3. What’s New in Spring Security 4.2

3. What’s New in Spring Security 4.2
Prev	Part I. Preface	Next

Among other things, Spring Security 4.2 brings early support for Spring Framework 5. You can find the change logs for 4.2.0.M1, 4.2.0.RC1, 4.2.0.RELEASE which closes over 80 issues. The overwhelming majority of these features were contributed by the community. Below you can find the highlights of this release.

3.1 Web Improvements

#3812 - Jackson Support
#4116 - Referrer Policy
#3938 - Add HTTP response splitting prevention
#3949 - Add bean reference support to @AuthenticationPrincipal.
#3978 - Support for Standford WebAuth and Shibboleth using the newly added RequestAttributeAuthenticationFilter.
#4076 - Document Proxy Server Configuration
#3795 - ConcurrentSessionFilter supports InvalidSessionStrategy
#3904 - Add CompositeLogoutHandler

3.2 Configuration Improvements

#3956 - Central configuration of the default role prefix. See the issue for details.
#4102 - Custom default configuration in WebSecurityConfigurerAdapter. See Section 5.10, “Custom DSLs”
#3899 - concurrency-control@max-sessions supports unlimited sessions.
#4097 - intercept-url@request-matcher-ref adds more powerful request matching support to the XML namespace.
#3990 - Support for constructing RoleHierarchy from Map (i.e. yml)
#4062 - Custom cookiePath to CookieCsrfTokenRepository
#3794 - Allow configuration of InvalidSessionStrategy on SessionManagementConfigurer
#4020 - Fix Exposing Beans for defaultMethodExpressionHandler can prevent Method Security

3.3 Miscellaneous

#4080 - Spring 5 support
#4095 - Add UserBuilder
#4018 - Fix after csrf() is invoked, future MockMvc invocations use original CsrfTokenRepository
Version Updates

Prev	Up	Next
2. Introduction	Home	4. Samples and Guides (Start Here)