2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[[migration]]
							 
						 
					
						
							
								
									
										
										
										
											2025-05-28 15:48:17 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								= Migrating to 7.0
							 
						 
					
						
							
								
									
										
										
										
											2023-05-12 15:43:14 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								:spring-security-reference-base-url: https://docs.spring.io/spring-security/reference
							 
						 
					
						
							
								
									
										
										
										
											2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-05-28 15:48:17 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Spring Security 6.5 is the last release in the 6.x generation of Spring Security.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								It provides strategies for configuring breaking changes to use the 7.0 way before updating.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								We recommend you use 6.5 and {spring-security-reference-base-url}/6.5/migration-7/index.html[its preparation steps] to simplify updating to 7.0.
							 
						 
					
						
							
								
									
										
										
										
											2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-05-28 15:48:17 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								After updating to 6.5, follow this guide to perform any remaining migration or cleanup steps.
							 
						 
					
						
							
								
									
										
										
										
											2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-04-03 11:02:46 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								And recall that if you run into trouble, the preparation guide includes opt-out steps to revert to 5.x behaviors.
							 
						 
					
						
							
								
									
										
										
										
											2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-05-28 15:48:17 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								== Update to Spring Security 7
							 
						 
					
						
							
								
									
										
										
										
											2022-11-18 16:57:17 -07:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-05-28 15:48:17 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								The first step is to ensure you are the latest patch release of Spring Boot 4.0.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Next, you should ensure you are on the latest patch release of Spring Security 7.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								For directions, on how to update to Spring Security 7 visit the xref:getting-spring-security.adoc[] section of the reference guide.
							 
						 
					
						
							
								
									
										
										
										
											2025-04-03 11:02:46 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-10-17 11:24:48 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								=== Migrate from Jackson 2 to Jackson 3
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								The configuration of Jackson 2 `ObjectMapper` with `SecurityJackson2Modules` should be replaced by the configuration of
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Jackson 3 `JsonMapper.Builder` with `SecurityJacksonModules`. See the
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md[Jackson 3 Migration Guide] for more details.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								It is recommended to replace the configuration of
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								individual modules like `CoreJacksonModule` by the module detection from `SecurityJacksonModules` as it enables
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								automatic inclusion of type information and configure a `PolymorphicTypeValidator` that handles the validation of class
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								names.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								The Jackson 3 support uses the same format than the now deprecated Jackson 2 one, so class instances serialized with
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Jackson 2 should be deserializable with the Jackson 3 support.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								`spring-security-oauth2-authorization-server` now uses Jackson 3 by default. If you want to continue
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								to use the deprecated Jackson 2 support, the transitive dependency on Jackson 3 (`tools.jackson.core:jackson-databind`)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								should be excluded and a dependency on Jackson 2 (`com.fasterxml.jackson.core:jackson-databind`) should be added.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-04-03 11:02:46 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								== Perform Application-Specific Steps
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Next, there are steps you need to perform based on whether it is a xref:migration/servlet/index.adoc[Servlet] or xref:migration/reactive.adoc[Reactive] application.