7.1.0-M2

⭐ New Features

• Fail on compiler warnings for spring-security-javascript #18569
• TestingAuthenticationToken.credentials should be @Nullable #18615
• Ability to configure authenticationDetailsSource in AnonymousConfigurer #17878
• Add @Nullable to changePassword parameters in UserDetailsManager #18271
• Add missing @Nullable to setters of Nullable fields #18618
• Create Checkstyle Rules for Nullability Usage #18564
• Document RegisteredClient.ClientSettings #18614
• Enable Null checking in spring-security-ldap via JSpecify #17818
• Enable Null checking in spring-security-oauth2-core via JSpecify #17820
• Fail on compiler warnings for spring-security-access #18555
• Fail on compiler warnings for spring-security-acl #18557
• Fail on compiler warnings for spring-security-bom #18576
• Fail on compiler warnings for spring-security-dependencies #18568
• Fail on compiler warnings for spring-security-kerberos-client #18570
• Fail on compiler warnings for spring-security-taglibs #18578
• Fail spring-security-cas on javadoc warnings #18517
• Fail spring-security-ldap on javadoc warnings #18547
• Fail spring-security-messaging on javadoc warnings #18546
• Fail spring-security-oauth2-authorization-server on javadoc warnings #18602
• Fail spring-security-oauth2-core on javadoc warnings #18603
• Fail spring-security-oauth2-jose on javadoc warnings #18604
• Fail spring-security-rsocket on javadoc warnings #18605
• Fail spring-security-saml2-service-provider on javadoc warnings #18606
• Fail spring-security-taglibs on javadoc warnings #18607
• Fail spring-security-webauthn on javadoc warnings #18608
• Fix compiler warnings in spring-security-acl #18626
• Fix compiler warnings in spring-security-aspects #18581
• Fix HttpSecurity javadoc formatting #18526
• Fix javadoc warnings for spring-security-config #18545
• Fix javadoc warnings for spring-security-data #18532
• Fix Javadoc warnings in spring-security-crypto #18519
• Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint #18542
• Null safety via JSpecify spring-security-access #18398
• Null safety via JSpecify spring-security-acl #18401
• Null safety via JSpecify spring-security-aspects #18400
• Null safety via JSpecify spring-security-kerberos #18397
• Null safety via JSpecify spring-security-kerberos-client #18552
• Null safety via JSpecify spring-security-kerberos-core #18549
• Null safety via JSpecify spring-security-kerberos-web #18550
• Remove @NullUnmarked #18491
• Remove compiler warnings for spring-security-cas #18579
• Remove compiler warnings for spring-security-docs #18601
• Remove compiler warnings for spring-security-kerberos-core #18571
• Remove compiler warnings for spring-security-kerberos-test #18572
• Remove compiler warnings for spring-security-kerberos-web #18573
• Remove compiler warnings for spring-security-messaging #18575
• Remove compiler warnings for spring-security-oauth2-authorization-server #18562
• Remove compiler warnings for spring-security-rsocket #18567
• Remove compiler warnings for spring-security-saml2-service-provider #18577
• Remove compiler warnings for spring-security-webauthn #18556
• Remove compiler warnings in spring-security-data #18580
• Remove compiler warnings in spring-security-ldap #18559
• Support hasScope in Method Security #18151

🪲 Bug Fixes

• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18595
• ExpressionJwtGrantedAuthoritiesConverter is undocumented #18300
• Fix docs #18488
• Fix typo in authorize-http-requests.adoc #18600
• Fix typos in contributing guide #18635

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #18588
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18637
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18628
• Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #18697
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #18529
• Bump com.fasterxml.jackson:jackson-bom from 2.20.2 to 2.21.0 #18696
• Bump com.jayway.jsonpath:json-path from 2.9.0 to 2.10.0 #18690
• Bump github/codeql-action from 3 to 4 #18669
• Bump gradle-wrapper from 9.2.1 to 9.3.1 #18700
• Bump io.freefair.gradle:aspectj-plugin from 8.13.1 to 8.14.4 #18664
• Bump io.micrometer:context-propagation from 1.1.3 to 1.2.0 #18671
• Bump io.micrometer:context-propagation from 1.2.0 to 1.2.1 #18702
• Bump io.micrometer:micrometer-observation from 1.14.14 to 1.16.2 #18689
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #18597
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18533
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18636
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18612
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.9 to 0.0.10 #18554
• Bump jakarta.xml.bind:jakart...

7.0.3

⭐ New Features

• Fix Javadoc warnings in spring-security-web #18473
• Fix/gradle 9 deprecations #18485
• Fix/gradle 9 deprecations #18477
• Replace method call with 'Builder.configureMessageConverters()' #18378
• Replacing use of deprecated 'check' in authorization documentation #18390
• Use DefaultParameterNameDiscoverer#getSharedInstance #18481

🪲 Bug Fixes

• Authorization Server fails to start with multiple PasswordEncoder beans #18645
• BearerTokenAuthenticationEntryPoint uses context path #18528
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18594
• Document Client PKCE settings #18304
• Fix docs typo X-Requested-By -> X-Requested-With #18123
• Fix Formatting in mfa.adoc #18134
• Fix typo in documentation #18344
• Fix typos #18121

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #18384
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 #18684
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #18711
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #18660
• Bump com.webauthn4j:webauthn4j-core from 0.29.7.RELEASE to 0.31.0.RELEASE #18687
• Bump gradle-wrapper from 8.14 to 8.14.4 #18705
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #18681
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #18658
• Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3 #18717
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18683
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #18725
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #18706
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #18309
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #18326
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 #18346
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #18327
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #18682
• Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #18385
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #18655
• Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1 #18316
• Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2 #18733
• Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4 #18732
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT #18657
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #18651
• Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 #18659
• Update Antora UI Spring to v0.4.25 #18249
• Update to Spring Framework 7.0.3 #18667
• Update to spring-data-bom 2025.1.3 #18735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Been24, @Fr05ty-hub, @Kehrlann, @Rigu1, @bloomsei, @martinboulais, @ngocnhan-tran1996, @paulvas, @rwinch, @therepanic, and @vincentstradiot

6.5.8

⭐ New Features

• Add @FunctionalInterface to RequestMatcher #18337
• Spring Security 7 should provide migration path from request-matcher="ant" #18211
• Stop deploying JavaDoc outside of Antora #18199

🪲 Bug Fixes

• Add Missing Migration Pages to Navigation #18313
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18235
• Fix typo in "Preparing for 7.0" in reference to PathPatternRequestMatcher #18336
• Fix typo in AnnotationTemplateExpressionDefaults documentation #18176
• Fix typos in documentation depenendencies->dependencies #18208

🔨 Dependency Upgrades

• Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #18675
• Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs #18677
• Bump @springio/antora-extensions from 1.14.4 to 1.14.7 in /docs #18676
• Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.11 in /docs #18679
• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #18192
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #18321
• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #18387
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 #18525
• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #18591
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18631
• Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #18678
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #18710
• Bump gradle-wrapper from 8.14 to 8.14.4 #18704
• Bump io.micrometer:context-propagation from 1.1.3 to 1.1.4 #18703
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #18279
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #18275
• Bump io.projectreactor:reactor-bom from 2024.0.12 to 2024.0.13 #18293
• Bump io.projectreactor:reactor-bom from 2024.0.13 to 2024.0.14 #18495
• Bump io.projectreactor:reactor-bom from 2024.0.14 to 2024.0.15 #18716
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18535
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #18724
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #18670
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #18292
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #18329
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #18352
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #18590
• Bump org.hibernate.orm:hibernate-core from 6.6.34.Final to 6.6.36.Final #18193
• Bump org.hibernate.orm:hibernate-core from 6.6.36.Final to 6.6.38.Final #18241
• Bump org.hibernate.orm:hibernate-core from 6.6.38.Final to 6.6.39.Final #18308
• Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final #18351
• Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final #18524
• Bump org.hibernate.orm:hibernate-core from 6.6.41.Final to 6.6.42.Final #18632
• Bump org.springframework.data:spring-data-bom from 2024.1.12 to 2024.1.13 #18320
• Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16 #18322
• Bump org.springframework:spring-framework-bom from 6.2.13 to 6.2.14 #18206
• Bump org.springframework:spring-framework-bom from 6.2.14 to 6.2.15 #18323
• Bump org.springframework:spring-framework-bom from 6.2.15 to 6.2.16 #18731
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #18649
• Update Antora UI Spring to v0.4.25 #18402

🔩 Build Updates

• Remove unnecessary Gradle wrapper from buildSrc #18692

❤️ Contributors

Thank you to all the contributors who worked on this release:

@garvit-joshi, @ghusta, @kucoll, and @rwinch

7.1.0-M1

⭐ New Features

• Add nullability contract to PasswordEncoder#encode #18334
• Create Jackson Mixin for OneTimeTokenAuthenticationToken #18096
• Fix javadoc warnings for spring-security-oauth2-client #18483
• Fix spring-security-oauth2-core compiler warnings #18482
• Replacing use of deprecated 'check' in authorization documentation #18471
• Update to JDK 25 (release = 17) #18512
• Use DefaultParameterNameDiscoverer#getSharedInstance #18484

🪲 Bug Fixes

• Add Missing @NullMarked #18514
• Broken OAuth2AuthorizationRequestRedirectFilter constructor tests #18507
• Fix duplicated use-authorization-manager in docs #18478
• Fix Nullability on Collections/Arrays #18511

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 #18521
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #18494
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.6 to 0.0.9 #18371
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #18520
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.3 #18515
• Update jococo 0.8.14 #18508
• Update to Gradle 9.2.1 #18510
• Update to Kotlin 2.3.0 #18509

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dasog94, @marcusdacoregio, @paulvas, @qkrrlgus114, and @scordio

7.0.2

🪲 Bug Fixes

• AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #18315

7.0.1

⭐ New Features

• Stop deploying JavaDoc outside of Antora #18200

🪲 Bug Fixes

• An unexpected dependency appeared for spring-security-config of spring-security-web #18307
• Fix "typ" header value in NimbusJwtEncoder-encoded JWT #18270
• Fix broken link to Spring Boot docs #18236
• Fix documentation resource server sample title #18231
• Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #18223
• Fix typo in AnnotationTemplateExpressionDefaults documentation #18255
• Fix typos in documentation depenendencies->dependencies #18209
• NimbusJwtEncoder produces JWT with wrong "typ" header value #18269
• OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #18251
• Remove requireProofKey warning for non-auth-code flows #18221
• Remove throws from MyCustomDsl in docs #18224

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #18214
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #18311
• Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #18245
• Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #18262
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18189
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #18277
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #18274
• Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #18289
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #18187
• Bump org-aspectj from 1.9.24 to 1.9.25 #18186
• Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #18215
• Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #18188
• Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #18312
• Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #18213
• Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #18310
• Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #18212
• Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #18244

🔩 Build Updates

• Add Test for ServletRequestPathUtils.parseAndCache(method=null) #18166
• Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@L33gn21, @ghusta, @ronodhirSoumik, @rwinch, @sach429, and @ziqin

7.0.0

⭐ New Features

• Add a minimal authorization server configuration #18153
• Mark GrantedAuthority#getAuthority as @Nullable #18014
• Polish SimpleGrantedAuthority #18062

🪲 Bug Fixes

• Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #18026
• Fix webauthn multifactor authentication #18163

🔨 Dependency Upgrades

• Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #18099
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #18100
• Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #18097
• Update to Reactor 2025.0.0 #18173
• Update to Spring Data 2025.1.0 #18174
• Update to Spring Framework 7.0.0 #18172
• Update to Spring LDAP 4.0.0 #18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann, @SimonVonXCVII, @quaff, and @therepanic

6.5.7

⭐ New Features

• Add Include-Code for the Password Storage page #18054
• Default WebAuthnConfigurer#rpName to rpId #18131
• Document effects of disabling CORS #18129

🪲 Bug Fixes

• typ values should not be case-sensitive in JwtTypeValidator #18101
• BCryptPasswordEncoderTests should password limit of 72 bytes #18136
• Fix GenerateOneTimeTokenRequestResolver ignored if username param not present #18074
• GenerateOneTimeTokenFilter should not attempt to generate a token with a null token request #18088

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18110
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18149
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18141
• Bump org-aspectj from 1.9.24 to 1.9.25 #18142
• Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18111
• Update to Reactor 2024.0.12 #18181
• Update to Spring Data 2024.1.12 #18182
• Update to Spring Framework 6.2.13 #18180

❤️ Contributors

Thank you to all the contributors who worked on this release:

@himanshu-pareek, @marcusdacoregio, and @namest504

6.4.13

⭐ New Features

• Default WebAuthnConfigurer#rpName to rpId #18115
• Document effects of disabling CORS #18117

🪲 Bug Fixes

• BCryptPasswordEncoderTests should password limit of 72 bytes #18133

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #18108
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18148
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #18140
• Bump org-aspectj from 1.9.24 to 1.9.25 #18139
• Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #18109
• Update Spring Data 2024.1.12 #18179
• Update to Reactor 2024.0.12 #18178
• Update to Spring Framework 6.2.13 #18177

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann

7.0.0-RC3

⭐ New Features

• Default WebAuthnConfigurer#rpName to rpId #18132
• Document effects of disabling CORS #18130

🪲 Bug Fixes

• WebAuthnAuthenticationFilter is not getting post-processed by EnableMfaFiltersPostProcessor #18128
• AOT hints for authorization server Jackson 3 types should be registered #18146
• JdbcRegisteredClientRepository should support Jackson 3 #18143
• RequestHeaderAuthenticationFilter#getPreAuthenticatedPrincipal should be declared @Nullable #18046