6.4.13
- BCryptPasswordEncoderTests should password limit of 72 bytes #18133
- Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18108
- Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18148
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18140
- Bump org-aspectj from 1.9.24 to 1.9.25 #18139
- Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18109
- Update Spring Data 2024.1.12 #18179
- Update to Reactor 2024.0.12 #18178
- Update to Spring Framework 6.2.13 #18177
Thank you to all the contributors who worked on this release:
@Kehrlann
7.0.0
- Add a minimal authorization server configuration #18153
- Mark
GrantedAuthority#getAuthorityas@Nullable#18014 - Polish SimpleGrantedAuthority #18062
- Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #18026
- Fix webauthn multifactor authentication #18163
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #18099
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #18100
- Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #18097
- Update to Reactor 2025.0.0 #18173
- Update to Spring Data 2025.1.0 #18174
- Update to Spring Framework 7.0.0 #18172
- Update to Spring LDAP 4.0.0 #18175
Thank you to all the contributors who worked on this release:
@Kehrlann, @SimonVonXCVII, @quaff, and @therepanic
6.5.7
- Add Include-Code for the Password Storage page #18054
- Default WebAuthnConfigurer#rpName to rpId #18131
- Document effects of disabling CORS #18129
typvalues should not be case-sensitive inJwtTypeValidator#18101- BCryptPasswordEncoderTests should password limit of 72 bytes #18136
- Fix GenerateOneTimeTokenRequestResolver ignored if username param not present #18074
- GenerateOneTimeTokenFilter should not attempt to generate a token with a null token request #18088
- Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18110
- Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18149
- Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18141
- Bump org-aspectj from 1.9.24 to 1.9.25 #18142
- Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18111
- Update to Reactor 2024.0.12 #18181
- Update to Spring Data 2024.1.12 #18182
- Update to Spring Framework 6.2.13 #18180
Thank you to all the contributors who worked on this release:
@himanshu-pareek, @marcusdacoregio, and @namest504
7.0.0-RC3
WebAuthnAuthenticationFilteris not getting post-processed byEnableMfaFiltersPostProcessor#18128- AOT hints for authorization server Jackson 3 types should be registered #18146
- JdbcRegisteredClientRepository should support Jackson 3 #18143
- RequestHeaderAuthenticationFilter#getPreAuthenticatedPrincipal should be declared
@Nullable#18046
7.0.0-RC1
- Align setRetrieveUserInfo() between OidcUserService and OidcReactiveOAuth2UserService #18057
- Consider disabling device_code grant by default #17998
- Enable PKCE by default #17507
- Enable PKCE by default in authorization server #18020
- Favor Relative Redirects by Default #16300
- Remove cache from (Reactive)OidcIdTokenDecoderFactory #16647
- Remove OidcUserService.setAccessibleScopes() #18056
- Remove setOidcUserMapper() in OidcUserService and OidcReactiveOAuth2UserService #18060
- Remove unnecessary throws Exception from spring-security-config #17957
- Add
@EnableGlobalMultiFactorAuthentication#17954 - Add
GrantedAuthorities.FACTOR_*_AUTHORITY#17952 - Add
RequiredFactor.Builder.Authority()#18033 - Add
TestingAuthenticationToken(Object principal,Object credential,String... authorities)#17980 - Add AccessDeniedHandler that Ties Authorities to Authentication Entry Points #17934
- Add AllAuthorities(Reactive)AuthorizationManager #17916
- Add AllFactorsAuthorizationManager #17997
- Add DefaultAuthorizationManagerFactory.additionalAuthorization #17942
- Add FactorGrantedAuthority #17996
- Add Jackson 3 support and deprecate Jackson 2 one #17832
- Add Predicate for authorizationConsentRequired for device code grant #18016
- Add RequiredAuthoritiesAuthorizationManager #18028
- Add SecurityMockMvcResultMatchers.withAuthorities(String...) #17974
- Add support for OAuth 2.0 Dynamic Client Registration Protocol #17964
- AllFactorsAuthorizationManager -> AllRequiredFactorsAuthorizationManager #18031
- Allow OAuth2AuthorizationRequest to be extended #18049
- Authentication should use FactorGrantedAuthority #18001
- Create AuthorizationManagerFactories.multiFactor #18032
- Default Login Page Should Pre-populate Username Field If Already Logged In #17935
- DelegatingAuthenticationEntryPoint should use RequestMatcherEntry #17915
- DelegatingMissingAuthorityAccessDeniedHandler Should Use RequiredFactorErrors #18002
- Document Multi-Factor Simple to Complex #18029
- Fix-typos #18035
- HttpSecurity should allow for
AuthorizationManager<? super RequestAuthorizationContext>#17931 - Implement OAuth 2.0 Protected Resource Metadata #17244
- Improve Passivity when Merging Authorities #18052
- Providers Should Add an Authority Representing Successful Authentication #17933
- Security Expressions Should Allow Returning an AuthorizationManager #17936
- Support Automatically Checking for Required Authorities in Authorization Rules #17900
- Support injecting clock into token generation code #18017
- Use
AuthorizationManagerFactoryin Kotlin DSL #17860
- DelegatingAuthenticationEntryPoint.Builder should not throw exception when default entry point is specified #17955
- Deprecate
CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE#18058 - Fix typo in AuthenticationProvider Javadoc #17967
- HttpSecurity.oauth2AuthorizationServer should not automatically set
HttpSecurity.securityMatcher#17965 - Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler #18000
- Move FACTOR_ constants to FactorGrantedAuthority #18030
- Prevent Duplicate
GrantedAuthority#getAuthority()at time of Authentication #17981 - ProviderManager.copyDetails Changes Authentication to new Type #18027
- Update terminology to HTTP Service Clients #17947
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18079
- Bump com.password4j:password4j from 1.8.2 to 1.8.4 #17904
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17982
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18043
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17983
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 #18055
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17903
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 #17970
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17949
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17943
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 #18064
- Update JUnit 6.0.0 #18040
- Update to Reactor 2025.0.0-RC1 #18087
- Update to Spring Data 2025.1.0-RC1 #18085
- Update to Spring Framework 7.0.0-RC1 #18084
- Update to Spring LDAP 4.0.0-RC1 #18086
- Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs #18009
- Remove Deprecations #13068
- Update to Reactor 2025.0.0-SNAPSHOT #18041
Thank you to all the contributors who worked on this release:
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17911
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17914
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17905
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17906
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17907
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17908
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17909
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17910
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17912
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17913
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17903
- Bump com.password4j:password4j from 1.8.2 to 1.8.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17904
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17917
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17918
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17919
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17920
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17921
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17922
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17923
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17924
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17925
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17926
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17929
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17937
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17943
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17945
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17930
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17938
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17944
- Add DefaultAuthorizationManagerFactory.additionalAuthorization by @therepanic in https://github.com/spring-projects/spring-security/pull/17942
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17949
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17950
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17970
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17977
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17984
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17985
- Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18010
- Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18011
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17978
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17983
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.4 to 0.0.5 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17992
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17976
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/17982
- Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18009
- Enhancements to Authentication#toBuilder by @jzheaux in https://github.com/spring-projects/spring-security/pull/18050
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18038
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18039
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18044
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18045
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18043
- Fix typo in AuthenticationProvider Javadoc by @parthokr in https://github.com/spring-projects/spring-security/pull/17967
- Fix-typos by @ngocnhan-tran1996 in https://github.com/spring-projects/spring-security/pull/18035
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18064
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18065
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18068
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18067
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18066
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18055
- Add Jackson 3 support and deprecate Jackson 2 one by @sdeleuze in https://github.com/spring-projects/spring-security/pull/17832
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18081
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18080
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18082
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18083
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in https://github.com/spring-projects/spring-security/pull/18079
- @parthokr made their first contribution in https://github.com/spring-projects/spring-security/pull/17967
- @sdeleuze made their first contribution in https://github.com/spring-projects/spring-security/pull/17832
Full Changelog: https://github.com/spring-projects/spring-security/compare/7.0.0-M3...7.0.0-RC1
6.5.6
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18082
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17930
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17929
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18045
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17950
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17945
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final #18039
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 #18083
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 #18067
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 #18068
6.4.12
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18080
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17985
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18044
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17984
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17944
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final #18038
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 #18081
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 #18065
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 #18066
6.4.11
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17921
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 #17909
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17918
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17905
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17917
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final #17907
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17919
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 #17906
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17920
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17908
6.5.5
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17922
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17911
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17923
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17910
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17924
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #17913
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17925
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #17912
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17926
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #17914