⏪ Breaking Changes
⭐ New Features
- Add discoverJwsAlgorithms() in NimbusJwtDecoder #17788
- Add AuthorizationManagerFactory #17673
- Add Builders for all Authentication implementations #17861
- Add OneTimeTokenAuthentication #17799
- Add option to disable anonymous authentication in RSocketSecurity #17159
- Add password4j implementation of PasswordEncoder #17825
- Add SecurityAssertions #17844
- Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669
- Allow multiple ServerLogoutHandler instances in ServerHttpSecurity #17381
- Allow specifying a ServerAuthenticationConverter for x509() #17382
- AuthenticatedMatcher#withRoles should only check roles #17843
- Change @Bean method signature to return RsaKeyConversionServicePostProcessor instead of BeanFactoryPostProcessor #17672
- Enable Null checking in spring-security-cas via JSpecify #17826
- Enable Null checking in spring-security-data via JSpecify #17789
- Enable Null checking in spring-security-messaging via JSpecify #17817
- Enable Null checking in spring-security-rsocket via JSpecify #17827
- Enable Null checking in spring-security-taglibs via JSpecify #17828
- Enable Null checking in spring-security-test via JSpecify #17840
- Enable Null checking in spring-security-webauthn via JSpecify #17839
- Integrate Spring Authorization Server #17880
- Move Access API to Separate Module #17847
- Move Spring Security Kerberos Extension into Spring Security #17879
- Propagate Authorities From Previous Authentications #17862
- Remove PortResolver #15971
- Remove redundant code in document #17813
- RequestMatchers should implement equals and hashCode #17842
- SpringTestContext should register a WebTestClient Bean #17780
- Support @ClientRegistrationId at Class Level #17838
- Support Modular Spring Security Configuration #16258
🪲 Bug Fixes
- APIs should Use Supplier<? extends @Nullable Authentication> #17814
- AuthorizationManager should allow null Authentication #17795
🔨 Dependency Upgrades
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #17872
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #17834
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #17856
- Bump io.projectreactor:reactor-bom from 2025.0.0-M6 to 2025.0.0-M7 #17866
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.2 to 0.0.3 #17765
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.3 to 0.0.4 #17776
- Bump org-opensaml5 from 5.1.5 to 5.1.6 #17809
- Bump org.jetbrains.kotlin:kotlin-bom from 2.2.0 to 2.2.20 #17871
- Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.0 to 2.2.20 #17873
- Bump org.springframework.data:spring-data-bom from 2025.1.0-M5 to 2025.1.0-M6 #17888
- Bump org.springframework:spring-framework-bom from 7.0.0-M8 to 7.0.0-M9 #17876
🔩 Build Updates
- Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #17886
- Fix misleading variable name in authentication filter #17751
- Remove unused import #17750
❤️ Contributors
Thank you to all the contributors who worked on this release:
@bbudano, @blake-bauman, @frido37, @jaehwan02, @jzheaux, @kse-music, @mehrdadbozorgmehr, @ngocnhan-tran1996, @quaff, @sjohnr, and @therepanic