3 Releases published by 1 person

• 6.3.10

  published Jun 16, 2025

• 6.4.7

  published Jun 16, 2025

• 6.5.1

  published Jun 16, 2025

35 Pull requests merged by 6 people

• OAuth2Login DSL should support post-processing AuthenticationProvider implementations

  #17176 merged Jun 20, 2025

• Update document regarding Stream usage

  #17219 merged Jun 20, 2025

• Simplify Websocket Csrf Processor XML Configuration

  #17248 merged Jun 17, 2025

• NimbusJwtEncoder should simplify constructing with javax.security Keys

  #17033 merged Jun 17, 2025

• Polish Webauthn4JRelyingPartyOperations

  #17224 merged Jun 17, 2025

• Add null check for authentication token in JwtAuthenticationProvider

  #17251 merged Jun 17, 2025

• Update HttpSecurity javadoc to use authorizeHttpRequests

  #17225 merged Jun 17, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17261 merged Jun 17, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17262 merged Jun 17, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17263 merged Jun 17, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17264 merged Jun 17, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17265 merged Jun 17, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17266 merged Jun 17, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17267 merged Jun 17, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17268 merged Jun 17, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final

  #17269 merged Jun 17, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17271 merged Jun 17, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17272 merged Jun 17, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17273 merged Jun 17, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17274 merged Jun 17, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17270 merged Jun 17, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17253 merged Jun 16, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17252 merged Jun 16, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17257 merged Jun 16, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17256 merged Jun 16, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17255 merged Jun 16, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17254 merged Jun 16, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17243 merged Jun 16, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final

  #17242 merged Jun 16, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17241 merged Jun 16, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17240 merged Jun 16, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17239 merged Jun 16, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17238 merged Jun 16, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17237 merged Jun 16, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17236 merged Jun 16, 2025

33 Pull requests opened by 9 people

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17275 opened Jun 18, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17276 opened Jun 18, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17277 opened Jun 18, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17278 opened Jun 18, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17279 opened Jun 18, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17280 opened Jun 18, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final

  #17281 opened Jun 18, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17282 opened Jun 18, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17283 opened Jun 18, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17284 opened Jun 18, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17285 opened Jun 18, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17286 opened Jun 18, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.2.Final

  #17287 opened Jun 18, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17288 opened Jun 18, 2025

• Polish

  #17310 opened Jun 18, 2025

• Remove EnableWebMvcSecurity

  #17311 opened Jun 19, 2025

• Remove PrePostTemplateDefaults

  #17312 opened Jun 19, 2025

• Remove deprecated elements of RoleHierarchyImpl

  #17313 opened Jun 19, 2025

• Removed deprecated Base64 of crypto package

  #17314 opened Jun 19, 2025

• Remove deprecated elements from DaoAuthenticationProvider

  #17315 opened Jun 19, 2025

• WebSecurity#ignoring should not be warned

  #17316 opened Jun 20, 2025

• Adjust log message to include guidance for XML users

  #17317 opened Jun 20, 2025

• Fixed link to CSRF checks on rubyonrails.org site

  #17319 opened Jun 20, 2025

• Remove `RequestVariablesExtractor` in favor of `RequestMatcher#matcher`

  #17320 opened Jun 20, 2025

• Remove deprecated elements using AuthorizationDecision

  #17322 opened Jun 20, 2025

• Default to XorCsrfChannelInterceptor in XML configuration

  #17323 opened Jun 20, 2025

• Convert to use LdapClient instead of SpringSecurityLdapTemplate in Pa…

  #17324 opened Jun 21, 2025

• Use `LdapName` instead of `DistinguishedName`

  #17325 opened Jun 21, 2025

• Remove Nimbus(Reactive)OpaqueTokenIntrospector

  #17326 opened Jun 21, 2025

• Remove JwtIssuer(Reactive)AuthenticationManagerResolver deprecations

  #17327 opened Jun 21, 2025

• Remove AbstractSecurityWebSocketMessageBrokerConfigurer

  #17328 opened Jun 22, 2025

• Remove RelyingPartyRegistration deprecations

  #17329 opened Jun 22, 2025

• Removed deprecated classes

  #17330 opened Jun 22, 2025

7 Issues closed by 3 people

• Update Contribution Guidelines regarding Stream usage

  #17097 closed Jun 20, 2025

• Remove .and() and non lambda methods from DSL

  #13067 closed Jun 20, 2025

• Remove ApacheDSContainer and related support

  #12204 closed Jun 19, 2025

• Remove ApacheDS

  #13852 closed Jun 19, 2025

• NimbusJwtEncoder should simplify constructing with javax.security Keys

  #16267 closed Jun 17, 2025

• Add OAuth Support for HTTP Interface Client

  #16858 closed Jun 17, 2025

• OAuth2RestTemplate cannot acquire a new refresh token

  #17258 closed Jun 16, 2025

25 Issues opened by 5 people

• Add lambda DSL method for featurePolicy

  #17321 opened Jun 20, 2025

• Configuring RelyingPartyRegistration no longer works with just a metadata uri

  #17318 opened Jun 20, 2025

• Remove classes from old locations

  #17309 opened Jun 18, 2025

• Remove RequestVariablesExtractor in favor of RequestMatcher#matcher

  #17308 opened Jun 18, 2025

• Remove AllowFromStrategy in favor of ContentSecurityPolicy

  #17307 opened Jun 18, 2025

• Remove no-version Open SAML implementations

  #17306 opened Jun 18, 2025

• Remove RelyingPartyRegistration deprecations

  #17305 opened Jun 18, 2025

• Remove AssertingPartyDetails from APIs in favor of AssertingPartyMetadata

  #17304 opened Jun 18, 2025

• Remove JwtIssuer(Reactive)AuthenticationManagerResolver deprecations

  #17303 opened Jun 18, 2025

• Remove Nimbus(Reactive)OpaqueTokenIntrospector

  #17302 opened Jun 18, 2025

• Remove DistinguishedName Usage

  #17301 opened Jun 18, 2025

• Remove Base64

  #17300 opened Jun 18, 2025

• Remove deprecated elements using AuthorizationDecision

  #17299 opened Jun 18, 2025

• Remove deprecated elements from DaoAuthenticationProvider

  #17298 opened Jun 18, 2025

• Remove deprecated elements of RoleHierarchyImpl

  #17297 opened Jun 18, 2025

• Remove PrePostTemplateDefaults

  #17296 opened Jun 18, 2025

• Remove AbstractSecurityWebSocketMessageBrokerConfigurer

  #17295 opened Jun 18, 2025

• Remove EnableWebMvcSecurity

  #17294 opened Jun 18, 2025

• Remove ACL access implementations in favor of AclPermissionEvaluator

  #17293 opened Jun 18, 2025

• Fix remember me functionality

  #17292 opened Jun 18, 2025

• Change `ActiveDirectoryLdapAuthenticationProvider` to use `LdapClient`

  #17291 opened Jun 18, 2025

• Change `FilterBasedLdapUserSearch` to use `LdapClient`

  #17290 opened Jun 18, 2025

• Change `PasswordComparisonAuthenticator` to use `LdapClient`

  #17289 opened Jun 18, 2025

• <websocket-message-broker> should use XorCsrfChannelInterceptor by default

  #17260 opened Jun 17, 2025

• Deprecation warning about authorizeRequests should also contain XML guidance

  #17259 opened Jun 16, 2025

17 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Improve authoritiesClaimName validation in JwtGrantedAuthoritiesConverter

  #17247 commented on Jun 19, 2025 • 6 new comments

• Provided uncached way to use (Reactive)OidcIdTokenDecoderFactory

  #16647 commented on Jun 19, 2025 • 4 new comments

• Fix traceId discrepancy in case error in servlet web

  #17134 commented on Jun 22, 2025 • 1 new comment

• Ensure ID Token is updated after refresh token (Reactive)

  #17246 commented on Jun 17, 2025 • 0 new comments

• Fix PublicKeyCredentialType.PUBLIC_KEY comparison with Spring Session

  #17223 commented on Jun 17, 2025 • 0 new comments

• Add Support DPoP Customization

  #17202 commented on Jun 16, 2025 • 0 new comments

• Support custom `OAuth2AuthenticatedPrincipal` in Jwt-based authentication flow

  #17191 commented on Jun 17, 2025 • 0 new comments

• Consider handler bean reference for HandleAuthorizationDenied

  #16970 commented on Jun 20, 2025 • 0 new comments

• Wrong logging for CsrfFilter in trace level

  #17250 commented on Jun 21, 2025 • 0 new comments

• Remove Deprecations

  #13068 commented on Jun 20, 2025 • 0 new comments

• SEC-2856: Make cookie theft detection in remember-me service configurable because it's seriously broken

  #3079 commented on Jun 19, 2025 • 0 new comments

• Post 7.0.0-RC1 Tasks

  #17051 commented on Jun 18, 2025 • 0 new comments

• PathPatternRequestMatcher caching leads to unexpected behavior when forwarding

  #17203 commented on Jun 18, 2025 • 0 new comments

• Deprecate SpringSecurityLdapTemplate

  #17028 commented on Jun 18, 2025 • 0 new comments

• JwtDecoderFactory is missing and throws ClassNotFoundException with Bearer token and spring-boot:3.5.0

  #17249 commented on Jun 16, 2025 • 0 new comments

• Add support dpop customization

  #16940 commented on Jun 16, 2025 • 0 new comments

• Ensure ID Token is updated after refresh token (Reactive)

  #17188 commented on Jun 16, 2025 • 0 new comments