This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.4!

What’s New in Spring Security 6.1

Spring Security 6.1 provides a number of new features. Below are the highlights of the release.

Core

  • gh-12233 - SecuredAuthorizationManager allows customizing underlying AuthorizationManager

  • gh-12231 - Add Authority Collection Authorization Manager

OAuth 2.0

  • gh-10309 - (docs) - Add Nimbus(Reactive)JwtDecoder#withIssuerLocation

  • gh-12907 - Configure principal claim name in ReactiveJwtAuthenticationConverter

SAML 2.0

  • gh-12604 - Support AuthnRequestSigned metadata attribute

  • gh-12846 - Metadata supports multiple entities and EntitiesDescriptor

  • gh-11828 - (docs) - Add saml2Metadata to DSL

  • gh-12843 - (docs) - Allow Relying Party to be Deduced from LogoutRequest

  • gh-10243 - (docs) - Allow Relying Party to be Deduced from SAML Response

  • gh-12842 - Add RelyingPartyRegistration placeholder resolution component

  • gh-12845 - Support issuing LogoutResponse after already logged out

Observability

  • gh-12534 - Customize Authentication and Authorization observation conventions

Web

  • gh-12751 - Add RequestMatchers factory class

  • gh-12847 - Propagate variables through And and OrRequestMatcher

Docs

In our ongoing efforts to update Spring Security’s documentation, several additional sections were fully re-written: