DefaultTokenExchangeTokenResponseClient` are deprecated in favor of their `RestClient` equivalents.
|
|
+
|
|
Relatedly,`JwtBearerGrantRequestEntityConverter`, `OAuth2AuthorizationCodeGrantRequestEntityConverter`, `OAuth2ClientCredentialsGrantRequestEntityConverter`, `OAuth2PasswordGrantRequestEntityConverter`, `OAuth2RefreshTokenGrantRequestEntityConverter` are deprecated in favor of providing an instance of `DefaultOAuth2TokenRequestParametersConverter` to one of the above token response clients
|
|
+
|
|
For example, if you have the following arrangement:
|
|
+
|
|
[source,java]
|
|
----
|
|
private static class MyCustomConverter
|
|
extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2AuthorizationCodeGrantRequest> {
|
|
@Override
|
|
protected MultiValueMap<String, String> createParameters
|
|
(OAuth2AuthorizationCodeGrantRequest request) {
|
|
MultiValueMap<String, String> parameters = super.createParameters(request);
|
|
parameters.add("custom", "value");
|
|
return parameters;
|
|
}
|
|
}
|
|
|
|
@Bean
|
|
OAuth2AccessTokenResponseClient authorizationCode() {
|
|
DefaultAuthorizationCodeTokenResponseClient client =
|
|
new DefaultAuthorizationCodeTokenResponseClient();
|
|
Converter<AuthorizationCodeGrantRequest, RequestEntity<?>> entityConverter =
|
|
new OAuth2AuthorizationCodeGrantRequestEntityConverter();
|
|
entityConverter.setParametersConverter(new MyCustomConverter());
|
|
client.setRequestEntityConverter(entityConverter);
|
|
return client;
|
|
}
|
|
----
|
|
+
|
|
This configuration is deprecated since it uses `DefaultAuthorizationCodeTokenResponseClient` and `OAuth2AuthorizationCodeGrantRequestEntityConverter`.
|
|
The recommended configuration is now:
|
|
+
|
|
[source,java]
|
|
----
|
|
private static class MyCustomConverter implements Converter<OAuth2AuthorizationCodeGrantRequest, Map<String, String>> {
|
|
@Override
|
|
public MultiValueMap<String, String> convert(OAuth2AuthorizeCodeGrantRequest request) {
|
|
MultiValueMap<String, String> parameters = OAuth2AuthorizationCodeGrantRequest.defaultParameters(request);
|
|
parameters.add("custom", "value");
|
|
return parameters;
|
|
}
|
|
}
|
|
|
|
@Bean
|
|
OAuth2AccessTokenResponseClient authorizationCode() {
|
|
RestClientAuthorizationCodeTokenResponseClient client =
|
|
new RestClientAuthorizationCodeTokenResponseClient();
|
|
client.setParametersConverter(new MyCustomConverter());
|
|
return client;
|
|
}
|
|
----
|
|
|
|
|
|
* *SAML 2.0* - Unversioned OpenSAML implementations of Spring Security SAML 2.0 Service Provider's interfaces have been deprecated in favor of versioned ones.
|
|
For example, `OpenSamlAuthenticationTokenConverter` is now replaced by `OpenSaml4AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter`.
|
|
If you are constructing one of these deprecated versions, please replace it with the one that corresponds to the OpenSAML version you are using.
|
|
* *SAML 2.0* - Methods surrounding `AssertingPartyDetails` are deprecated in favor of equivalent methods that use the `AssertingPartyMetadata` interface.
|
|
* *LDAP* - Usages of `DistinguishedName` are now deprecated in order to align with Spring LDAP's deprecations
|
|
|
|
== One-Time Token Login
|
|
|
|
* Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL, including xref:servlet/authentication/onetimetoken.adoc#customize-generate-consume-token[JDBC support].
|
|
|
|
== Passkeys
|
|
|
|
Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
|
|
|
|
== Method Security
|
|
|
|
* All xref:servlet/authorization/method-security.adoc#meta-annotations[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`]
|
|
* `@AuthenticationPrincipal` and `@CurrentSecurityContext` now support xref:servlet/authorization/method-security.adoc#_templating_meta_annotation_expressions[annotation templates].
|
|
+
|
|
This means that you can now use Spring's meta-annotation support like so:
|
|
+
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Target(TargetType.TYPE)
|
|
@Retention(RetentionPolicy.RUNTIME)
|
|
@AuthenticationPrincipal("claims['{claim}']")
|
|
@interface CurrentUsername {
|
|
String claim() default "sub";
|
|
}
|
|
|
|
// ...
|
|
|
|
@GetMapping
|
|
public String method(@CurrentUsername("username") String username) {
|
|
// ...
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
annotation CurrentUsername(val claim: String = "sub")
|
|
|
|
// ...
|
|
|
|
@GetMapping
|
|
fun method(@CurrentUsername("username") val username: String): String {
|
|
// ...
|
|
}
|
|
----
|
|
======
|
|
* https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm.
|
|
This aids in migration from earlier versions of Spring Security.
|
|
* Native applications can now xref:servlet/authorization/method-security.adoc#authorize-return-object-aot[use `@AuthorizeReturnObject`]
|
|
* Native applications can now xref:servlet/authorization/method-security.adoc#pre-post-authorize-aot[reference beans in `@PreAuthorize` and `@PostAuthorize`]
|
|
* `SecurityAnnotationScanners` offers https://github.com/spring-projects/spring-security/issues/15700[a convenient API] for scanning for Security annotations and for adding Security's selection and templating features to custom annotations
|
|
|
|
== OAuth 2.0
|
|
|
|
* `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`]
|
|
* `ClientRegistrations` now supports externally obtained configuration
|
|
* Added `loginPage()` to DSL in reactive `oauth2Login()`
|
|
* OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`]
|
|
* `RestClient` can now be xref:servlet/oauth2/index.adoc#oauth2-client-access-protected-resources[configured] with `OAuth2ClientHttpRequestInterceptor` to xref:servlet/oauth2/index.adoc#oauth2-client-accessing-protected-resources-example[make protected resources requests]
|
|
* Added `RestClient`-based implementations of `OAuth2AccessTokenResponseClient` for more consistent configuration of access token requests.
|
|
+
|
|
To opt-in to using `RestClient` support, simply publish a bean for each grant type as in the following example:
|
|
+
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Configuration
|
|
public class SecurityConfig {
|
|
|
|
@Bean
|
|
public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> authorizationCodeAccessTokenResponseClient() {
|
|
return new RestClientAuthorizationCodeTokenResponseClient();
|
|
}
|
|
|
|
@Bean
|
|
public OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenAccessTokenResponseClient() {
|
|
return new RestClientRefreshTokenTokenResponseClient();
|
|
}
|
|
|
|
@Bean
|
|
public OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsAccessTokenResponseClient() {
|
|
return new RestClientClientCredentialsTokenResponseClient();
|
|
}
|
|
|
|
@Bean
|
|
public OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerAccessTokenResponseClient() {
|
|
return new RestClientJwtBearerTokenResponseClient();
|
|
}
|
|
|
|
@Bean
|
|
public OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeAccessTokenResponseClient() {
|
|
return new RestClientTokenExchangeTokenResponseClient();
|
|
}
|
|
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Configuration
|
|
class SecurityConfig {
|
|
|
|
@Bean
|
|
fun authorizationCodeAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {
|
|
return RestClientAuthorizationCodeTokenResponseClient()
|
|
}
|
|
|
|
@Bean
|
|
fun refreshTokenAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> {
|
|
return RestClientRefreshTokenTokenResponseClient()
|
|
}
|
|
|
|
@Bean
|
|
fun clientCredentialsAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> {
|
|
return RestClientClientCredentialsTokenResponseClient()
|
|
}
|
|
|
|
@Bean
|
|
fun jwtBearerAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> {
|
|
return RestClientJwtBearerTokenResponseClient()
|
|
}
|
|
|
|
@Bean
|
|
fun tokenExchangeAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> {
|
|
return RestClientTokenExchangeTokenResponseClient()
|
|
}
|
|
|
|
}
|
|
----
|
|
======
|
|
* Token Exchange now https://github.com/spring-projects/spring-security/issues/15534[supports refresh tokens]
|
|
|
|
== SAML 2.0
|
|
|
|
* Added xref:servlet/saml2/opensaml.adoc[OpenSAML 5 Support].
|
|
Now you can use either OpenSAML 4 or OpenSAML 5; by default, Spring Security will select the right implementations based on what's on your classpath.
|
|
* Using EntityIDs for the `registrationId` is simplified.
|
|
+
|
|
A common pattern is to identify asserting parties by their `entityID`.
|
|
In previous versions, this required directly configuring `OpenSamlAuthenticationRequestResolver`.
|
|
Now, the request resolver looks by default for the `registrationId` https://github.com/spring-projects/spring-security/issues/15017[as a request parameter] in addition to looking for it in the path.
|
|
This allows you to use `RelyingPartyRegistrations` or `OpenSaml4/5AssertingPartyMetadataRepository` without also needing to modify the `registrationId` values or customize the request resolver.
|
|
+
|
|
Relatedly, you can now configure your `authenticationRequestUri` to xref:servlet/saml2/login/authentication-requests.adoc#configuring-authentication-request-uri[contain a query parameter]
|
|
* Asserting Parties can now be refreshed in the background according to the metadata's expiry.
|
|
+
|
|
For example, you can now use xref:servlet/saml2/metadata.adoc#using-assertingpartymetadatarepository[`OpenSaml5AssertingPartyMetadataRepository`] to do:
|
|
+
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Component
|
|
public class RefreshableRelyingPartyRegistrationRepository implements IterableRelyingPartyRegistrationRepository {
|
|
private final AssertingPartyMetadataRepository assertingParties = OpenSaml5AssertingPartyMetadataRepository
|
|
.fromTrustedMetadataLocation("https://idp.example.org").build();
|
|
|
|
@Override
|
|
public RelyingPartyRegistration findByRegistrationId(String registrationId) {
|
|
AssertingPartyMetadata assertingParty = this.assertingParties.findByEntityId(registrationId);
|
|
return RelyingPartyRegistration.withAssertingPartyMetadata(assertingParty)
|
|
// relying party configurations
|
|
.build();
|
|
}
|
|
|
|
// ...
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Component
|
|
open class RefreshableRelyingPartyRegistrationRepository: IterableRelyingPartyRegistrationRepository {
|
|
private val assertingParties: AssertingPartyMetadataRepository = OpenSaml5AssertingPartyMetadataRepository
|
|
.fromTrustedMetadataLocation("https://idp.example.org").build()
|
|
|
|
override fun findByRegistrationId(String registrationId): RelyingPartyRegistration {
|
|
val assertingParty = this.assertingParties.findByEntityId(registrationId)
|
|
return RelyingPartyRegistration.withAssertingPartyMetadata(assertingParty)
|
|
// relying party configurations
|
|
.build()
|
|
}
|
|
|
|
// ...
|
|
}
|
|
----
|
|
======
|
|
+
|
|
This implementation also supports the validation of a metadata's signature.
|
|
* You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata]
|
|
* `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached].
|
|
This is helpful if you want to defer the loading of the registration values til after application startup.
|
|
It is also helpful if you want to control when metadata gets refreshed via Spring Cache.
|
|
* To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type]
|
|
|
|
== Web
|
|
|
|
* CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent]
|
|
* The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable]
|
|
* Security Filter Chain finds more invalid configurations.
|
|
For example, a filter chain declared after an any-request filter chain is invalid since it will never be invoked:
|
|
+
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Bean
|
|
@Order(0)
|
|
SecurityFilterChain api(HttpSecurity http) throws Exception {
|
|
http
|
|
// implicit securityMatcher("/**")
|
|
.authorizeHttpRequests(...)
|
|
.httpBasic(...)
|
|
|
|
return http.build();
|
|
}
|
|
|
|
@Bean
|
|
@Order(1)
|
|
SecurityFilterChain app(HttpSecurity http) throws Exception {
|
|
http
|
|
.securityMatcher("/app/**")
|
|
.authorizeHttpRequests(...)
|
|
.formLogin(...)
|
|
|
|
return http.build();
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Bean
|
|
@Order(0)
|
|
fun api(val http: HttpSecurity): SecurityFilterChain {
|
|
http {
|
|
authorizeHttpRequests {
|
|
// ...
|
|
}
|
|
}
|
|
return http.build()
|
|
}
|
|
|
|
@Bean
|
|
@Order(1)
|
|
fun app(val http: HttpSecurity): SecurityFilterChain {
|
|
http {
|
|
securityMatcher("/app/**")
|
|
authorizeHttpRequests {
|
|
// ...
|
|
}
|
|
}
|
|
return http.build()
|
|
}
|
|
----
|
|
======
|
|
You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket].
|
|
* `ServerHttpSecurity` now https://github.com/spring-projects/spring-security/issues/15974[picks up `ServerWebExchangeFirewall` as a `@Bean`]
|
|
|
|
== Observability
|
|
|
|
Observability now supports xref:servlet/integrations/observability.adoc#observability-tracing-disable[toggling authorization, authentication, and request observations separately]
|
|
For example, to turn off filter chain observations, you can publish a `@Bean` like this one:
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
@Bean
|
|
SecurityObservationSettings allSpringSecurityObservations() {
|
|
return SecurityObservationSettings.withDefaults()
|
|
.shouldObserveFilterChains(false).build();
|
|
}
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
@Bean
|
|
fun allSpringSecurityObservations(): SecurityObservationSettings {
|
|
return SecurityObservationSettings.builder()
|
|
.shouldObserveFilterChains(false).build()
|
|
}
|
|
----
|
|
======
|
|
|
|
== Kotlin
|
|
|
|
* The Kotlin DSL now supports https://github.com/spring-projects/spring-security/issues/14935[SAML 2.0] and https://github.com/spring-projects/spring-security/issues/15171[`GrantedAuthorityDefaults`] and https://github.com/spring-projects/spring-security/issues/15136[`RoleHierarchy`] ``@Bean``s
|
|
* `@PreFilter` and `@PostFilter` are https://github.com/spring-projects/spring-security/pull/15095[now supported] in Kotlin
|
|
* The Kotlin Reactive DSL now supports https://github.com/spring-projects/spring-security/pull/15013[`SecurityContextRepository`]
|
|
|
|
== Acl
|
|
|
|
* `AclAuthorizationStrategyImpl` now https://github.com/spring-projects/spring-security/issues/4186[supports `RoleHierarchy`]
|