This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.0!
What’s New in Spring Security 6.0
Spring Security 6.0 provides a number of new features. Below are the highlights of the release.
Breaking Changes
- gh-8980 - Remove unsafe/deprecated `Encryptors.queryableText(CharSequence,CharSequence)`. Instead use data storage to encrypt values.
- gh-11520 - Remember Me uses SHA256 by default
- gh-8819 - Move filters to web package. Reorganize imports.
- gh-7349 - Move filter and token to appropriate packages. Reorganize imports.
- gh-11026 - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
- gh-11827 - Change default authority for `oauth2Login()`
- gh-10347 - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
- gh-11923 - Remove `WebSecurityConfigurerAdapter`. Instead, create a `SecurityFilterChain` bean.
- gh-11899 - Use `MvcRequestMatcher` by default if Spring MVC is present. You can configure a different `RequestMatcher` by using the `request-matcher` attribute from `<http>`.
- Change `use-authorization-manager="true"` to default. If the application uses `use-expressions="true"` or `access-decision-manager-ref`, switch to `use-expressions="false"` or `authorization-manager-ref`, respectively. If the application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified. Or use `use-authorization-manager="false"`.
- gh-11939 - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration. Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
- gh-11985 - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`.
- gh-11960 - Default to Xor CSRF protection for servlet and reactive
- gh-12019 - Remove deprecated method `setTokenFromMultipartDataEnabled` from `CsrfWebFilter`
- gh-12020 - Remove deprecated method `tokenFromMultipartDataEnabled` from Java Configuration
- gh-9429 - `Authentication(Web)Filter` rethrows `AuthenticationServiceException`s
- gh-11110 - Require explicit session saves by default
- gh-11057 - Remove `MessageSourceAware` from `ExceptionTranslationWebFilter`
- gh-12202 - Remove OAuth deprecations
- gh-10556 - Remove EOL OpenSaml 3 Support. Use the OpenSaml 4 Support instead.
- gh-11077 - Remove SAML deprecations
  - Remove `Converter` constructors from `Saml2MetadataFilter` and `Saml2AuthenticationTokenConverter`
  - Remove `Saml2AuthenticationRequestContextResolver` and `Saml2AuthenticationRequestFactory` and implementations
  - Remove `Saml2AuthenticationToken(String, String, String, String, List)`
  - Remove `RelyingPartyRegistration.ProviderDetails` and related methods
  - Remove `OpenSamlAuthenticationProvider`
- gh-12180 - Register `FilterChainProxy` for all dispatcher types
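The replacement called for by gh-11923 and gh-11939, as an added example that is not code from the Spring Security project. The class name, paths and role name are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// 5.x style that no longer compiles on 6.0, shown for comparison:
//   class SecurityConfig extends WebSecurityConfigurerAdapter {
//       protected void configure(HttpSecurity http) throws Exception {
//           http.authorizeRequests()
//               .antMatchers("/api/health").permitAll()
//               .anyRequest().authenticated();
//       }
//   }

@Configuration
@EnableWebSecurity
public class SecurityConfig {  // hypothetical class name

    // Chain 1: only handles /api/** (hypothetical path), selected with securityMatcher.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/api/health").permitAll()  // was antMatchers(...)
                .anyRequest().hasRole("API"))                // hypothetical role
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: every request the first chain did not claim.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/", "/css/**").permitAll() // state public paths explicitly
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```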
Core
- gh-11446 - Add native image support for `@PreAuthorize`
- gh-11737 - Add native image support for `@PostAuthorize`
- Instrumentation of `AuthenticationManager`, `AuthorizationManager`, and `FilterChainProxy`
- Instrumentation of `ReactiveAuthenticationManager`, `ReactiveAuthorizationManager`, and `WebFilterChainProxy`
LDAP
- gh-9276 - `LdapAuthoritiesPopulator` is post-processed
Web
- gh-11432 - `CookieServerCsrfTokenRepository` supports maxage