This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.1.11!

What’s New in Spring Security 6.0

Spring Security 6.0 provides a number of new features. Below are the highlights of the release.

Baseline Changes

  • Spring Security 6 requires JDK 17

Breaking Changes

  • gh-8980 - Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence). Instead use data storage to encrypt values.

  • gh-11520 - Remember Me uses SHA256 by default

  • gh-8819 - Move filters to web package Reorganize imports

  • gh-7349 - Move filter and token to appropriate packages Reorganize imports

  • gh-11026 - Use RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository

  • gh-11827 - Change default authority for oauth2Login()

  • gh-10347 - Remove UsernamePasswordAuthenticationToken check in BasicAuthenticationFilter

  • gh-11923 - Remove WebSecurityConfigurerAdapter. Instead, create a SecurityFilterChain bean.

  • gh-11899 - Use MvcRequestMatcher by default if Spring MVC is present. You can configure a different RequestMatcher by using the request-matcher attribute from <http>.

  • Change use-authorization-manager="true" to default If the application uses use-expressions="true" or access-decision-manager-ref switch to use-expressions="false" or authorization-manager-ref, respectively. If application relies on the implicit <intercept-url pattern="/**" access="permitAll"/>, this is no longer implicit and needs to be specified. Or use use-authorization-manager="false"

  • gh-11939 - Remove deprecated antMatchers, mvcMatchers, regexMatchers helper methods from Java Configuration. Instead, use requestMatchers or HttpSecurity#securityMatchers.

  • gh-11985 - Remove deprecated constructors in Argon2PasswordEncoder, SCryptPasswordEncoder and Pbkdf2PasswordEncoder.

  • gh-11960 - Default to Xor CSRF protection for servlet and reactive

  • gh-12019 - Remove deprecated method setTokenFromMultipartDataEnabled from CsrfWebFilter

  • gh-12020 - Remove deprecated method tokenFromMultipartDataEnabled from Java Configuration

  • gh-9429 - Authentication(Web)Filter rethrows `AuthenticationServiceException`s

  • gh-11027, gh-11466 - Authorization on every dispatcher type

  • gh-11110 - Require explicit session saves by default

  • gh-11057 - Remove MessageSourceAware from ExceptionTranslationWebFilter

  • gh-12202 - Remove OAuth deprecations

  • gh-10556 - Remove EOL OpenSaml 3 Support. Use the OpenSaml 4 Support instead.

  • gh-11077 - Remove SAML deprecations

    • Remove Converter constructors from Saml2MetadataFilter and Saml2AuthenticationTokenConverter

    • Remove Saml2AuthenticationRequestContextResolver and Saml2AuthenticationRequestFactory and implementations

    • Remove Saml2AuthenticationToken(String, String, String, String, List)

    • Remove RelyingPartyRegistration.ProviderDetails and related methods

    • Remove OpenSamlAuthenticationProvider

  • gh-12180 - Register FilterChainProxy for all dispatcher types

Core

  • gh-11446 - Add native image support for @PreAuthorize

  • gh-11737 - Add native image support for @PostAuthorize

  • Instrumentation of AuthenticationManager, AuthorizationManager, and FilterChainProxy

  • Instrumentation of ReactiveAuthenticationManager, ReactiveAuthorizationManager, and WebFilterChainProxy

LDAP

  • gh-9276 - LdapAuthoritiesPopulator is post-processed

Web

  • gh-11432 - CookieServerCsrfTokenRepository supports maxage