What’s New in Spring Security 6.5

Spring Security 6.5 provides a number of new features. Below are the highlights of the release, or you can view the release notes for a detailed listing of each feature and bug fix.spring-doc.cn

New Features

Support for automatic context-propagation with Micrometer (gh-16665)spring-doc.cn
OAuth 2.0 Demonstrating Proof of Possession (DPoP) (gh-16574)spring-doc.cn

Breaking Changes

Observability

The security.security.reached.filter.section key name was corrected to spring.security.reached.filter.section. Note that this may affect reports that operate on this key name.spring-doc.cn

OAuth

gh-16386 - Enable PKCE for confidential clients using ClientRegistration.clientSettings.requireProofKey=true for servlet and reactive applicationsspring-doc.cn
gh-16913 - Prepare OAuth2 Client deprecations for removal in Spring Security 7spring-doc.cn

WebAuthn

gh-16282 - JDBC Persistence for WebAuthn/Passkeysspring-doc.cn
gh-16397 - Added the ability to configure a custom HttpMessageConverter for Passkeys using the optional messageConverter property on the webAuthn DSL.spring-doc.cn
gh-16396 - Added the ability to configure a custom PublicKeyCredentialCreationOptionsRepositoryspring-doc.cn

One-Time Token Login

gh-16291 - oneTimeTokenLogin() now supports customizing GenerateOneTimeTokenRequest via GenerateOneTimeTokenRequestResolver spring-doc.cn