Update What's New

jzheaux · jzheaux · commit 4787efb40b10 · 2024-11-18T15:51:24.000-07:00
diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -1528,6 +1528,7 @@ We expose `MethodSecurityExpressionHandler` using a `static` method to ensure th
 
 You can also <<subclass-defaultmethodsecurityexpressionhandler,subclass `DefaultMessageSecurityExpressionHandler`>> to add your own custom authorization expressions beyond the defaults.
 
+[[pre-post-authorize-aot]]
 === Working with AOT
 
 Spring Security will scan all beans in the application context for methods that use `@PreAuthorize` or `@PostAuthorize`.
@@ -2462,6 +2463,7 @@ And if they do have that authority, they'll see:
 You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
 ====
 
+[[authorize-return-object-aot]]
 === Working with AOT
 
 Spring Security will scan all beans in the application context for methods that use `@AuthorizeReturnObject`.
diff --git a/docs/modules/ROOT/pages/whats-new.adoc b/docs/modules/ROOT/pages/whats-new.adoc
@@ -4,6 +4,89 @@
 Spring Security 6.4 provides a number of new features.
 Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
 
+== Deprecation Notices
+
+As we get closer to Spring Security 7, it's important to stay up to date on deprecations.
+As such, this section points out deprecations in the 6.4 release.
+
+* *Method Security* - `AuthorizationManager#check` is deprecated in favor of `AuthorizationManager#authorize`.
+This is primarily to allow the return type to be an interface instead of a concrete class.
+If you are invoking `AuthorizationManager#check`, please invoke `AuthorizationManager#authorize` instead.
++
+Relatedly, `AuthorizationEventPublisher#publishEvent` that takes an `AuthorizationDecision` is deprecated in favor of a method of the same name that takes an `AuthorizationResult` interface instead.
+* *Method Security* - `PrePostTemplateDefaults` is deprecated in favor of the more generic `AnnotationTemplateExpressionDefaults` as there is now meta-annotation property support for `@AuthenticationPrincipal` and `@CurrentSecurityContext` as well.
+If you are constructing a `PrePostTemplateDefaults`, change this out for an `AnnotationTemplateExpressionDefaults`.
+* *OAuth 2.0* - `NimbusOpaqueTokenIntrospector` has been deprecated in favor of `SpringOpaqueTokenIntrospector` in order to remove Spring Security OAuth 2.0 Resource Server's reliance on the `oidc-oauth2-sdk` package.
+If you are constructing a `NimbusOpaqueTokenIntrospector`, replace it with ``SpringOpaqueTokenIntrospector``'s constructor
+* *OAuth 2.0* - `DefaultAuthorizationCodeTokenResponseClient`, `DefaultClientCredentialsTokenResponseClient`, `DefaultJwtBearerTokenResponseClient`, `DefaultPasswordTokenResponseClient`, `DefaultRefreshTokenTokenResponseClient`, and `DefaultTokenExchangeTokenResponseClient` are deprecated in favor of their `RestClient` equivalents.
++
+Relatedly,`JwtBearerGrantRequestEntityConverter`, `OAuth2AuthorizationCodeGrantRequestEntityConverter`, `OAuth2ClientCredentialsGrantRequestEntityConverter`, `OAuth2PasswordGrantRequestEntityConverter`, `OAuth2RefreshTokenGrantRequestEntityConverter` are deprecated in favor of providing an instance of `DefaultOAuth2TokenRequestParametersConverter` to one of the above token response clients
++
+For example, if you have the following arrangement:
++
+[source,java]
+----
+private static class MyCustomConverter
+    extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2AuthorizationCodeGrantRequest> {
+	@Override
+    protected MultiValueMap<String, String> createParameters
+            (OAuth2AuthorizationCodeGrantRequest request) {
+		MultiValueMap<String, String> parameters = super.createParameters(request);
+		parameters.add("custom", "value");
+		return parameters;
+    }
+}
+
+@Bean
+OAuth2AccessTokenResponseClient authorizationCode() {
+	DefaultAuthorizationCodeTokenResponseClient client =
+        new DefaultAuthorizationCodeTokenResponseClient();
+	Converter<AuthorizationCodeGrantRequest, RequestEntity<?>> entityConverter =
+        new OAuth2AuthorizationCodeGrantRequestEntityConverter();
+	entityConverter.setParametersConverter(new MyCustomConverter());
+	client.setRequestEntityConverter(entityConverter);
+    return client;
+}
+----
++
+This configuration is deprecated since it uses `DefaultAuthorizationCodeTokenResponseClient` and `OAuth2AuthorizationCodeGrantRequestEntityConverter`.
+The recommended configuration is now:
++
+[source,java]
+----
+private static class MyCustomConverter implements Converter<OAuth2AuthorizationCodeGrantRequest, Map<String, String>> {
+	@Override
+    public MultiValueMap<String, String> convert(OAuth2AuthorizeCodeGrantRequest request) {
+		MultiValueMap<String, String> parameters = OAuth2AuthorizationCodeGrantRequest.defaultParameters(request);
+		parameters.add("custom", "value");
+		return parameters;
+    }
+}
+
+@Bean
+OAuth2AccessTokenResponseClient authorizationCode() {
+	RestClientAuthorizationCodeTokenResponseClient client =
+        new RestClientAuthorizationCodeTokenResponseClient();
+	client.setParametersConverter(new MyCustomConverter());
+    return client;
+}
+----
+
+
+* *SAML 2.0* - Unversioned OpenSAML implementations of Spring Security SAML 2.0 Service Provider's interfaces have been deprecated in favor of versioned ones.
+For example, `OpenSamlAuthenticationTokenConverter` is now replaced by `OpenSaml4AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter`.
+If you are constructing one of these deprecated versions, please replace it with the one that corresponds to the OpenSAML version you are using.
+* *SAML 2.0* - Methods surrounding `AssertingPartyDetails` are deprecated in favor of equivalent methods that use the `AssertingPartyMetadata` interface.
+* *LDAP* - Usages of `DistinguishedName` are now deprecated in order to align with Spring LDAP's deprecations
+
+== One-Time Token Login
+
+* Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL, including xref:servlet/authentication/onetimetoken.adoc#customize-generate-consume-token[JDBC support].
+
+== Passkeys
+
+Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
+
 == Method Security
 
 * All xref:servlet/authorization/method-security.adoc#meta-annotations[method security annotations] now support {spring-framework-api-url}org/springframework/core/annotation/AliasFor.html[Framework's `@AliasFor`]
@@ -48,10 +131,14 @@ fun method(@CurrentUsername("username") val username: String): String {
 ======
 * https://github.com/spring-projects/spring-security/issues/13490[Several] https://github.com/spring-projects/spring-security/issues/13234[improvements] https://github.com/spring-projects/spring-security/issues/15097[were made] to align Security's annotation search with ``AbstractFallbackMethodSecurityMetadataSource``'s algorithm.
 This aids in migration from earlier versions of Spring Security.
+* Native applications can now xref:servlet/authorization/method-security.adoc#authorize-return-object-aot[use `@AuthorizeReturnObject`]
+* Native applications can now xref:servlet/authorization/method-security.adoc#pre-post-authorize-aot[reference beans in `@PreAuthorize` and `@PostAuthorize`]
+* `SecurityAnnotationScanners` offers https://github.com/spring-projects/spring-security/issues/15700[a convenient API] for scanning for Security annotations and for adding Security's selection and templating features to custom annotations
 
 == OAuth 2.0
 
 * `oauth2Login()` now accepts https://github.com/spring-projects/spring-security/pull/15237[`OAuth2AuthorizationRequestResolver` as a `@Bean`]
+* `ClientRegistrations` now supports externally obtained configuration
 * Added `loginPage()` to DSL in reactive `oauth2Login()`
 * OIDC Back-Channel support now accepts https://github.com/spring-projects/spring-security/issues/15003[logout tokens of type `logout+jwt`]
 * `RestClient` can now be xref:servlet/oauth2/index.adoc#oauth2-client-access-protected-resources[configured] with `OAuth2ClientHttpRequestInterceptor` to xref:servlet/oauth2/index.adoc#oauth2-client-accessing-protected-resources-example[make protected resources requests]
@@ -131,7 +218,7 @@ class SecurityConfig {
 }
 ----
 ======
-* Deprecated `Default*` implementations of `OAuth2AccessTokenResponseClient`
+* Token Exchange now https://github.com/spring-projects/spring-security/issues/15534[supports refresh tokens]
 
 == SAML 2.0
 
@@ -197,15 +284,15 @@ This implementation also supports the validation of a metadata's signature.
 * You can now sign https://github.com/spring-projects/spring-security/pull/14916[relying party metadata]
 * `RelyingPartyRegistrationRepository` results can now be javadoc:org.springframework.security.saml2.provider.service.registration.CachingRelyingPartyRegistrationRepository[cached].
 This is helpful if you want to defer the loading of the registration values til after application startup.
-It is also helpful if you want to control when metadata gets refreshed.
+It is also helpful if you want to control when metadata gets refreshed via Spring Cache.
 * To align with the SAML 2.0 standard, the metadata endpoint now https://github.com/spring-projects/spring-security/issues/15147[uses the `application/samlmetadata+xml` MIME type]
 
 == Web
 
 * CSRF BREACH tokens are now https://github.com/spring-projects/spring-security/issues/15187[more consistent]
 * The Remember Me cookie now is https://github.com/spring-projects/spring-security/pull/15203[more customizable]
-* Security Filter Chain is now improved.
-Specifically, the following arrangement is invalid since an any request filter chain comes before all other filter chains:
+* Security Filter Chain finds more invalid configurations.
+For example, a filter chain declared after an any-request filter chain is invalid since it will never be invoked:
 +
 [tabs]
 ======
@@ -217,6 +304,7 @@ Java::
 @Order(0)
 SecurityFilterChain api(HttpSecurity http) throws Exception {
     http
+        // implicit securityMatcher("/**")
         .authorizeHttpRequests(...)
         .httpBasic(...)
 
@@ -264,14 +352,36 @@ fun app(val http: HttpSecurity): SecurityFilterChain {
 ----
 ======
 You can read more https://github.com/spring-projects/spring-security/issues/15220[in the related ticket].
+* `ServerHttpSecurity` now https://github.com/spring-projects/spring-security/issues/15974[picks up `ServerWebExchangeFirewall` as a `@Bean`]
 
-== One-Time Token Login
-
-Spring Security now xref:servlet/authentication/onetimetoken.adoc[supports One-Time Token Login] via the `oneTimeTokenLogin()` DSL.
+== Observability
 
-== Passkeys
+Observability now supports xref:servlet/integrations/observability.adoc#observability-tracing-disable[toggling authorization, authentication, and request observations separately]
+For example, to turn off filter chain observations, you can publish a `@Bean` like this one:
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityObservationSettings allSpringSecurityObservations() {
+	return SecurityObservationSettings.withDefaults()
+            .shouldObserveFilterChains(false).build();
+}
+----
 
-Spring Security now has xref:servlet/authentication/passkeys.adoc[Passkeys] support.
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun allSpringSecurityObservations(): SecurityObservationSettings {
+    return SecurityObservationSettings.builder()
+            .shouldObserveFilterChains(false).build()
+}
+----
+======
 
 == Kotlin
 
