fix(deps): update springsecurityversion to v5 [security] (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework.security:spring-security-web (source)	4.2.20.RELEASE → 5.7.13
org.springframework.security:spring-security-core (source)	4.2.20.RELEASE → 5.7.14

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Privilege escalation in spring security

CVE-2021-22112 / GHSA-gq28-h5vg-8prx

More information

Details

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-22112
• https://github.com/spring-projects/spring-security/releases/tag/5.4.4
• https://tanzu.vmware.com/security/cve-2021-22112
• https://www.jenkins.io/security/advisory/2021-02-19/
• http://www.openwall.com/lists/oss-security/2021/02/19/7
• https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@​%3Cpluto-scm.portals.apache.org%3E
• https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@​%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@​%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@​%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@​%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@​%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E
• https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://github.com/advisories/GHSA-gq28-h5vg-8prx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Authorization bypass in Spring Security

CVE-2022-22978 / GHSA-hh32-7344-cg2f

More information

Details

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-22978
• https://tanzu.vmware.com/security/cve-2022-22978
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://spring.io/security/cve-2022-22978
• https://security.netapp.com/advisory/ntap-20220707-0003
• https://github.com/anchore/grype/issues/2158
• https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
• https://github.com/advisories/GHSA-hh32-7344-cg2f

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications

CVE-2024-38821 / GHSA-c4q5-6c82-3qpw

More information

Details

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

• It must be a WebFlux application
• It must be using Spring's static resources support
• It must have a non-permitAll authorization rule applied to the static resources support

Severity

• CVSS Score: 9.3 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-38821
• https://spring.io/security/cve-2024-38821
• https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934
• https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b
• https://security.netapp.com/advisory/ntap-20250124-0006
• https://github.com/advisories/GHSA-c4q5-6c82-3qpw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Erroneous authentication pass in Spring Security

CVE-2024-22257 / GHSA-f3jh-qvm4-mg39

More information

Details

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

• The application does not use AuthenticatedVoter#vote directly.
• The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-22257
• https://spring.io/security/cve-2024-22257
• https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
• https://security.netapp.com/advisory/ntap-20240419-0005
• https://github.com/advisories/GHSA-f3jh-qvm4-mg39

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Spring Framework has Authorization Bypass for Case Sensitive Comparisons

CVE-2024-38827 / GHSA-q3v6-hm2v-pw99

More information

Details

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-38827
• https://spring.io/security/cve-2024-38827
• https://github.com/spring-projects/spring-framework/issues/33708
• https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
• https://github.com/spring-projects/spring-framework/issues/34232
• https://security.netapp.com/advisory/ntap-20250124-0007
• https://github.com/advisories/GHSA-q3v6-hm2v-pw99

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v5.7.13

Compare Source

v5.7.12

Compare Source

🪲 Bug Fixes

• Check for null Authentication #​14715

v5.7.11

Compare Source

⭐ New Features

• Automate spring-security.xsd #​13819

v5.7.10

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13461

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13509
• Update org.springframework to 5.3.29 #​13511
• Update org.springframework.data to 2021.2.14 #​13512
• Update reactor-netty to 1.0.34 #​13510

v5.7.9

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13404
• Use Antora name of security #​13328

🪲 Bug Fixes

• Additional filters registered when using Custom DSL #​13203
• Clarify that Kotlin DSL needs an import #​13092
• Document missing OAuth2LoginAuthenticationFilter set AuthorizationRequestRepository #​13098
• Fix Antora Warnings #​13291
• Fix constant value in XContentTypeOptionsServerHttpHeadersWriter #​13155
• Fix Documentation Title #​13315
• Fix javadoc for migration from WebSecurityConfigurerAdapter #​12996
• Fix typo in SecurityMockMvcResultMatchers.java #​12793
• fix typo of modules.adoc #​12921
• Fix typo overview.adoc #​13269
• http://www.springframework.org/schema/security/spring-security.xsd returns 404 #​13131
• Proxy Server section is not linked in nav #​13313
• Typos in docs #​13283

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.33 #​13373
• Update io.rsocket to 1.1.4 #​13379
• Update org.springframework to 5.3.28 #​13382
• Update org.springframework.data to 2021.2.13 #​13385
• Update reactor-netty to 1.0.33 #​13376

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Anubhav-2000
• @​SeasonPanPan
• @​amal-stack
• @​1993heqiang
• @​xak2000

v5.7.8

Compare Source

⭐ New Features

• Clarify documentation code snippet(s) (unclear where static imported methods come from) #​6597
• Document relationship between registrationId, EntityID, and resolving a relying party #​12764

🪲 Bug Fixes

• Add test to SimpleUrlAuthenticationSuccessHandlerTests #​12740
• Avoid NPE in FilterInvocation #​12922
• EntityId ignored in xml relying-party-registration #​11898
• Fix a javadoc typo in ReactiveAuthorizationManager #​12998
• Fix a javadoc typo in ReactiveAuthorizationManager #​12978
• Fix typo in SessionManagementConfigurer javadoc #​12820
• Missing spring-security-oauth2 xsds after release #​12804
• NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder holds a reference to JWSVerificationKeySelector before ConfigurableJWTProcessor.setJWSKeySelector is executed #​12960
• RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present #​12664
• SwitchUserFilter should use HttpSessionSecurityContextRepository by default #​12834

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13016
• Update io.projectreactor to 2020.0.31 #​13014
• Update logback-classic to 1.2.12 #​13013
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13017
• Update org.springframework to 5.3.27 #​13018
• Update org.springframework.data to 2021.2.11 #​13019
• Update reactor-netty to 1.0.31 #​13015

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​marckchr
• @​yuanhang
• @​twosom
• @​esivakumar18
• @​martin-tarjanyi

v5.7.7

Compare Source

⭐ New Features

• chore: Use cache in continuous-integration-workflow.yml #​12503
• fix unclosed block in docs #​12542

🪲 Bug Fixes

• AuthorizationManager method security documentation should use AnnotationMatchingPointcut #​11095
• Document XMLObject retreival for Asserting Party metadata #​12667
• Fix typo in OAuth 2.0 testing docs #​12437
• Jackson serialization of DefaultSaml2AuthenticatedPrincipal: LinkedMultiValueMap is not in the allowlist #​11785
• NimbusJwtDecoder unknown KID scenario is not correctly tested #​12238
• NPE in HttpSecurity#addFilterBefore when mixing custom DSL and standard #​12637
• SwitchUserFilter not working in Spring Security 6 #​12504
• Wrong name of the filter in the SecurityContextHolderFilter diagram #​11800

🔨 Dependency Upgrades

• Update blockhound to 1.0.7.RELEASE #​12733
• Update hibernate-entitymanager to 5.6.15.Final #​12736
• Update io.projectreactor to 2020.0.28 #​12732
• Update io.spring.nohttp to 0.0.11 #​12734
• Update jackson-bom to 2.13.5 #​12731
• Update org.aspectj to 1.9.19 #​12735
• Update org.springframework to 5.3.25 #​12737
• Update org.springframework.data to 2021.2.8 #​12738

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​jonkjenn
• @​mojavelinux
• @​jongwooo
• @​eleftherias

v5.7.6

Compare Source

⭐ New Features

• Improve deprecation notice in WebSecurityConfigurerAdapter #​12260
• Replace deprecated set-state set-output GitHub Action's commands #​12297

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12407
• Fix AuthorizationFilter diagram in docs #​12285
• Incorrect scope map fix #​12205
• SAML logout: Incorrect log messages #​12208
• Saml2MetadataFilter response should configure writer to UTF-8 #​12221
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​12125
• Update the RP-initiated Logout links #​12121

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12153
• Update Gradle to 7.5.1 #​12157
• Update hibernate-entitymanager to 5.6.14.Final #​12397
• Update httpclient to 4.5.14 #​12395
• Update io.projectreactor to 2020.0.26 #​12393
• Update jackson-bom to 2.13.4.20221013 #​12391
• Update jackson-databind to 2.13.4.2 #​12392
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12396
• Update org.springframework to 5.3.24 #​12398
• Update org.springframework.data to 2021.2.6 #​12399
• Update reactor-netty to 1.0.26 #​12394

v5.7.5

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12113
• Fix scope mapping #​12112
• IpAddressServerWebExchangeMatcher throws NullPointerException with framework forward-headers-strategy #​11888

v5.7.4

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11955

🪲 Bug Fixes

• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11729
• Build fails with missing project property cloneOutputDirectory #​11979
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11707
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11727
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11711
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11723
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11744

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11830
• Update hibernate-entitymanager to 5.6.10.Final #​11745
• Update hibernate-entitymanager to 5.6.12.Final #​12016
• Update io.projectreactor to 2020.0.22 #​11743
• Update io.projectreactor to 2020.0.24 #​12012
• Update io.rsocket to 1.1.3 #​12014
• Update jackson-bom to 2.13.4.20221012 #​12008
• Update jackson-databind to 2.13.4.1 #​12009
• Update jackson-datatype-jsr310 to 2.13.4 #​12010
• Update jsonassert to 1.5.1 #​11741
• Update mockk to 1.12.8 #​12011
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11740
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12015
• Update org.springframework to 5.3.22 #​11739
• Update org.springframework to 5.3.23 #​12017
• Update org.springframework.data to 2021.1.6 #​11742
• Update org.springframework.data to 2021.2.4 #​12018
• Update reactor-netty to 1.0.24 #​12013

v5.7.3

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​9998
• Set permissions for GitHub actions #​11642
• Update javadoc of EnableWebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11650

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11637
• Check saganCreateRelease saganDeleteRelease Required Permissions #​11425
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11605
• RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #​11606
• RequestRejectedHandler does not reliable prevent Internal Server Error #​11672
• Sources and javadocs missing in latest snapshots #​11628
• Spring Security Bcrypt with strength/log rounds = 31 results in 'Bad number of rounds' error although 31 should be ok #​11484
• Update javadoc of HttpSecurity, WebSecurityConfiguration and WebSecurity to reflect deprecation of WebSecurityConfigurerAdapter #​11651

🔨 Dependency Upgrades

• Update hibernate-entitymanager to 5.6.10.Final #​11694
• Update io.projectreactor to 2020.0.22 #​11691
• Update jsonassert to 1.5.1 #​11696
• Update mockk to 1.12.5 #​11690
• Update org.eclipse.jetty to 9.4.48.v20220622 #​11693
• Update org.jetbrains.kotlinx to 1.6.4 #​11695
• Update org.springframework to 5.3.22 #​11697
• Update org.springframework.data to 2021.2.2 #​11698

v5.7.2

Compare Source

⭐ New Features

• Consider updating testing examples to use JUnit Jupiter #​11293

🪲 Bug Fixes

• Some Security Expressions cause NPE when used within @Query #​11289
• CsrfWebFilter null save content-type check #​11341
• Docs example uses access(String) with authorizeHttpRequests() #​11296
• Fix typo in BasicLookupStrategy Javadoc #​11339
• KeyInfo missing in AuthnRequest when using OpenSaml4AuthenticationRequestResolver #​11358
• OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #​11384
• SAML request encoding: on redirect binding, base64 encoded message contains CRLF #​11284
• SecurityContextRepository.loadContext(HttpServletRequest) cache result #​11390
• Should SAML metadata EntityDescriptor tag have the md: prefix? #​11311
• Update opaque-token.adoc #​11303

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3.1 #​11402
• Update hibernate-entitymanager to 5.6.9.Final #​11405
• Update io.projectreactor to 2020.0.20 #​11403
• Update jackson-bom to 2.13.3 #​11399
• Update jackson-databind to 2.13.3 #​11400
• Update jackson-datatype-jsr310 to 2.13.3 #​11401
• Update org.jetbrains.kotlinx to 1.6.3 #​11406
• Update org.opensaml:opensaml-core4 to 4.1.1 #​11410
• Update org.springframework to 5.3.21 #​11407
• Update org.springframework.data to 2021.2.1 #​11408
• Update reactor-netty to 1.0.20 #​11404
• Update spring-ldap-core to 2.4.1 #​11409

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​andrelugomes

v5.7.1

Compare Source

🪲 Bug Fixes

• StrictHttpFirewall incorrectly rejects valid CJKV characters #​11266

v5.7.0

Compare Source

⭐ New Features

• Check Samples should run against the current artifacts #​11199
• Consider replacing an inner loop with Set of authority strings in AuthorityAuthorizationManager#isAuthorized #​11188
• Remember me should detect UserDetailsService bean #​11170
• WebSessionServerSecurityContextRepository provides Mono.cache option #​8422
• X509 should detect UserDetailsService bean #​11174

🪲 Bug Fixes

• @EnableMethodSecurity doesn't resolve annotations on interfaces through a Proxy #​11177
• Add shouldFilterAllDispatcherTypes to Kotlin DSL #​11153
• Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator #​11165
• Multiple .requestMatchers().mvcMatchers() override previous one #​11185

🔨 Dependency Upgrades

• Update aspectj-plugin to 6.4.3 #​11218
• Update com.nimbusds to 9.35 #​11217
• Update htmlunit to 2.61.0 #​11222
• Update htmlunit-driver to 2.61.0 #​11224
• Update io.projectreactor to 2020.0.19 #​11220
• Update mockk to 1.12.4 #​11219
• Update org.jetbrains.kotlin to 1.6.21 #​11223
• Update org.springframework to 5.3.20 #​11225
• Update org.springframework.data to 2021.2.0 #​11228
• Update reactor-netty to 1.1.0-M2 #​11221
• Update spring-data-jpa to 2.7.0-RC1 #​11226
• Update spring-ldap-core to 2.4.0 #​11227

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​evgeniycheban

v5.6.12

Compare Source

🪲 Bug Fixes

• Use default PathPatternParser instance #​13460

🔨 Dependency Upgrades

• Update io.projectreactor to 2020.0.34 #​13505
• Update org.springframework to 5.3.29 #​13508
• Update reactor-netty to 1.0.34 #​13506

v5.6.11

Compare Source

⭐ New Features

• Convert to Asciidoctor Tabs #​13403
• Use Antora name of security #​13327

🪲 Bug Fixes

• Fix Antora Warnings #​13210
• Fix Documentation Title #​13314

🔨 Dependency Upgrades

• Update blockhound to 1.0.8.RELEASE #​13390
• Update hibernate-entitymanager to 5.6.15.Final #​13400
• Update io.projectreactor to 2020.0.33 #​13387
• Update io.rsocket to 1.1.4 #​13392
• Update io.spring.nohttp to 0.0.11 #​13394
• Update jackson-bom to 2.13.5 #​13375
• Update jackson-databind to 2.13.5 #​13378
• Update jackson-datatype-jsr310 to 2.13.5 #​13381
• Update logback-classic to 1.2.12 #​13372
• Update mockk to 1.12.8 #​13384
• Update org.antora.gradle.plugin to 1.0.0 #​13396
• Update org.aspectj to 1.9.19 #​13398
• Update org.eclipse.jetty to 9.4.51.v20230217 #​13399
• Update org.springframework to 5.3.28 #​13401
• Update reactor-netty to 1.0.33 #​13389

v5.6.10

Compare Source

⭐ New Features

• Replace deprecated set-state set-output GitHub Action's commands #​12032
• update generateAntora task to make prereleases unique #​12083

🪲 Bug Fixes

• DefaultLdapAuthoritiesPopulator throws NullPointerException #​12090
• docs: fix realm typo #​12120
• Fix AuthorizationFilter diagram in docs #​12274
• Fix typo in DefaultLoginPageConfigurer Javadoc #​12311
• Fix typo on opaque-token.adoc #​12114
• Fix: Replace tenantRepository with tenants #​12269
• Incorrect scope map fix #​12144
• OAuth 2.0 Resource Server Multi-tenancy - documentation improvement #​12295
• Outdated example in Javadoc of UrlAuthorizationConfigurer #​11487
• Saml2MetadataFilter response should configure writer to UTF-8 #​12026
• SEC-2839: SecurityNamespaceHandler - related to SEC-1455 #​3065
• Update the RP-initiated Logout links #​12081

🔨 Dependency Upgrades

• Change gradle.plugin.org.gretty:gretty:3.0.1 to org.gretty:gretty:3.0.9 #​12152
• Update Gradle to 7.5.1 #​11779
• Update hibernate-entitymanager to 5.6.14.Final #​12388
• Update httpclient to 4.5.14 #​12386
• Update io.projectreactor to 2020.0.26 #​12384
• Update jackson-bom to 2.13.4.20221013 #​12381
• Update jackson-databind to 2.13.4.2 #​12382
• Update mockk to 1.12.8 #​12383
• Update org.eclipse.jetty to 9.4.50.v20221201 #​12387
• Update org.springframework to 5.3.24 #​12389
• Update org.springframework.data to 2021.1.10 #​12390
• Update reactor-netty to 1.0.26 #​12385

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​markkovari
• @​ghusta
• @​mojavelinux
• @​selllami
• @​cbot59

v5.6.9

Compare Source

🪲 Bug Fixes

• Fix AuthorizationFilter incorrectly extending OncePerRequestFilter #​12102
• Fix scope mapping #​12101

v5.6.8

Compare Source

⭐ New Features

• automatically manage docs version (with collector) #​11943

🪲 Bug Fixes

• Add rncToXsd task description to CONTRIBUTING.adoc #​11935
• AuthenticationEventPublisher bean is not picked up if no UserDetailsService bean #​11730
• Build fails with missing project property cloneOutputDirectory #​11969
• GitHubMilestoneApiTests due_on Should Use LocalDate #​11708
• HttpSecurity Bean does not set DefaultAuthenticationEventPublisher #​11728
• NamespaceLdapAuthenticationProviderTests Should Use Dynamic Port #​11712
• RemoteJwkSet is not refreshed when encountering an unknown KID #​11724
• Updated reference to architecture page #​11778

🔨 Dependency Upgrades

• Update Gradle Enterprise plugin to 3.11.1 #​11827
• Update hibernate-entitymanager to 5.6.12.Final #​12005
• Update io.projectreactor to 2020.0.24 #​12001
• Update io.rsocket to 1.1.3 #​12003
• Update jackson-bom to 2.13.4.20221012 #​11997
• Update jackson-databind to 2.13.4.1 #​11998
• Update jackson-datatype-jsr310 to 2.13.4 #​11999
• Update mockk to 1.12.8 #​12000
• Update org.eclipse.jetty to 9.4.49.v20220914 #​12004
• Update org.springframework to 5.3.23 #​12006
• Update org.springframework.data to 2021.1.8 #​12007
• Update reactor-netty to 1.0.24 #​12002

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​rwinch
• @​underground-hill
• @​mojavelinux
• @​jprinet
• @​Kehrlann

v5.6.7

Compare Source

⭐ New Features

• Add Kotlin example showing integration with WebTestClient #​11612
• Set permissions for GitHub actions #​11644

🪲 Bug Fixes

• Add Deprecated annotation to WebSecurity#securityInterceptor #​11636
• Fix saganCreateRelease saganDeleteRelease Required Permissions #​11426
• org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #​11608
• RequestRejectedHandler does not reliable prevent Internal Server Error [#​11673](https://redirect.githu

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.