3. What’s New in Spring Security 4.2

Among other things, Spring Security 4.2 brings early support for Spring Framework 5. You can find the change logs for 4.2.0.M1 , 4.2.0.RC1 , 4.2.0.RELEASE which closes over 80 issues. The overwhelming majority of these features were contributed by the community. Below you can find the highlights of this release.

3.1 Web Improvements

#3812 - Jackson Support
#4116 - Referrer Policy
#3938 - Add HTTP response splitting prevention
#3949 - Add bean reference support to @AuthenticationPrincipal.
#3978 - Support for Standford WebAuth and Shibboleth using the newly added RequestAttributeAuthenticationFilter .
#4076 - Document Proxy Server Configuration
#3795 - ConcurrentSessionFilter supports InvalidSessionStrategy
#3904 - Add CompositeLogoutHandler

3.2 Configuration Improvements

#3956 - Central configuration of the default role prefix . See the issue for details.
#4102 - Custom default configuration in WebSecurityConfigurerAdapter. See Section 5.10, “Custom DSLs”
#3899 - [email protected] supports unlimited sessions.
#4097 - [email protected] adds more powerful request matching support to the XML namespace.
#3990 - Support for constructing RoleHierarchy from Map (i.e. yml)
#4062 - Custom cookiePath to CookieCsrfTokenRepository
#3794 - Allow configuration of InvalidSessionStrategy on SessionManagementConfigurer
#4020 - Fix Exposing Beans for defaultMethodExpressionHandler can prevent Method Security

3.3 Miscellaneous

#4080 - Spring 5 support
#4095 - Add UserBuilder
#4018 - Fix after csrf() is invoked, future MockMvc invocations use original CsrfTokenRepository
Version Updates

Docs

Docs4dev

Title here

3. What’s New in Spring Security 4.2

3.1 Web Improvements

3.2 Configuration Improvements

3.3 Miscellaneous