V1.80.0
API Changes
- core: Added PickResult.copyWithSubchannel() and PickResult.copyWithStreamTracerFactory() to simplify updating PickResult while preserving metadata. Load balancing policies should now ensure ForwardingSubchannel decorators are unwrapped before being returned in a pick result. (#12658) (eae16b251)
Bug Fixes
- core: Fixed the retry backoff jitter range to [0.8, 1.2] to align with the gRPC A6 specification. Retries will now occur more consistently around the calculated backoff interval. (#12639) (024fdd0ea) core: Fixed a race condition in RetriableStream where inFlightSubStreams counting could become inconsistent during concurrent retry and deadline events. This ensures that client calls (such as blockingUnaryCall) do not hang indefinitely and correctly receive a close signal. (#12649) (73abb4854)
Improvements
- api: Trigger R8's ServiceLoader optimization to reduce necessary configuration when using R8 Full Mode (470219f9c). This allows gRPC to avoid reflection, and the need to specify -keeps for various class’s constructors. Upgrade to protobuf 33.4 (#12615) (50c18f183)
- cronet: Introduced CRONET_READ_BUFFER_SIZE_KEY to allow customizing the read buffer size per-stream via CallOptions. Increasing the buffer size from the 4KB default can significantly improve performance for large messages by reducing JNI and context-switching overhead. (31fdb6c22)
- api: Moved FlagResetRule to api/testFixtures and updated ManagedChannelRegistry to honor the GRPC_ENABLE_RFC3986_URIS feature flag. This ensures that target parsing is consistent across the library when the new URI parser is enabled. (#12608)
- api: Updated NameResolverRegistry to natively support io.grpc.Uri. This is a foundational change that allows gRPC's name resolution system to handle URIs parsed with the new RFC 3986-compliant parser, ensuring more robust target handling. (#12609) (990348876)
- xds: Removed the GRPC_EXPERIMENTAL_XDS_SNI feature flag. SNI determination via xDS is now always enabled and follows gRFC A101, where SNI is derived from xDS configurations like auto_host_sni or UpstreamTlsContext.sni. This ensures that no SNI is sent if not explicitly configured, unless the legacy channel authority fallback is enabled. (#12625) (ac44e9681)
New Features
- core: pick_first shuffling now a weighted shuffle and observes weights from EDS (34dd29042). This finishes the gRFC A113 pick_first: Weighted Random Shuffling support
- netty: Added RFC 3986 support to the unix: name resolver. This enables proper parsing of Unix domain socket URIs, including correct handling of query and fragment components in both hierarchical (e.g., unix:///path) and opaque (e.g., unix:/path) formats. (#12659)
Thanks to
- @becomeStar
- @aymanm-google
- @PetitBaguette
- @stagegrowth
- @wcchoi
- @Gyuhyeok99
7.0.4
- Update
RestTemplateBuilderusage inopaque-token.adoc#18836
- Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18784
- Add Jackson Mixin for WebAuthnAuthentication #18878
- Add Missing OnCommitedResponseWrapper Header Overrides #18799
- Document the change in dependency coordinates with Spring Security 7 #18773
- Ensure tests clear AuthorizationServerContextHolder #18768
- Fix CookieRequestCache parameters #18864
- Fix Flaky Crypto Tests #18842
- Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18897
- HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18834
- OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #18873
- Restore upgradeEncoding condition in DaoAuthenticationProvider #18788
- saveAuthenticationRequest should read relayState from authenticationRequest #18884
- SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #18487
- ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #18276
- TokenBasedRememberMeServices documentation snippets should compile #18642
- Update request-matcher XML property to support PathPatternRequestMatcher #18737
- Bump
@antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18853 - Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18810
- Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18752
- Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18830
- Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18877
- Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18751
- Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18792
- Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18861
- Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18887
- Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18743
- Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18904
- Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18764
- Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18905
- Update Antora UI Spring to v0.4.26 #18893
- Update to spring-security-release-tools 1.0.15 #18909
Thank you to all the contributors who worked on this release:
@busoco-sjb, @making, @meliezer, @ngocnhan-tran1996, @rwinch, @sephiroth-j, @therepanic, @thuri, and @ziqin
7.1.0-M3
- Add
postProcessortoSpringOpaqueTokenIntrospectorBuilders #18625 - Add InetAddressMatcher #18634
- Add MessageExpressionAuthorizationManager #18813
- Add missing AOT Runtime Hints #18767
- Add nullability contract to
PasswordEncoder#encodeimplementations #18490 - Add RestClientOpaqueTokenIntrospector #18746
- Add tests for PathPatternRequestMatcher request path caching #18721
- Allow custom token settings for OAuth 2.0 dynamic client registration #18870
- Change
ActiveDirectoryLdapAuthenticationProviderto useLdapClient#18627 - Clarify need for method attribute in JSP authorize tag #18566
- Cleanup #17801
- Document multipart CSRF header option #18757
- Enable Null checking in spring-security-oauth2-jose via JSpecify #17821
- Ensure ID Token is updated after refresh token (Reactive) #17246
- Fail on javadoc warnings for spring-security-aspects #18855
- Fail spring-security-docs on javadoc warnings #18613
- Fix ClientAttributes Javadoc Typos #18802
- Fix compile warning in spring-security-test #18593
- Fix compile warnings for spring-security-config #18596
- Make authenticationConverter customizable in SpringOpaqueTokenIntrospector.Builder #18623
- Make PublicKeyCredentialCreationOptions Serializable #18354
- Mark
CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeNameas Nullable #18620 - Remove unused
@Nullablein Switch User andFactorGrantedAuthority#18765 - Specify charset in
WWW-Authenticatefor Basic Auth #18760 - Support custom
OAuth2AuthenticatedPrincipalin Jwt-based authentication flow #17191 - Support single-line PEM encoded RSA keys in
RsaKeyConverters#18599 - Update servlet/architecture.adoc to use include-code #18536
- Use attributes in Antora to replace the original links #18819
- Use include-code for websocket.adoc #18856
- Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18785
- Add Jackson Mixin for WebAuthnAuthentication #18907
- Add Missing OnCommitedResponseWrapper Header Overrides #18800
- Document Keberose Dependency Coordinates #18786
- Ensure tests clear AuthorizationServerContextHolder #18769
- Fix CookieRequestCache parameters #18865
- Fix Flaky Crypto Tests #18843
- Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18908
- Fix SecurityContextLogoutHandler.logout
@paramresponse Javadoc (cannot be null) #18795 - Fix spring-security-webauthn dependency in passkeys documentation #18866
- HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18835
- Improve error message for missing access attribute in intercept-url #18530
- Mark
targetDomainObjectas@NullableinPermissionEvaluator#18796 - Update password4j docs to use BcryptPassword4jPasswordEncoder #18232
- Bump
@antora/collector-extension from 1.0.2 to 1.0.3 #18851 - Bump
@antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18852 - Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18808
- Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.31 #18740
- Bump ch.qos.logback:logback-classic from 1.5.31 to 1.5.32 #18748
- Bump com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1 #18778
- Bump com.nimbusds:oauth2-oidc-sdk from 11.33 to 11.34 #18859
- Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18827
- Bump gradle-wrapper from 9.3.1 to 9.4.0 #18849
- Bump io.micrometer:micrometer-observation from 1.16.3 to 1.16.4 #18868
- Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18875
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.11 to 0.0.12 #18828
- Bump minimatch from 3.1.2 to 3.1.5 in /javascript #18811
- Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18747
- Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18789
- Bump org-opensaml5 from 5.2.0 to 5.2.1 #18754
- Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18858
- Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18885
- Bump org.hibernate.orm:hibernate-core from 7.2.4.Final to 7.2.5.Final #18775
- Bump org.hibernate.orm:hibernate-core from 7.2.5.Final to 7.2.6.Final #18826
- Bump org.hibernate.orm:hibernate-core from 7.2.6.Final to 7.2.7.Final #18901
- Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18741
- Bump org.mockito:mockito-bom from 5.21.0 to 5.22.0 #18825
- Bump org.mockito:mockito-bom from 5.22.0 to 5.23.0 #18881
- Bump org.seleniumhq.selenium:htmlunit3-driver from 4.40.0 to 4.41.0 #18777
- Bump org.seleniumhq.selenium:selenium-java from 4.40.0 to 4.41.0 #18776
- Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18902
- Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18763
- Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18900
- Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.13 to 1.0.14 #18728
- Bump tools.jackson:jackson-bom from 3.0.4 to 3.1.0 #18790
- Update Antora UI Spring to v0.4.26 #18894
Thank you to all the contributors who worked on this release:
@023-dev, @DDINGJOO, @Hann244, @chanani, @coehgns, @earlgrey02, @evgeniycheban, @itsmevichu, @jkuhel, @joshlong, @kimyounguk1, @kmw10693, @ngocnhan-tran1996, @nidhogg5, @pahlevani, @rwinch, @scordio, @therepanic, and @wonderfulrosemari
6.5.9
- Update Link to CSRF Docs in FAQ #18616
- Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
saveAuthenticationRequestshould readrelayStatefromauthenticationRequest#18872- Add Missing OnCommitedResponseWrapper Header Overrides #18798
- Clarify Resource Server startup expectations #18518
- Correct Reference to Clear-Site-Data Directive enum #18273
- Fix CookieRequestCache parameters #18857
- Fix Flaky Crypto Tests #18841
- Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896
- Bump
@antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854 - Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
- Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
- Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
- Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
- Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
- Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
- Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
- Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
- Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
- Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
- Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903
Thank you to all the contributors who worked on this release:
@Hann244, @Khyojae, @ghusta, @itsmevichu, @qihaiyan, @rwinch, @therepanic, and @ziqin