spring-security/docs/modules/ROOT/pages/whats-new.adoc

[[new]]
= What's New in Spring Security 7.0

Spring Security 7.0 provides a number of new features.
Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.

== Removals

Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.
Each section that follows will indicate the more notable removals as well as the new features in that module

== Modules

* The https://github.com/spring-projects/spring-security-kerberos[Spring Security Kerberos Extension] is now part of Spring Security. See the xref:servlet/authentication/kerberos/index.adoc[Kerberos] section of the reference for details.

== Core

* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
* Added `Authentication.Builder` for mutating and merging `Authentication` instances
* Moved Access API (`AccessDecisionManager`, `AccessDecisionVoter`, etc.) to a new module, `spring-security-access`

== Config

* Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]
* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
* Simplified expression migration for `authorizeRequests`
* Added support for SPA-based CSRF configuration:

Java::
+
[source,java,role="primary"]
----
http.csrf((csrf) -> csrf.spa());
----

== Crypto

* Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:
** `Argon2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-argon2[Argon2 implementation using Password4j]
** `BcryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-bcrypt[BCrypt implementation using Password4j]
** `ScryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-scrypt[SCrypt implementation using Password4j]
** `Pbkdf2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-pbkdf2[PBKDF2 implementation using Password4j]
** `BalloonHashingPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-balloon[Balloon Hashing implementation using Password4j]

== Data

* Added support to Authorized objects for Spring Data types

== LDAP

* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

== OAuth 2.0

* Removed support for password grant
* Added OAuth2 Support for xref:features/integrations/rest/http-interface.adoc[HTTP Interface Integration]
* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
* Added builder for `NimbusJwtEncoder`, supports specifying an EC or RSA key pair or a secret key
* Added support for `@ClientRegistrationId` at the xref:features/integrations/rest/http-interface.adoc#type[type level], eliminating the need for method level repetition

== SAML 2.0

* Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
* Removed GET request support from `Saml2AuthenticationTokenConverter`
* Added JDBC-based `AssertingPartyMetadataRepository`
* Made so that SLO still returns `<saml2:LogoutResponse>` even when validation fails
* Removed Open SAML 4 support; applications should migrate to Open SAML 5

== Web

* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]
* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
* Added support to Authorized objects for Spring MVC types
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`[[new]]`
Update to 7.0.0-SNAPSHOT Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com> 2025-04-25 08:48:50 +08:00			`= What's New in Spring Security 7.0`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00
Update to 7.0.0-SNAPSHOT Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com> 2025-04-25 08:48:50 +08:00			`Spring Security 7.0 provides a number of new features.`
Update What's New in 6.3 Closes gh-14918 2024-04-18 00:13:49 +08:00			`Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.`
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Removals`

			`Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.`
			`Each section that follows will indicate the more notable removals as well as the new features in that module`

Add Spring Security Kerberos Move the Spring Security Kerberos Extension into Spring Security Closes gh-17879 2025-09-13 03:23:19 +08:00			`== Modules`

			`* The https://github.com/spring-projects/spring-security-kerberos[Spring Security Kerberos Extension] is now part of Spring Security. See the xref:servlet/authentication/kerberos/index.adoc[Kerberos] section of the reference for details.`

Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Core`

			* Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
Add AuthorizationManagerFactory Signed-off-by: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com> 2025-09-03 01:47:53 +08:00			* Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
Document Authentication.Builder The commit documents the new Authentication Builder interface and its usage in the security filter chain. Closes gh-17861 Closes gh-17862 2025-09-10 04:47:34 +08:00			* Added `Authentication.Builder` for mutating and merging `Authentication` instances
Document spring-security-access Closes gh-17847 2025-09-03 08:48:37 +08:00			* Moved Access API (`AccessDecisionManager`, `AccessDecisionVoter`, etc.) to a new module, `spring-security-access`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
			`== Config`

Remove stray modular from the documentation Issue gh-16258 2025-08-21 01:24:25 +08:00			`* Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
			* Removed `authorizeRequests` in favor of `authorizeHttpRequests`
			* Simplified expression migration for `authorizeRequests`
			`* Added support for SPA-based CSRF configuration:`

			`Java::`
			`+`
			`[source,java,role="primary"]`
			`----`
			`http.csrf((csrf) -> csrf.spa());`
			`----`

Add documentation for Password4j-based password encoders for Argon2, BCrypt, Scrypt, PBKDF2, and Balloon hashing Closes gh-17706 Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com> 2025-09-13 13:56:59 +08:00			`== Crypto`

			`* Added Password4j-based password encoders providing alternative implementations for popular hashing algorithms:`
			** `Argon2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-argon2[Argon2 implementation using Password4j]
			** `BcryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-bcrypt[BCrypt implementation using Password4j]
			** `ScryptPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-scrypt[SCrypt implementation using Password4j]
			** `Pbkdf2Password4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-pbkdf2[PBKDF2 implementation using Password4j]
			** `BalloonHashingPassword4jPasswordEncoder` - xref:features/authentication/password-storage.adoc#authentication-password-storage-password4j-balloon[Balloon Hashing implementation using Password4j]

Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`== Data`

			`* Added support to Authorized objects for Spring Data types`

			`== LDAP`

			* Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID

			`== OAuth 2.0`

			`* Removed support for password grant`
			`* Added OAuth2 Support for xref:features/integrations/rest/http-interface.adoc[HTTP Interface Integration]`
			* Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
			* Added builder for `NimbusJwtEncoder`, supports specifying an EC or RSA key pair or a secret key
Document @ClientRegistrationId on types Issue gh-17806 2025-09-13 04:04:44 +08:00			* Added support for `@ClientRegistrationId` at the xref:features/integrations/rest/http-interface.adoc#type[type level], eliminating the need for method level repetition
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
			`== SAML 2.0`

			* Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
			* Removed GET request support from `Saml2AuthenticationTokenConverter`
			* Added JDBC-based `AssertingPartyMetadataRepository`
			* Made so that SLO still returns `<saml2:LogoutResponse>` even when validation fails
Update What's New Issue gh-17707 2025-08-19 05:30:37 +08:00			`* Removed Open SAML 4 support; applications should migrate to Open SAML 5`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00			`== Web`

Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			* Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
Add SubjectX500PrincipalExtractor to Whats New Issue gh-16984 2025-06-13 01:19:37 +08:00			`* Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]`
Update What's New in Spring Security 7 Closes gh-17582 2025-07-22 05:00:47 +08:00			`* Added support for propagating exceptions in Authorized proxies through Spring MVC controllers`
			`* Added support to Authorized objects for Spring MVC types`