Migrating from 3.4.0 to 3.5.0

Encrypted Bookmarks for view models

This release automatically encrypts the bookmarks for view models so that they are not susceptible to forgery or serialization attacks.

The encryption is performed using an instance of HmacAuthority. By default, the framework creates a random instance each time it is started, meaning that any bookmarks (for view models, not entities) become invalid if the application is restarted. The default is configured using the following code:

@Configuration
class EnableHmacAuthority {
    @Bean
    public HmacAuthority hmacAuthority() {
        return HmacAuthority.HmacSHA256.randomInstance();
    }
}

To override this behaviour (so that bookmarks are not invalidated), provide your own instance of this bean. It’s up to you how you choose to keep the seed value secret.
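
Why a per-start random key invalidates previously issued bookmarks while a fixed secret does not, as an added example that is not the framework's own code: it uses the JDK's javax.crypto HMAC-SHA256 directly rather than HmacAuthority, shows only the keyed-integrity check and not the framework's bookmark format, and the class name, the keyAtStartup helper and the sample bookmark string are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BookmarkKeyDemo {
    static final String ALG = "HmacSHA256";

    // Key chosen at one application start. A null secret models the default
    // (fresh random key per start); otherwise the configured Base64 secret is used.
    static byte[] keyAtStartup(String base64Secret) {
        if (base64Secret == null) {
            byte[] key = new byte[32];
            new SecureRandom().nextBytes(key);
            return key;
        }
        byte[] key = Base64.getDecoder().decode(base64Secret);
        if (key.length < 32) throw new IllegalArgumentException("secret shorter than 32 bytes");
        return key;
    }

    static byte[] tag(byte[] key, String bookmark) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(bookmark.getBytes(StandardCharsets.UTF_8));
    }

    // Recompute and compare in constant time; any change to key or bookmark fails.
    static boolean verify(byte[] key, String bookmark, byte[] presented) throws Exception {
        return MessageDigest.isEqual(tag(key, bookmark), presented);
    }

    public static void main(String[] args) throws Exception {
        String bookmark = "demo.CustomerVm:constructed-state"; // constructed sample value
        // Constructed stand-in for a secret held outside the code base.
        String secret = Base64.getEncoder().encodeToString(keyAtStartup(null));

        byte[] issuedDefault = tag(keyAtStartup(null), bookmark);
        System.out.println("default, after restart:      " + verify(keyAtStartup(null), bookmark, issuedDefault));

        byte[] issuedFixed = tag(keyAtStartup(secret), bookmark);
        System.out.println("fixed secret, after restart: " + verify(keyAtStartup(secret), bookmark, issuedFixed));
        System.out.println("fixed secret, tampered:      " + verify(keyAtStartup(secret), bookmark + "x", issuedFixed));
    }
}
```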