For the latest stable version, please use Spring Security 6.5.3!spring-doc.cn

What’s New in Spring Security 6.0

Spring Security 6.0 provides a number of new features. Below are the highlights of the release.spring-doc.cn

Baseline Changes

Spring Security 6 requires JDK 17spring-doc.cn

Breaking Changes

gh-8980 - Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence). Instead use data storage to encrypt values.spring-doc.cn
gh-11520 - Remember Me uses SHA256 by defaultspring-doc.cn
gh-8819 - Move filters to web package Reorganize importsspring-doc.cn
gh-7349 - Move filter and token to appropriate packages Reorganize importsspring-doc.cn
gh-11026 - Use RequestAttributeSecurityContextRepository instead of NullSecurityContextRepositoryspring-doc.cn
gh-11827 - Change default authority for oauth2Login()spring-doc.cn
gh-10347 - Remove UsernamePasswordAuthenticationToken check in BasicAuthenticationFilterspring-doc.cn
gh-11923 - Remove WebSecurityConfigurerAdapter. Instead, create a SecurityFilterChain bean.spring-doc.cn
gh-11899 - Use MvcRequestMatcher by default if Spring MVC is present. You can configure a different RequestMatcher by using the request-matcher attribute from <http>.spring-doc.cn
Change use-authorization-manager="true" to default If the application uses use-expressions="true" or access-decision-manager-ref switch to use-expressions="false" or authorization-manager-ref, respectively. If application relies on the implicit <intercept-url pattern="/**" access="permitAll"/>, this is no longer implicit and needs to be specified. Or use use-authorization-manager="false"spring-doc.cn
gh-11939 - Remove deprecated antMatchers, mvcMatchers, regexMatchers helper methods from Java Configuration. Instead, use requestMatchers or HttpSecurity#securityMatchers.spring-doc.cn
gh-11985 - Remove deprecated constructors in Argon2PasswordEncoder, SCryptPasswordEncoder and Pbkdf2PasswordEncoder.spring-doc.cn
gh-11960 - Default to Xor CSRF protection for servlet and reactive spring-doc.cn
gh-12019 - Remove deprecated method setTokenFromMultipartDataEnabled from CsrfWebFilterspring-doc.cn
gh-12020 - Remove deprecated method tokenFromMultipartDataEnabled from Java Configurationspring-doc.cn
gh-9429 - Authentication(Web)Filter rethrows `AuthenticationServiceException`sspring-doc.cn
gh-11027, gh-11466 - Authorization on every dispatcher typespring-doc.cn
gh-11110 - Require explicit session saves by defaultspring-doc.cn
gh-11057 - Remove MessageSourceAware from ExceptionTranslationWebFilterspring-doc.cn
gh-12202 - Remove OAuth deprecationsspring-doc.cn
gh-10556 - Remove EOL OpenSaml 3 Support. Use the OpenSaml 4 Support instead.spring-doc.cn
gh-11077 - Remove SAML deprecationsspring-doc.cn
- Remove Converter constructors from Saml2MetadataFilter and Saml2AuthenticationTokenConverterspring-doc.cn
- Remove Saml2AuthenticationRequestContextResolver and Saml2AuthenticationRequestFactory and implementationsspring-doc.cn
- Remove Saml2AuthenticationToken(String, String, String, String, List)spring-doc.cn
- Remove RelyingPartyRegistration.ProviderDetails and related methodsspring-doc.cn
- Remove OpenSamlAuthenticationProviderspring-doc.cn
gh-12180 - Register FilterChainProxy for all dispatcher typesspring-doc.cn

Core

gh-11446 - Add native image support for @PreAuthorizespring-doc.cn
gh-11737 - Add native image support for @PostAuthorizespring-doc.cn
Instrumentation of AuthenticationManager, AuthorizationManager, and FilterChainProxyspring-doc.cn
Instrumentation of ReactiveAuthenticationManager, ReactiveAuthorizationManager, and WebFilterChainProxyspring-doc.cn

LDAP

gh-9276 - LdapAuthoritiesPopulator is post-processedspring-doc.cn

Web

gh-11432 - CookieServerCsrfTokenRepository supports maxagespring-doc.cn