Fork me on GitHub


Plugin Version Spring Security Version brXM Release Version
4.x 5.6.1 15.x
3.x 5.2.1.RELEASE 14.x
2.x 5.2.1.RELEASE in 2.1.0,
5.1.1.RELEASE in 2.0.0
1.1.x 4.2.x.RELEASE for 12.x,
4.0.x.RELEASE for 11.x and 10.x
12.x, 11.x, 10.x
0.03.xx 3.2.x.RELEASE 7.9.x, 7.8.x
0.02.xx 3.0.x.RELEASE 7.8.x, 7.7.x
0.01.xx 3.0.x.RELEASE 7.7.x

Release Notes


Release date: 27 June 2022

  • HIPFORGE-421
    Upgrade plugin to support brXM 15, mainly build on Java 11 and upgrade the demo project to version 15.
  • Dependency management: extend from hippo-cms7-project 15 to inherit versions, notably:
    - Spring framework dependency version goes from 5.2.1.RELEASE to 5.3.18
    - Spring Security dependency version goes from 5.2.1.RELEASE to 5.6.1
    Note that the dependencies have 'provided' scope so the dependencies are not pulled in.

3.1.0 (Unreleased)

Release date: TBD

  • HIPFORGE-353
    - Bump (provided) Spring dependency version from 5.2.1.RELEASE to 5.2.8.RELEASE
    - Bump (provided) Spring Security dependency version from 5.2.1.RELEASE to 5.3.4.RELEASE
    - Bump (provided) commons-beanutils dependency version from 1.8.0 to 1.9.4


Release date: 06 March 2020


Release date: 17 December 2019

  • HIPFORGE-245 - Upgrade for Spring 5.2.1.RELEASE and Bloomreach CMS version 13.2 and up. If there's already an applicationContext-security.xml in your project, add an entry to allow "_cmssessioncontext", see Configuration page.
  • Make the Essentials installer plugin work again and improve its log messages on exception.


Release date: 18 January 2019

  • HIPFORGE-245 - Upgrade for Spring 5.1.1.RELEASE and Bloomreach CMS version 13.0


Release date: 22 March 2017

  • Fixing NPE when user is not found.
  • Supporting providing user's first name, last name and e-mail address as UserDetails object of Spring Security Authentication.


  • Removing org.springframework.dao.DataAccessException in API because it is pulled in by spring-tx jar which is not included by HST-2 any more.
  • Upgrading Spring Security Framework to 4.0.4.
  • Adding dependency exclusions in Spring Security Framework dependencies because it is safer for HST-2 to pull in Spring Framework dependencies.
  • Adding basic authentication example in a commented block.


  • Use delegating repository instead of pooling repository when authenticating a user.


  • Compatible with Spring Security 4.0.x and Hippo CMS 10


  • Let SpringSecurityValve extend org.hippoecm.hst.core.container.AbstractBaseOrderableValve
  • Polishing demo project and improving site/javadoc documentation


  • Upgrading Spring Security Framework dependency and Hippo CMS 7.8
  • Adding URL exclusions example in demo to bypass authentication on requests from Channel Manager


  • Remove project specific components. The followings were removed because they were too project specific and not generic enough:
    • HippoEmailUserDetailsServiceImpl
    • HippoUserDetailsServiceImpl
    • HippoUsernamePasswordAuthenticationFilter
    • Hippo Specific Authentication Login/Logout/Remember Me filters (HippoLoginFilter, HippoLogoutFilter, HippoTokenBasedRememberMeServices, etc) and components
  • HIPPLUG-666: Avoid NPE when password is not stored in UserDetails
  • Note: Please do not use the released versions [0.02.01, 0.02.04] because they have some project specific additions which will not be supported in the future.


  • Better support of Spring Security within the Channel Manager
  • Add the support of Remember Me
  • Enable user authentication using their email


  • Initial release.