Rob Winch 9f839384e9
Use non-redundant ids in password4j docs
Documentation ids no longer need to be globally unique, so they
do not need to include the path. This makes the ids less verbose and
integrates with include-code extension better.

Issue gh-17706
2025-09-15 11:00:51 -05:00


[[new]]
= What's New in Spring Security 7.0

Spring Security 7.0 provides a number of new features.
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.

== Removals

Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.
Each section that follows will indicate the more notable removals as well as the new features in that module.

== Modules

* The https://github.com/spring-projects/spring-security-kerberos[Spring Security Kerberos Extension] is now part of Spring Security. See the xref:servlet/authentication/kerberos/index.adoc[Kerberos] section of the reference for details.

== Core

* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
* Added `Authentication.Builder` for mutating and merging `Authentication` instances
* Moved Access API (`AccessDecisionManager`, `AccessDecisionVoter`, etc.) to a new module, `spring-security-access`

== Config

* Support modular configuration in xref:servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref:reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]
* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
* Simplified expression migration for `authorizeRequests`
* Added support for SPA-based CSRF configuration:
Java::
+
[source,java,role="primary"]
----
http.csrf((csrf) -> csrf.spa());
----

== Crypto

* Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:
** `Argon2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-argon2[Argon2]
** `BcryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-bcrypt[BCrypt]
** `ScryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-scrypt[SCrypt]
** `Pbkdf2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-pbkdf2[PBKDF2]
** `BalloonHashingPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-balloon[Balloon Hashing]
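The following is an added example, not code from the Spring Security project, showing how one of the new Password4j encoders can be adopted without breaking existing stored hashes: a `DelegatingPasswordEncoder` encodes new passwords with `Argon2Password4jPasswordEncoder` while legacy `{bcrypt}` hashes keep verifying and are flagged for re-encoding. It assumes the encoder lives in the `org.springframework.security.crypto.password4j` package and that its no-arg constructor applies Password4j's default Argon2 parameters.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password4j.Argon2Password4jPasswordEncoder;

public class Password4jMigrationExample {

	// Delegating encoder: new hashes are written with the Password4j Argon2
	// encoder under the "{argon2}" id; existing "{bcrypt}" hashes remain verifiable.
	static PasswordEncoder migrationEncoder() {
		Map<String, PasswordEncoder> encoders = new HashMap<>();
		// Assumption: the no-arg constructor uses Password4j's default Argon2 parameters.
		encoders.put("argon2", new Argon2Password4jPasswordEncoder());
		encoders.put("bcrypt", new BCryptPasswordEncoder());
		return new DelegatingPasswordEncoder("argon2", encoders);
	}

	public static void main(String[] args) {
		PasswordEncoder encoder = migrationEncoder();
		CharSequence rawPassword = "correct horse battery staple"; // constructed sample

		// A hash as it would have been stored before the migration (constructed here
		// with the legacy encoder and the id prefix DelegatingPasswordEncoder expects).
		String legacyHash = "{bcrypt}" + new BCryptPasswordEncoder().encode(rawPassword);

		// Legacy credentials still authenticate through the bcrypt delegate ...
		boolean legacyMatches = encoder.matches(rawPassword, legacyHash);
		// ... and are reported as needing an upgrade because their id is not "argon2".
		boolean legacyNeedsUpgrade = encoder.upgradeEncoding(legacyHash);

		// New hashes carry the {argon2} prefix and are verified by the Password4j encoder.
		String newHash = encoder.encode(rawPassword);
		boolean newMatches = encoder.matches(rawPassword, newHash);
		boolean newNeedsUpgrade = encoder.upgradeEncoding(newHash);

		System.out.println("legacy matches=" + legacyMatches + " needsUpgrade=" + legacyNeedsUpgrade);
		System.out.println("new prefix ok=" + newHash.startsWith("{argon2}")
				+ " matches=" + newMatches + " needsUpgrade=" + newNeedsUpgrade);
	}
}
```

In an application, the `upgradeEncoding` result is what `DaoAuthenticationProvider` uses (via `UserDetailsPasswordService`) to re-encode a legacy hash on the next successful login, so the migration completes without forcing password resets.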
== Data

* Added support to Authorized objects for Spring Data types

== LDAP

* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

== OAuth 2.0

* Removed support for password grant
* Added OAuth2 Support for xref:features/integrations/rest/http-interface.adoc[HTTP Interface Integration]
* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
* Added builder for `NimbusJwtEncoder`, which supports specifying an EC or RSA key pair or a secret key
* Added support for `@ClientRegistrationId` at the xref:features/integrations/rest/http-interface.adoc#type[type level], eliminating the need for method level repetition

== SAML 2.0

* Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
* Removed GET request support from `Saml2AuthenticationTokenConverter`
* Added JDBC-based `AssertingPartyMetadataRepository`
* Changed SLO so that it still returns `<saml2:LogoutResponse>` even when validation fails
* Removed OpenSAML 4 support; applications should migrate to OpenSAML 5

== Web

* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]
* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
* Added support to Authorized objects for Spring MVC types