7.0.0-M3
- Add discoverJwsAlgorithms() in NimbusJwtDecoder #17788
- Add AuthorizationManagerFactory #17673
- Add Builders for all Authentication implementations #17861
- Add OneTimeTokenAuthentication #17799
- Add option to disable anonymous authentication in RSocketSecurity #17159
- Add password4j implementation of PasswordEncoder #17825
- Add SecurityAssertions #17844
- Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669
- Allow multiple ServerLogoutHandler instances in ServerHttpSecurity #17381
- Allow specifying a ServerAuthenticationConverter for x509() #17382
- AuthenticatedMatcher#withRoles should only check roles #17843
- Change @Bean method signature to return RsaKeyConversionServicePostProcessor instead of BeanFactoryPostProcessor #17672
- Enable Null checking in spring-security-cas via JSpecify #17826
- Enable Null checking in spring-security-data via JSpecify #17789
- Enable Null checking in spring-security-messaging via JSpecify #17817
- Enable Null checking in spring-security-rsocket via JSpecify #17827
- Enable Null checking in spring-security-taglibs via JSpecify #17828
- Enable Null checking in spring-security-test via JSpecify #17840
- Enable Null checking in spring-security-webauthn via JSpecify #17839
- Integrate Spring Authorization Server #17880
- Move Access API to Separate Module #17847
- Move Spring Security Kerberos Extension into Spring Security #17879
- Propagate Authorities From Previous Authentications #17862
- Remove PortResolver #15971
- Remove redundant code in document #17813
- RequestMatchers should implement equals and hashCode #17842
- SpringTestContext should register a WebTestClient Bean #17780
- Support @ClientRegistrationId at Class Level #17838
- Support Modular Spring Security Configuration #16258
- APIs should Use Supplier<? extends @Nullable Authentication> #17814
- AuthorizationManager should allow null Authentication #17795
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17872
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17834
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17856
- Bump io.projectreactor:reactor-bom from 2025.0.0-M6 to 2025.0.0-M7 #17866
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.2 to 0.0.3 #17765
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.3 to 0.0.4 #17776
- Bump org-opensaml5 from 5.1.5 to 5.1.6 #17809
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.20 #17871
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.20 #17873
- Bump org.springframework.data:spring-data-bom from 2025.1.0-M5 to 2025.1.0-M6 #17888
- Bump org.springframework:spring-framework-bom from 7.0.0-M8 to 7.0.0-M9 #17876
- Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #17886
- Fix misleading variable name in authentication filter #17751
- Remove unused import #17750
Thank you to all the contributors who worked on this release:
@bbudano, @blake-bauman, @frido37, @jaehwan02, @jzheaux, @kse-music, @mehrdadbozorgmehr, @ngocnhan-tran1996, @quaff, @sjohnr, and @therepanic
6.5.4
- Update servlet test method docs to use include-code #17749
- Annotation Scanning Should Fallback to Object when Parameter Matching #17899
- Fix double-slash when basePath is root #17841
- Fix traceId discrepancy in case error in servlet web #17796
- Reference should advise avoiding post-authorization on writes #17798
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17893
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17874
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17895
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17854
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17836
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17894
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17858
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17767
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17766
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17759
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #17853
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #17837
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17896
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17897
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17855
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17791
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17771
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #17758
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17773
Thank you to all the contributors who worked on this release:
@jkuhel and @therepanic
6.4.10
- Annotation Scanning Should Fallback to Object when Parameter Matching #17898
- Fix traceId discrepancy in case error in servlet web #17134
- Reference should advise avoiding post-authorization on writes #17797
- Remove MockWebServer from JwtIssuerAuthenticationManagerResolverTests #17869
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17792
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17778
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17769
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17892
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17857
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17777
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17768
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #17755
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #17851
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final #17835
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17890
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17891
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17889
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17877
- Update to nimbus-jose-jwt:9.37.4 #17875
Thank you to all the contributors who worked on this release:
@nkonev
7.0.0-M2
- Add ExpressionTemplateValueProvider #17448
- Add META-INF/LICENSE.txt to published jars #17640
- Add OAuth2User to OidcUser Conversion Params #17626
- Apply missing diamond operators #17310
- Clarify instructional nature when withDefaultPasswordEncoder is used in documentation #17624
- Correct @NonNull and @Nullable package name #17512
- Enable Null checking in spring-security-core via JSpecify #17534
- Enable Null checking in spring-security-crypto via JSpecify #17533
- Extract spring-security-webauthn #17586
- Improve authoritiesClaimName validation in JwtGrantedAuthoritiesConverter #17247
- Improve Spring Boot's integration with PathPatternRequestMatcher.Builder #17746
- Make stricter IP format check in IpAddressMatcher #17500
- Polish document #17654
- Polish ExpressionTemplateValueProvider JavaDoc #17666
- Remove OpenSAML 4 support #17707
- Replace "shameless coverage code" in SecurityNamespaceHandlerTests with meaningful tests #17689
- Simplify error message for unsupported Security XSD versions #17488
- Use 2004-present Copyright #17635
- AuthorizationManager null safety annotation on generic type is incorrectly specified #17667
- OpenSamlAssertingPartyDetails Should Be Serializable #17728
- Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17589
- Bump com.nimbusds:oauth2-oidc-sdk from 11.26 to 11.26.1 #17644
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17700
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17681
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17657
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17697
- Bump io.projectreactor:reactor-bom from 2025.0.0-M5 to 2025.0.0-M6 #17703
- Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17619
- Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17590
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17725
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17620
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17588
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.1 to 0.0.2 #17591
- Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17743
- Bump org-opensaml5 from 5.1.2 to 5.1.5 #17734
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17691
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17679
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17670
- Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17618
- Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17587
- Bump org.hibernate.orm:hibernate-core from 7.0.6.Final to 7.0.8.Final #17649
- Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.10.Final #17693
- Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.10.Final #17678
- Bump org.hibernate.orm:hibernate-core from 7.0.8.Final to 7.0.9.Final #17658
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.10 #17721
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.10 #17719
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #17648
- Bump org.springframework.data:spring-data-bom from 2025.1.0-M4 to 2025.1.0-M5 #17740
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17722
- Bump org.springframework:spring-framework-bom from 7.0.0-M7 to 7.0.0-M8 #17724
- Support UnboundID LDAP SDK 7.0 #14772
- Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs #17712
- Bump @springio/antora-extensions from 1.14.6 to 1.14.7 in /docs #17564
- Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.9 in /docs #17714
- Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17617
- Update to UnboundID 7.0.3 #17730
Thank you to all the contributors who worked on this release:
@DeepDhamala, @chanbinme, @mheath, @ml054, @ngocnhan-tran1996, @seongm1n, and @therepanic
6.5.3
- Add META-INF/LICENSE.txt to published jars #17639
- Update Angular documentation links in csrf.adoc #17653
- Update Shibboleth Repository URL #17637
- Use 2004-present Copyright #17634
- Add Missing Navigation in Preparing for 7.0 Guide #17731
- DPoP authentication throws JwtDecoderFactory ClassNotFoundException #17249
- OpenSamlAssertingPartyDetails Should Be Serializable #17727
- Use final values in equals and hashCode #17621
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17739
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17690
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17684
- Bump com.webauthn4j:webauthn4j-core from 0.29.4.RELEASE to 0.29.5.RELEASE #17661
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17615
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17599
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17737
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17701
- Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17614
- Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17647
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17733
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17711
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17612
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17598
- Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17742
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17613
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17595
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17760
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17692
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17683
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #17671
- Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17616
- Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17597
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #17646
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #17660
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17694
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17685
- Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.34.1 to 4.34.2 #17650
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17645
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17757
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17651
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17596
- Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #17735
Thank you to all the contributors who worked on this release:
@codingtim
6.4.9
- Add META-INF/LICENSE.txt to published jars #17638
- Update Angular documentation links in csrf.adoc #17652
- Update Shibboleth Repository URL #17636
- Use 2004-present Copyright #17633
- OpenSamlAssertingPartyDetails Should Be Serializable #17622
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17611
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17604
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17756
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 #17699
- Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24 #17643
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17741
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.11 #17717
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17609
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10 #17603
- Bump org-eclipse-jetty from 11.0.25 to 11.0.26 #17736
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17607
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17602
- Bump org.gretty:gretty from 4.1.6 to 4.1.7 #17641
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.23.Final #17630
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.24.Final #17659
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17695
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.25.Final #17680
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17696
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17682
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17642
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17600
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.9 #17738
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #17745
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17610
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17601
- Bump org.springframework:spring-framework-bom from 6.2.9 to 6.2.10 #17744
6.4.8
- <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #17494
- Fix securityContextRepository() initialization in oauth2Login() DSL #17502
- Support add nested security configurers during builder initialization #17020
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17464
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17433
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17413
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17393
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17370
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17348
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17336
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17576
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17548
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17519
- Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17463
- Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17431
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17574
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17551
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17529
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17373
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17339
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17281
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17273
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17465
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17435
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17409
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17392
- Bump org.hibernate.orm:hibernate-core from 6.6.19.Final to 6.6.20.Final #17490
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17550
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17521
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #17575
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17480
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17434
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17405
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17390
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17366
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17350
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17282
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17272
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17577
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17462
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17432
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17418
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17391
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17372
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17347
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17278
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17274
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17461
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17410
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17394
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17368
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17340
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17280
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17271
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17578
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17549
Thank you to all the contributors who worked on this release:
@kse-music and @marcusdacoregio
6.5.2
- <websocket-message-broker> should pick up a bean named csrfChannelInterceptor #17495
- Add 7.0 Migration Steps for Messaging PathPattern Usage #17509
- EnableReactiveMethodSecurity should not import Servlet configuration #17545
- Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method #17337
- Fix securityContextRepository() initialization in oauth2Login() DSL #17557
- OAuth2Login DSL should support post-processing AuthenticationProvider implementations #17176
- Websocket XML config should pick up PathPatternMessageMatcher.Builder #17508
- Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17483
- Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17444
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17470
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17441
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17398
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17375
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17354
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17335
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17570
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17554
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17520
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17467
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17407
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17376
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17349
- Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17572
- Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17556
- Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17539
- Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17469
- Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17445
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17555
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17528
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17377
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17353
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17279
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17261
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17408
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final #17403
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.20.Final #17491
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17552
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final #17522
- Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final #17571
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17466
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17443
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17404
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17374
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17352
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17276
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17270
- Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 #17569
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17468
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17442
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17406
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17401
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17277
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17264
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17481
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17411
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17395
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17378
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17355
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17275
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17268
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17568
- Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 #17553
Thank you to all the contributors who worked on this release:
@fkowal and @therepanic
7.0.0-M1
- Address BouncyCastle's deprecated AESFastEngine usage #16164
- Default to XorCsrfChannelInterceptor in XML configuration #17323
- Don't cache WebSocket request in RequestCache #16741
- Improve JdbcUserDetailsManager.userExists method #14649
- Remove .and() and non lambda methods from DSL #13067
- Remove authorizeRequests #15174
- Remove AbstractConfiguredSecurityBuilder apply method #17498
- Remove AbstractSecurityWebSocketMessageBrokerConfigurer #17328
- Remove ApacheDS #13852
- Remove APPLICATION_JSON_UTF8 usage #17070
- Remove AssertingPartyDetails from APIs in favor of AssertingPartyMetadata #17304
- Remove deprecated classes moved to other packages #17330
- Remove deprecated elements from DaoAuthenticationProvider #17315
- Remove deprecated elements of RoleHierarchyImpl #17313
- Remove deprecated elements using AuthorizationDecision #17322
- Remove deprecated implementations of OAuth2AccessTokenResponseClient #16909
- Remove deprecated methods from CookieServerCsrfTokenRepository #14139
- Remove deprecations from CookieCsrfTokenRepository #14132
- Remove EnableWebMvcSecurity #17311
- Remove HandlerMappingIntrospector Usage #16886
- Remove LazyCsrfTokenRepository #13196
- Remove Nimbus(Reactive)OpaqueTokenIntrospector #17326
- Remove no-version Open SAML implementations #17306
- Remove PrePostTemplateDefaults #17312
- Remove RelyingPartyRegistration deprecations #17329
- Remove RequestVariablesExtractor #17320
- Remove Resource Owner Password Credentials grant #17446
- Remove shouldFilterAllDispatcherTypes #17505
- Remove shouldFilterAllDispatcherTypes #12139
- Remove usage of PathMatcher in messaging #17501
- Use LdapName instead of DistinguishedName #17325
- Add basePath to PathPatternParserRequestMatcherBuilderFactoryBean #17579
- Add BearerTokenAuthenticationConverter #14791
- Add default authorizationRequestBaseUri to DefaultOAuth2AuthorizationRequestResolver #16384
- Add Equals and HashCode methods for better comparison. #16842
- Add JdbcAssertingPartyMetadataRepository #17077
- Add null check for authentication token in JwtAuthenticationProvider #17251
- Add NullReturningMethodAuthorizationDeniedHandler #17084
- Add OAuth Support for HTTP Interface Client #16858
- Add PathPatternRequestMatcher static factory shortcuts #17476
- Add possibility to customize JwkSource of NimbusJwtDecoder #17046
- Add Support Credentialless COEP Header #17027
- Add Support Extracting DN From X500Principal #16984
- Add TestMockHttpServletRequests #17450
- Add Twitter/X to CommonOAuth2Provider #16510
- Add username property to UsernameNotFoundException #17179
- Begin Spring Security 7 to 8 Migration Guide #17182
- Create CsrfCustomizer for SPA configuration #16966
- Create demonstration of include-code usage #17163
- Create Spring Security 7.0.x branch #17047
- Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338
- Deprecate the X5T JOSE Header name #17130
- Exceptions for Authorized Objects should propagate when returned from a Controller #17074
- Fix the problem of not deserializing SwitchUserGrantedAuthority in Webflux #17064
- Force Snapshot Build is separate workflow #17558
- Improve logging clarity in CsrfFilter #17425
- Improve OAuth2ResourceServerConfigurer to eliminate deprecated operations #16963
- Include UsernameNotFoundException in BadCredentialsException #16512
- JwtTimestampsValidator can require exp and nbf claims #17030
- Kotlin 2.2 Upgrade #16884
- Make AuthorizationProxyFactory.proxy generic #16996
- NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
- Polish Webauthn4JRelyingPartyOperations #17224
- Remove 32-byte minimum keyLength restriction in Base64StringKeyGenerator #17091
- Remove GET request support from Saml2AuthenticationTokenConverter #17108
- Replace deprecated #check calls with #authorize #16965
- Replace deprecated NimbusReactiveOpaqueTokenIntrospector with SpringReactiveOpaqueTokenIntrospector #16964
- Send saml logout response even when validation errors happen #14676
- Setup include-code extension for docs #17162
- Simplify Expression Migration for authorizeRequests #17504
- Simplify Websocket Csrf Processor XML Configuration #17248
- Standardize Mock Request Paths #17449
- Support Filtering Events in SpringAuthorizationEventPublisher #17503
- Support Spring Data container types for AuthorizeReturnObject #16953
- Update document regarding Stream usage #17219
- Update Type Validation Defaults #17181
- Use UserWebTestClientConfigurer #17496
- We should remove usage of PathMatcher in web modules #16887
- DataTargetVisitor should be package private to support AOT #17561
- Fix users schema documentation #17190
- Fixed link to CSRF checks on rubyonrails.org site #17319
- Remove the redundant punctuation marks in the comments #17075
- UnboundIdContainer fails with TestContext #17543
- Update HttpSecurity javadoc to use authorizeHttpRequests #17225
- Update JwtIssuerAuthenticationManagerResolver constructor javadoc #17486
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17458
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17430
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17422
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17397
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17360
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17344
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17288
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17262
- Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17252
- Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17567
- Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #17092
- Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #17193
- Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17478
- Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17429
- Bump io-spring-javaformat from 0.0.43 to 0.0.45 #17150
- Bump io-spring-javaformat from 0.0.45 to 0.0.46 #17200
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17479
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17423
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17396
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17363
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17346
- Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17332
- Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #17093
- Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #17222
- Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17517
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17456
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17427
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17421
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17402
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17361
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17343
- Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17333
- Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17538
- Bump io.projectreactor:reactor-bom from 2025.0.0-M2 to 2025.0.0-M3 #17104
- Bump io.projectreactor:reactor-bom from 2025.0.0-M3 to 2025.0.0-M4 #17227
- Bump io.projectreactor:reactor-bom from 2025.0.0-M4 to 2025.0.0-M5 #17526
- Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #17205
- Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #17090
- Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17457
- Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17527
- Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #17213
- Bump org.hibernate.orm:hibernate-core from 7.0.0.CR1 to 7.0.0.CR2 #17114
- Bump org.hibernate.orm:hibernate-core from 7.0.0.CR2 to 7.0.0.Final #17149
- Bump org.hibernate.orm:hibernate-core from 7.0.0.Final to 7.0.1.Final #17228
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final #17269
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final #17242
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17362
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17342
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.3.Final #17331
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17459
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17428
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17420
- Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17399
- Bump org.hibernate.orm:hibernate-core from 7.0.4.Final to 7.0.5.Final #17489
- Bump org.hibernate.orm:hibernate-core from 7.0.5.Final to 7.0.6.Final #17518
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17460
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17417
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17400
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17364
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17351
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17286
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17267
- Update com.nimbusds dependencies #17542
- Update to Kotlin 2.2 #17380
- Update to Spring Data 2025.1.0-M4 #17560
- Update to Spring Framework 7.0.0-M7 #17559
- Bump @springio/antora-extensions from 1.14.4 to 1.14.6 in /docs #17515
- Remove deprecated Cookie method usage #17006
Thank you to all the contributors who worked on this release:
@1livv, @DeepDhamala, @FerencKemeny, @GrmpfNarf, @JohnNiang, @Lidoca, @M-Faheem-Khan, @Shenker93, @big-cir, @chanbinme, @chschu, @evga7, @evgeniycheban, @fa11enangel, @felhag, @fjacobs, @franticticktick, @gamemock, @huhdy32, @kiruthiga1793, @kse-music, @marbon87, @milaneuh, @msqr, @ngocnhan-tran1996, @pat-mccusker, @quaff, @ronodhirSoumik, @rwinch, @surajbh123, @therepanic, @wapkch, and @yuezk
6.4.7
- ClearSiteDataHeaderWriter log is misleading #17165
- Fix inconsistent constructor declaration for ReactiveAuthorizationManagerMethodSecurityConfiguration #17197
- Fix to allow multiple AuthenticationFilter instances to process each request #17215
- Use HttpStatus in back-channel logout filters #17156
- Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1 #17229
- Bump io-spring-javaformat from 0.0.43 to 0.0.45 #17148
- Bump io-spring-javaformat from 0.0.45 to 0.0.46 #17199
- Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #17221
- Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19 #17230
- Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #17206
- Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #17212
- Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final #17183
- Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final #17253
- Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 #17254
- Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 #17237
- Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 #17236
Thank you to all the contributors who worked on this release:
@damable-nuvolex