

| Plugin Version | Spring Security Framework Version | Hippo CMS Release Version |
|---|---|---|
| 2.0.x | 5.1.1.RELEASE | 13.x |
| 1.1.x | 4.2.x.RELEASE for 12.x, 4.0.x.RELEASE for 11.x and 10.x | 12.x, 11.x, 10.x |
| 0.03.xx | 3.2.x.RELEASE | 7.9.x, 7.8.x |
| 0.02.xx | 3.0.x.RELEASE | 7.8.x, 7.7.x |
| 0.01.xx | 3.0.x.RELEASE | 7.7.x |

Release Notes (2.x)


  • [HIPFORGE-245] - [HST Spring Security Support] Upgrade for Spring v5

Release Notes (1.x or earlier)


  • Fixing NPE when user is not found.
  • Supporting the user's first name, last name and e-mail address being provided in the UserDetails object of the Spring Security Authentication.


  • Removing org.springframework.dao.DataAccessException in API because it is pulled in by spring-tx jar which is not included by HST-2 any more.
  • Upgrading Spring Security Framework to 4.0.4.
  • Adding dependency exclusions in Spring Security Framework dependencies because it is safer for HST-2 to pull in Spring Framework dependencies.
  • Adding basic authentication example in a commented block.


  • Use delegating repository instead of pooling repository when authenticating a user.


  • Compatible with Spring Security 4.0.x and Hippo CMS 10


  • Let SpringSecurityValve extend org.hippoecm.hst.core.container.AbstractBaseOrderableValve
  • Polishing demo project and improving site/javadoc documentation


  • Upgrading Spring Security Framework dependency and Hippo CMS 7.8
  • Adding URL exclusions example in demo to bypass authentication on requests from Channel Manager


  • Remove project-specific components. The following were removed because they were too project-specific and not generic enough:
    • HippoEmailUserDetailsServiceImpl
    • HippoUserDetailsServiceImpl
    • HippoUsernamePasswordAuthenticationFilter
    • Hippo Specific Authentication Login/Logout/Remember Me filters (HippoLoginFilter, HippoLogoutFilter, HippoTokenBasedRememberMeServices, etc) and components
  • HIPPLUG-666: Avoid NPE when password is not stored in UserDetails
  • Note: Please do not use the released versions [0.02.01, 0.02.04] because they have some project specific additions which will not be supported in the future.


  • Better support of Spring Security within the Channel Manager
  • Add support for Remember Me
  • Enable user authentication using their email


  • Initial release.