Steve Riesenberg

Spring Security committer | Papillion, Nebraska

Blog posts by Steve Riesenberg

Spring Authorization Server 1.1.0-M2 available now

Releases | March 21, 2023 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 1.1.0-M2.

The main feature delivered in this release is support for the OAuth 2.0 Device Authorization Grant (RFC 8628), tracked as gh-1106.

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

Project Page | GitHub Issues | ZenHub Board

Spring Security 5.8 and 6.0 are now GA

Releases | November 21, 2022 | ...

On behalf of the team and everyone who has contributed, we are very excited to announce the general availability of Spring Security 6.0! In addition, we are pleased to announce the general availability of Spring Security 5.8, which is provided to simplify upgrading to 6.0.

Spring Security 6 requires JDK 17 and uses the Jakarta EE (jakarta.*) namespace in place of javax.*. Among its many features, upgrading to Spring Security 6 will bring you:

  • Improved session management

  • Improved AOT processing

  • Security metrics and traces

  • Several defense-in-depth enhancements

  • A simplified authorization framework

Check out What’s New in Spring Security 5.8 and What’s New in Spring Security 6.0

CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Engineering | October 31, 2022 | ...

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.

Impact

Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) returns an OAuth2 Access Token Response whose scope parameter is empty or missing.

If you are affected by this change, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER
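The following is an added example, not code from the post or from Spring Security itself, that models the scope-to-authority mapping the fix changes. The pre-fix branch reproduces the behaviour CVE-2022-31690 describes: when the AS omitted the scope parameter, the client fell back to the scopes it had requested, and those requested scopes travel through the browser redirect where they can be tampered with. The class and function names, and the sample requests and responses, are constructed for illustration and are not Spring Security APIs.

```python
"""Model of OAuth2 client authority mapping before and after the CVE-2022-31690 fix.

Constructed example; the types below stand in for an authorization request and an
access token response and are not Spring Security classes.
"""
from dataclasses import dataclass
from typing import Optional, Set

ROLE_USER = "ROLE_USER"  # the one authority the fixed client still grants unconditionally


@dataclass(frozen=True)
class AuthorizationRequest:
    # Scopes the client asked for. They are sent via the browser, so an attacker
    # sitting at the browser can add scopes the client never intended to request.
    scopes: Set[str]


@dataclass(frozen=True)
class AccessTokenResponse:
    # None  -> the AS omitted the scope parameter entirely
    # set() -> the AS sent an empty scope list
    scopes: Optional[Set[str]]


def _scope_authorities(scopes: Set[str]) -> Set[str]:
    return {f"SCOPE_{s}" for s in sorted(scopes)}


def map_authorities_prefix(request: AuthorizationRequest,
                           response: AccessTokenResponse) -> Set[str]:
    """Pre-fix behaviour (the vulnerable mapping).

    RFC 6749 section 5.1 allows the AS to omit `scope` when it equals the requested
    scope, so the client assumed the *requested* scopes were granted. Because the
    requested scopes can be tampered with in the browser, this is the privilege
    escalation the advisory describes.
    """
    granted = response.scopes if response.scopes else request.scopes
    return {ROLE_USER} | _scope_authorities(granted)


def map_authorities_fixed(request: AuthorizationRequest,
                          response: AccessTokenResponse) -> Set[str]:
    """Fixed behaviour: only scopes the AS actually returned become SCOPE_ authorities.

    An empty or missing scope parameter therefore yields ROLE_USER alone, which is
    the post-upgrade impact the advisory warns about.
    """
    granted = response.scopes or set()
    return {ROLE_USER} | _scope_authorities(granted)


def tampered_login_demo() -> dict:
    """Constructed scenario: the client meant to request {openid, profile}, the
    browser-side request was altered to add `admin`, and the AS omitted `scope`
    in its token response."""
    tampered_request = AuthorizationRequest(scopes={"openid", "profile", "admin"})
    response_without_scope = AccessTokenResponse(scopes=None)
    return {
        "prefix": map_authorities_prefix(tampered_request, response_without_scope),
        "fixed": map_authorities_fixed(tampered_request, response_without_scope),
    }


if __name__ == "__main__":
    for label, authorities in tampered_login_demo().items():
        print(f"{label:6}: {sorted(authorities)}")
    # An AS that returns scopes explicitly is unaffected by the change:
    explicit = AccessTokenResponse(scopes={"openid"})
    print("explicit:", sorted(map_authorities_fixed(
        AuthorizationRequest(scopes={"openid", "admin"}), explicit)))
```

The practical consequence for an upgraded client: if your AS relies on the RFC 6749 shortcut of omitting `scope`, users will lose every SCOPE_ authority after the fix, and any authorization rule written as `hasAuthority("SCOPE_...")` will start denying them. The remedy is to have the AS return the granted scopes explicitly, not to reintroduce a fallback to the requested scopes on the client.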

Spring Authorization Server 0.3.0 available now

Releases | May 25, 2022 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.3.0.

You can download it from Maven Central by using the module coordinates:

implementation 'org.springframework.security:spring-security-oauth2-authorization-server:0.3.0'

See the release notes for complete details.

With this release, you can view the initial version of the reference documentation and the new project page on spring.io.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and…

Spring Security 6.0.0-M5 available now

Releases | May 18, 2022 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.0-M5 is available now.

This release includes dependency upgrades, bug fixes, and minor enhancements, as well as a fix for a bug where StrictHttpFirewall incorrectly rejected valid CJKV characters. The milestone contains a few noteworthy changes:

  • Authorization on Every Dispatch Type

  • Change the default of shouldFilterAllDispatchTypes to true

  • Default to SecurityContextHolderFilter instead of SecurityContextPersistenceFilter

  • Remove SAML Deprecations

See the release notes here and here for more…

Spring Security 6.0.0-M3 and 5.7.0-M3 available now

Releases | March 22, 2022 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.0-M3 and 5.7.0-M3 are available now.

This third 6.0 milestone covers build and release enhancements as well as the deprecation of WebSecurityConfigurerAdapter that was already released with 5.7.0-M2. The third 5.7 milestone covers several enhancements to SAML 2.0 and OAuth 2.0 support as well as a change to use UTF-8 by default for HTTP Basic credentials in Spring WebFlux.

For the release changes, please refer to the releases page.

Project Site | Reference | Help

Spring Security 5.6.0-M3 released

Releases | September 20, 2021 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.6.0-M3!

In addition to dependency upgrades and minor enhancements, the milestone contains a few noteworthy changes:

  • Introduced SecurityContextChangedListener

  • Added SAML 2.0 Single Logout Support

  • Added RelyingPartyRegistrationResolver

  • Added support to propagate the TestSecurityContextHolder to SecurityContextHolder

You can find the complete details in the release notes.
