[[new]]
= What's New in Spring Security 7.0

Spring Security 7.0 provides a number of new features.
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.

== Removals

Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.
Each section that follows will indicate the more notable removals as well as the new features in that module.

== Core

* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components

== Config

* Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]
* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
* Simplified expression migration for `authorizeRequests`
* Added support for SPA-based CSRF configuration:

Java::
+
[source,java,role="primary"]
----
http.csrf((csrf) -> csrf.spa());
----
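
The Config removals above change how a filter chain is written. The following is an added example, not taken from the Spring Security documentation or code base, showing a 6.x-style chain beside its 7.0 form; the class name, the `/admin/**` path and the `ADMIN` role are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig { // hypothetical class name

    // 6.x style, kept as a comment for comparison only. It relies on
    // authorizeRequests() and and(), both removed in 7.0:
    //
    //   http.authorizeRequests()
    //           .requestMatchers("/admin/**").hasRole("ADMIN")
    //           .anyRequest().authenticated()
    //           .and()
    //       .formLogin();

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // authorizeHttpRequests replaces authorizeRequests; the rules
            // live inside the lambda, so no and() is needed to chain on.
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/admin/**").hasRole("ADMIN") // assumed path and role
                .anyRequest().authenticated()
            )
            // Each configurer takes its own lambda or Customizer.
            .formLogin(Customizer.withDefaults())
            // SPA-based CSRF configuration, as shown in the snippet above.
            .csrf((csrf) -> csrf.spa());
        return http.build();
    }
}
```
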
== Data

* Added support to Authorized objects for Spring Data types

== LDAP

* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

== OAuth 2.0

* Removed support for password grant
* Added OAuth2 support for xref:features/integrations/rest/http-interface.adoc[HTTP Interface Integration]
* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
* Added a builder for `NimbusJwtEncoder` that supports specifying an EC or RSA key pair or a secret key

== SAML 2.0

* Removed API methods based on the `AssertingPartyDetails` class in favor of the `AssertingPartyMetadata` interface
* Removed GET request support from `Saml2AuthenticationTokenConverter`
* Added JDBC-based `AssertingPartyMetadataRepository`
* SLO now still returns a `<saml2:LogoutResponse>` even when validation fails
* Removed Open SAML 4 support; applications should migrate to Open SAML 5

== Web

* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]
* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
* Added support to Authorized objects for Spring MVC types