spring-security/docs/modules/ROOT/pages/whats-new.adoc

[[new]]
= What's New in Spring Security 6.0

Spring Security 6.0 provides a number of new features.
Below are the highlights of the release.

== Breaking Changes

* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support.
Use the OpenSaml 4 Support instead.
* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
Instead use data storage to encrypt values.
* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default
* https://github.com/spring-projects/spring-security/issues/8819 - Move filters to web package
Reorganize imports
* https://github.com/spring-projects/spring-security/issues/7349 - Move filter and token to appropriate packages
Reorganize imports
* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()`
* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`.
Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].
* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
* Change use-authorization-manager="true" to default
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
Or use `use-authorization-manager="false"`
* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
* https://github.com/spring-projects/spring-security/issues/11985[gh-11985] - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`.
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`[[new]]`
Merge Clean up Reference Documentation Closes gh-9668 2021-12-14 06:57:36 +08:00			`= What's New in Spring Security 6.0`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00
Merge Clean up Reference Documentation Closes gh-9668 2021-12-14 06:57:36 +08:00			`Spring Security 6.0 provides a number of new features.`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`Below are the highlights of the release.`
Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)` This method is insecure. Users should instead encrypt with their database. Closes gh-8980 2022-09-08 02:51:58 +08:00
			`== Breaking Changes`

Remove Deprecated OpenSAML 3 Support Closes gh-10556 2022-09-08 02:39:26 +08:00			`* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support.`
			`Use the OpenSaml 4 Support instead.`
Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)` This method is insecure. Users should instead encrypt with their database. Closes gh-8980 2022-09-08 02:51:58 +08:00			* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
Update What's New for 6.0 2022-09-20 19:32:30 +08:00			`Instead use data storage to encrypt values.`
			`* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default`
Move Saml2 Authentication Filters Closes gh-8819 2022-09-21 07:18:05 +08:00			`* https://github.com/spring-projects/spring-security/issues/8819 - Move filters to web package`
			`Reorganize imports`
Adjust OAuth2 Resource Server packaging Closes gh-7349 2022-09-21 07:44:05 +08:00			`* https://github.com/spring-projects/spring-security/issues/7349 - Move filter and token to appropriate packages`
			`Reorganize imports`
Update What's New for 6.0 2022-09-26 22:48:52 +08:00			* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
Update What's New for 6.0 2022-09-26 23:07:50 +08:00			* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()`
Merge branch '5.8.x' Closes gh-11347 in 6.0.x Closes gh-11945 2022-10-04 03:02:18 +08:00			* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
Remove WebSecurityConfigurerAdapter Closes gh-10902 2022-09-30 21:31:15 +08:00			* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`.
			`Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].`
Use MvcRequestMatcher by default if Spring MVC is present Closes gh-11899 2022-10-05 00:29:39 +08:00			* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
			You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
use-authorization-manager defaults to true Closes gh-11929 2022-10-06 09:49:53 +08:00			`* Change use-authorization-manager="true" to default`
			If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
			If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
			Or use `use-authorization-manager="false"`
Remove deprecated RequestMatcher methods from Java Configuration Closes gh-11939 2022-10-06 00:29:47 +08:00			* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
			Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
Update What's New in 6.0 for PasswordEncoders Issue gh-11985 2022-10-12 20:27:46 +08:00			* https://github.com/spring-projects/spring-security/issues/11985[gh-11985] - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`.