Sourced from org.springframework.security:spring-security-bom's releases.

6.3.9

⭐ New Features

• Add link to docs zip file to the reference #16798
• Clarify WebInvocationPrivilegeEvaluator JavaDoc #16548
• Fix attribute name in http.adoc #16776
• Fix Spring Framework reference link #16718
• Fix WebFlux authentication reference link #16719
• Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc #16555

🪲 Bug Fixes

• Do not validate parameters in ServerBearerTokenAuthenticationConverter and DefaultBearerTokenResolver if not enabled #16039
• Fix the request matcher patterns in the documentation #16713
• setCookieCustomizer should not reset withHttpOnlyFalse httpOnly setting #16822
• Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #16834
• Use correct message prompt in AuthorizeReturnObjectMethodInterceptor constructor #16829
• XML config does not apply request-handler-ref to CsrfAuthenticationStrategy #16801

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 #16769
• Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 #16942
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 #16916
• Bump org-aspectj from 1.9.22.1 to 1.9.24 #16927
• Bump org-eclipse-jetty from 11.0.24 to 11.0.25 #16759
• Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 #16957
• Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19 #16958

🔩 Build Updates

• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #16809
• Release 6.3.9 #16973

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Bragolgirith, @​dependabot[bot], @​jonah1und1, @​kse-music, and @​ngocnhan-tran1996

• f635425 Release 6.3.9
• a5d9633 Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19
• 99c4f58 Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12
• c1aa99f Enforce BCrypt password length for new passwords only
• eb01394 Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17
• 0d3d6f7 Bump org-aspectj from 1.9.22.1 to 1.9.24
• eb83c35 Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4
• 3c0fef5 Polish gh-16039
• da94fbe Evaluate URI query parameter only if enabled
• 857ef6f WithHttpOnlyCookie defaults to false
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)