Hear from the Spring team this January at SpringOne. >

Steve Riesenberg

Steve Riesenberg

Spring Security committer

Papillion, Nebraska

Blog Posts by Steve Riesenberg

Spring Security 5.8 and 6.0 are now GA

On behalf of the team and everyone who has contributed, we are very excited to announce the general availability of Spring Security 6.0! In addition, we are pleased to announce the general availability of Spring Security 5.8, which is provided to simplify upgrading to 6.0.

Spring Security 6 requires JDK 17 and uses the jakarta namespace. Among its many features, upgrading to Spring Security 6 will bring you:

  • Improved session management

  • Improved AOT processing

  • Security metrics and traces

  • Several defense-in-depth enhancements

  • A simplified authorization framework


CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.


Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) responds to the OAuth2 Access Token Response with an empty or missing scope parameter.

If you are affected by this vulnerability, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER is given to the principal.

Beginning with 6.0, the special authority is changed to OAUTH2_USER (or OIDC_USER). See Using a GrantedAuthoritiesMapper in the 6.0 reference documentation for more information.

If additional authorities are required for your application, you should register a GrantedAuthoritiesMapper @Bean to provide the needed authorities, as in the following example:

public class OAuth2LoginSecurityConfig {

	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
			.authorizeHttpRequests((authorize) -> authorize
				.mvcMatchers(HttpMethod.GET, "/messages").hasAuthority("SCOPE_read")
				// ...
		return http.build();

	public GrantedAuthoritiesMapper userAuthoritiesMapper() {
		return (authorities) -> {
			if (!authorities.isEmpty() && authorities.stream()
					.anyMatch(authority -> authority.startsWith("SCOPE_"))) {
				// AS returned scopes that are mapped to SCOPE_ by Spring Security
				return authorities;

			// AS returned no scopes, either because none were granted or because requested == granted
			// See https://www.rfc-editor.org/rfc/rfc6749#section-5.1 and your AS documentation
			// You can access the ID Token or UserInfo attributes to map authorities based on the user:

			Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
			authorities.forEach(authority -> {
				if (OidcUserAuthority.class.isInstance(authority)) {
					OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
					OidcIdToken idToken = oidcUserAuthority.getIdToken();
					// ...
				} else if (OAuth2UserAuthority.class.isInstance(authority)) {
					OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority) authority;
					Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
					// ...

			return grantedAuthorities;

			// Alternatively, provide a fallback set of authorities that make sense for your application
			// return AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read");

It is not recommended to simply map authorities from the ClientRegistration.

Spring Authorization Server 0.3.0 available now

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.3.0.

You can download it from Maven Central by using the module coordinates:

implementation 'org.springframework.security:spring-security-oauth2-authorization-server:0.3.0'

See the release notes for complete details.

With this release, you can view the initial version of the reference documentation and the new project page on spring.io.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.


Spring Security 6.0.0-M5 available now

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.0-M5 is available now.

This release includes dependency upgrades, bug fixes, and minor enhancements as well as a fix for a bug where the StrictHttpFirewall incorrectly rejects valid CJKV characters. The milestone contains a few noteworthy changes:

  • Authorization on Every Dispatch Type

  • Change the default of shouldFilterAllDispatchTypes to true

  • Default to SecurityContextHolderFilter instead of SecurityContextPersistenceFilter

  • Remove SAML Deprecations


Spring Security 6.0.0-M3 and 5.7.0-M3 available now

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.0-M3 and 5.7.0-M3 are available now.

This third 6.0 milestone covers build and release enhancements as well as the deprecation of WebSecurityConfigurerAdapter that was already released with 5.7.0-M2. The third 5.7 milestone covers several enhancements to SAML 2.0 and OAuth 2.0 support as well as a change to use UTF-8 by default for HTTP Basic credentials in Spring WebFlux.

For the release changes, please refer to the releases page.


Spring Security 5.6.0-M3 released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.6.0-M3!

In addition to dependency upgrades and minor enhancements, the milestone contains a few noteworthy changes:

  • Introduced SecurityContextChangedListener

  • Added SAML 2.0 Single Logout Support

  • Added RelyingPartyRegistrationResolver

  • Added support to propagate the TestSecurityContextHolder to SecurityContextHolder

You can find the complete details in the release notes.