All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- The `totp-spring-boot-starter` dependency is now optional. If you use the MFA functionality, add the dependency to your project.
- Codacy finding fixed
- Upgrade to Spring Boot 3.3.4
- Moved to Java 21
- Internal code maintainability fixes
- Upgrade to Spring Boot 3.2.0
- Made the AuthenticationManager in the WebSecurityAutoConfig conditional.
- This gives the option to implement your own version of the AuthenticationManager.
- Upgrade to Spring Boot 3.1.5
- Error response in RFC-7807 format
- Added maven wrapper
- Upgrade to Spring Boot 3.0.2
- Upgrade to JDK 17
- Upgrade: from spring-boot 2.5 to 2.6
- The `customize` method of the RequestAuthorizationCustomizer now allows throwing an Exception, so that implementing methods no longer have to wrap the exceptions they throw in RuntimeExceptions.
- Added: additional constructor with customisable request matcher and ObjectMapper.
- Added: Support for custom MFA checks, e.g. to also accept codes from email and SMS.
- Fixed: #20 The label of the 2FA QR code should get the issuer added as well to work properly with all authenticator apps.
- Added: Support for two-factor authentication (2FA, MFA)
- Upgrade: From spring-boot 2.4 to 2.5
- Fix: Inconsistent constructor declaration on bean with name 'nl._42.restsecure.autoconfigure.WebSecurityAutoConfig'
- Fix: circular dependency issue fixed for UserResolver in WebSecurityMvcAutoConfig
- Upgrade: From java 8 to java 11
- Upgrade: From spring-boot 2.2 to 2.4
- Upgrade: From junit 4 to 5
- Upgrade: Pom no longer extends from sonatype pom which is deprecated
- Changed: UserResolver bean is now typed and no longer needs Authentication as an argument; it also returns an Optional instead of a possibly null value
- Added: Extension point for handling AuthenticationExceptions during login
- Fixed: Documentation fixes in readme.md
- Removed `/authentication/handshake` http security configuration and documentation because it was removed a few versions ago already (since 3.0.0).
- Added the possibility to implement an `AbstractRestAuthenticationSuccessHandler` to customize behaviour after successful authentication.
- Now it's possible to configure an AbstractUserDetailsService next to other AuthenticationProvider(s).
- Fixed circular dependency
- REST authentication filter now supports `RememberMeServices`
- Removed CROWD, separating library from any Authentication Provider implementation
- For CROWD we suggest using the `spring-boot-starter-crowd`
- Now using REST to connect to the Crowd server.
- Crowd client properties are now loaded from application.yml instead of a separate crowd.properties file on the classpath.
- Upgraded dependencies to be able to run on java 11
- The /authentication/handshake endpoint is no longer needed because of the 'double submit cookie'.
- The `RestAccessDeniedHandler` no longer checks for a `CsrfTokenNotFoundException` to tell that the session is invalid. This is because the 'Synchronizer Token Pattern' is no longer used for CSRF protection. Now the request's validity is checked upon an `AuthenticationException`.
- Code style violations fixed.
- Added tests to gain 100% coverage.
- Package restructuring.
- The custom XsrfHeaderFilter is removed in favor of the Spring Security CookieCsrfTokenRepository.
- 'Double Cookie Submit pattern' now used instead of 'Synchronizer Token Pattern'.
- Added tests for the `/authentication` endpoints.
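The entries above that replace the custom XsrfHeaderFilter with Spring Security's CookieCsrfTokenRepository and switch from the 'Synchronizer Token Pattern' to the 'Double Cookie Submit pattern' describe a configuration. The following is an added example of that configuration written against the current Spring Security 6 API (the Spring Boot 3.x line of this changelog); it is illustrative code, not the library's own auto-configuration, and the class name `DoubleSubmitCsrfConfig` and the catch-all authorization rule are assumptions.

```java
// Added example: Spring Security configuration applying the 'double submit cookie'
// CSRF pattern with the built-in CookieCsrfTokenRepository.
// Not the library's own code; class name and authorization rule are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class DoubleSubmitCsrfConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // withHttpOnlyFalse(): the XSRF-TOKEN cookie must be readable by the
        // browser-side client, which copies its value into the X-XSRF-TOKEN header
        // of every state-changing request. The server compares header and cookie.
        // A cross-site request can carry the cookie but cannot read it, so it
        // cannot produce the matching header; no server-side token store is needed.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // Spring Security 6 defaults to XorCsrfTokenRequestAttributeHandler, which
        // masks the token per request (BREACH protection). A REST client that echoes
        // the cookie value verbatim expects a stable token, so the plain attribute
        // handler is used. Setting the request attribute name to null opts out of
        // deferred token loading, so the cookie is issued on the first response
        // instead of only when a view reads the token.
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        requestHandler.setCsrfRequestAttributeName(null);

        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(repository)
                .csrfTokenRequestHandler(requestHandler))
            // Assumed rule: every request needs an authenticated user.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

With this in place a missing or mismatched header on a POST, PUT, PATCH or DELETE is rejected by Spring Security's CsrfFilter before the request reaches a controller, which is why the handshake endpoint mentioned above is no longer needed: the client obtains the token from the cookie of any prior response rather than from a dedicated call.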