Spring Security latest version

v7.1.0

« Changelog History

Spring Security v7.1.0 Release Notes

Release Date: 2026-06-09 // 4 days ago

🛠 🪲 Bug Fixes
- 🔒 Opaque token introspectors should not allow empty credentials #19201
⬆️ 🔨 Dependency Upgrades
- 🔒 Bump @springio/antora-extensions from 1.14.11 to 1.14.12 in /docs #19235
- 🔒 Bump actions/checkout from 6.0.2 to 6.0.3 #19271
- 🔒 Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19181
- 🔒 Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.33 #19228
- 🔒 Bump ch.qos.logback:logback-classic from 1.5.33 to 1.5.34 #19268
- 🔒 Bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 #19133
- 🔒 Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0 #19246
- 🔒 Bump com.google.code.gson:gson from 2.13.2 to 2.14.0 #19125
- 🔒 Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.1 #19157
- 🔒 Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.2 #19195
- 🚀 Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #19148
- 🚀 Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #19263
- 🔒 Bump gradle-wrapper from 9.4.1 to 9.5.0 #19135
- 🔒 Bump gradle-wrapper from 9.5.0 to 9.5.1 #19171
- 🔒 Bump io-micrometer from 1.16.5 to 1.17.0 #19287
- 🔒 Bump io.mockk:mockk from 1.14.9 to 1.14.11 #19244
- 🔒 Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #19296
- 🔒 Bump org-jetbrains-kotlin from 2.3.20 to 2.3.21 #19126
- 🔒 Bump org-jetbrains-kotlin from 2.3.21 to 2.4.0 #19264
- 🔒 Bump org-opensaml5 from 5.2.1 to 5.2.2 #19176
- 🔒 Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19190
- 🔒 Bump org.apereo.cas.client:cas-client-core from 4.1.0 to 4.1.1 #19200
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.1.Final to 7.3.2.Final #19119
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.2.Final to 7.3.3.Final #19149
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.3.Final to 7.3.4.Final #19165
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.4.Final to 7.3.5.Final #19191
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.5.Final to 7.3.6.Final #19211
- 🔒 Bump org.hibernate.orm:hibernate-core from 7.3.6.Final to 7.4.0.Final #19226
- 🔒 Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.2 to 1.11.0 #19166
- 🔒 Bump org.junit:junit-bom from 6.0.3 to 6.1.0 #19197
- 🔒 Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19169
- 🔒 Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #19290
- 🔒 Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.1.0 #19291
- 🔒 Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #19285
- 🚀 Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19179
- 🔒 Bump tools.jackson:jackson-bom from 3.1.2 to 3.1.3 #19147
- 🔒 Bump tools.jackson:jackson-bom from 3.1.3 to 3.1.4 #19245
- 🔒 Bump tools.jackson:jackson-bom from 3.1.4 to 3.2.0 #19286
- ⚡️ Update to spring-data-bom 2026.0.0 #19303
⚡️ 🔩 Build Updates
- 🚀 Release 7.1.0 #19218

Previous changes from v7.1.0-RC1

⭐ New Features
- ➕ Add AllRequiredFactorsAuthorizationManager.anyOf #18960
- ➕ Add PreFlightRequestFilter Support #18926
- ➕ Add ConditionalAuthorizationManager #18919
- ➕ Add MultiFactorCondition.WEBAUTHN_REGISTERED #18923
- ➕ Add PreFlightRequestFilter Support #18980
- ➕ Add PrincipalResolver to ExchangeFilterFunctions #18888
- ➕ Add Support DPoP Customization #17202
- ➕ Add XML Based shouldWriteHeadersEagerly tests #19019
- 🔒 AuthorizationManagerFactories.when #18920
- 🔒 Clarify @WithSecurityContext thread scope #18812
- 🔒 Construct SecureRandom in BCryptPasswordEncoder #18560
- 🔒 Enable Null checking in spring-security-oauth2-authorization-server via JSpecify #18937
- 🔒 Enable Null checking in spring-security-oauth2-client via JSpecify #17819
- 🔒 Enable Null checking in spring-security-oauth2-resource-server via JSpecify #17822
- 🔒 Exclude build output directories from nohttp source set #18928
- 🔒 Implement equals and hashCode in ImmutablePublicKeyCredentialUserEntity #18883
- 👌 Improve And/Or-RequestMatcher/ServerWebExchangeMatcher API #18479
- 🔒 Merge Add CredentialRecordOwnerAuthorizationManager #19006
- 🔒 Move InetAddressMatcher to spring-security-core #18979
- 💅 Polish oauth2-client tests with missing Content-Type header #19008
- 🔒 Prefer dispatcher context for authorize tag beans #18822
- 🔒 Publish authentication events in WebAuthn #18938
- 🔒 Relax client_id validation in AtJwtBuilder #18890
- ✂ Remove compiler warnings for spring-security-access #18738
- ✂ Remove compiler warnings in spring-security-web #18820
- ✂ Remove Unnecessary ObjectProvider roleHierarchy parameter #18921
- 🔒 Revert snapshots to Spring Framework 7.0.+ #19024
- 👌 Support Customizer<AdditionalRequiredFactorsBuilder>> #18922
- 📚 Use idiomatic Kotlin in custom filter documentation #18976
🛠 🪲 Bug Fixes
- Fix equals nullability annotations for jspecify compliance #18930
- Merge Handle null value in OnCommittedResponseWrapper header methods #18991
⬆️ 🔨 Dependency Upgrades
- Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #18946
- Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #19030
- Bump @springio/antora-extensions from 1.14.9 to 1.14.11 in /docs #19053
- Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #18913
- Bump actions/upload-artifact from 7.0.0 to 7.0.1 #19091
- Bump com.fasterxml.jackson:jackson-bom from 2.21.1 to 2.21.2 #18965
- Bump com.nimbusds:oauth2-oidc-sdk from 11.34 to 11.35 #18977
- Bump com.nimbusds:oauth2-oidc-sdk from 11.35 to 11.37 #19002
- Bump com.webauthn4j:webauthn4j-core from 0.31.1.RELEASE to 0.31.2.RELEASE #19020
- Bump com.webauthn4j:webauthn4j-core from 0.31.2.RELEASE to 0.31.3.RELEASE #19107
- Bump gradle-wrapper from 9.4.0 to 9.4.1 #18959
- Bump io.micrometer:micrometer-observation from 1.16.4 to 1.16.5 #19065
- Bump io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5 #19079
- Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.12 to 0.0.13 #19067
- Bump org-bouncycastle from 1.83 to 1.84 #19066
- Bump org-jetbrains-kotlin from 2.3.10 to 2.3.20 #18915
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1 #19106
- Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #19105
- Bump org.apereo.cas.client:cas-client-core from 4.0.4 to 4.1.0 #18974
- Bump org.hibernate.orm:hibernate-core from 7.2.7.Final to 7.3.0.Final #18917
- Bump org.hibernate.orm:hibernate-core from 7.3.0.Final to 7.3.1.Final #19063
- Bump org.jetbrains.dokka from 2.1.0 to 2.2.0 #18998
- Bump org.jetbrains.dokka:dokka-gradle-plugin from 2.1.0 to 2.2.0 #18999
- Bump org.seleniumhq.selenium:htmlunit3-driver from 4.41.0 to 4.43.0 #19060
- Bump org.seleniumhq.selenium:selenium-java from 4.41.0 to 4.42.0 #19056
- Bump org.seleniumhq.selenium:selenium-java from 4.41.0 to 4.43.0 #19062
- Bump org.springframework.data:spring-data-bom from 2025.1.4 to 2025.1.5 #19104
- Bump org.springframework.ldap:spring-ldap-core from 4.0.2 to 4.0.3 #19097
- Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #18993
- Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #19092
- Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15 #18942
- Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml from 1.0.14 to 1.0.15 #18944
- Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.14 to 1.0.15 #18943
- Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #18945
- Bump tools.jackson:jackson-bom from 3.1.0 to 3.1.1 #19003
- Bump tools.jackson:jackson-bom from 3.1.1 to 3.1.2 #19061
❤️ Contributors

🚀 Thank you to all the contributors who worked on this release:

@aspan, @dasog94, @evgeniycheban, @franticticktick, @gbaso, @jkuhel, @ribafish, @rwinch, @suuuuuuminnnnnn, @therepanic, @wonderfulrosemari, @yxinot, and @ziqin