⭐ New Features
- Add
postProcessortoSpringOpaqueTokenIntrospectorBuilders #18625 - Add InetAddressMatcher #18634
- Add MessageExpressionAuthorizationManager #18813
- Add missing AOT Runtime Hints #18767
- Add nullability contract to
PasswordEncoder#encodeimplementations #18490 - Add RestClientOpaqueTokenIntrospector #18746
- Add tests for PathPatternRequestMatcher request path caching #18721
- Allow custom token settings for OAuth 2.0 dynamic client registration #18870
- Change
ActiveDirectoryLdapAuthenticationProviderto useLdapClient#18627 - Clarify need for method attribute in JSP authorize tag #18566
- Cleanup #17801
- Document multipart CSRF header option #18757
- Enable Null checking in spring-security-oauth2-jose via JSpecify #17821
- Ensure ID Token is updated after refresh token (Reactive) #17246
- Fail on javadoc warnings for spring-security-aspects #18855
- Fail spring-security-docs on javadoc warnings #18613
- Fix ClientAttributes Javadoc Typos #18802
- Fix compile warning in spring-security-test #18593
- Fix compile warnings for spring-security-config #18596
- Make authenticationConverter customizable in SpringOpaqueTokenIntrospector.Builder #18623
- Make PublicKeyCredentialCreationOptions Serializable #18354
- Mark
CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeNameas Nullable #18620 - Remove unused
@Nullablein Switch User andFactorGrantedAuthority#18765 - Specify charset in
WWW-Authenticatefor Basic Auth #18760 - Support custom
OAuth2AuthenticatedPrincipalin Jwt-based authentication flow #17191 - Support single-line PEM encoded RSA keys in
RsaKeyConverters#18599 - Update servlet/architecture.adoc to use include-code #18536
- Use attributes in Antora to replace the original links #18819
- Use include-code for websocket.adoc #18856
🪲 Bug Fixes
- Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18785
- Add Jackson Mixin for WebAuthnAuthentication #18907
- Add Missing OnCommitedResponseWrapper Header Overrides #18800
- Document Keberose Dependency Coordinates #18786
- Ensure tests clear AuthorizationServerContextHolder #18769
- Fix CookieRequestCache parameters #18865
- Fix Flaky Crypto Tests #18843
- Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18908
- Fix SecurityContextLogoutHandler.logout
@paramresponse Javadoc (cannot be null) #18795 - Fix spring-security-webauthn dependency in passkeys documentation #18866
- HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18835
- Improve error message for missing access attribute in intercept-url #18530
- Mark
targetDomainObjectas@NullableinPermissionEvaluator#18796 - Update password4j docs to use BcryptPassword4jPasswordEncoder #18232
🔨 Dependency Upgrades
- Bump
@antora/collector-extension from 1.0.2 to 1.0.3 #18851 - Bump
@antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18852 - Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18808
- Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.31 #18740
- Bump ch.qos.logback:logback-classic from 1.5.31 to 1.5.32 #18748
- Bump com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1 #18778
- Bump com.nimbusds:oauth2-oidc-sdk from 11.33 to 11.34 #18859
- Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18827
- Bump gradle-wrapper from 9.3.1 to 9.4.0 #18849
- Bump io.micrometer:micrometer-observation from 1.16.3 to 1.16.4 #18868
- Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18875
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.11 to 0.0.12 #18828
- Bump minimatch from 3.1.2 to 3.1.5 in /javascript #18811
- Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18747
- Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18789
- Bump org-opensaml5 from 5.2.0 to 5.2.1 #18754
- Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18858
- Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18885
- Bump org.hibernate.orm:hibernate-core from 7.2.4.Final to 7.2.5.Final #18775
- Bump org.hibernate.orm:hibernate-core from 7.2.5.Final to 7.2.6.Final #18826
- Bump org.hibernate.orm:hibernate-core from 7.2.6.Final to 7.2.7.Final #18901
- Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18741
- Bump org.mockito:mockito-bom from 5.21.0 to 5.22.0 #18825
- Bump org.mockito:mockito-bom from 5.22.0 to 5.23.0 #18881
- Bump org.seleniumhq.selenium:htmlunit3-driver from 4.40.0 to 4.41.0 #18777
- Bump org.seleniumhq.selenium:selenium-java from 4.40.0 to 4.41.0 #18776
- Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18902
- Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18763
- Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18900
- Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.13 to 1.0.14 #18728
- Bump tools.jackson:jackson-bom from 3.0.4 to 3.1.0 #18790
- Update Antora UI Spring to v0.4.26 #18894
❤️ Contributors
Thank you to all the contributors who worked on this release:
@023-dev, @DDINGJOO, @Hann244, @chanani, @coehgns, @earlgrey02, @evgeniycheban, @itsmevichu, @jkuhel, @joshlong, @kimyounguk1, @kmw10693, @ngocnhan-tran1996, @nidhogg5, @pahlevani, @rwinch, @scordio, @therepanic, and @wonderfulrosemari