|
| 1 | +## [4.3.2] - 2026-03-28 |
| 2 | +### Features |
| 3 | +- HTMX-aware AuthenticationEntryPoint for session expiry handling |
| 4 | + - Adds HtmxAwareAuthenticationEntryPoint that detects HTMX requests (HX-Request: true) and, instead of a 302 redirect, returns: |
| 5 | + - Status: 401 Unauthorized |
| 6 | + - Header: HX-Redirect: <loginUrl> |
| 7 | + - Body: {"error":"authentication_required","message":"Session expired. Please log in.","loginUrl":"<loginUrl>"} |
| 8 | + - Preserves existing behavior for non-HTMX requests by delegating to the underlying AuthenticationEntryPoint. |
| 9 | + - Auto-configuration: HtmxAwareAuthenticationEntryPointConfiguration registers the entry point only if no AuthenticationEntryPoint bean is provided by the consumer (@ConditionalOnMissingBean). The bean is marked @Primary to avoid NoUniqueBeanDefinitionException if multiple candidates exist. |
| 10 | + - Login entry point selection: |
| 11 | + - When spring.security.oauth2.enabled=true, wraps CustomOAuth2AuthenticationEntryPoint (failureHandler intentionally null to allow the expected redirect behavior). |
| 12 | + - Otherwise wraps LoginUrlAuthenticationEntryPoint. |
| 13 | + - Security configuration update: WebSecurityConfig now always wires exceptionHandling().authenticationEntryPoint(authenticationEntryPoint) using the injected bean (HTMX-aware by default), not just when OAuth2 is enabled. This centralizes and standardizes exception handling. |
| 14 | + - Response details and robustness: |
| 15 | + - Sets response character encoding to UTF-8 and content type to application/json;charset=UTF-8. |
| 16 | + - Escapes backslash, quote, newline, carriage return, and tab in the loginUrl JSON value. |
| 17 | + - Processes HX-Request header case-insensitively. |
| 18 | + - Skips writing if the response is already committed. |
| 19 | + - Consumer override: Define your own AuthenticationEntryPoint bean to replace the default behavior. |
| 20 | + |
| 21 | +### Fixes |
| 22 | +- HTMX redirect respects servlet context path |
| 23 | + - When server.servlet.context-path is configured (e.g., /app), the HX-Redirect header and the JSON loginUrl now prepend the context path (e.g., /app/user/login.html), aligning with LoginUrlAuthenticationEntryPoint behavior. |
| 24 | +- Build and test deprecation/compilation cleanups |
| 25 | + - Gradle: Replace deprecated Groovy space-assignment with equals assignment for testLogging.exceptionFormat (compatible with Gradle 9, required for Gradle 10). |
| 26 | + - Tests: Suppress “removal” warning (in addition to “deprecation”) in UserEmailServiceTest where an intentionally deprecated 4-parameter initiateAdminPasswordReset method is exercised. |
| 27 | + |
| 28 | +### Breaking Changes |
| 29 | +- None. The HTMX-aware entry point is opt-out (overridable) and delegates non-HTMX requests to the existing behavior. WebSecurityConfig now always sets an AuthenticationEntryPoint, but the bean is compatible and designed to preserve existing redirect behavior for standard browser flows. |
| 30 | + |
| 31 | +### Refactoring |
| 32 | +- Security configuration streamlined |
| 33 | + - Exception handling is now configured once in securityFilterChain using the injected AuthenticationEntryPoint rather than conditionally in the OAuth2 setup path, reducing duplication and potential inconsistency. |
| 34 | + |
| 35 | +### Documentation |
| 36 | +- Added HTMX Support documentation |
| 37 | + - README: New “HTMX Support” section explaining the 401 + HX-Redirect behavior, JSON payload, and how to override via a custom AuthenticationEntryPoint bean. Updated features list and table of contents accordingly. |
| 38 | + - CHANGELOG.md: Added [Unreleased] entry describing the new HTMX-aware AuthenticationEntryPoint and configuration/override notes. |
| 39 | + - CLAUDE.md: Listed HtmxAwareAuthenticationEntryPoint under Security and documented AuthenticationEntryPoint as an extension point. |
| 40 | +- Install instructions updated to 4.3.2 |
| 41 | + - README dependency coordinates changed from 4.3.1 to 4.3.2 (Maven and Gradle snippets). |
| 42 | + |
| 43 | +### Testing |
| 44 | +- Comprehensive tests for the new HTMX entry point |
| 45 | + - HtmxAwareAuthenticationEntryPointTest: |
| 46 | + - Verifies 401 status, content type with UTF-8, HX-Redirect header, JSON body content, case-insensitive HX-Request handling, response-committed shortcut, and correct delegation for non-HTMX requests. |
| 47 | + - Servlet context path handling tests: |
| 48 | + - Ensure HX-Redirect and JSON loginUrl include the servlet context path when non-empty and are unchanged when empty. |
| 49 | + - HtmxAwareAuthenticationEntryPointConfigurationTest: |
| 50 | + - Validates auto-registration for OAuth2 enabled/disabled paths, and that a user-defined AuthenticationEntryPoint prevents library bean registration (confirming @ConditionalOnMissingBean behavior). |
| 51 | + |
| 52 | +### Other Changes |
| 53 | +- Dependency updates |
| 54 | + - Spring Boot Gradle plugin: 4.0.3 → 4.0.4. |
| 55 | + - Testcontainers (core/junit-jupiter/mariadb/postgresql): 2.0.3 → 2.0.4. |
| 56 | + - Gradle wrapper: 9.4.0 → 9.4.1. |
| 57 | +- Version bump for development |
| 58 | + - gradle.properties set to 4.3.2-SNAPSHOT. |
| 59 | + |
1 | 60 | ## [Unreleased] |
2 | 61 | ### Features |
3 | 62 | - HTMX-aware AuthenticationEntryPoint for session expiry handling (#294) |
|
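Review bot: The escaping described at added line 16 ("Escapes backslash, quote, newline, carriage return, and tab in the loginUrl JSON value") covers only five characters, but JSON requires every control character from U+0000 to U+001F to be escaped, so a loginUrl containing for example a form feed or backspace would produce an invalid body. Suggest building the body with a JSON serializer instead of hand-escaping, and stating in this entry how the same loginUrl is checked before it is written to the HX-Redirect header, since the entry describes escaping for the JSON value only. Separately, the trailing context lines still list "HTMX-aware AuthenticationEntryPoint for session expiry handling (#294)" under [Unreleased] while the new [4.3.2] section records the same feature; move or drop the [Unreleased] item so it is not recorded twice. Added lines 38 ("CHANGELOG.md: Added [Unreleased] entry") and 58 ("gradle.properties set to 4.3.2-SNAPSHOT") also read as commit-level notes rather than release notes for 4.3.2.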