This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.3!

What’s New in Spring Security 7.0

Spring Security 7.0 provides a number of new features. Below are the highlights of the release, or you can view the release notes for a detailed listing of each feature and bug fix.

Removals

Because this is a major release, a number of deprecated APIs are removed in Spring Security 7. Each section that follows indicates the more notable removals as well as the new features in that module.

Core

  • Removed AuthorizationManager#check in favor of AuthorizationManager#authorize

Config

  • Removed and() from the HttpSecurity DSL in favor of using the lambda methods

  • Removed authorizeRequests in favor of authorizeHttpRequests

  • Simplified expression migration for authorizeRequests

  • Added support for SPA-based CSRF configuration:

    Java
    http.csrf((csrf) -> csrf.spa());
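
The Config changes above combined in one filter chain, as an added example that is not part of the Spring Security documentation. The class name, URL patterns and the ADMIN role are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfig { // hypothetical class name

    // Chained style that relied on the removed APIs (authorizeRequests, and()):
    //
    //   http.authorizeRequests()
    //           .requestMatchers("/admin/**").hasRole("ADMIN")
    //           .anyRequest().authenticated()
    //           .and()
    //       .formLogin(Customizer.withDefaults());
    //
    // Equivalent rules with the lambda DSL and authorizeHttpRequests:

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                // Static shell of the single-page app (assumed paths)
                .requestMatchers("/", "/index.html", "/assets/**").permitAll()
                // More specific rules go before the catch-all
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Anything not matched above requires an authenticated user,
                // so a newly added endpoint is never left open by omission
                .anyRequest().authenticated()
            )
            // Each configurer gets its own lambda, so and() is no longer
            // needed to return to the HttpSecurity builder
            .formLogin(Customizer.withDefaults())
            // SPA-based CSRF configuration listed on this page; CSRF
            // protection stays enabled for state-changing requests
            .csrf((csrf) -> csrf.spa());
        return http.build();
    }
}
```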

Data

  • Added support to Authorized objects for Spring Data types

LDAP

  • Removed ApacheDsContainer and related Apache DS support in favor of UnboundID

OAuth 2.0

SAML 2.0

  • Removed API methods based on the AssertingPartyDetails class in favor of the AssertingPartyMetadata interface

  • Removed GET request support from Saml2AuthenticationTokenConverter

  • Added JDBC-based AssertingPartyMetadataRepository

  • SLO now still returns <saml2:LogoutResponse> even when validation fails

Web