Update spring security to v6 (major) #3046

Closed

@renovate renovate bot commented Jul 26, 2023

This PR contains the following updates:

| Package | Change |
|---|---|
| org.springframework.security:spring-security-oauth2-core | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-oauth2-jose | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-oauth2-client | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-oauth2-resource-server | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-core | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-config | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-web | 5.8.5 -> 6.1.3 |
| org.springframework.security:spring-security-crypto | 5.8.5 -> 6.1.3 |

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-oauth2-core)

v6.1.3

⭐ New Features

  • Add MvcRequestMatcher reference documentation #​13726
  • Refactor for readability #​13472
  • requestMatchers servlet validation error should include information about servlet paths #​13722
  • requestMatchers should not count servlets without mappings #​13724

🪲 Bug Fixes

  • Add return statement of the roleHierachy method in the servlet/author… #​13596
  • Fix typo in docs #​13637
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13590
  • RequestMatcherMetadataResponseResolver only shows last RelyingPartyRegistration #​13700
  • saml2Login should not override OpenSaml4AuthenticationProvider bean #​13655
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13580
  • Update links in adocs #​13632

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.2

⭐ New Features
  • Improve RequestMatcher Validation #​13557
  • Improve Security Filters Documentation #​13414
  • Optimize Querying of RequestCache -> continue parameter #​13488
  • Optimize Querying of RequestCache -> continue parameter #​13482
🪲 Bug Fixes
  • Error message should show underlying Client Authentication method #​13498
  • Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13465
  • once-per-request="true" does not work in XML configuration #​13494
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13199
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13421
  • Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13478
  • update l179 of jwt docs #​13480
  • Use default PathPatternParser instance #​13464
🔨 Dependency Upgrades
  • Update io.projectreactor to 2022.0.9 #​13525
  • Update jakarta.websocket to 2.1.1 #​13526
  • Update micrometer-observation to 1.10.9 #​13524
  • Update org.springframework to 6.0.11 #​13527
  • Update org.springframework.data to 2022.0.8 #​13528
  • Update org.springframework.data to 2022.0.8 #​13522
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.1

⭐ New Features

  • Add initial Native section to reference docs #​13236
  • Align Resource Server documentation with Boot's capabilities #​13239
  • Convert to Asciidoctor Tabs #​13407
  • Document How to Handle Method Security in Native Image #​13237
  • Improve javadoc about deprecation of .and() and non-Customizer methods #​13273
  • Make eclipse/vscode project import work #​13284
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13229
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13254
  • Use Antora name of security #​13331

🪲 Bug Fixes

  • Additional filters registered when using Custom DSL #​13282
  • AOT Fails to proxy #​13369
  • CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #​13243
  • DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13223
  • Deprecated hint on BasicAuthenticationFilter #​13279
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13193
  • Fix Antora Warnings #​13294
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13221
  • Fix Documentation Title #​13318
  • Fix legacy-websocket-configuration cross-reference #​13206
  • Fix type on method-security.adoc #​13212
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13209
  • Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13218
  • No longer maintained net.sourceforge.nekohtml with known security issues #​13287
  • Provide meaningful error when invalid client-authentication-method is provided #​13309
  • Proxy Server section is not linked in nav #​13324
  • Use consistent list of micrometer tags in web observation handler #​13190
  • UserBuilder does not allow authorities to be overridden #​13290

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.1.0

v6.0.6

⭐ New Features

  • requestMatchers servlet validation error should include information about servlet paths #​13721
  • requestMatchers should not count servlets without mappings #​13720

🪲 Bug Fixes

  • Doc : typo in Custom DSLs section #​13325
  • Fix typo in docs #​13605
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13589
  • saml2Login should not override OpenSaml4AuthenticationProvider bean #​13654
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13579
  • Update links in adocs #​13565

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.5

⭐ New Features
  • Improve RequestMatcher Validation #​13556
  • Improve Security Filters Documentation #​13413
  • Optimize Querying of RequestCache -> continue parameter #​13487
  • Optimize Querying of RequestCache -> continue parameter #​13481
🪲 Bug Fixes
  • Error message should show underlying Client Authentication method #​13496
  • Javadoc for AuthorizationFilter#filterErrorDispatch is wrong #​13456
  • once-per-request="true" does not work in XML configuration #​13491
  • Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #​13198
  • Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #​13420
  • Unable to Use hasIpAddress() Method After Migrating to authorizeHttpRequests() in Spring Security 6 #​13477
  • Use default PathPatternParser instance #​13463
🔨 Dependency Upgrades
  • Update io.projectreactor to 2022.0.9 #​13518
  • Update jakarta.websocket to 2.1.1 #​13519
  • Update micrometer-observation to 1.10.9 #​13517
  • Update org.springframework to 6.0.11 #​13520
  • Update org.springframework.data to 2022.0.8 #​13521

v6.0.4

⭐ New Features

  • Add initial Native section to reference docs #​12029
  • Align Resource Server documentation with Boot's capabilities #​13238
  • Convert to Asciidoctor Tabs #​13406
  • Document How to Handle Method Security in Native Image #​13226
  • Error On Unsupported Client Authentication Methods #​13240
  • Make eclipse/vscode project import work #​12930
  • Mention that authorizeHttpRequests does not support GrantedAuthorityDefaults #​13228
  • mockOAuth2Login() does not work in collaboration with Spring Cloud Gateway and TokenRelayGatewayFilter #​13253
  • Use Antora name of security #​13330

🪲 Bug Fixes

  • Additional filters registered when using Custom DSL #​13281
  • AffirmativeBased vs. AuthorizationManagers.anyOf(...) documentation #​13086
  • AOT Fails to proxy #​13368
  • AuthorizationAnnotationUtils.findUniqueAnnotation broken for synthetic methods #​13153
  • Clarify that Kotlin DSL needs an import #​13102
  • DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(OAuth2AuthorizationCodeGrantRequest) can return null #​13222
  • Delete duplicate line from oauth2/client/core.adoc #​13233
  • Deprecated hint on BasicAuthenticationFilter #​13278
  • Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13192
  • Fix Antora Warnings #​13293
  • Fix code snippets in Authorize HttpServletRequest #​13125
  • Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13220
  • Fix Documentation Title #​13317
  • Fix legacy-websocket-configuration cross-reference #​13205
  • http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13208
  • java.lang.IllegalArgumentException: Context does not have an entry for key [class io.micrometer.core.instrument.Timer$Sample] #​13133
  • Links between migration docs are out of date #​13156
  • Migration to EnableMethodSecurity break Transactional on custom PermissionEvaluator #​13217
  • No longer maintained net.sourceforge.nekohtml with known security issues #​13286
  • Proxy Server section is not linked in nav #​13323
  • RememberMeAuthenticationFilter does not use SecurityContextRepository configured in HttpSecurity #​13127
  • rolePrefix with empty string returns HTTP 400 as of version 6.0.3 #​13079
  • SAML login fails in Internet Explorer 11 #​13141
  • SimpleAroundFilterObservation.wrap calls scope.close() duplicated #​12787
  • Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator #​13084
  • Spring Security SAML signature validation issue #​13182
  • The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #​13008
  • Use consistent list of micrometer tags in web observation handler #​13179
  • X-XSS-Protection is now disabled #​13129

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.3

v6.0.2

⭐ New Features

  • CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler #​12651
  • Document @EnableWebFluxSecurity requiring @Configuration in 6.0.0 #​12444
  • Move classpath checks to class member variable #​11437
  • Reenable R2dbcReactiveOAuth2AuthorizedClientServiceTests Tests #​12339
  • Revisit Session Management Documentation #​12680
  • Spring Security 6.0 Migration Guide Should Mention @Configuration Meta-Annotation Removal From Configuration Annotations #​12498
  • Update broken links, correct gradle command for Windows OS. #​12336

🪲 Bug Fixes

  • 200 response is returned when ObservationMarkingRequestRejectedHandler is in use #​12548
  • @EnableReactiveMethodSecurity#useAuthorizationManager should be true #​12506
  • A typo in form login doc #​12678
  • Adjusts setRequestHandler javadoc in CsrfWebFilter #​12467
  • AuthorizationManager method security documentation should use AnnotationMatchingPointcut #​12517
  • DefaultSavedRequest.doesRequestMatch does not work, when matchingRequestParameterName is set #​12671
  • Document XMLObject retreival for Asserting Party metadata #​12729
  • Document XMLObject retreival for Asserting Party metadata #​12728
  • Duplicate words. #​12471
  • Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #​12378
  • gradlew nativeTest fails with Failed to instantiate [org.springframework.security.test.context.support.WithUserDetailsSecurityContextFactory]: No default constructor found #​12614
  • Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #​12459
  • javax.json.bind.Jsonb to jakarta.json.bind.Jsonb #​12616
  • NimbusJwtDecoder unknown KID scenario is not correctly tested #​12495
  • No provider found for OAuth2AuthorizationCodeAuthenticationToken when running Spring Native Reactive app using OAuth2 #​12615
  • NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #​12687
  • Security observations are not setting their parent osbervation #​12524
  • SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #​12579
  • Spring Security 6.0.1 ObservationFilterChainDecorator produce wrong instrument names #​12490
  • SwitchUserFilter not working in Spring Security 6 #​12511
  • Update expression-based.adoc #​12363
  • Update multitenancy.adoc #​12474
  • WebTestUtilsTestRuntimeHints should only be invoked for Servlet #​12622
  • Wrong name of the filter in the SecurityContextHolderFilter diagram #​12527

🔨 Dependency Upgrades

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.1

⭐ New Features
  • Add EnableWebSecurity migration steps to 5.8 guide #​12354
  • Replace deprecated set-state set-output GitHub Action's commands #​12299
🪲 Bug Fixes
  • codes in spring security docs fail to work #​12342
  • codes in spring security docs fail to work #​12341
  • DefaultLdapAuthoritiesPopulator throws NullPointerException #​12409
  • Error in ACLS document #​12270
  • Fix AuthorizationFilter diagram in docs #​12288
  • Incorrect Javadoc for class ExpressionAuthorizationDecision #​12435
  • Incorrect sample code in securityMatcher migration docs #​12303
  • Incorrect sample code in securityMatcher migration docs #​12302
  • It's not possible to disable micrometer obversability #​12268
  • ProxyFactoryBean on AuthenticationManager does not work in native mode #​12367
  • SecurityContextHolderFilter does not apply to async dispatch #​12369
  • SecurityContextHolderFilter does not apply to async dispatch #​12368
🔨 Dependency Upgrades
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v6.0.0

⏪ Breaking Changes
  • CsrfAuthenticationStrategy is not consistent with CsrfFilter #​12235
  • Register FilterChainProxy for all dispatcher types #​12180
⭐ New Features
  • Add test runtime hints for annotations using @WithSecurityContext #​12215
  • Add WebTestUtils test runtime hints #​12216
  • Align with Servlet API 6 #​12146
  • Document Configure Default SessionAuthenticationStrategy #​12192
  • Document DelegatingSecurityContextRepository #​12185
  • Improve deprecation notice in WebSecurityConfigurerAdapter #​12262
  • Log a warning when AuthorizationGrantType does not exactly match a pre-defined constant #​12234
  • Migration guide for the removal of CAS #​12163
  • Polish Span and Meter Names #​12225
  • Register FilterChainProxy for All Dispatcher Types Migration Steps #​12212
  • Restructure 6.0 Migration Guide #​12242
  • Support Jakarta WebSocket 2.1 #​12148
🪲 Bug Fixes
  • CsrfAuthenticationStrategy does not check for existing token #​12241
  • Ensure instrumentation names align with semantic conventions #​12156
  • Incorrect scope map fix #​12207
  • SAML logout: Incorrect log messages #​12210
  • Saml2MetadataFilter response should configure writer to UTF-8 #​12223
🔨 Dependency Upgrades
  • Update micrometer-observation to 1.10.1 #​12250
  • Update org.springframework to 6.0.0 #​12255
  • Update org.springframework.data to 2022.0.0 #​12256
  • Update r2dbc-h2 to 1.0.0.RELEASE #​12251
  • Update slf4j-api to 2.0.4 #​12254
  • Update spring-ldap-core to 3.0.0 #​12257
❤️ Contributors

We'd like to thank all the contributors who worked on this release!

v5.8.6

⭐ New Features
  • Closes #​11450 - Add Java beans configuration for Remmember Me Docs #​13570
  • Dependencies are resolved from appropriate repositories #​13582
  • requestMatchers servlet validation error should include information about servlet paths #​13667
  • requestMatchers should not count servlets without mappings #​13666
🪲 Bug Fixes
  • Fix Bearer Token RestTemplate Support example #​13434
  • Referrer Header is set in Reactive Web Applications by default, although doc says it is not. #​13561
  • The bean 'preFilterAuthorizationAdvisor', defined in class path resource could not be registered #​13572
🔨 Dependency Upgrades
  • Update io.projectreactor to 2020.0.35 #​13702
  • Update org.aspectj to 1.9.20 #​13704
  • Update org.springframework.data to 2021.2.15 #​13705
  • Update reactor-netty to 1.0.35 #​13703
❤️ Contributors

We'd like to thank all the contributors who worked on this release!


Configuration

📅 Schedule: Branch creation - "after 7am and before 11am every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner July 26, 2023 09:11
@renovate renovate bot requested review from rajakm and mounikahmcts July 26, 2023 09:11
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 26, 2023
@renovate renovate bot force-pushed the renovate/major-spring-security branch 10 times, most recently from 504028a to 457e1d5 Compare August 1, 2023 09:50
@renovate renovate bot force-pushed the renovate/major-spring-security branch 14 times, most recently from d232920 to 7fd3357 Compare August 10, 2023 10:26
@renovate renovate bot force-pushed the renovate/major-spring-security branch 2 times, most recently from 634c641 to c308ede Compare August 11, 2023 08:42
@renovate renovate bot force-pushed the renovate/major-spring-security branch 7 times, most recently from 8b11a14 to 1c3a90a Compare August 25, 2023 12:30
@renovate renovate bot force-pushed the renovate/major-spring-security branch 18 times, most recently from 83143eb to e13ae56 Compare August 31, 2023 14:23
@renovate renovate bot force-pushed the renovate/major-spring-security branch from e13ae56 to 8eea992 Compare August 31, 2023 15:07
@HarryH96 HarryH96 closed this Sep 4, 2023
@HarryH96 HarryH96 deleted the renovate/major-spring-security branch September 4, 2023 10:27

renovate bot commented Sep 4, 2023

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 6.x releases. But if you manually upgrade to 6.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
