
What’s New in Spring Security 6.0

Spring Security 6.0 provides a number of new features. Below are the highlights of the release.

Baseline Changes

  • Spring Security 6 requires JDK 17

Breaking Changes

  • gh-8980 - Remove unsafe/deprecated Encryptors.queryableText(CharSequence,CharSequence). Instead use data storage to encrypt values.

  • gh-11520 - Remember Me uses SHA256 by default

  • gh-8819 - Move filters to web package. Reorganize imports.

  • gh-7349 - Move filter and token to appropriate packages. Reorganize imports.

  • gh-11026 - Use RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository

  • gh-11827 - Change default authority for oauth2Login()

  • gh-10347 - Remove UsernamePasswordAuthenticationToken check in BasicAuthenticationFilter

  • gh-11923 - Remove WebSecurityConfigurerAdapter. Instead, create a SecurityFilterChain bean.

  • gh-11899 - Use MvcRequestMatcher by default if Spring MVC is present. You can configure a different RequestMatcher by using the request-matcher attribute from <http>.

  • Change use-authorization-manager="true" to be the default. If the application uses use-expressions="true" or access-decision-manager-ref, switch to use-expressions="false" or authorization-manager-ref, respectively. If the application relies on the implicit <intercept-url pattern="/**" access="permitAll"/>, this is no longer implicit and needs to be specified. Alternatively, set use-authorization-manager="false".

  • gh-11939 - Remove deprecated antMatchers, mvcMatchers, regexMatchers helper methods from Java Configuration. Instead, use requestMatchers or HttpSecurity#securityMatchers.

  • gh-11985 - Remove deprecated constructors in Argon2PasswordEncoder, SCryptPasswordEncoder and Pbkdf2PasswordEncoder.

  • gh-11960 - Default to Xor CSRF protection for servlet and reactive

  • gh-12019 - Remove deprecated method setTokenFromMultipartDataEnabled from CsrfWebFilter

  • gh-12020 - Remove deprecated method tokenFromMultipartDataEnabled from Java Configuration

  • gh-9429 - Authentication(Web)Filter rethrows `AuthenticationServiceException`s

  • gh-11027, gh-11466 - Authorization on every dispatcher type

  • gh-11110 - Require explicit session saves by default

  • gh-11057 - Remove MessageSourceAware from ExceptionTranslationWebFilter

  • gh-12202 - Remove OAuth deprecations

  • gh-10556 - Remove EOL OpenSaml 3 Support. Use the OpenSaml 4 Support instead.

  • gh-11077 - Remove SAML deprecations

    • Remove Converter constructors from Saml2MetadataFilter and Saml2AuthenticationTokenConverter

    • Remove Saml2AuthenticationRequestContextResolver and Saml2AuthenticationRequestFactory and implementations

    • Remove Saml2AuthenticationToken(String, String, String, String, List)

    • Remove RelyingPartyRegistration.ProviderDetails and related methods

    • Remove OpenSamlAuthenticationProvider

  • gh-12180 - Register FilterChainProxy for all dispatcher types


  • gh-11446 - Add native image support for @PreAuthorize

  • gh-11737 - Add native image support for @PostAuthorize

  • Instrumentation of AuthenticationManager, AuthorizationManager, and FilterChainProxy

  • Instrumentation of ReactiveAuthenticationManager, ReactiveAuthorizationManager, and WebFilterChainProxy


  • gh-9276 - LdapAuthoritiesPopulator is post-processed


  • gh-11432 - CookieServerCsrfTokenRepository supports maxage
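
The following is an added example, not taken from the Spring Security documentation, of a Java configuration written against the breaking changes gh-11923, gh-11939 and gh-11027/gh-11466 listed above. The class name, URL patterns, role name and the choice to permit FORWARD and ERROR dispatches are assumptions about a hypothetical application.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical application configuration; names and paths are illustrative.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // gh-11923: WebSecurityConfigurerAdapter is removed, so the filter chain
    // is published as a SecurityFilterChain bean instead of overriding
    // configure(HttpSecurity).
    @Bean
    SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                // gh-11027, gh-11466: authorization now applies to every
                // dispatcher type. Rules are evaluated for FORWARD and ERROR
                // dispatches too, so this sample permits them explicitly
                // (assumption: the forwarded views and error page are not
                // themselves sensitive).
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                // gh-11939: antMatchers/mvcMatchers/regexMatchers are removed;
                // requestMatchers is the replacement.
                .requestMatchers("/css/**", "/login").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Nothing is permitted implicitly: every remaining request
                // must be authenticated.
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Rule order matters: the first matching rule wins, so the dispatcher-type and public-path rules precede the catch-all `anyRequest()`.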