This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.6!

What’s New in Spring Security 7.0

Spring Security 7.0 provides a number of new features. Below are the highlights of the release, or you can view the release notes for a detailed listing of each feature and bug fix.

Removals

Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7. Each section that follows will indicate the more notable removals as well as the new features in that module

Modules

The Spring Security Kerberos Extension is now part of Spring Security. See the Kerberos section of the reference for details.
Spring Authorization Server is now part of Spring Security. See the OAuth 2.0 Authorization Server section of the reference for details.

Core

Added Support for Multi-Factor Authentication
Removed AuthorizationManager#check in favor of AuthorizationManager#authorize
Added AllAuthoritiesAuthorizationManager and AllAuthoritiesReactiveAuthorizationManager along with corresponding methods for Authorizing HttpServletRequests and method security expressions.
Added AuthorizationManagerFactory for creating AuthorizationManager instances in request-based and method-based authorization components
Added Authentication.Builder for mutating and merging Authentication instances
Moved Access API (AccessDecisionManager, AccessDecisionVoter, etc.) to a new module, spring-security-access

Config

Support modular configuration in Servlets and WebFlux
Removed and() from the HttpSecurity DSL in favor of using the lambda methods
Removed authorizeRequests in favor of authorizeHttpRequests
Simplified expression migration for authorizeRequests
Added support for SPA-based CSRF configuration
Added support for binding missing authorities to authentication mechanisms.
Java
http.csrf((csrf) -> csrf.spa());

Crypto

Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:
- Argon2Password4jPasswordEncoder - Argon2
- BcryptPassword4jPasswordEncoder - BCrypt
- ScryptPassword4jPasswordEncoder - SCrypt
- Pbkdf2Password4jPasswordEncoder - PBKDF2
- BalloonHashingPassword4jPasswordEncoder - Balloon Hashing

Data

Added support to Authorized objects for Spring Data types

LDAP

Removed ApacheDsContainer and related Apache DS support in favor of UnboundID

OAuth 2.0

Removed support for password grant
Added OAuth2 Support for HTTP Service Clients
Added support for custom JwkSource in NimbusJwtDecoder, allowing usage of Nimbus’s JwkSourceBuilder API
Added builder for NimbusJwtEncoder, supports specifying an EC or RSA key pair or a secret key
Added support for @ClientRegistrationId at the type level, eliminating the need for method level repetition
Added support for OAuth 2.0 Dynamic Registration Protocol
Enabled PKCE by default in OAuth 2.0 Authorization Server

SAML 2.0

Removed API methods based on AssertingPartyDetails class in favor of AssertingPartyMetadata interface
Removed GET request support from Saml2AuthenticationTokenConverter
Added JDBC-based AssertingPartyMetadataRepository
Made so that SLO still returns <saml2:LogoutResponse> even when validation fails
Removed Open SAML 4 support; applications should migrate to Open SAML 5

Test

Add SecurityMockMvcResultMatchers.withAuthorities(String…)

Web

Removed MvcRequestMatcher and AntPathRequestMatcher in favor of PathPatternRequestMatcher
Added SubjectX500PrincipalExtractor
Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
Added support to Authorized objects for Spring MVC types
Added support to Default Login Page to show factors based on factor.type and factor.reason parameters
Changed LoginUrlAuthenticationEntryPoint to favor relative redirects by default