Releases: spring-projects/spring-security

7.1.0

09 Jun 16:39

🪲 Bug Fixes

  • Opaque token introspectors should not allow empty credentials #19201

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.11 to 1.14.12 in /docs #19235
  • Bump actions/checkout from 6.0.2 to 6.0.3 #19271
  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19181
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.33 #19228
  • Bump ch.qos.logback:logback-classic from 1.5.33 to 1.5.34 #19268
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 #19133
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.3 to 2.22.0 #19246
  • Bump com.google.code.gson:gson from 2.13.2 to 2.14.0 #19125
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.1 #19157
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.37 to 11.37.2 #19195
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #19148
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #19263
  • Bump gradle-wrapper from 9.4.1 to 9.5.0 #19135
  • Bump gradle-wrapper from 9.5.0 to 9.5.1 #19171
  • Bump io-micrometer from 1.16.5 to 1.17.0 #19287
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #19244
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #19296
  • Bump org-jetbrains-kotlin from 2.3.20 to 2.3.21 #19126
  • Bump org-jetbrains-kotlin from 2.3.21 to 2.4.0 #19264
  • Bump org-opensaml5 from 5.2.1 to 5.2.2 #19176
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19190
  • Bump org.apereo.cas.client:cas-client-core from 4.1.0 to 4.1.1 #19200
  • Bump org.hibernate.orm:hibernate-core from 7.3.1.Final to 7.3.2.Final #19119
  • Bump org.hibernate.orm:hibernate-core from 7.3.2.Final to 7.3.3.Final #19149
  • Bump org.hibernate.orm:hibernate-core from 7.3.3.Final to 7.3.4.Final #19165
  • Bump org.hibernate.orm:hibernate-core from 7.3.4.Final to 7.3.5.Final #19191
  • Bump org.hibernate.orm:hibernate-core from 7.3.5.Final to 7.3.6.Final #19211
  • Bump org.hibernate.orm:hibernate-core from 7.3.6.Final to 7.4.0.Final #19226
  • Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.2 to 1.11.0 #19166
  • Bump org.junit:junit-bom from 6.0.3 to 6.1.0 #19197
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19169
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #19290
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.1.0 #19291
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #19285
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19179
  • Bump tools.jackson:jackson-bom from 3.1.2 to 3.1.3 #19147
  • Bump tools.jackson:jackson-bom from 3.1.3 to 3.1.4 #19245
  • Bump tools.jackson:jackson-bom from 3.1.4 to 3.2.0 #19286
  • Update to spring-data-bom 2026.0.0 #19303

🔩 Build Updates

7.0.6

09 Jun 16:06

🪲 Bug Fixes

  • FormPostRedirectStrategy should not emit percent-encoded values into hidden form inputs #19137
  • AbstractAuthenticationFilterConfigurer should not automatically pick up servlet path #19128
  • Principal Extractor should select the left-most RDN attribute value #19254

🔨 Dependency Upgrades

  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19184
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 #19266
  • Bump com.webauthn4j:webauthn4j-core from 0.31.3.RELEASE to 0.31.5.RELEASE #19151
  • Bump com.webauthn4j:webauthn4j-core from 0.31.5.RELEASE to 0.31.6.RELEASE #19265
  • Bump gradle-wrapper from 8.14.4 to 8.14.5 #19160
  • Bump io-micrometer from 1.16.5 to 1.16.6 #19292
  • Bump io.mockk:mockk from 1.14.9 to 1.14.11 #19247
  • Bump io.projectreactor:reactor-bom from 2025.0.5 to 2025.0.6 #19298
  • Bump org-bouncycastle from 1.80 to 1.80.2 #19193
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19192
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19174
  • Bump org.springframework.data:spring-data-bom from 2025.1.5 to 2025.1.6 #19294
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.3 to 4.0.4 #19289
  • Bump org.springframework:spring-framework-bom from 7.0.7 to 7.0.8 #19288
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19182
  • Update to Micrometer 1.16.5 #19225

🔩 Build Updates

6.5.11

09 Jun 16:02

🪲 Bug Fixes

  • FormPostRedirectStrategy should not emit percent-encoded values into hidden form inputs #19136

🔨 Dependency Upgrades

  • Bump antora from 3.2.0-alpha.11 to 3.2.0-alpha.12 in /docs #19185
  • Bump ch.qos.logback:logback-classic from 1.5.32 to 1.5.34 #19299
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.6 to 2.18.7 #19129
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.7 to 2.18.8 #19297
  • Bump gradle-wrapper from 8.14.4 to 8.14.5 #19159
  • Bump org-bouncycastle from 1.80 to 1.80.2 #19204
  • Bump org.apache.maven:maven-resolver-provider from 3.9.15 to 3.9.16 #19205
  • Bump org.hibernate.orm:hibernate-core from 6.6.49.Final to 6.6.50.Final #19150
  • Bump org.hibernate.orm:hibernate-core from 6.6.50.Final to 6.6.51.Final #19213
  • Bump org.hibernate.orm:hibernate-core from 6.6.51.Final to 6.6.53.Final #19300
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 #19173
  • Bump org.springframework:spring-framework-bom from 6.2.18 to 6.2.19 #19293
  • Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #19124
  • Bump spring-io/spring-release-actions from 0.0.4 to 0.0.5 #19183
  • Update micrometer-bom to 1.15.12 #19302
  • Update to Micrometer 1.15.11 #19224
  • Update to reactor-bom 2024.0.18 #19301

🔩 Build Updates

7.1.0-RC1

20 Apr 20:20

Pre-release

⭐ New Features

  • Add AllRequiredFactorsAuthorizationManager.anyOf #18960
  • Add PreFlightRequestFilter Support #18926
  • Add ConditionalAuthorizationManager #18919
  • Add MultiFactorCondition.WEBAUTHN_REGISTERED #18923
  • Add PreFlightRequestFilter Support #18980
  • Add PrincipalResolver to ExchangeFilterFunctions #18888
  • Add Support DPoP Customization #17202
  • Add XML Based shouldWriteHeadersEagerly tests #19019
  • AuthorizationManagerFactories.when #18920
  • Clarify @WithSecurityContext thread scope #18812
  • Construct SecureRandom in BCryptPasswordEncoder #18560
  • Enable Null checking in spring-security-oauth2-authorization-server via JSpecify #18937
  • Enable Null checking in spring-security-oauth2-client via JSpecify #17819
  • Enable Null checking in spring-security-oauth2-resource-server via JSpecify #17822
  • Exclude build output directories from nohttp source set #18928
  • Implement equals and hashCode in ImmutablePublicKeyCredentialUserEntity #18883
  • Improve And/Or-RequestMatcher/ServerWebExchangeMatcher API #18479
  • Merge Add CredentialRecordOwnerAuthorizationManager #19006
  • Move InetAddressMatcher to spring-security-core #18979
  • Polish oauth2-client tests with missing Content-Type header #19008
  • Prefer dispatcher context for authorize tag beans #18822
  • Publish authentication events in WebAuthn #18938
  • Relax client_id validation in AtJwtBuilder #18890
  • Remove compiler warnings for spring-security-access #18738
  • Remove compiler warnings in spring-security-web #18820
  • Remove Unnecessary ObjectProvider roleHierarchy parameter #18921
  • Revert snapshots to Spring Framework 7.0.+ #19024
  • Support Customizer<AdditionalRequiredFactorsBuilder>> #18922
  • Use idiomatic Kotlin in custom filter documentation #18976
🪲 Bug Fixes

  • Fix equals nullability annotations for jspecify compliance #18930
  • Merge Handle null value in OnCommittedResponseWrapper header methods #18991

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #18946
  • Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #19030
  • Bump @springio/antora-extensions from 1.14.9 to 1.14.11 in /docs #19053
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #18913
  • Bump actions/upload-artifact from 7.0.0 to 7.0.1 #19091
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.1 to 2.21.2 #18965
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.34 to 11.35 #18977
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.35 to 11.37 #19002
  • Bump com.webauthn4j:webauthn4j-core from 0.31.1.RELEASE to 0.31.2.RELEASE #19020
  • Bump com.webauthn4j:webauthn4j-core from 0.31.2.RELEASE to 0.31.3.RELEASE #19107
  • Bump gradle-wrapper from 9.4.0 to 9.4.1 #18959
  • Bump io.micrometer:micrometer-observation from 1.16.4 to 1.16.5 #19065
  • Bump io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5 #19079
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.12 to 0.0.13 #19067
  • Bump org-bouncycastle from 1.83 to 1.84 #19066
  • Bump org-jetbrains-kotlin from 2.3.10 to 2.3.20 #18915
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1 #19106
  • Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #19105
  • Bump org.apereo.cas.client:cas-client-core from 4.0.4 to 4.1.0 #18974
  • Bump org.hibernate.orm:hibernate-core from 7.2.7.Final to 7.3.0.Final #18917
  • Bump org.hibernate.orm:hibernate-core from 7.3.0.Final to 7.3.1.Final #19063
  • Bump org.jetbrains.dokka from 2.1.0 to 2.2.0 #18998
  • Bump org.jetbrains.dokka:dokka-gradle-plugin from 2.1.0 to 2.2.0 #18999
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.41.0 to 4.43.0 #19060
  • Bump org.seleniumhq.selenium:selenium-java from 4.41.0 to 4.42.0 #19056
  • Bump org.seleniumhq.selenium:selenium-java from 4.41.0 to 4.43.0 #19062
  • Bump org.springframework.data:spring-data-bom from 2025.1.4 to 2025.1.5 #19104
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.2 to 4.0.3 #19097
  • Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #18993
  • Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #19092
  • Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15 #18942
  • Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml from 1.0.14 to 1.0.15 #18944
  • Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.14 to 1.0.15 #18943
  • Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #18945
  • Bump tools.jackson:jackson-bom from 3.1.0 to 3.1.1 #19003
  • Bump tools.jackson:jackson-bom from 3.1.1 to 3.1.2 #19061

❤️ Contributors

Thank you to all the contributors who worked on this release:

@aspan, @dasog94, @evgeniycheban, @franticticktick, @gbaso, @jkuhel, @ribafish, @rwinch, @suuuuuuminnnnnn, @therepanic, @wonderfulrosemari, @yxinot, and @ziqin

7.0.5

20 Apr 20:32

⭐ New Features

  • Add XML Based shouldWriteHeadersEagerly tests #19018
  • Merge Add CredentialRecordOwnerAuthorizationManager #19005

🪲 Bug Fixes

  • Add equals and hashcode to HttpMethodRequestMatcher #18963
  • auth_time claim doesn't show the time of the original authentication #18282
  • auth_time validation fails when SSO session is renewed #18978
  • Fallback defaultTargetUrl if refererHeader is empty #18981
  • Fix HttpSessionRequestCache#getMatchingRequest query string parsing #18972
  • Merge Handle null value in OnCommittedResponseWrapper header methods #18990
  • OAuth2 client sessionManagement ineffective with DefaultOidcUser #19022

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.10 to 1.14.11 in /docs #19054
  • Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #18953
  • Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #19029
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #18957
  • Bump actions/upload-artifact from 7.0.0 to 7.0.1 #19096
  • Bump com.webauthn4j:webauthn4j-core from 0.31.1.RELEASE to 0.31.2.RELEASE #19021
  • Bump com.webauthn4j:webauthn4j-core from 0.31.2.RELEASE to 0.31.3.RELEASE #19114
  • Bump io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5 #19080
  • Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #19111
  • Bump org.springframework.data:spring-data-bom from 2025.1.4 to 2025.1.5 #19113
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.2 to 4.0.3 #19098
  • Bump org.springframework:spring-framework-bom from 7.0.6 to 7.0.7 #19112
  • Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #18996
  • Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #19095
  • Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #18948

❤️ Contributors

Thank you to all the contributors who worked on this release:

@rwinch

6.5.10

20 Apr 18:55

⭐ New Features

  • Add CredentialRecordOwnerAuthorizationManager #19004
  • Add XML Based shouldWriteHeadersEagerly tests #19017
  • Clarify Session Management Persistence Documentation #18345
  • Update FilterChainProxy#getFilters(String) javadoc #18258

🪲 Bug Fixes

  • Add equals and hashcode to HttpMethodRequestMatcher #18914
  • auth_time validation fails when SSO session is renewed #18839
  • Fallback defaultTargetUrl if refererHeader is empty #18806
  • Fix HttpSessionRequestCache#getMatchingRequest query string parsing #16914
  • Fix documentation for Custom Authorization Manager #18362
  • Improve serialVersionUID check in tests #18474
  • Merge Handle null value in OnCommittedResponseWrapper header methods #18989
  • OAuth2 client sessionManagement ineffective with DefaultOidcUser #18622

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.10 to 1.14.11 in /docs #19055
  • Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #18956
  • Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #19031
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #18952
  • Bump actions/upload-artifact from 7.0.0 to 7.0.1 #19094
  • Bump io.projectreactor:reactor-bom from 2024.0.16 to 2024.0.17 #19078
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.14 to 1.0.15 #18916
  • Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #19108
  • Bump org.hibernate.orm:hibernate-core from 6.6.44.Final to 6.6.45.Final #18966
  • Bump org.hibernate.orm:hibernate-core from 6.6.45.Final to 6.6.47.Final #19046
  • Bump org.hibernate.orm:hibernate-core from 6.6.47.Final to 6.6.48.Final #19064
  • Bump org.hibernate.orm:hibernate-core from 6.6.48.Final to 6.6.49.Final #19110
  • Bump org.springframework:spring-framework-bom from 6.2.17 to 6.2.18 #19109
  • Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #19093
  • Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15 #18954
  • Bump spring-io/spring-security-release-tools/.github/workflows/build.yml from 1.0.14 to 1.0.15 #18955
  • Bump spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml from 1.0.14 to 1.0.15 #18949
  • Bump spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml from 1.0.14 to 1.0.15 #18950
  • Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml from 1.0.14 to 1.0.15 #18995
  • Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.14 to 1.0.15 #18951
  • Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #18994
  • Update to spring-security-release-tools 1.0.15 #18910

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann, @as1605, @johnycho, @ngocnhan-tran1996, @rwinch, and @sankranty

7.1.0-M3

16 Mar 19:07

Pre-release

⭐ New Features

  • Add postProcessor to SpringOpaqueTokenIntrospector Builders #18625
  • Add InetAddressMatcher #18634
  • Add MessageExpressionAuthorizationManager #18813
  • Add missing AOT Runtime Hints #18767
  • Add nullability contract to PasswordEncoder#encode implementations #18490
  • Add RestClientOpaqueTokenIntrospector #18746
  • Add tests for PathPatternRequestMatcher request path caching #18721
  • Allow custom token settings for OAuth 2.0 dynamic client registration #18870
  • Change ActiveDirectoryLdapAuthenticationProvider to use LdapClient #18627
  • Clarify need for method attribute in JSP authorize tag #18566
  • Cleanup #17801
  • Document multipart CSRF header option #18757
  • Enable Null checking in spring-security-oauth2-jose via JSpecify #17821
  • Ensure ID Token is updated after refresh token (Reactive) #17246
  • Fail on javadoc warnings for spring-security-aspects #18855
  • Fail spring-security-docs on javadoc warnings #18613
  • Fix ClientAttributes Javadoc Typos #18802
  • Fix compile warning in spring-security-test #18593
  • Fix compile warnings for spring-security-config #18596
  • Make authenticationConverter customizable in SpringOpaqueTokenIntrospector.Builder #18623
  • Make PublicKeyCredentialCreationOptions Serializable #18354
  • Mark CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName as Nullable #18620
  • Remove unused @Nullable in Switch User and FactorGrantedAuthority #18765
  • Specify charset in WWW-Authenticate for Basic Auth #18760
  • Support custom OAuth2AuthenticatedPrincipal in Jwt-based authentication flow #17191
  • Support single-line PEM encoded RSA keys in RsaKeyConverters #18599
  • Update servlet/architecture.adoc to use include-code #18536
  • Use attributes in Antora to replace the original links #18819
  • Use include-code for websocket.adoc #18856

🪲 Bug Fixes

  • Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18785
  • Add Jackson Mixin for WebAuthnAuthentication #18907
  • Add Missing OnCommitedResponseWrapper Header Overrides #18800
  • Document Kerberos Dependency Coordinates #18786
  • Ensure tests clear AuthorizationServerContextHolder #18769
  • Fix CookieRequestCache parameters #18865
  • Fix Flaky Crypto Tests #18843
  • Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18908
  • Fix SecurityContextLogoutHandler.logout @param response Javadoc (cannot be null) #18795
  • Fix spring-security-webauthn dependency in passkeys documentation #18866
  • HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18835
  • Improve error message for missing access attribute in intercept-url #18530
  • Mark targetDomainObject as @Nullable in PermissionEvaluator #18796
  • Update password4j docs to use BcryptPassword4jPasswordEncoder #18232

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 #18851
  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18852
  • Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18808
  • Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.31 #18740
  • Bump ch.qos.logback:logback-classic from 1.5.31 to 1.5.32 #18748
  • Bump com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1 #18778
  • Bump com.nimbusds:oauth2-oidc-sdk from 11.33 to 11.34 #18859
  • Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18827
  • Bump gradle-wrapper from 9.3.1 to 9.4.0 #18849
  • Bump io.micrometer:micrometer-observation from 1.16.3 to 1.16.4 #18868
  • Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18875
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.11 to 0.0.12 #18828
  • Bump minimatch from 3.1.2 to 3.1.5 in /javascript #18811
  • Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18747
  • Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18789
  • Bump org-opensaml5 from 5.2.0 to 5.2.1 #18754
  • Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18858
  • Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18885
  • Bump org.hibernate.orm:hibernate-core from 7.2.4.Final to 7.2.5.Final #18775
  • Bump org.hibernate.orm:hibernate-core from 7.2.5.Final to 7.2.6.Final #18826
  • Bump org.hibernate.orm:hibernate-core from 7.2.6.Final to 7.2.7.Final #18901
  • Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18741
  • Bump org.mockito:mockito-bom from 5.21.0 to 5.22.0 #18825
  • Bump org.mockito:mockito-bom from 5.22.0 to 5.23.0 #18881
  • Bump org.seleniumhq.selenium:htmlunit3-driver from 4.40.0 to 4.41.0 #18777
  • Bump org.seleniumhq.selenium:selenium-java from 4.40.0 to 4.41.0 #18776
  • Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18902
  • Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18763
  • Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18900
  • Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.13 to 1.0.14 #18728
  • Bump tools.jackson:jackson-bom from 3.0.4 to 3.1.0 #18790
  • Update Antora UI Spring to v0.4.26 #18894

❤️ Contributors

Thank you to all the contributors who worked on this release...

7.0.4

16 Mar 19:05

⭐ New Features

  • Update RestTemplateBuilder usage in opaque-token.adoc #18836

🪲 Bug Fixes

  • Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18784
  • Add Jackson Mixin for WebAuthnAuthentication #18878
  • Add Missing OnCommitedResponseWrapper Header Overrides #18799
  • Document the change in dependency coordinates with Spring Security 7 #18773
  • Ensure tests clear AuthorizationServerContextHolder #18768
  • Fix CookieRequestCache parameters #18864
  • Fix Flaky Crypto Tests #18842
  • Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18897
  • HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18834
  • OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #18873
  • Restore upgradeEncoding condition in DaoAuthenticationProvider #18788
  • saveAuthenticationRequest should read relayState from authenticationRequest #18884
  • SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #18487
  • ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #18276
  • TokenBasedRememberMeServices documentation snippets should compile #18642
  • Update request-matcher XML property to support PathPatternRequestMatcher #18737

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18853
  • Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18810
  • Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18752
  • Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18830
  • Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18877
  • Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18751
  • Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18792
  • Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18861
  • Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18887
  • Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18743
  • Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18904
  • Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18764
  • Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18905
  • Update Antora UI Spring to v0.4.26 #18893
  • Update to spring-security-release-tools 1.0.15 #18909

❤️ Contributors

Thank you to all the contributors who worked on this release:

@busoco-sjb, @making, @meliezer, @ngocnhan-tran1996, @rwinch, @sephiroth-j, @therepanic, @thuri, and @ziqin

6.5.9

16 Mar 18:13

⭐ New Features

  • Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

  • Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
  • saveAuthenticationRequest should read relayState from authenticationRequest #18872
  • Add Missing OnCommitedResponseWrapper Header Overrides #18798
  • Clarify Resource Server startup expectations #18518
  • Correct Reference to Clear-Site-Data Directive enum #18273
  • Fix CookieRequestCache parameters #18857
  • Fix Flaky Crypto Tests #18841
  • Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
  • Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
  • Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
  • Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
  • Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
  • Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
  • Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
  • Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
  • Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
  • Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
  • Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
  • Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Hann244, @Khyojae, @ghusta, @itsmevichu, @qihaiyan, @rwinch, @therepanic, and @ziqin

7.1.0-M2

13 Feb 20:29

Pre-release

⭐ New Features

  • Fail on compiler warnings for spring-security-javascript #18569
  • TestingAuthenticationToken.credentials should be @Nullable #18615
  • Ability to configure authenticationDetailsSource in AnonymousConfigurer #17878
  • Add @Nullable to changePassword parameters in UserDetailsManager #18271
  • Add missing @Nullable to setters of Nullable fields #18618
  • Create Checkstyle Rules for Nullability Usage #18564
  • Document RegisteredClient.ClientSettings #18614
  • Enable Null checking in spring-security-ldap via JSpecify #17818
  • Enable Null checking in spring-security-oauth2-core via JSpecify #17820
  • Fail on compiler warnings for spring-security-access #18555
  • Fail on compiler warnings for spring-security-acl #18557
  • Fail on compiler warnings for spring-security-bom #18576
  • Fail on compiler warnings for spring-security-dependencies #18568
  • Fail on compiler warnings for spring-security-kerberos-client #18570
  • Fail on compiler warnings for spring-security-taglibs #18578
  • Fail spring-security-cas on javadoc warnings #18517
  • Fail spring-security-ldap on javadoc warnings #18547
  • Fail spring-security-messaging on javadoc warnings #18546
  • Fail spring-security-oauth2-authorization-server on javadoc warnings #18602
  • Fail spring-security-oauth2-core on javadoc warnings #18603
  • Fail spring-security-oauth2-jose on javadoc warnings #18604
  • Fail spring-security-rsocket on javadoc warnings #18605
  • Fail spring-security-saml2-service-provider on javadoc warnings #18606
  • Fail spring-security-taglibs on javadoc warnings #18607
  • Fail spring-security-webauthn on javadoc warnings #18608
  • Fix compiler warnings in spring-security-acl #18626
  • Fix compiler warnings in spring-security-aspects #18581
  • Fix HttpSecurity javadoc formatting #18526
  • Fix javadoc warnings for spring-security-config #18545
  • Fix javadoc warnings for spring-security-data #18532
  • Fix Javadoc warnings in spring-security-crypto #18519
  • Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint #18542
  • Null safety via JSpecify spring-security-access #18398
  • Null safety via JSpecify spring-security-acl #18401
  • Null safety via JSpecify spring-security-aspects #18400
  • Null safety via JSpecify spring-security-kerberos #18397
  • Null safety via JSpecify spring-security-kerberos-client #18552
  • Null safety via JSpecify spring-security-kerberos-core #18549
  • Null safety via JSpecify spring-security-kerberos-web #18550
  • Remove @NullUnmarked #18491
  • Remove compiler warnings for spring-security-cas #18579
  • Remove compiler warnings for spring-security-docs #18601
  • Remove compiler warnings for spring-security-kerberos-core #18571
  • Remove compiler warnings for spring-security-kerberos-test #18572
  • Remove compiler warnings for spring-security-kerberos-web #18573
  • Remove compiler warnings for spring-security-messaging #18575
  • Remove compiler warnings for spring-security-oauth2-authorization-server #18562
  • Remove compiler warnings for spring-security-rsocket #18567
  • Remove compiler warnings for spring-security-saml2-service-provider #18577
  • Remove compiler warnings for spring-security-webauthn #18556
  • Remove compiler warnings in spring-security-data #18580
  • Remove compiler warnings in spring-security-ldap #18559
  • Support hasScope in Method Security #18151

🪲 Bug Fixes

  • Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18595
  • ExpressionJwtGrantedAuthoritiesConverter is undocumented #18300
  • Fix docs #18488
  • Fix typo in authorize-http-requests.adoc #18600
  • Fix typos in contributing guide #18635

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #18588
  • Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18637
  • Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18628
  • Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #18697
  • Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #18529
  • Bump com.fasterxml.jackson:jackson-bom from 2.20.2 to 2.21.0 #18696
  • Bump com.jayway.jsonpath:json-path from 2.9.0 to 2.10.0 #18690
  • Bump github/codeql-action from 3 to 4 #18669
  • Bump gradle-wrapper from 9.2.1 to 9.3.1 #18700
  • Bump io.freefair.gradle:aspectj-plugin from 8.13.1 to 8.14.4 #18664
  • Bump io.micrometer:context-propagation from 1.1.3 to 1.2.0 #18671
  • Bump io.micrometer:context-propagation from 1.2.0 to 1.2.1 #18702
  • Bump io.micrometer:micrometer-observation from 1.14.14 to 1.16.2 #18689
  • Bump io.mockk:mockk from 1.14.7 to 1.14.9 #18597
  • Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18533
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18636
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18612
  • Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.9 to 0.0.10 #18554
  • Bump jakarta.xml.bind:jakart...