What’s New in Spring Security 7.0

The Spring Security Kerberos Extension is now part of Spring Security. See the Kerberos section of the reference for details.spring-doc.cn

Spring Authorization Server is now part of Spring Security. See the OAuth 2.0 Authorization Server section of the reference for details.spring-doc.cn

Added Support for Multi-Factor Authenticationspring-doc.cn

Removed AuthorizationManager#check in favor of AuthorizationManager#authorizespring-doc.cn

Added AllAuthoritiesAuthorizationManager and AllAuthoritiesReactiveAuthorizationManager along with corresponding methods for Authorizing HttpServletRequests and method security expressions.spring-doc.cn

Added AuthorizationManagerFactory for creating AuthorizationManager instances in request-based and method-based authorization componentsspring-doc.cn

Added Authentication.Builder for mutating and merging Authentication instancesspring-doc.cn

Moved Access API (AccessDecisionManager, AccessDecisionVoter, etc.) to a new module, spring-security-accessspring-doc.cn

Support modular configuration in Servlets and WebFluxspring-doc.cn

Removed and() from the HttpSecurity DSL in favor of using the lambda methodsspring-doc.cn

Removed authorizeRequests in favor of authorizeHttpRequestsspring-doc.cn

Simplified expression migration for authorizeRequestsspring-doc.cn

Added support for SPA-based CSRF configurationspring-doc.cn

Added support for binding missing authorities to authentication mechanisms.spring-doc.cn

Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:spring-doc.cn

Added support to Authorized objects for Spring Data typesspring-doc.cn

Removed ApacheDsContainer and related Apache DS support in favor of UnboundIDspring-doc.cn

Removed support for password grantspring-doc.cn

Added OAuth2 Support for HTTP Service Clientsspring-doc.cn

Added support for custom JwkSource in NimbusJwtDecoder, allowing usage of Nimbus’s JwkSourceBuilder APIspring-doc.cn

Added builder for NimbusJwtEncoder, supports specifying an EC or RSA key pair or a secret keyspring-doc.cn

Added support for @ClientRegistrationId at the type level, eliminating the need for method level repetitionspring-doc.cn

Added support for OAuth 2.0 Dynamic Registration Protocolspring-doc.cn

Enabled PKCE by default in OAuth 2.0 Authorization Serverspring-doc.cn

Removed API methods based on AssertingPartyDetails class in favor of AssertingPartyMetadata interfacespring-doc.cn

Removed GET request support from Saml2AuthenticationTokenConverterspring-doc.cn

Added JDBC-based AssertingPartyMetadataRepositoryspring-doc.cn

Made so that SLO still returns <saml2:LogoutResponse> even when validation failsspring-doc.cn

Removed Open SAML 4 support; applications should migrate to Open SAML 5spring-doc.cn

Add SecurityMockMvcResultMatchers.withAuthorities(String…​)spring-doc.cn

Removed MvcRequestMatcher and AntPathRequestMatcher in favor of PathPatternRequestMatcherspring-doc.cn

Added SubjectX500PrincipalExtractorspring-doc.cn

Added support for propagating exceptions in Authorized proxies through Spring MVC controllersspring-doc.cn

Added support to Authorized objects for Spring MVC typesspring-doc.cn

Added support to Default Login Page to show factors based on factor.type and factor.reason parametersspring-doc.cn

Changed LoginUrlAuthenticationEntryPoint to favor relative redirects by defaultspring-doc.cn