For the latest stable version, please use Spring Security 6.3.4!

What’s New in Spring Security 5.8

Spring Security 5.8 provides a number of new features. Below are the highlights of the release.

Core

Session Handling Improvements

  • gh-6125 - improved session creation and access

  • gh-11392 - Support deferring lookup of SecurityContext

AuthorizationManager API

  • gh-11493 - AuthorizationManager supports SpEL

  • Additional XML support for AuthorizationManager

  • gh-11393 - Additional DSL support for AuthorizationManager

  • Additional XML Support for `AuthorizationManager

  • gh-11304 - AuthorizationManager supports RoleHierarchy

  • gh-11076 - AuthorizationManager supports WebSockets

  • gh-11326 - AuthorizationManager supports AspectJ

  • gh-4841, gh-9401 - ReactiveAuthorizationManager supports method security

  • gh-11625 - Support AuthorizationManager composition

Misc

  • gh-10973 - SecurityContextHolderStrategy can be published as a @Bean

Config

  • gh-11771 - HttpSecurityDsl should support apply method

OAuth

  • gh-11590 - Deprecate Resource Owner Password Grant

  • gh-11383 - Add baseScheme, baseHost, basePort and basePath to the post_logout_redirect_uri

  • gh-11661 - Add OpaqueTokenAuthenticationConverter

  • gh-11232 - ClientRegistrations#rest defines 30s connect and read timeouts

  • gh-11638 - Refresh remote JWK when unknown KID error occurs

SAML

  • gh-11286 - Support configuring multiple relying party logout bindings

  • gh-11065 - Allow custom relay state for AuthnRequests

  • gh-11468 - Simplify AuthnRequest#id access

Web

  • gh-11073 - Add DelegatingServerHttpHeadersWriter

  • gh-4001 - Add servlet support for CSRF BREACH protection

  • gh-11959 - Add reactive support for CSRF BREACH protection

  • gh-11464 - Remember Me supports SHA256 algorithm

  • gh-11908 - Make X-Xss-Protection header value configurable in ServerHttpSecurity

  • gh-11347 - Simplify Java Configuration RequestMatcher Usage

  • gh-9159 - Add securityMatcher as an alias on requestMatcher in HttpSecurity

  • gh-11952 - Add csrfTokenRequestResolver to CsrfDsl

  • gh-11916 - HttpSecurityConfiguration picks up ContentNegotiationStrategy bean

  • gh-11971 - Additional support for AuthorizationFilter running for all dispatcher types

Test

  • gh-6899 - @WithMockUser works as meta-annotation