What’s New in Spring Security 6.1

Spring Security 6.1 provides a number of new features. Below are the highlights of the release.

Core

  • gh-12233 - SecuredAuthorizationManager allows customizing underlying AuthorizationManager

  • gh-12231 - Add Authority Collection Authorization Manager

OAuth 2.0

  • gh-10309 - (docs) - Add Nimbus(Reactive)JwtDecoder#withIssuerLocation

  • gh-12907 - Configure principal claim name in ReactiveJwtAuthenticationConverter

SAML 2.0

  • gh-12604 - Support AuthnRequestSigned metadata attribute

  • gh-12846 - Metadata supports multiple entities and EntitiesDescriptor

  • gh-11828 - (docs) - Add saml2Metadata to DSL

  • gh-12843 - (docs) - Allow Relying Party to be Deduced from LogoutRequest

  • gh-10243 - (docs) - Allow Relying Party to be Deduced from SAML Response

  • gh-12842 - Add RelyingPartyRegistration placeholder resolution component

  • gh-12845 - Support issuing LogoutResponse after already logged out

Observability

  • gh-12534 - Customize Authentication and Authorization observation conventions

Web

  • gh-12751 - Add RequestMatchers factory class

  • gh-12847 - Propagate variables through And and OrRequestMatcher

Docs

In our ongoing efforts to update Spring Security’s documentation, several additional sections were fully re-written: