On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC2. This release comes with 50+ tickets closed.
As always we look forward to hearing your feedback! You can find the highlights below:
In the beginning, the Spring Security DSL had two oauths:

```java
http
    .oauth2Login()...
```

and

```java
http
    .oauth2()
        .client()...
```

which made some sense, since one was an authentication mechanism, like formLogin and openidLogin, and the others (client, resourceServer, and authorizationServer) were a bit more like OAuth 2.0 personalities.
In the end, though, that separation felt like needless extra typing, so we resolved to flatten out the hierarchy, which means that, as of this release, we now have:
```java
http
    .oauth2Login()...
    .oauth2Client()...
    .oauth2ResourceServer()
```
There are no functionality or feature changes tied to this refactoring of the DSL, just less typing for you.
The team has been hard at work with WebClient, and we are excited to announce some new OAuth 2.0 WebClient extensions for both Servlet and WebFlux applications. These extensions make it easy to transmit OAuth 2.0 authorities seamlessly from machine to machine.
Read up on all the details in the OAuth 2.0 Web Client master ticket.
The first part of the OAuth 2.0 journey was spec compliance. This next release introduces much more support for configuring Spring Security to work with providers that extend or deviate from the spec.
For example, it’s now possible to customize the token request made from a client to the authorization server.
Along those same lines, Resource Server is shipping with support for customizing the claim set that is parsed from incoming JWTs. This is handy when the application needs to add or remove a claim or needs to parse a claim in a custom way:
```java
NimbusJwtDecoderJwkSupport decoder = // ...
decoder.setClaimSetConverter(
        MappedJwtClaimSetConverter
                .withDefaults("custom-date", this::convertToInstant));
```
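A fuller version of that claim-set customization, as an added example that is not code from the post or the Spring Security project: it keeps the default conversions for the registered claims and then parses, removes and adds application claims before the decoder builds the Jwt. It assumes withDefaults also accepts a map of per-claim converters; the claim names, the tenant default and the JWK set URL are hypothetical.

```java
import java.time.Instant;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
// Added example: applies the default claim conversions first, then parses, removes
// and adds application claims. Claim names and the JWK set URL are hypothetical.
public final class CustomClaimSetConverter
        implements Converter<Map<String, Object>, Map<String, Object>> {
    // Keep the defaults so the registered claims (exp, nbf, iat, aud, ...) stay typed and
    // expiry / not-before validation keeps working. Assumes withDefaults(Map) exists.
    private final MappedJwtClaimSetConverter defaults =
            MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
    @Override
    public Map<String, Object> convert(Map<String, Object> claims) {
        // Copy so the parser's raw claim map is never mutated in place.
        Map<String, Object> converted = new LinkedHashMap<>(this.defaults.convert(claims));
        // Parse a claim in a custom way: "custom-date" carries epoch seconds.
        Object customDate = converted.get("custom-date");
        if (customDate != null) {
            converted.put("custom-date", convertToInstant(customDate));
        }
        // Remove a claim that must not reach the application's authorization logic.
        converted.remove("internal-only");
        // Add a derived claim without overriding one the issuer already set.
        converted.putIfAbsent("tenant", "default");
        return converted;
    }
    private static Instant convertToInstant(Object value) {
        if (value instanceof Number) return Instant.ofEpochSecond(((Number) value).longValue());
        try {
            return Instant.ofEpochSecond(Long.parseLong(value.toString().trim()));
        } catch (NumberFormatException ex) {
            // Reject the token instead of silently keeping an unparsed value.
            throw new JwtException("custom-date is not epoch seconds: " + value);
        }
    }
    public static JwtDecoder jwtDecoder() {
        NimbusJwtDecoderJwkSupport decoder =
                new NimbusJwtDecoderJwkSupport("https://issuer.example/.well-known/jwks.json");
        decoder.setClaimSetConverter(new CustomClaimSetConverter());
        return decoder;
    }
}
```

Replacing the converter wholesale drops the default typing of exp and nbf, which is why the example delegates to the defaults before applying its own changes.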
And the journey towards spec compliance also continues. In this release, support for collecting and providing any metadata returned from the OIDC Provider Configuration endpoint was added.
Now, ClientRegistration ships with getConfigurationMetadata, which sits alongside the methods targeted at specific properties and returns the entire map of provider attributes.
This release also ships with support for complete customization of the HTTP request to various endpoints.
This is handy for configuring timeouts, discovery, caching and otherwise taking full advantage of RestTemplate’s sophistication when communicating with an authorization server.
Support has also been added for deriving the X.509 principal via a strategy.
And support was added for configuring custom environment variables that inform the creation of an LdapContext.
Several features initially released for the Servlet-based Resource Server were added in RC2 on the WebFlux side. The reactive capabilities are similar, with a small but important exception.
In Spring Security WebFlux, it is more typical to have an authentication manager per request type. In this release, then, WebFlux ships with authentication manager configuration for Resource Server:
```java
http
    .oauth2ResourceServer()
        .authenticationManager(customAuthenticationManager())
```
This is helpful in situations where the application needs to do some custom conversion of the Jwt to a set of granted authorities.
The @RegisteredOAuth2AuthorizedClient annotation now supports the client_credentials grant in WebFlux.
Last but not least, https redirection support has been added to WebFlux and is accessible through http.redirectToHttps() or directly via the HttpsRedirectWebFilter.
And we’ve updated our dependencies to be on the latest and greatest to ensure our transitive dependencies are up to date.