
[[migration]]
= Migrating to 7.0
:spring-security-reference-base-url: https://docs.spring.io/spring-security/reference

Spring Security 6.5 is the last release in the 6.x generation of Spring Security.
It provides strategies for configuring breaking changes to use the 7.0 way before updating.
We recommend you use 6.5 and {spring-security-reference-base-url}/6.5/migration-7/index.html[its preparation steps] to simplify updating to 7.0.
After updating to 6.5, follow this guide to perform any remaining migration or cleanup steps.
And recall that if you run into trouble, the preparation guide includes opt-out steps to revert to 5.x behaviors.

== Update to Spring Security 7

The first step is to ensure you are on the latest patch release of Spring Boot 4.0.
Next, you should ensure you are on the latest patch release of Spring Security 7.
For directions on how to update to Spring Security 7, visit the xref:getting-spring-security.adoc[] section of the reference guide.

=== Migrate from Jackson 2 to Jackson 3

The configuration of Jackson 2 `ObjectMapper` with `SecurityJackson2Modules` should be replaced by the configuration of
Jackson 3 `JsonMapper.Builder` with `SecurityJacksonModules`. See the
https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md[Jackson 3 Migration Guide] for more details.

It is recommended to replace the configuration of
individual modules like `CoreJacksonModule` with the module detection from `SecurityJacksonModules`, as it enables
automatic inclusion of type information and configures a `PolymorphicTypeValidator` that handles the validation of class
names.

The Jackson 3 support uses the same format as the now deprecated Jackson 2 support, so class instances serialized with
Jackson 2 should be deserializable with the Jackson 3 support.
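
The following is an added example, not taken from the Spring Security reference: it shows the deprecated Jackson 2 setup next to its Jackson 3 replacement, then reads JSON written by the former with the latter, relying on the format compatibility described above.
The class name `JacksonMigrationExample` and the sample token are constructed for illustration, and both Jackson 2 and Jackson 3 are assumed to be on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import tools.jackson.databind.json.JsonMapper;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.jackson.SecurityJacksonModules;
import org.springframework.security.jackson2.SecurityJackson2Modules;

// Hypothetical class name; not part of Spring Security.
public class JacksonMigrationExample {

	// Before: deprecated Jackson 2 configuration.
	@SuppressWarnings("deprecation")
	static ObjectMapper jackson2Mapper(ClassLoader loader) {
		ObjectMapper mapper = new ObjectMapper();
		mapper.registerModules(SecurityJackson2Modules.getModules(loader));
		return mapper;
	}

	// After: Jackson 3 builder with module detection. Per the guide, this also
	// enables type information and a PolymorphicTypeValidator for class names,
	// so no individual module such as CoreJacksonModule is registered by hand.
	static JsonMapper jackson3Mapper(ClassLoader loader) {
		return JsonMapper.builder()
				.addModules(SecurityJacksonModules.getModules(loader))
				.build();
	}

	public static void main(String[] args) throws Exception {
		ClassLoader loader = JacksonMigrationExample.class.getClassLoader();

		// Constructed sample: an authenticated token as a session store might hold it.
		Authentication original = UsernamePasswordAuthenticationToken.authenticated(
				"user", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

		// Written by the old stack, read back by the new one.
		String legacyJson = jackson2Mapper(loader).writeValueAsString(original);
		Authentication restored = jackson3Mapper(loader).readValue(legacyJson, Authentication.class);

		System.out.println(legacyJson);
		System.out.println(restored.getName() + " " + restored.getAuthorities());
	}
}
```

Running a round trip like this against a copy of real persisted data (sessions, OAuth2 authorizations) before cutover shows whether any application-specific classes are rejected by the type validator.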

`spring-security-oauth2-authorization-server` now uses Jackson 3 by default. If you want to continue
to use the deprecated Jackson 2 support, the transitive dependency on Jackson 3 (`tools.jackson.core:jackson-databind`)
should be excluded and a dependency on Jackson 2 (`com.fasterxml.jackson.core:jackson-databind`) should be added.

== Perform Application-Specific Steps

Next, there are steps you need to perform based on whether it is a xref:migration/servlet/index.adoc[Servlet] or xref:migration/reactive.adoc[Reactive] application.