spring-security/docs/modules/ROOT/pages/whats-new.adoc

[[new]]
= What's New in Spring Security 7.0

Spring Security 7.0 provides a number of new features.
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.

== Removals

Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.
Each section that follows will indicate the more notable removals as well as the new features in that module

== Modules

* The https://github.com/spring-projects/spring-security-kerberos[Spring Security Kerberos Extension] is now part of Spring Security. See the xref:servlet/authentication/kerberos/index.adoc[Kerberos] section of the reference for details.

== Core

* Added Support for xref:servlet/authentication/adaptive.adoc[Multi-factor Authentication]
* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
* Added javadoc:org.springframework.security.authorization.AllAuthoritiesAuthorizationManager[] and javadoc:org.springframework.security.authorization.AllAuthoritiesReactiveAuthorizationManager[] along with corresponding methods for xref:servlet/authorization/authorize-http-requests.adoc#authorize-requests[Authorizing `HttpServletRequests`] and xref:servlet/authorization/method-security.adoc#using-authorization-expression-fields-and-methods[method security expressions].
* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
* Added `Authentication.Builder` for mutating and merging `Authentication` instances
* Moved Access API (`AccessDecisionManager`, `AccessDecisionVoter`, etc.) to a new module, `spring-security-access`

== Config

* Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]
* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
* Simplified expression migration for `authorizeRequests`
* Added support for SPA-based CSRF configuration:

Java::
+
[source,java,role="primary"]
----
http.csrf((csrf) -> csrf.spa());
----

== Crypto

* Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:
** `Argon2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-argon2[Argon2]
** `BcryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-bcrypt[BCrypt]
** `ScryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-scrypt[SCrypt]
** `Pbkdf2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-pbkdf2[PBKDF2]
** `BalloonHashingPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-balloon[Balloon Hashing]

== Data

* Added support to Authorized objects for Spring Data types

== LDAP

* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

== OAuth 2.0

* Removed support for password grant
* Added OAuth2 Support for xref:features/integrations/rest/http-service-client.adoc[HTTP Service Clients]
* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
* Added builder for `NimbusJwtEncoder`, supports specifying an EC or RSA key pair or a secret key
* Added support for `@ClientRegistrationId` at the xref:features/integrations/rest/http-service-client.adoc#type[type level], eliminating the need for method level repetition

== SAML 2.0

* Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
* Removed GET request support from `Saml2AuthenticationTokenConverter`
* Added JDBC-based `AssertingPartyMetadataRepository`
* Made so that SLO still returns `<saml2:LogoutResponse>` even when validation fails
* Removed Open SAML 4 support; applications should migrate to Open SAML 5

== Web

* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]
* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
* Added support to Authorized objects for Spring MVC types
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`[[new]]`
Update to 7.0.0-SNAPSHOT Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com> 2025-04-25 08:48:50 +08:00			`= What's New in Spring Security 7.0`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00
Update to 7.0.0-SNAPSHOT Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com> 2025-04-25 08:48:50 +08:00			`Spring Security 7.0 provides a number of new features.`
Update What's New in 6.3 Closes gh-14918 2024-04-18 00:13:49 +08:00			`Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.`
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Removals`

			`Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.`
			`Each section that follows will indicate the more notable removals as well as the new features in that module`

Add Spring Security Kerberos Move the Spring Security Kerberos Extension into Spring Security Closes gh-17879 2025-09-13 03:23:19 +08:00			`== Modules`

			`* The https://github.com/spring-projects/spring-security-kerberos[Spring Security Kerberos Extension] is now part of Spring Security. See the xref:servlet/authentication/kerberos/index.adoc[Kerberos] section of the reference for details.`

Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Core`

Add Initial Documentation Issue gh-17934 2025-09-19 04:17:02 +08:00			`* Added Support for xref:servlet/authentication/adaptive.adoc[Multi-factor Authentication]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
Add hasAll(Roles\|Authorities) to SecurityExpressionRoot This adds support for hasAllRoles and hasAllAuthorities to method security expressions. Issue gh-17932 2025-09-19 22:33:50 +08:00			* Added javadoc:org.springframework.security.authorization.AllAuthoritiesAuthorizationManager[] and javadoc:org.springframework.security.authorization.AllAuthoritiesReactiveAuthorizationManager[] along with corresponding methods for xref:servlet/authorization/authorize-http-requests.adoc#authorize-requests[Authorizing `HttpServletRequests`] and xref:servlet/authorization/method-security.adoc#using-authorization-expression-fields-and-methods[method security expressions].
Add AuthorizationManagerFactory Signed-off-by: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com> 2025-09-03 01:47:53 +08:00			* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
Document Authentication.Builder The commit documents the new Authentication Builder interface and its usage in the security filter chain. Closes gh-17861 Closes gh-17862 2025-09-10 04:47:34 +08:00			* Added `Authentication.Builder` for mutating and merging `Authentication` instances
Document spring-security-access Closes gh-17847 2025-09-03 08:48:37 +08:00			* Moved Access API (`AccessDecisionManager`, `AccessDecisionVoter`, etc.) to a new module, `spring-security-access`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
			`== Config`

Remove stray modular from the documentation Issue gh-16258 2025-08-21 01:24:25 +08:00			`* Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
			* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
			* Simplified expression migration for `authorizeRequests`
			`* Added support for SPA-based CSRF configuration:`

			`Java::`
			`+`
			`[source,java,role="primary"]`
			`----`
			`http.csrf((csrf) -> csrf.spa());`
			`----`

Add documentation for Password4j-based password encoders for Argon2, BCrypt, Scrypt, PBKDF2, and Balloon hashing Closes gh-17706 Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com> 2025-09-13 13:56:59 +08:00			`== Crypto`

			`* Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:`
Use non-redundant ids in password4j docs Documentation ids no longer need to be globally unique, so they do not need to include the path. This makes the ids less verbose and integrates with include-code extension better. Issue gh-17706 2025-09-16 00:00:51 +08:00			** `Argon2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-argon2[Argon2]
			** `BcryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-bcrypt[BCrypt]
			** `ScryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-scrypt[SCrypt]
			** `Pbkdf2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-pbkdf2[PBKDF2]
			** `BalloonHashingPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#password4j-balloon[Balloon Hashing]
Add documentation for Password4j-based password encoders for Argon2, BCrypt, Scrypt, PBKDF2, and Balloon hashing Closes gh-17706 Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com> 2025-09-13 13:56:59 +08:00
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Data`

			`* Added support to Authorized objects for Spring Data types`

			`== LDAP`

			* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

			`== OAuth 2.0`

			`* Removed support for password grant`
Update terminology to HTTP Service Clients Closes gh-17947 2025-09-22 23:09:04 +08:00			`* Added OAuth2 Support for xref:features/integrations/rest/http-service-client.adoc[HTTP Service Clients]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
			* Added builder for `NimbusJwtEncoder`, supports specifying an EC or RSA key pair or a secret key
Update terminology to HTTP Service Clients Closes gh-17947 2025-09-22 23:09:04 +08:00			* Added support for `@ClientRegistrationId` at the xref:features/integrations/rest/http-service-client.adoc#type[type level], eliminating the need for method level repetition
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
			`== SAML 2.0`

			* Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
			* Removed GET request support from `Saml2AuthenticationTokenConverter`
			* Added JDBC-based `AssertingPartyMetadataRepository`
			* Made so that SLO still returns `<saml2:LogoutResponse>` even when validation fails
Update What's New Issue gh-17707 2025-08-19 05:30:37 +08:00			`* Removed Open SAML 4 support; applications should migrate to Open SAML 5`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00			`== Web`

Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00			`* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers`
			`* Added support to Authorized objects for Spring MVC types`