This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.2.4!

What’s New in Spring Security 6.1

Spring Security 6.1 provides a number of new features. Below are the highlights of the release.

Core

gh-12233 - SecuredAuthorizationManager allows customizing underlying AuthorizationManager
gh-12231 - Add Authority Collection Authorization Manager

OAuth 2.0

gh-10309 - (docs) - Add Nimbus(Reactive)JwtDecoder#withIssuerLocation
gh-12907 - Configure principal claim name in ReactiveJwtAuthenticationConverter

SAML 2.0

gh-12604 - Support AuthnRequestSigned metadata attribute
gh-12846 - Metadata supports multiple entities and EntitiesDescriptor
gh-11828 - (docs) - Add saml2Metadata to DSL
gh-12843 - (docs) - Allow Relying Party to be Deduced from LogoutRequest
gh-10243 - (docs) - Allow Relying Party to be Deduced from SAML Response
gh-12842 - Add RelyingPartyRegistration placeholder resolution component
gh-12845 - Support issuing LogoutResponse after already logged out

Observability

gh-12534 - Customize Authentication and Authorization observation conventions

Web

gh-12751 - Add RequestMatchers factory class
gh-12847 - Propagate variables through And and OrRequestMatcher

Docs

In our ongoing efforts to update Spring Security’s documentation, several additional sections were fully re-written:

gh-13088 - (docs) - Revisit Authorization documentation
gh-12681 - (docs) - Revisit Session Management documentation
gh-13062 - (docs) - Revisit Logout documentation
gh-13089 - Revisit CSRF Documentation