Spring Security 5.1.0.RC1 Released

Releases | Josh Cummings | August 21, 2018 | ...

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC1. This release comes with 50+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

Table of Contents


OAuth2 Resource Server

Open ID Provider Configuration

Resource Server is now configurable via any issuer endpoint that supports Open Id Provider Configuration:

JwtDecoder jwtDecoder() {
    return JwtDecoders.createDefaultFromIssuer("https://issuer-endpoint");

Claim Validation

Users can add their own validation rules to apply to a Jwt by exposing a JwtDecoder bean:

JwtDecoder jwtDecoder() {
    String jwkSetUri = "https://issuer-endpoint/.well-known/jwks.json";
    NimbusJwtDecoderJwkSupport jwtDecoder =
      new NimbusJwkDecoderJwkSupport(jwkSetUri);
    OAuth2TokenValidator<Jwt> validator =
      new DelegatingOAuth2TokenValidator(
        new MyCustomValidator());
    return jwtDecoder;

GrantedAuthority Extraction

Users can customize how GrantedAuthority s are derived from a Jwt:

JwtDecoder jwtDecoder() {
    String jwkSetUri = "https://issuer-endpoint/.well-known/jwks.json";
    NimbusJwtDecoderJwkSupport jwtDecoder =
      new NimbusJwkDecoderJwkSupport(jwkSetUri);
    JwtAuthenticationConverter jwtAuthenticationConverter =
      new JwtAuthenticationConverter() {
        protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
          return Arrays.asList(new SimpleGrantedAuthority("app:read"));
    return jwtDecoder;

OAuth2 Client Credentials Grant

Basic Support for the Client Credentials Grant Type has been added.

Feature-Policy Secure Header

Basic support for the Feature-Policy has been added:

        .featurePolicy("geolocation 'none'");


OAuth2 Resource Servers

Basic support for Reactive-based OAuth2 Resource Servers has been added. See oauth2resourceserver-webflux

OAuth2 Login/Client

Authorization Code Grant

Basic support for Reactive-based Authorization Code Grant flow has been added. See authcodegrant-webflux

Authorization Request Resolver

Support for customizing the authentication request made to the Authorization Server has been added. This is handy if, for example, the authorization server requires a custom parameter to be sent. It is also helpful in multi-tenant scenarios where elements of the request like the hostname may change how the request to an authorization server is made.

Authorized Client Repository

Support for customizing the persistence of authorized clients between requests has been added:

            .authorizedClientRepository(new MyCookieBasedClientRepository());

Hardening Your Application

Secure Headers

Support for the following secure headers has been added to WebFlux:

  • Content-Security-Policy

  • Referrer-Policy

  • Feature-Policy


Support for CORS has been added to Webflux.

Dependency Updates

We have updated our dependencies to be on the latest and greatest to ensure our transitive dependencies are up to date.

Project Site | Reference | Help

Get the Spring newsletter

Thank you for your interest. Someone will get back to you shortly.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all