spring-security/docs/modules/ROOT/pages/whats-new.adoc

[[new]]
= What's New in Spring Security 6.0

Spring Security 6.0 provides a number of new features.
Below are the highlights of the release.

== Baseline Changes

* Spring Security 6 requires JDK 17

== Breaking Changes

* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
Instead use data storage to encrypt values.
* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default
* https://github.com/spring-projects/spring-security/issues/8819[gh-8819] - Move filters to web package
Reorganize imports
* https://github.com/spring-projects/spring-security/issues/7349[gh-7349] - Move filter and token to appropriate packages
Reorganize imports
* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()`
* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`.
Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].
* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
* Change use-authorization-manager="true" to default
If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
Or use `use-authorization-manager="false"`
* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
* https://github.com/spring-projects/spring-security/issues/11985[gh-11985] - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`.
* https://github.com/spring-projects/spring-security/issues/11960[gh-11960] - Default to Xor CSRF protection for xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet] and xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive]
* https://github.com/spring-projects/spring-security/issues/12019[gh-12019] - Remove deprecated method `setTokenFromMultipartDataEnabled` from `CsrfWebFilter`
* https://github.com/spring-projects/spring-security/issues/12020[gh-12020] - Remove deprecated method `tokenFromMultipartDataEnabled` from Java Configuration
* https://github.com/spring-projects/spring-security/issues/9429[gh-9429] - `Authentication(Web)Filter` rethrows `AuthenticationServiceException`s
* https://github.com/spring-projects/spring-security/issues/11027[gh-11027], https://github.com/spring-projects/spring-security/issues/11466[gh-11466] - Authorization on every dispatcher type
* https://github.com/spring-projects/spring-security/issues/11110[gh-11110] - Require explicit session saves by default
* https://github.com/spring-projects/spring-security/issues/11057[gh-11057] - Remove `MessageSourceAware` from `ExceptionTranslationWebFilter`
* https://github.com/spring-projects/spring-security/issues/12022[gh-12202] - Remove OAuth deprecations
* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support.
Use the OpenSaml 4 Support instead.
* https://github.com/spring-projects/spring-security/issues/11077[gh-11077] - Remove SAML deprecations
** Remove `Converter` constructors from `Saml2MetadataFilter` and `Saml2AuthenticationTokenConverter`
** Remove `Saml2AuthenticationRequestContextResolver` and `Saml2AuthenticationRequestFactory` and implementations
** Remove `Saml2AuthenticationToken(String, String, String, String, List)`
** Remove `RelyingPartyRegistration.ProviderDetails` and related methods
** Remove `OpenSamlAuthenticationProvider`

== Core

* https://github.com/spring-projects/spring-security/issues/11446[gh-11446] - Add native image support for `@PreAuthorize`
* https://github.com/spring-projects/spring-security/issues/11737[gh-11737] - Add native image support for `@PostAuthorize`
* xref:servlet/integrations/observability.adoc[Instrumentation] of `AuthenticationManager`, `AuthorizationManager`, and `FilterChainProxy`
* xref:reactive/integrations/observability.adoc[Instrumentation] of `ReactiveAuthenticationManager`, `ReactiveAuthorizationManager`, and `WebFilterChainProxy`

== LDAP

* https://github.com/spring-projects/spring-security/pull/9276[gh-9276] - LdapAuthoritiesPopulator is post-processed

== Web

* https://github.com/spring-projects/spring-security/issues/11432[gh-11432] - `CookieServerCsrfTokenRepository` supports maxage
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`[[new]]`
Merge Clean up Reference Documentation Closes gh-9668 2021-12-14 06:57:36 +08:00			`= What's New in Spring Security 6.0`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00
Merge Clean up Reference Documentation Closes gh-9668 2021-12-14 06:57:36 +08:00			`Spring Security 6.0 provides a number of new features.`
Extract subsections for preface Issue: gh-2567 2018-03-06 06:56:47 +08:00			`Below are the highlights of the release.`
Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)` This method is insecure. Users should instead encrypt with their database. Closes gh-8980 2022-09-08 02:51:58 +08:00
Update What's New Closes gh-12024 2022-10-14 03:53:49 +08:00			`== Baseline Changes`

			`* Spring Security 6 requires JDK 17`

Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)` This method is insecure. Users should instead encrypt with their database. Closes gh-8980 2022-09-08 02:51:58 +08:00			`== Breaking Changes`

			* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
Update What's New for 6.0 2022-09-20 19:32:30 +08:00			`Instead use data storage to encrypt values.`
			`* https://github.com/spring-projects/spring-security/issues/11520[gh-11520] - Remember Me uses SHA256 by default`
Polish whats-new.adoc 2022-10-14 02:25:28 +08:00			`* https://github.com/spring-projects/spring-security/issues/8819[gh-8819] - Move filters to web package`
Move Saml2 Authentication Filters Closes gh-8819 2022-09-21 07:18:05 +08:00			`Reorganize imports`
Polish whats-new.adoc 2022-10-14 02:25:28 +08:00			`* https://github.com/spring-projects/spring-security/issues/7349[gh-7349] - Move filter and token to appropriate packages`
Adjust OAuth2 Resource Server packaging Closes gh-7349 2022-09-21 07:44:05 +08:00			`Reorganize imports`
Update What's New for 6.0 2022-09-26 22:48:52 +08:00			* https://github.com/spring-projects/spring-security/issues/11026[gh-11026] - Use `RequestAttributeSecurityContextRepository` instead of `NullSecurityContextRepository`
Update What's New for 6.0 2022-09-26 23:07:50 +08:00			* https://github.com/spring-projects/spring-security/pull/11887[gh-11827] - Change default authority for `oauth2Login()`
Merge branch '5.8.x' Closes gh-11347 in 6.0.x Closes gh-11945 2022-10-04 03:02:18 +08:00			* https://github.com/spring-projects/spring-security/issues/10347[gh-10347] - Remove `UsernamePasswordAuthenticationToken` check in `BasicAuthenticationFilter`
Remove WebSecurityConfigurerAdapter Closes gh-10902 2022-09-30 21:31:15 +08:00			* https://github.com/spring-projects/spring-security/pull/11923[gh-11923] - Remove `WebSecurityConfigurerAdapter`.
			`Instead, create a https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter[SecurityFilterChain bean].`
Use MvcRequestMatcher by default if Spring MVC is present Closes gh-11899 2022-10-05 00:29:39 +08:00			* https://github.com/spring-projects/spring-security/issues/11899[gh-11899] - Use `MvcRequestMatcher` by default if Spring MVC is present.
			You can configure a different `RequestMatcher` by using the https://docs.spring.io/spring-security/reference/servlet/appendix/namespace/http.html#nsa-http-attributes[request-matcher attribute from <http>].
use-authorization-manager defaults to true Closes gh-11929 2022-10-06 09:49:53 +08:00			`* Change use-authorization-manager="true" to default`
			If the application uses `use-expressions="true"` or `access-decision-manager-ref` switch to `use-expressions="false"` or `authorization-manager-ref`, respectively.
			If application relies on the implicit `<intercept-url pattern="/**" access="permitAll"/>`, this is no longer implicit and needs to be specified.
			Or use `use-authorization-manager="false"`
Remove deprecated RequestMatcher methods from Java Configuration Closes gh-11939 2022-10-06 00:29:47 +08:00			* https://github.com/spring-projects/spring-security/issues/11939[gh-11939] - Remove deprecated `antMatchers`, `mvcMatchers`, `regexMatchers` helper methods from Java Configuration.
			Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
Update What's New in 6.0 for PasswordEncoders Issue gh-11985 2022-10-12 20:27:46 +08:00			* https://github.com/spring-projects/spring-security/issues/11985[gh-11985] - Remove deprecated constructors in `Argon2PasswordEncoder`, `SCryptPasswordEncoder` and `Pbkdf2PasswordEncoder`.
Update What's New for 6.0 2022-10-14 02:41:50 +08:00			`* https://github.com/spring-projects/spring-security/issues/11960[gh-11960] - Default to Xor CSRF protection for xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet] and xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive]`
			* https://github.com/spring-projects/spring-security/issues/12019[gh-12019] - Remove deprecated method `setTokenFromMultipartDataEnabled` from `CsrfWebFilter`
			* https://github.com/spring-projects/spring-security/issues/12020[gh-12020] - Remove deprecated method `tokenFromMultipartDataEnabled` from Java Configuration
Change Default for (Server)AuthenticationEntryPointFailureHandler Closes gh-9429 2022-10-14 10:03:03 +08:00			* https://github.com/spring-projects/spring-security/issues/9429[gh-9429] - `Authentication(Web)Filter` rethrows `AuthenticationServiceException`s
Update What's New Closes gh-12024 2022-10-14 03:53:49 +08:00			`* https://github.com/spring-projects/spring-security/issues/11027[gh-11027], https://github.com/spring-projects/spring-security/issues/11466[gh-11466] - Authorization on every dispatcher type`
			`* https://github.com/spring-projects/spring-security/issues/11110[gh-11110] - Require explicit session saves by default`
			* https://github.com/spring-projects/spring-security/issues/11057[gh-11057] - Remove `MessageSourceAware` from `ExceptionTranslationWebFilter`
			`* https://github.com/spring-projects/spring-security/issues/12022[gh-12202] - Remove OAuth deprecations`
Adjust SAML What's New Issue gh-11077 2022-11-09 05:15:38 +08:00			`* https://github.com/spring-projects/spring-security/issues/10556[gh-10556] - Remove EOL OpenSaml 3 Support.`
			`Use the OpenSaml 4 Support instead.`
			`* https://github.com/spring-projects/spring-security/issues/11077[gh-11077] - Remove SAML deprecations`
			** Remove `Converter` constructors from `Saml2MetadataFilter` and `Saml2AuthenticationTokenConverter`
			** Remove `Saml2AuthenticationRequestContextResolver` and `Saml2AuthenticationRequestFactory` and implementations
			** Remove `Saml2AuthenticationToken(String, String, String, String, List)`
			** Remove `RelyingPartyRegistration.ProviderDetails` and related methods
			** Remove `OpenSamlAuthenticationProvider`
Document Observability Support Issue gh-10964 2022-10-05 05:34:16 +08:00
Update What's New Closes gh-12024 2022-10-14 03:53:49 +08:00			`== Core`
Document Observability Support Issue gh-10964 2022-10-05 05:34:16 +08:00
Update What's New Closes gh-12024 2022-10-14 03:53:49 +08:00			* https://github.com/spring-projects/spring-security/issues/11446[gh-11446] - Add native image support for `@PreAuthorize`
			* https://github.com/spring-projects/spring-security/issues/11737[gh-11737] - Add native image support for `@PostAuthorize`
Document Observability Support Issue gh-10964 2022-10-05 05:34:16 +08:00			* xref:servlet/integrations/observability.adoc[Instrumentation] of `AuthenticationManager`, `AuthorizationManager`, and `FilterChainProxy`
			* xref:reactive/integrations/observability.adoc[Instrumentation] of `ReactiveAuthenticationManager`, `ReactiveAuthorizationManager`, and `WebFilterChainProxy`
Update What's New Closes gh-12024 2022-10-14 03:53:49 +08:00
			`== LDAP`

			`* https://github.com/spring-projects/spring-security/pull/9276[gh-9276] - LdapAuthoritiesPopulator is post-processed`

			`== Web`

			* https://github.com/spring-projects/spring-security/issues/11432[gh-11432] - `CookieServerCsrfTokenRepository` supports maxage