github spring-projects/spring-security 7.0.0-RC1

latest releases: 6.5.6, 6.4.12
pre-release, 18 hours ago

⏪ Breaking Changes

  • Align setRetrieveUserInfo() between OidcUserService and OidcReactiveOAuth2UserService #18057
  • Consider disabling device_code grant by default #17998
  • Enable PKCE by default #17507
  • Enable PKCE by default in authorization server #18020
  • Favor Relative Redirects by Default #16300
  • Remove cache from (Reactive)OidcIdTokenDecoderFactory #16647
  • Remove OidcUserService.setAccessibleScopes() #18056
  • Remove setOidcUserMapper() in OidcUserService and OidcReactiveOAuth2UserService #18060
  • Remove unnecessary throws Exception from spring-security-config #17957

⭐ New Features

  • Add @EnableGlobalMultiFactorAuthentication #17954
  • Add GrantedAuthorities.FACTOR_*_AUTHORITY #17952
  • Add RequiredFactor.Builder.Authority() #18033
  • Add TestingAuthenticationToken(Object principal,Object credential,String... authorities) #17980
  • Add AccessDeniedHandler that Ties Authorities to Authentication Entry Points #17934
  • Add AllAuthorities(Reactive)AuthorizationManager #17916
  • Add AllFactorsAuthorizationManager #17997
  • Add DefaultAuthorizationManagerFactory.additionalAuthorization #17942
  • Add FactorGrantedAuthority #17996
  • Add Jackson 3 support and deprecate Jackson 2 one #17832
  • Add Predicate for authorizationConsentRequired for device code grant #18016
  • Add RequiredAuthoritiesAuthorizationManager #18028
  • Add SecurityMockMvcResultMatchers.withAuthorities(String...) #17974
  • Add support for OAuth 2.0 Dynamic Client Registration Protocol #17964
  • AllFactorsAuthorizationManager -> AllRequiredFactorsAuthorizationManager #18031
  • Allow OAuth2AuthorizationRequest to be extended #18049
  • Authentication should use FactorGrantedAuthority #18001
  • Create AuthorizationManagerFactories.multiFactor #18032
  • Default Login Page Should Pre-populate Username Field If Already Logged In #17935
  • DelegatingAuthenticationEntryPoint should use RequestMatcherEntry #17915
  • DelegatingMissingAuthorityAccessDeniedHandler Should Use RequiredFactorErrors #18002
  • Document Multi-Factor Simple to Complex #18029
  • Fix-typos #18035
  • HttpSecurity should allow for AuthorizationManager<? super RequestAuthorizationContext> #17931
  • Implement OAuth 2.0 Protected Resource Metadata #17244
  • Improve Passivity when Merging Authorities #18052
  • Providers Should Add an Authority Representing Successful Authentication #17933
  • Security Expressions Should Allow Returning an AuthorizationManager #17936
  • Support Automatically Checking for Required Authorities in Authorization Rules #17900
  • Support injecting clock into token generation code #18017
  • Use AuthorizationManagerFactory in Kotlin DSL #17860

🪲 Bug Fixes

  • DelegatingAuthenticationEntryPoint.Builder should not throw exception when default entry point is specified #17955
  • Deprecate CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE #18058
  • Fix typo in AuthenticationProvider Javadoc #17967
  • HttpSecurity.oauth2AuthorizationServer should not automatically set HttpSecurity.securityMatcher #17965
  • Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler #18000
  • Move FACTOR_ constants to FactorGrantedAuthority #18030
  • Prevent Duplicate GrantedAuthority#getAuthority() at time of Authentication #17981
  • ProviderManager.copyDetails Changes Authentication to new Type #18027
  • Update terminology to HTTP Service Clients #17947

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18079
  • Bump com.password4j:password4j from 1.8.2 to 1.8.4 #17904
  • Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17982
  • Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18043
  • Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17983
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 #18055
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17903
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 #17970
  • Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17949
  • Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17943
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 #18064
  • Update JUnit 6.0.0 #18040
  • Update to Reactor 2025.0.0-RC1 #18087
  • Update to Spring Data 2025.1.0-RC1 #18085
  • Update to Spring Framework 7.0.0-RC1 #18084
  • Update to Spring LDAP 4.0.0-RC1 #18086

🔩 Build Updates

  • Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs #18009
  • Remove Deprecations #13068
  • Update to Reactor 2025.0.0-SNAPSHOT #18041

❤️ Contributors

Thank you to all the contributors who worked on this release:

@iigolovko, @ngocnhan-tran1996, @parthokr, @rohan-naik07, @sdeleuze, and @therepanic

What's Changed

  • Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in #17911
  • Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17914
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17905
  • Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in #17906
  • Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in #17907
  • Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17908
  • Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in #17909
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17910
  • Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in #17912
  • Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in #17913
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17903
  • Bump com.password4j:password4j from 1.8.2 to 1.8.4 by @dependabot[bot] in #17904
  • Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in #17917
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17918
  • Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in #17919
  • Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17920
  • Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in #17921
  • Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in #17922
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17923
  • Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in #17924
  • Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in #17925
  • Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17926
  • Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE by @dependabot[bot] in #17929
  • Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in #17937
  • Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17943
  • Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17945
  • Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in #17930
  • Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in #17938
  • Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17944
  • Add DefaultAuthorizationManagerFactory.additionalAuthorization by @therepanic in #17942
  • Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in #17949
  • Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in #17950
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 by @dependabot[bot] in #17970
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17977
  • Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in #17984
  • Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in #17985
  • Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in #18010
  • Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in #18011
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17978
  • Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in #17983
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.4 to 0.0.5 by @dependabot[bot] in #17992
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17976
  • Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in #17982
  • Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs by @dependabot[bot] in #18009
  • Enhancements to Authentication#toBuilder by @jzheaux in #18050
  • Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in #18038
  • Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in #18039
  • Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18044
  • Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18045
  • Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18043
  • Fix typo in AuthenticationProvider Javadoc by @parthokr in #17967
  • Fix-typos by @ngocnhan-tran1996 in #18035
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 by @dependabot[bot] in #18064
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in #18065
  • Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in #18068
  • Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in #18067
  • Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in #18066
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 by @dependabot[bot] in #18055
  • Add Jackson 3 support and deprecate Jackson 2 one by @sdeleuze in #17832
  • Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in #18081
  • Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18080
  • Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18082
  • Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in #18083
  • Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18079

New Contributors

Full Changelog: 7.0.0-M3...7.0.0-RC1
