This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.3!

What’s New in Spring Security 6.5

Spring Security 6.5 provides a number of new features. Below are the highlights of the release, or you can view the release notes for a detailed listing of each feature and bug fix.

Breaking Changes

Observability

The security.security.reached.filter.section key name was corrected to spring.security.reached.filter.section. Note that this may affect reports that operate on this key name.

OAuth

gh-16386 - Enable PKCE for confidential clients using ClientRegistration.clientSettings.requireProofKey=true for servlet and reactive applications

WebAuthn

gh-16282 - JDBC Persistence for WebAuthn/Passkeys
gh-16397 - Added the ability to configure a custom HttpMessageConverter for Passkeys using the optional messageConverter property on the webAuthn DSL.
gh-16396 - Added the ability to configure a custom PublicKeyCredentialCreationOptionsRepository

One-Time Token Login

gh-16291 - oneTimeTokenLogin() now supports customizing GenerateOneTimeTokenRequest via GenerateOneTimeTokenRequestResolver