What’s New in Spring Security 6.1

Spring Security 6.1 provides a number of new features. Below are the highlights of the release.

Core

gh-12233 - SecuredAuthorizationManager allows customizing underlying AuthorizationManager
gh-12231 - Add Authority Collection Authorization Manager

OAuth 2.0

gh-10309 - (docs) - Add Nimbus(Reactive)JwtDecoder#withIssuerLocation
gh-12907 - Configure principal claim name in ReactiveJwtAuthenticationConverter

SAML 2.0

gh-12604 - Support AuthnRequestSigned metadata attribute
gh-12846 - Metadata supports multiple entities and EntitiesDescriptor
gh-11828 - (docs) - Add saml2Metadata to DSL
gh-12843 - (docs) - Allow Relying Party to be Deduced from LogoutRequest
gh-10243 - (docs) - Allow Relying Party to be Deduced from SAML Response
gh-12842 - Add RelyingPartyRegistration placeholder resolution component
gh-12845 - Support issuing LogoutResponse after already logged out

Observability

gh-12534 - Customize Authentication and Authorization observation conventions

Web

gh-12751 - Add RequestMatchers factory class
gh-12847 - Propagate variables through And and OrRequestMatcher

Docs

In our ongoing efforts to update Spring Security’s documentation, several additional sections were fully re-written:

gh-13088 - (docs) - Revisit Authorization documentation
gh-12681 - (docs) - Revisit Session Management documentation
gh-13062 - (docs) - Revisit Logout documentation
gh-13089 - Revisit CSRF Documentation