Releases: spring-projects/spring-security
Releases Β· spring-projects/spring-security
7.0.0
β New Features
- Add a minimal authorization server configuration #18153
- Mark
GrantedAuthority#getAuthorityas@Nullable#18014 - Polish SimpleGrantedAuthority #18062
πͺ² Bug Fixes
- Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #18026
- Fix webauthn multifactor authentication #18163
π¨ Dependency Upgrades
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #18099
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #18100
- Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #18097
- Update to Reactor 2025.0.0 #18173
- Update to Spring Data 2025.1.0 #18174
- Update to Spring Framework 7.0.0 #18172
- Update to Spring LDAP 4.0.0 #18175
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@Kehrlann, @SimonVonXCVII, @quaff, and @therepanic
Contributors
quaff, Kehrlann, and 2 other contributors
Assets 2
6.5.7
β New Features
- Add Include-Code for the Password Storage page #18054
- Default WebAuthnConfigurer#rpName to rpId #18131
- Document effects of disabling CORS #18129
πͺ² Bug Fixes
typvalues should not be case-sensitive inJwtTypeValidator#18101- BCryptPasswordEncoderTests should password limit of 72 bytes #18136
- Fix GenerateOneTimeTokenRequestResolver ignored if username param not present #18074
- GenerateOneTimeTokenFilter should not attempt to generate a token with a null token request #18088
π¨ Dependency Upgrades
- Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18110
- Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18149
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18141
- Bump org-aspectj from 1.9.24 to 1.9.25 #18142
- Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18111
- Update to Reactor 2024.0.12 #18181
- Update to Spring Data 2024.1.12 #18182
- Update to Spring Framework 6.2.13 #18180
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
Contributors
marcusdacoregio, himanshu-pareek, and namest504
Assets 2
6.4.13
β New Features
πͺ² Bug Fixes
- BCryptPasswordEncoderTests should password limit of 72 bytes #18133
π¨ Dependency Upgrades
- Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18108
- Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18148
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18140
- Bump org-aspectj from 1.9.24 to 1.9.25 #18139
- Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18109
- Update Spring Data 2024.1.12 #18179
- Update to Reactor 2024.0.12 #18178
- Update to Spring Framework 6.2.13 #18177
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
Contributors
Kehrlann
Assets 2
7.0.0-RC3
β New Features
πͺ² Bug Fixes
WebAuthnAuthenticationFilteris not getting post-processed byEnableMfaFiltersPostProcessor#18128- AOT hints for authorization server Jackson 3 types should be registered #18146
- JdbcRegisteredClientRepository should support Jackson 3 #18143
- RequestHeaderAuthenticationFilter#getPreAuthenticatedPrincipal should be declared
@Nullable#18046
7.0.0-RC1
βͺ Breaking Changes
- Align setRetrieveUserInfo() between OidcUserService and OidcReactiveOAuth2UserService #18057
- Consider disabling device_code grant by default #17998
- Enable PKCE by default #17507
- Enable PKCE by default in authorization server #18020
- Favor Relative Redirects by Default #16300
- Remove cache from (Reactive)OidcIdTokenDecoderFactory #16647
- Remove OidcUserService.setAccessibleScopes() #18056
- Remove setOidcUserMapper() in OidcUserService and OidcReactiveOAuth2UserService #18060
- Remove unnecessary throws Exception from spring-security-config #17957
β New Features
- Add
@EnableGlobalMultiFactorAuthentication#17954 - Add
GrantedAuthorities.FACTOR_*_AUTHORITY#17952 - Add
RequiredFactor.Builder.Authority()#18033 - Add
TestingAuthenticationToken(Object principal,Object credential,String... authorities)#17980 - Add AccessDeniedHandler that Ties Authorities to Authentication Entry Points #17934
- Add AllAuthorities(Reactive)AuthorizationManager #17916
- Add AllFactorsAuthorizationManager #17997
- Add DefaultAuthorizationManagerFactory.additionalAuthorization #17942
- Add FactorGrantedAuthority #17996
- Add Jackson 3 support and deprecate Jackson 2 one #17832
- Add Predicate for authorizationConsentRequired for device code grant #18016
- Add RequiredAuthoritiesAuthorizationManager #18028
- Add SecurityMockMvcResultMatchers.withAuthorities(String...) #17974
- Add support for OAuth 2.0 Dynamic Client Registration Protocol #17964
- AllFactorsAuthorizationManager -> AllRequiredFactorsAuthorizationManager #18031
- Allow OAuth2AuthorizationRequest to be extended #18049
- Authentication should use FactorGrantedAuthority #18001
- Create AuthorizationManagerFactories.multiFactor #18032
- Default Login Page Should Pre-populate Username Field If Already Logged In #17935
- DelegatingAuthenticationEntryPoint should use RequestMatcherEntry #17915
- DelegatingMissingAuthorityAccessDeniedHandler Should Use RequiredFactorErrors #18002
- Document Multi-Factor Simple to Complex #18029
- Fix-typos #18035
- HttpSecurity should allow for
AuthorizationManager<? super RequestAuthorizationContext>#17931 - Implement OAuth 2.0 Protected Resource Metadata #17244
- Improve Passivity when Merging Authorities #18052
- Providers Should Add an Authority Representing Successful Authentication #17933
- Security Expressions Should Allow Returning an AuthorizationManager #17936
- Support Automatically Checking for Required Authorities in Authorization Rules #17900
- Support injecting clock into token generation code #18017
- Use
AuthorizationManagerFactoryin Kotlin DSL #17860
πͺ² Bug Fixes
- DelegatingAuthenticationEntryPoint.Builder should not throw exception when default entry point is specified #17955
- Deprecate
CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE#18058 - Fix typo in AuthenticationProvider Javadoc #17967
- HttpSecurity.oauth2AuthorizationServer should not automatically set
HttpSecurity.securityMatcher#17965 - Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler #18000
- Move FACTOR_ constants to FactorGrantedAuthority #18030
- Prevent Duplicate
GrantedAuthority#getAuthority()at time of Authentication #17981 - ProviderManager.copyDetails Changes Authentication to new Type #18027
- Update terminology to HTTP Service Clients #17947
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18079
- Bump com.password4j:password4j from 1.8.2 to 1.8.4 #17904
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17982
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18043
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17983
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 #18055
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17903
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 #17970
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17949
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17943
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 #18064
- Update JUnit 6.0.0 #18040
- Update to Reactor 2025.0.0-RC1 #18087
- Update to Spring Data 2025.1.0-RC1 #18085
- Update to Spring Framework 7.0.0-RC1 #18084
- Update to Spring LDAP 4.0.0-RC1 #18086
π© Build Updates
- Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs #18009
- Remove Deprecations #13068
- Update to Reactor 2025.0.0-SNAPSHOT #18041
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@iigolovko, @ngocnhan-tran1996, @parthokr, @rohan-naik07, @sdeleuze, and @therepanic
What's Changed
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in #17911
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17914
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17905
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in https://github.com/spring-projec...
Contributors
sdeleuze, jzheaux, and 6 other contributors
Assets 2
6.5.6
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18082
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17930
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17929
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18045
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17950
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17945
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final #18039
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 #18083
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 #18067
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 #18068
6.4.12
π¨ Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18080
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17985
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18044
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17984
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17944
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final #18038
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 #18081
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 #18065
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 #18066
6.5.5
π¨ Dependency Upgrades
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17922
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17911
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17923
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17910
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17924
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17913
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17925
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17912
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17926
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17914
6.4.11
π¨ Dependency Upgrades
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17921
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17909
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17918
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17905
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17917
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17907
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17919
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17906
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17920
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17908
7.0.0-M3
βͺ Breaking Changes
β New Features
- Add
discoverJwsAlgorithms()inNimbusJwtDecoder#17788 - Add AuthorizationManagerFactory #17673
- Add Builders for all Authentication implementations #17861
- Add OneTimeTokenAuthentication #17799
- Add option to disable anonymous authentication in
RSocketSecurity#17159 - Add password4j implementation of PasswordEncoder #17825
- Add SecurityAssertions #17844
- Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669
- Allow multiple ServerLogoutHandler instances in ServerHttpSecurity #17381
- Allow specifying a ServerAuthenticationConverter for x509() #17382
- AuthenticatedMatcher#withRoles should only check roles #17843
- Change
@Beanmethod signature to return RsaKeyConversionServicePostProcessor instead of BeanFactoryPostProcessor #17672 - Enable Null checking in spring-security-cas via JSpecify #17826
- Enable Null checking in spring-security-data via JSpecify #17789
- Enable Null checking in spring-security-messaging via JSpecify #17817
- Enable Null checking in spring-security-rsocket via JSpecify #17827
- Enable Null checking in spring-security-taglibs via JSpecify #17828
- Enable Null checking in spring-security-test via JSpecify #17840
- Enable Null checking in spring-security-webauthn via JSpecify #17839
- Integrate Spring Authorization Server #17880
- Move Access API to Separate Module #17847
- Move Spring Security Kerberos Extension into Spring Security #17879
- Propagate Authorities From Previous Authentications #17862
- Remove PortResolver #15971
- Remove redundant code in document #17813
- RequestMatchers should implement equals and hashCode #17842
- SpringTestContext should register a WebTestClient Bean #17780
- Support
@ClientRegistrationIdat Class Level #17838 - Support Modular Spring Security Configuration #16258
πͺ² Bug Fixes
- APIs should Use
Supplier<? extends@nullableAuthentication>#17814 - AuthorizationManager should allow null Authentication #17795
π¨ Dependency Upgrades
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17872
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17834
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17856
- Bump io.projectreactor:reactor-bom from 2025.0.0-M6 to 2025.0.0-M7 #17866
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.2 to 0.0.3 #17765
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.3 to 0.0.4 #17776
- Bump org-opensaml5 from 5.1.5 to 5.1.6 #17809
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.20 #17871
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.20 #17873
- Bump org.springframework.data:spring-data-bom from 2025.1.0-M5 to 2025.1.0-M6 #17888
- Bump org.springframework:spring-framework-bom from 7.0.0-M8 to 7.0.0-M9 #17876
π© Build Updates
- Bump
@antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #17886 - Fix misleading variable name in authentication filter #17751
- Remove unused import #17750
β€οΈ Contributors
Thank you to all the contributors who worked on this release:
@bbudano, @blake-bauman, @frido37, @jaehwan02, @jzheaux, @kse-music, @mehrdadbozorgmehr, @ngocnhan-tran1996, @quaff, @sjohnr, and @therepanic
Contributors
quaff, nullable, and 10 other contributors