This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.2.4!

What’s New in Spring Security 5.8

Spring Security 5.8 provides a number of new features. Below are the highlights of the release.

Core

Session Handling Improvements

  • gh-6125 - improved session creation and access

  • gh-11392 - Support deferring lookup of SecurityContext

AuthorizationManager API

  • gh-11493 - AuthorizationManager supports SpEL

  • Additional XML support for AuthorizationManager

  • gh-11393 - Additional DSL support for AuthorizationManager

  • gh-11304 - AuthorizationManager supports RoleHierarchy

  • gh-11076 - AuthorizationManager supports WebSockets

  • gh-11326 - AuthorizationManager supports AspectJ

  • gh-4841, gh-9401 - ReactiveAuthorizationManager supports method security

  • gh-11625 - Support AuthorizationManager composition

Misc

  • gh-10973 - SecurityContextHolderStrategy can be published as a @Bean

Config

  • gh-11771 - HttpSecurityDsl should support apply method

OAuth

  • gh-11590 - Deprecate Resource Owner Password Grant

  • gh-11383 - Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri

  • gh-11661 - Add OpaqueTokenAuthenticationConverter

  • gh-11232 - ClientRegistrations#rest defines 30s connect and read timeouts

  • gh-11638 - Refresh remote JWK when unknown KID error occurs

SAML

  • gh-11286 - Support configuring multiple relying party logout bindings

  • gh-11065 - Allow custom relay state for AuthnRequests

  • gh-11468 - Simplify AuthnRequest#id access

Web

  • gh-11073 - Add DelegatingServerHttpHeadersWriter

  • gh-4001 - Add servlet support for CSRF BREACH protection

  • gh-11959 - Add reactive support for CSRF BREACH protection

  • gh-11464 - Remember Me supports SHA256 algorithm

  • gh-11908 - Make X-Xss-Protection header value configurable in ServerHttpSecurity

  • gh-11347 - Simplify Java Configuration RequestMatcher Usage

  • gh-9159 - Add securityMatcher as an alias on requestMatcher in HttpSecurity

  • gh-11952 - Add csrfTokenRequestResolver to CsrfDsl

  • gh-11916 - HttpSecurityConfiguration picks up ContentNegotiationStrategy bean

  • gh-11971 - Additional support for AuthorizationFilter running for all dispatcher types

Test

  • gh-6899 - @WithMockUser works as meta-annotation