Josh Cummings

With the recent release of Spring Security 5.4, we’d like to announce that maintenance for Spring Security SAML Extensions 1.x will end on 6 October 2021.

SAML 2.0 support has been added to the core Spring Security framework over the last three minor releases. There are two main reasons for this.

First, the extension project is based on a version of OpenSAML that the OpenSAML team no longer supports. This version has known CVEs that make it unsafe for use in a production system.

Second, moving the support to the core Spring Security framework allowed us to simplify the API, use the latest OpenSAML, and add long-requested support for features like multi-tenancy and Spring Boot integration.

On behalf of the community, it is my pleasure to announce the general availability of Spring Security 5.4. This release is the result of the work that went into 5.4.0-M1, 5.4.0-M2, 5.4.0-RC1, and 5.4.0. In combination, they close 250+ tickets.

You can find the highlights of 5.4 in the What’s new section of the Spring Security reference.

As always, we look forward to hearing your feedback!

Project Site | Reference | Help

On behalf of the community, I’m pleased to announce the release of Spring Security 5.4.0-M2! You can find the complete details in the release notes and the highlights below:

On behalf of the community, it is my pleasure to announce the general availability of Spring Security 5.3. This release is the result of the work that went into 5.3.0.M1, 5.3.0.RC1, and 5.3.0.RELEASE. In combination they close 200+ tickets.

You can find the highlights of 5.3 in the What’s new section of the Spring Security reference.

As always, we look forward to hearing your feedback!

Project Site | Reference | Help

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.1 (release notes) and 5.1.7 (release notes). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.

Project Site | Reference | Help

On behalf of the community I am pleased to announce the release of Spring Security 5.1.6 (changelog) and 5.0.13 (changelog). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.

Project Site | Reference | Help

We have released Spring Security 4.2.13 to address CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null.

Users are encouraged to update immediately.

With Spring Boot, you can override the Spring Security version in Maven like so:

Or in Gradle like so:

Note that users of Spring Security 5+ are not affected by this vulnerability.

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed instructions on how to override the version.

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below: