3 Releases published by 1 person

• 7.0.0-M1

  published Jul 21, 2025

• 6.5.2

  published Jul 21, 2025

• 6.4.8

  published Jul 21, 2025

28 Pull requests merged by 2 people

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17604 merged Jul 23, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17603 merged Jul 23, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17602 merged Jul 23, 2025

• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9

  #17601 merged Jul 23, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8

  #17600 merged Jul 23, 2025

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17599 merged Jul 23, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17598 merged Jul 23, 2025

• Bump org.gretty:gretty from 4.1.6 to 4.1.7

  #17597 merged Jul 23, 2025

• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9

  #17596 merged Jul 23, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17595 merged Jul 23, 2025

• Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24

  #17590 merged Jul 23, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2

  #17589 merged Jul 23, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17588 merged Jul 23, 2025

• Bump org.gretty:gretty from 4.1.6 to 4.1.7

  #17587 merged Jul 23, 2025

• Support add nested security configurers during builder initialization

  #17020 merged Jul 21, 2025

• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9

  #17578 merged Jul 21, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8

  #17577 merged Jul 21, 2025

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17576 merged Jul 21, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final

  #17575 merged Jul 21, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17574 merged Jul 21, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17573 merged Jul 21, 2025

• Bump io.mockk:mockk from 1.14.4 to 1.14.5

  #17572 merged Jul 21, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final

  #17571 merged Jul 21, 2025

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17570 merged Jul 21, 2025

• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9

  #17568 merged Jul 21, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2

  #17567 merged Jul 21, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8

  #17569 merged Jul 21, 2025

• Bump @springio/antora-extensions from 1.14.6 to 1.14.7

  #17565 merged Jul 21, 2025

23 Pull requests opened by 4 people

• Bump @springio/antora-extensions from 1.14.6 to 1.14.7 in /docs

  #17564 opened Jul 21, 2025

• Bump @springio/antora-extensions from 1.14.6 to 1.14.7 in /docs

  #17566 opened Jul 21, 2025

• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.1 to 0.0.2

  #17591 opened Jul 23, 2025

• Bump org.gretty:gretty from 4.1.6 to 4.1.7

  #17592 opened Jul 23, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17593 opened Jul 23, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17594 opened Jul 23, 2025

• Add Referrer-Policy header to default security headers

  #17606 opened Jul 23, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17607 opened Jul 24, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final

  #17608 opened Jul 24, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17609 opened Jul 24, 2025

• Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9

  #17610 opened Jul 24, 2025

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17611 opened Jul 24, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17612 opened Jul 24, 2025

• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11

  #17613 opened Jul 24, 2025

• Bump io.mockk:mockk from 1.14.4 to 1.14.5

  #17614 opened Jul 24, 2025

• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9

  #17615 opened Jul 24, 2025

• Bump org.gretty:gretty from 4.1.6 to 4.1.7

  #17616 opened Jul 24, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2

  #17617 opened Jul 24, 2025

• Bump org.gretty:gretty from 4.1.6 to 4.1.7

  #17618 opened Jul 24, 2025

• Bump io.spring.develocity.conventions from 0.0.23 to 0.0.24

  #17619 opened Jul 24, 2025

• Bump io.spring.gradle:spring-security-release-plugin from 1.0.6 to 1.0.10

  #17620 opened Jul 24, 2025

• Use final values in equals and hashCode

  #17621 opened Jul 24, 2025

• Update index.adoc

  #17624 opened Jul 24, 2025

13 Issues closed by 4 people

• Add OAuth2User to OidcUser Conversion Params

  #17626 closed Jul 25, 2025

• Configuring RelyingPartyRegistration no longer works with just a metadata uri

  #17318 closed Jul 23, 2025

• Back‑port CVE‑2025‑53864 fix (nimbus‑jose‑jwt) to Spring Security 6.5.x

  #17583 closed Jul 23, 2025

• Extract spring-security-webauthn

  #17586 closed Jul 22, 2025

• Enable Null checking in spring-security-core via JSpecify

  #17534 closed Jul 22, 2025

• Enable Null checking in spring-security-crypto via JSpecify

  #17533 closed Jul 22, 2025

• Clarify/Enhance `@PermitAll` Behavior When Used with `requestMatchers().authenticated()`

  #17562 closed Jul 22, 2025

• Update What's New in Spring Security 7

  #17582 closed Jul 21, 2025

• Cannot add security configurers during builder initialization

  #17581 closed Jul 21, 2025

• Cannot add security configurers during builder initialization

  #17580 closed Jul 21, 2025

• Cannot add security configurers during builder initialization

  #17011 closed Jul 21, 2025

• UnboundIdContainer fails with TestContext

  #17543 closed Jul 21, 2025

• Add basePath to PathPatternParserRequestMatcherBuilderFactoryBean

  #17579 closed Jul 21, 2025

10 Issues opened by 6 people

• OIDC token-request client-secret %3D instead of = for padding

  #17629 opened Jul 25, 2025

• Default `OidcUser` conversion may return mismatch between `OAuth2User.getName()` and `OidcUser.getName()`

  #17628 opened Jul 25, 2025

• Oidc(ReactiveOAuth2)UserService uses userNameAttributeName when user info endpoint not invoked

  #17627 opened Jul 25, 2025

• Default retrieveUserInfo for OidcUserService & OidcReactiveOAuth2UserService are inconsistent

  #17625 opened Jul 25, 2025

• Remove usage of `SpringSecurityCoreVersion.SERIAL_VERSION_UID`

  #17623 opened Jul 24, 2025

• java.io.NotSerializableException: org.opensaml.saml.saml2.metadata.impl.EntityDescriptorImpl after upgrading from 6.4 to 6.5

  #17622 opened Jul 24, 2025

• SAML Signature Certificate Rollover

  #17605 opened Jul 23, 2025

• Add AuthorizationManagerFactory

  #17585 opened Jul 22, 2025

• Use final fields in equals and hashCode of PathPatternRequestMatcher

  #17584 opened Jul 22, 2025

• API key authentication support

  #17563 opened Jul 20, 2025

29 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Add ExpressionTemplateValueProvider

  #17448 commented on Jul 23, 2025 • 3 new comments

• Allow multiple ServerLogoutHandler instances in WebFlux

  #17381 commented on Jul 24, 2025 • 2 new comments

• Update Shibboleth repository URL

  #17477 commented on Jul 23, 2025 • 0 new comments

• Remove ACL access implementations in favor of `AclPermissionEvaluator`

  #17475 commented on Jul 23, 2025 • 0 new comments

• Fix PublicKeyCredentialType.PUBLIC_KEY comparison with Spring Session

  #17223 commented on Jul 21, 2025 • 0 new comments

• Fix traceId discrepancy in case error in servlet web

  #17134 commented on Jul 23, 2025 • 0 new comments

• Add SpEL support for nested username extraction in OAuth2 user info

  #16857 commented on Jul 25, 2025 • 0 new comments

• Implement Serial for PublicKeyCredentialCreationOptions

  #16455 commented on Jul 25, 2025 • 0 new comments

• Consider removing com.nimbusds:oauth2-oidc-sdk dependency

  #14245 commented on Jul 24, 2025 • 0 new comments

• @PreAuthorize not working in Spring Security 6+ due to deprecation

  #17487 commented on Jul 23, 2025 • 0 new comments

• WebAuthn: credential registration fails with an unknown credential type error

  #17164 commented on Jul 23, 2025 • 0 new comments

• OpenID Connect Oauth2 Logout Token not using custom jwt alg

  #15273 commented on Jul 23, 2025 • 0 new comments

• Null safety via JSpecify

  #16882 commented on Jul 22, 2025 • 0 new comments

• Unhandled AuthenticationServiceException in the default exception handing of http filter chain (Resource Server)

  #17234 commented on Jul 21, 2025 • 0 new comments

• Deprecation warning about authorizeRequests should also contain XML guidance

  #17259 commented on Jul 21, 2025 • 0 new comments

• Consider warning when EnableTransactionManagement has lower precedence than EnableMethodSecurity

  #17544 commented on Jul 21, 2025 • 0 new comments

• JwtDecoderFactory is missing and throws ClassNotFoundException with Bearer token and spring-boot:3.5.0

  #17249 commented on Jul 21, 2025 • 0 new comments

• Consider making UserInfo request opt-in instead of default in Spring Security 7

  #16843 commented on Jul 21, 2025 • 0 new comments

• Consider Enabling PKCE for Authorization Code by Default

  #16391 commented on Jul 21, 2025 • 0 new comments

• Favor Relative Redirects by Default

  #16300 commented on Jul 21, 2025 • 0 new comments

• Remove PortResolver

  #15971 commented on Jul 21, 2025 • 0 new comments

• Consider Signing Metadata by Default

  #15182 commented on Jul 21, 2025 • 0 new comments

• Should OidcIdToken implement equals?

  #15156 commented on Jul 21, 2025 • 0 new comments

• Default Servlet Headers Should Include Referrer-Policy

  #13567 commented on Jul 21, 2025 • 0 new comments

• Support UnboundID LDAP SDK 7.0

  #14772 commented on Jul 21, 2025 • 0 new comments

• Remove Deprecations

  #13068 commented on Jul 21, 2025 • 0 new comments

• Restructure AuthenticationServiceException handling

  #12134 commented on Jul 21, 2025 • 0 new comments

• Remove authorizeRequests

  #11954 commented on Jul 21, 2025 • 0 new comments

• Remove SecurityContextPersistenceFilter in Favor of Explicit Saves

  #9634 commented on Jul 21, 2025 • 0 new comments