spring-security - 米舟开源

spring-projects/spring-security

Watch

Star

Fork

简介统计版本

18 hours ago

spring-security

spring-projects

⏪ Breaking Changes

Remove PortResolver #17524
Support Expression Templates by Default #17763

⭐ New Features

Add discoverJwsAlgorithms() in NimbusJwtDecoder #17788
Add AuthorizationManagerFactory #17673
Add Builders for all Authentication implementations #17861
Add OneTimeTokenAuthentication #17799
Add option to disable anonymous authentication in RSocketSecurity #17159
Add password4j implementation of PasswordEncoder #17825
Add SecurityAssertions #17844
Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669
Allow multiple ServerLogoutHandler instances in ServerHttpSecurity #17381
Allow specifying a ServerAuthenticationConverter for x509() #17382
AuthenticatedMatcher#withRoles should only check roles #17843
Change @Bean method signature to return RsaKeyConversionServicePostProcessor instead of BeanFactoryPostProcessor #17672
Enable Null checking in spring-security-cas via JSpecify #17826
Enable Null checking in spring-security-data via JSpecify #17789
Enable Null checking in spring-security-messaging via JSpecify #17817
Enable Null checking in spring-security-rsocket via JSpecify #17827
Enable Null checking in spring-security-taglibs via JSpecify #17828
Enable Null checking in spring-security-test via JSpecify #17840
Enable Null checking in spring-security-webauthn via JSpecify #17839
Integrate Spring Authorization Server #17880
Move Access API to Separate Module #17847
Move Spring Security Kerberos Extension into Spring Security #17879
Propagate Authorities From Previous Authentications #17862
Remove PortResolver #15971
Remove redundant code in document #17813
RequestMatchers should implement equals and hashCode #17842
SpringTestContext should register a WebTestClient Bean #17780
Support @ClientRegistrationId at Class Level #17838
Support Modular Spring Security Configuration #16258

🪲 Bug Fixes

APIs should Use Supplier<? extends @Nullable Authentication> #17814
AuthorizationManager should allow null Authentication #17795

🔨 Dependency Upgrades

Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17872
Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17834
Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17856
Bump io.projectreactor:reactor-bom from 2025.0.0-M6 to 2025.0.0-M7 #17866
Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.2 to 0.0.3 #17765
Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.3 to 0.0.4 #17776
Bump org-opensaml5 from 5.1.5 to 5.1.6 #17809
Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.20 #17871
Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.20 #17873
Bump org.springframework.data:spring-data-bom from 2025.1.0-M5 to 2025.1.0-M6 #17888
Bump org.springframework:spring-framework-bom from 7.0.0-M8 to 7.0.0-M9 #17876

🔩 Build Updates

Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #17886
Fix misleading variable name in authentication filter #17751
Remove unused import #17750

❤️ Contributors

Thank you to all the contributors who worked on this release:

@bbudano, @blake-bauman, @frido37, @jaehwan02, @jzheaux, @kse-music, @mehrdadbozorgmehr, @ngocnhan-tran1996, @quaff, @sjohnr, and @therepanic

18 hours ago

spring-security

spring-projects

⭐ New Features

Update servlet test method docs to use include-code #17749

🪲 Bug Fixes

Annonation Scanning Should Fallback to Object when Parameter Matching #17899
Fix double-slash when basePath is root #17841
Fix traceId discrepancy in case error in servlet web #17796
Reference should advise avoiding post-authorization on writes #17798

🔨 Dependency Upgrades

Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17893
Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17874
Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17895
Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17854
Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17836
Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17894
Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17858
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17767
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17766
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17759
Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #17853
Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #17837
Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17896
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17897
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17855
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17791
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17771
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17758
Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17773

❤️ Contributors

Thank you to all the contributors who worked on this release:

@jkuhel and @therepanic

18 hours ago

spring-security

spring-projects

🪲 Bug Fixes

Annonation Scanning Should Fallback to Object when Parameter Matching #17898
Fix traceId discrepancy in case error in servlet web #17134
Reference should advise avoiding post-authorization on writes #17797
Remove MockWebServer from JwtIssuerAuthenticationManagerResolverTests #17869

🔨 Dependency Upgrades

Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17792
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17778
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17769
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17892
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17857
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17777
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17768
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17755
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #17851
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #17835
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17890
Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17891
Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17889
Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17877
Update to nimbus-jose-jwt:9.37.4 #17875

❤️ Contributors

Thank you to all the contributors who worked on this release:

@nkonev

28 days ago

spring-security

spring-projects

⭐ New Features

Add ExpressionTemplateValueProvider #17448
Add META-INF/LICENSE.txt to published jars #17640
Add OAuth2User to OidcUser Conversion Params #17626
Apply missing diamond operators #17310
Clarify instructional nature when when withDefaultPasswordEncoder is used in documentation #17624
Correct @NonNull and @Nullable package name #17512
Enable Null checking in spring-security-core via JSpecify #17534
Enable Null checking in spring-security-crypto via JSpecify #17533
Extract spring-security-webauthn #17586
Improve authoritiesClaimName validation in JwtGrantedAuthoritiesConverter #17247
Improve Spring Boot's integration with PathPatternRequestMatcher.Builder #17746
Make stricter IP format check in IpAddressMatcher #17500
Polish document #17654
Polish ExpressionTemplateValueProvider JavaDoc #17666
Remove OpenSAML 4 support #17707
Replace "shameless coverage code" in SecurityNamespaceHandlerTests with meaningful tests #17689
Simplify error message for unsupported Security XSD versions #17488
Use 2004-present Copyright #17635

🪲 Bug Fixes

AuthorizationManager null safety annotation on generic type is incorrectly specified #17667
OpenSamlAssertingPartyDetails Should Be Serializable #17728

🔨 Dependency Upgrades

Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17589
Bump com.nimbusds:oauth2-oidc-sdk from 11.26 to 11.26.1 #17644
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17700
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17681
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17657
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17697
Bump io.projectreactor:reactor-bom from 2025.0.0-M5 to 2025.0.0-M6 #17703
Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17619
Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17590
Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17725
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17620
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17588
Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.1 to 0.0.2 #17591
Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17743
Bump org-opensaml5 from 5.1.2 to 5.1.5 #17734
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17691
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17679
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17670
Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17618
Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17587
Bump org.hibernate.orm:hibernate-core from 7.0.6.Final to 7.0.8.Final #17649
Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.10.Final #17693
Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.10.Final #17678
Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.9.Final #17658
Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.10 #17721
Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.10 #17719
Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #17648
Bump org.springframework.data:spring-data-bom from 2025.1.0-M4 to 2025.1.0-M5 #17740
Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17722
Bump org.springframework:spring-framework-bom from 7.0.0-M7 to 7.0.0-M8 #17724
Support UnboundID LDAP SDK 7.0 #14772

🔩 Build Updates

Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs #17712
Bump @springio/antora-extensions from 1.14.6 to 1.14.7 in /docs #17564
Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.9 in /docs #17714
Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17617
Update to UnboundID 7.0.3 #17730

❤️ Contributors

Thank you to all the contributors who worked on this release:

@DeepDhamala, @chanbinme, @mheath, @ml054, @ngocnhan-tran1996, @seongm1n, and @therepanic

28 days ago

spring-security

spring-projects

⭐ New Features

Add META-INF/LICENSE.txt to published jars #17639
Update Angular documentation links in csrf.adoc #17653
Update Shibboleth Repository URL #17637
Use 2004-present Copyright #17634

🪲 Bug Fixes

Add Missing Navigation in Preparing for 7.0 Guide #17731
DPoP authentication throws JwtDecoderFactory ClassNotFoundException #17249
OpenSamlAssertingPartyDetails Should Be Serializable #17727
Use final values in equals and hashCode #17621

🔨 Dependency Upgrades

Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17739
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17690
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17684
Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17661
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17615
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17599
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17737
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17701
Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17614
Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17647
Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17733
Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17711
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17612
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17598
Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17742
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17613
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17595
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17760
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17692
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17683
Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17671
Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17616
Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17597
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #17646
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #17660
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17694
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17685
Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #17650
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17645
Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17757
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17651
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17596
Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #17735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@codingtim

28 days ago

spring-security

spring-projects

⭐ New Features

Add META-INF/LICENSE.txt to published jars #17638
Update Angular documentation links in csrf.adoc #17652
Update Shibboleth Repository URL #17636
Use 2004-present Copyright #17633

🪲 Bug Fixes

OpenSamlAssertingPartyDetails Should Be Serializable #17622

🔨 Dependency Upgrades

Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17611
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17604
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17756
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17699
Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17643
Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17741
Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17717
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17609
Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17603
Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17736
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17607
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17602
Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17641
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #17630
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #17659
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17695
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17680
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17696
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17682
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17642
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17600
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.9 #17738
Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17745
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17610
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17601
Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #17744

2025-07-22 02:34:22

spring-security

spring-projects

🪲 Bug Fixes

<websocket-message-broker> should pick up a bean named csrfChannelInterceptor #17494
Fix securityContextRepository() initialization in oauth2Login() DSL #17502
Support add nested security configurers during builder initialization #17020

🔨 Dependency Upgrades

Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17464
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17433
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17413
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17393
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17370
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17348
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17336
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17576
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17548
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17519
Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17463
Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17431
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17574
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17551
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17529
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17373
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17339
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17281
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17273
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17465
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17435
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17409
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17392
Bump org.hibernate.orm:hibernate-core from 6.6.19.Final to 6.6.20.Final #17490
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17550
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17521
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #17575
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17480
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17434
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17405
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17390
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17366
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17350
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17282
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17272
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17577
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17462
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17432
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17418
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17391
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17372
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17347
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17278
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17274
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17461
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17410
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17394
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17368
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17340
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17280
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17271
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17578
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17549

❤️ Contributors

Thank you to all the contributors who worked on this release:

@kse-music and @marcusdacoregio

2025-07-22 02:34:18

spring-security

spring-projects

🪲 Bug Fixes

<websocket-message-broker> should pick up a bean named csrfChannelInterceptor #17495
Add 7.0 Migration Steps for Messaging PathPattern Usage #17509
EnableReactiveMethodSecurity should not import Servlet configuration #17545
Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method #17337
Fix securityContextRepository() initialization in oauth2Login() DSL #17557
OAuth2Login DSL should support post-processing AuthenticationProvider implementations #17176
Websocket XML config should pick up PathPatternMessageMatcher.Builder #17508

🔨 Dependency Upgrades

Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17483
Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17444
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17470
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17441
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17398
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17375
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17354
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17335
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17570
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17554
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17520
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17467
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17407
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17376
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17349
Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17572
Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17556
Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17539
Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17469
Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17445
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17555
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17528
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17377
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17353
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17279
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17261
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17408
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17403
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.20.Final #17491
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17552
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17522
Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #17571
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17466
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17443
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17404
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17374
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17352
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17276
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17270
Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17569
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17468
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17442
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17406
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17401
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17277
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17264
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17481
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17411
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17395
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17378
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17355
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17275
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17268
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17568
Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17553

❤️ Contributors

Thank you to all the contributors who worked on this release:

@fkowal and @therepanic

2025-07-21 23:25:10

spring-security

spring-projects

⏪ Breaking Changes

Address BouncyCastle's deprecated AESFastEngine usage #16164
Default to XorCsrfChannelInterceptor in XML configuration #17323
Don't cache WebSocket request in RequestCache #16741
Improve JdbcUserDetailsManager.userExists method #14649
Remove .and() and non lambda methods from DSL #13067
Remove authorizeRequests #15174
Remove AbstractConfiguredSecurityBuilder apply method #17498
Remove AbstractSecurityWebSocketMessageBrokerConfigurer #17328
Remove ApacheDS #13852
Remove APPLICATION_JSON_UTF8 usage #17070
Remove AssertingPartyDetails from APIs in favor of AssertingPartyMetadata #17304
Remove deprecated classes moved to other packages #17330
Remove deprecated elements from DaoAuthenticationProvider #17315
Remove deprecated elements of RoleHierarchyImpl #17313
Remove deprecated elements using AuthorizationDecision #17322
Remove deprecated implementations of OAuth2AccessTokenResponseClient #16909
Remove deprecated methods from CookieServerCsrfTokenRepository #14139
Remove deprecations from CookieCsrfTokenRepository #14132
Remove EnableWebMvcSecurity #17311
Remove HandlerMappingIntrospector Usage #16886
Remove LazyCsrfTokenRepository #13196
Remove Nimbus(Reactive)OpaqueTokenIntrospector #17326
Remove no-version Open SAML implementations #17306
Remove PrePostTemplateDefaults #17312
Remove RelyingPartyRegistration deprecations #17329
Remove RequestVariablesExtractor #17320
Remove Resource Owner Password Credentials grant #17446
Remove shouldFilterAllDispatcherTypes #17505
Remove shouldFilterAllDispatcherTypes #12139
Remove usage of PathMatcher in messaging #17501
Use LdapName instead of DistinguishedName #17325

⭐ New Features

Add basePath to PathPatternParserRequestMatcherBuilderFactoryBean #17579
Add BearerTokenAuthenticationConverter #14791
Add default authorizationRequestBaseUri to DefaultOAuth2AuthorizationRequestResolver #16384
Add Equals and HashCode methods for better comparison. #16842
Add JdbcAssertingPartyMetadataRepository #17077
Add null check for authentication token in JwtAuthenticationProvider #17251
Add NullReturningMethodAuthorizationDeniedHandler #17084
Add OAuth Support for HTTP Interface Client #16858
Add PathPatternRequestMatcher static factory shortcuts #17476
Add possibility to customize JwkSource of NimbusJwtDecoder #17046
Add Support Credentialless COEP Header #17027
Add Support Extracting DN From X500Principal #16984
Add TestMockHttpServletRequests #17450
Add Twitter/X to CommonOAuth2Provider #16510
Add username property to UsernameNotFoundException #17179
Begin Spring Security 7 to 8 Migration Guide #17182
Create CsrfCustomizer for SPA configuration #16966
Create demonstration of include-code usage #17163
Create Spring Security 7.0.x branch #17047
Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338
Deprecate the X5T JOSE Header name #17130
Exceptions for Authorized Objects should propagate when returned from a Controller #17074
Fix the problem of not deserializing SwitchUserGrantedAuthority in Webflux #17064
Force Snapshot Build is separate workflow #17558
Improve logging clarity in CsrfFilter #17425
Improve OAuth2ResourceServerConfigurer to eliminate deprecated operations #16963
Include UsernameNotFoundException in BadCredentialsException #16512
JwtTimestampsValidator can require exp and nbf claims #17030
Kotlin 2.2 Upgrade #16884
Make AuthorizationProxyFactory.proxy generic #16996
NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
Polish Webauthn4JRelyingPartyOperations #17224
Remove 32-byte minimum keyLength restriction in Base64StringKeyGenerator #17091
Remove GET request support from Saml2AuthenticationTokenConverter #17108
Replace deprecated #check calls with #authorize #16965
Replace deprecated NimbusReactiveOpaqueTokenIntrospector with SpringReactiveOpaqueTokenIntrospector #16964
Send saml logout response even when validation errors happen #14676
Setup include-code extension for docs #17162
Simplify Expression Migration for authorizeRequests #17504
Simplify Websocket Csrf Processor XML Configuration #17248
Standarize Mock Request Paths #17449
Support Filtering Events in SpringAuthorizationEventPublisher #17503
Support Spring Data container types for AuthorizeReturnObject #16953
Update document regarding Stream usage #17219
Update Type Validation Defaults #17181
Use UserWebTestClientConfigurer #17496
We should remove usage of PathMatcher in web modules #16887

🪲 Bug Fixes

DataTargetVisitor should be package private to support AOT #17561
Fix users schema documentation #17190
Fixed link to CSRF checks on rubyonrails.org site #17319
Remove the redundant punctuation marks in the comments #17075
UnboundIdContainer fails with TestContext #17543
Update HttpSecurity javadoc to use authorizeHttpRequests #17225
Update JwtIssuerAuthenticationManagerResolver constructor javadoc #17486

🔨 Dependency Upgrades

Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17458
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17430
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17422
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17397
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17360
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17344
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17288
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17262
Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17252
Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17567
Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #17092
Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #17193
Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17478
Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17429
Bump io-spring-javaformat from 0.0.43 to 0.0.45 #17150
Bump io-spring-javaformat from 0.0.45 to 0.0.46 #17200
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17479
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17423
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17396
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17363
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17346
Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17332
Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #17093
Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #17222
Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17517
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17456
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17427
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17421
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17402
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17361
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17343
Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17333
Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17538
Bump io.projectreactor:reactor-bom from 2025.0.0-M2 to 2025.0.0-M3 #17104
Bump io.projectreactor:reactor-bom from 2025.0.0-M3 to 2025.0.0-M4 #17227
Bump io.projectreactor:reactor-bom from 2025.0.0-M4 to 2025.0.0-M5 #17526
Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #17205
Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #17090
Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17457
Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17527
Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #17213
Bump org.hibernate.orm:hibernate-core from 7.0.0.CR1 to 7.0.0.CR2 #17114
Bump org.hibernate.orm:hibernate-core from 7.0.0.CR2 to 7.0.0.Final #17149
Bump org.hibernate.orm:hibernate-core from 7.0.0.Final to 7.0.1.Final #17228
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final #17269
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final #17242
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17362
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17342
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17331
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17459
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17428
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17420
Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17399
Bump org.hibernate.orm:hibernate-core from 7.0.4.Final to 7.0.5.Final #17489
Bump org.hibernate.orm:hibernate-core from 7.0.5.Final to 7.0.6.Final #17518
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17460
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17417
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17400
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17364
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17351
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17286
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17267
Update com.nimbusds dependencies #17542
Update to Kotlin 2.2 #17380
Update to Spring Data 2025.1.0-M4 #17560
Update to Spring Framework 7.0.0-M7 #17559

🔩 Build Updates

Bump @springio/antora-extensions from 1.14.4 to 1.14.6 in /docs #17515
Remove deprecated Cookie method usage #17006

❤️ Contributors

Thank you to all the contributors who worked on this release:

@1livv, @DeepDhamala, @FerencKemeny, @GrmpfNarf, @JohnNiang, @Lidoca, @M-Faheem-Khan, @Shenker93, @big-cir, @chanbinme, @chschu, @evga7, @evgeniycheban, @fa11enangel, @felhag, @fjacobs, @franticticktick, @gamemock, @huhdy32, @kiruthiga1793, @kse-music, @marbon87, @milaneuh, @msqr, @ngocnhan-tran1996, @pat-mccusker, @quaff, @ronodhirSoumik, @rwinch, @surajbh123, @therepanic, @wapkch, and @yuezk

2025-06-16 23:08:24

spring-security

spring-projects

6.4.7 🪲 Bug Fixes

ClearSiteDataHeaderWriter log is misleading #17165
Fix inconsistent constructor declaration for ReactiveAuthorizationManagerMethodSecurityConfiguration #17197
Fix to allow multiple AuthenticationFilter instances to process each request #17215
Use HttpStatus in back-channel logout filters #17156

🔨 Dependency Upgrades

Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #17229
Bump io-spring-javaformat from 0.0.43 to 0.0.45 #17148
Bump io-spring-javaformat from 0.0.45 to 0.0.46 #17199
Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #17221
Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #17230
Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #17206
Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #17212
Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #17183
Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17253
Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17254
Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17237
Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17236

❤️ Contributors

Thank you to all the contributors who worked on this release:

@damable-nuvolex