⏪ Breaking Changes
- Align setRetrieveUserInfo() between OidcUserService and OidcReactiveOAuth2UserService #18057
- Consider disabling device_code grant by default #17998
- Enable PKCE by default #17507
- Enable PKCE by default in authorization server #18020
- Favor Relative Redirects by Default #16300
- Remove cache from (Reactive)OidcIdTokenDecoderFactory #16647
- Remove OidcUserService.setAccessibleScopes() #18056
- Remove setOidcUserMapper() in OidcUserService and OidcReactiveOAuth2UserService #18060
- Remove unnecessary throws Exception from spring-security-config #17957
⭐ New Features
- Add
@EnableGlobalMultiFactorAuthentication
#17954 - Add
GrantedAuthorities.FACTOR_*_AUTHORITY
#17952 - Add
RequiredFactor.Builder.
Authority()
#18033 - Add
TestingAuthenticationToken(Object principal,Object credential,String... authorities)
#17980 - Add AccessDeniedHandler that Ties Authorities to Authentication Entry Points #17934
- Add AllAuthorities(Reactive)AuthorizationManager #17916
- Add AllFactorsAuthorizationManager #17997
- Add DefaultAuthorizationManagerFactory.additionalAuthorization #17942
- Add FactorGrantedAuthority #17996
- Add Jackson 3 support and deprecate Jackson 2 one #17832
- Add Predicate for authorizationConsentRequired for device code grant #18016
- Add RequiredAuthoritiesAuthorizationManager #18028
- Add SecurityMockMvcResultMatchers.withAuthorities(String...) #17974
- Add support for OAuth 2.0 Dynamic Client Registration Protocol #17964
- AllFactorsAuthorizationManager -> AllRequiredFactorsAuthorizationManager #18031
- Allow OAuth2AuthorizationRequest to be extended #18049
- Authentication should use FactorGrantedAuthority #18001
- Create AuthorizationManagerFactories.multiFactor #18032
- Default Login Page Should Pre-populate Username Field If Already Logged In #17935
- DelegatingAuthenticationEntryPoint should use RequestMatcherEntry #17915
- DelegatingMissingAuthorityAccessDeniedHandler Should Use RequiredFactorErrors #18002
- Document Multi-Factor Simple to Complex #18029
- Fix-typos #18035
- HttpSecurity should allow for
AuthorizationManager<? super RequestAuthorizationContext>
#17931 - Implement OAuth 2.0 Protected Resource Metadata #17244
- Improve Passivity when Merging Authorities #18052
- Providers Should Add an Authority Representing Successful Authentication #17933
- Security Expressions Should Allow Returning an AuthorizationManager #17936
- Support Automatically Checking for Required Authorities in Authorization Rules #17900
- Support injecting clock into token generation code #18017
- Use
AuthorizationManagerFactory
in Kotlin DSL #17860
🪲 Bug Fixes
- DelegatingAuthenticationEntryPoint.Builder should not throw exception when default entry point is specified #17955
- Deprecate
CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE
#18058 - Fix typo in AuthenticationProvider Javadoc #17967
- HttpSecurity.oauth2AuthorizationServer should not automatically set
HttpSecurity.securityMatcher
#17965 - Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler #18000
- Move FACTOR_ constants to FactorGrantedAuthority #18030
- Prevent Duplicate
GrantedAuthority#getAuthority()
at time of Authentication #17981 - ProviderManager.copyDetails Changes Authentication to new Type #18027
- Update terminology to HTTP Service Clients #17947
🔨 Dependency Upgrades
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #18079
- Bump com.password4j:password4j from 1.8.2 to 1.8.4 #17904
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE #17982
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #18043
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 #17983
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 #18055
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #17903
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 #17970
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #17949
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 #17943
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 #18064
- Update JUnit 6.0.0 #18040
- Update to Reactor 2025.0.0-RC1 #18087
- Update to Spring Data 2025.1.0-RC1 #18085
- Update to Spring Framework 7.0.0-RC1 #18084
- Update to Spring LDAP 4.0.0-RC1 #18086
🔩 Build Updates
- Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs #18009
- Remove Deprecations #13068
- Update to Reactor 2025.0.0-SNAPSHOT #18041
❤️ Contributors
Thank you to all the contributors who worked on this release:
@iigolovko, @ngocnhan-tran1996, @parthokr, @rohan-naik07, @sdeleuze, and @therepanic
What's Changed
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in #17911
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17914
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17905
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in #17906
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in #17907
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17908
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in #17909
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17910
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in #17912
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in #17913
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17903
- Bump com.password4j:password4j from 1.8.2 to 1.8.4 by @dependabot[bot] in #17904
- Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.29.Final by @dependabot[bot] in #17917
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17918
- Bump org.springframework.data:spring-data-bom from 2024.1.9 to 2024.1.10 by @dependabot[bot] in #17919
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17920
- Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.11 by @dependabot[bot] in #17921
- Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 by @dependabot[bot] in #17922
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 by @dependabot[bot] in #17923
- Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final by @dependabot[bot] in #17924
- Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 by @dependabot[bot] in #17925
- Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 by @dependabot[bot] in #17926
- Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE by @dependabot[bot] in #17929
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in #17937
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17943
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17945
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in #17930
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 by @dependabot[bot] in #17938
- Bump org.gretty:gretty from 4.1.7 to 4.1.10 by @dependabot[bot] in #17944
- Add DefaultAuthorizationManagerFactory.additionalAuthorization by @therepanic in #17942
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in #17949
- Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 by @dependabot[bot] in #17950
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 by @dependabot[bot] in #17970
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17977
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in #17984
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in #17985
- Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in #18010
- Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final by @dependabot[bot] in #18011
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17978
- Bump io.mockk:mockk from 1.14.5 to 1.14.6 by @dependabot[bot] in #17983
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.4 to 0.0.5 by @dependabot[bot] in #17992
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 by @dependabot[bot] in #17976
- Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE by @dependabot[bot] in #17982
- Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs by @dependabot[bot] in #18009
- Enhancements to Authentication#toBuilder by @jzheaux in #18050
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in #18038
- Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final by @dependabot[bot] in #18039
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18044
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18045
- Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 by @dependabot[bot] in #18043
- Fix typo in AuthenticationProvider Javadoc by @parthokr in #17967
- Fix-typos by @ngocnhan-tran1996 in #18035
- Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 by @dependabot[bot] in #18064
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in #18065
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in #18068
- Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 by @dependabot[bot] in #18067
- Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 by @dependabot[bot] in #18066
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.5 to 0.0.6 by @dependabot[bot] in #18055
- Add Jackson 3 support and deprecate Jackson 2 one by @sdeleuze in #17832
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in #18081
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18080
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18082
- Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 by @dependabot[bot] in #18083
- Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 by @dependabot[bot] in #18079
New Contributors
Full Changelog: 7.0.0-M3...7.0.0-RC1