On behalf of the team and everyone who has contributed, I am pleased to announce the release candidate milestone for the final Spring Security 6 minor release. Among a number of feature enhancements, there are some that we'd love your attention on as we prepare them for general availability: Core Complete Deprecation of ConfigAttribute, SecurityConfig, and other Access API components. Specifically, please speak up if you are using any of the ACL Access components that were deprecated. OAuth 2.0 Further refinements to DPoP support - #16937, #16921, and #16900 SAML 2.0 Simplified SAML 2.…
On behalf of the team and everyone who has contributed, I am pleased to announce the third milestone of the next Spring Security 6 minor release. Among a number of feature enhancements, there are some that we'd love your attention on as we prepare them for general availability: OAuth 2.0 Access Token JWT Profile Support (RFC 9068) - Reference ConfigAttribute deprecation, including the addition of redirectToHttps - #16667 Support for SecurityContext Reactive Context Propagation - #16665 Please check the changelog for more details. Project Page | GitHub | Issues | Documentation
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.3.8 and 6.4.4 are out! In all cases, the releases are mostly composed of bug fixes, dependency upgrades, and documentation improvements. Importantly, these releases address CVE-2025-22223 and CVE-2025-22228. To learn more, please visit the 6.3.8 and 6.4.4 release summaries. Commercial customers using Spring Boot 2.7, 3.0, 3.1, or 3.2 will be able to update to Spring Boot 2.7.24.1, 3.0.19.1, 3.1.15.1, or 3.2.13.1 respectively to receive the corresponding Security releases 5.7.16, 6.0.16, 6.…
On behalf of the team and everyone who has contributed, I am pleased to announce the second milestone of the next Spring Security 6 minor release. Among a number of feature enhancements, there are some that we'd love your attention on as we prepare them for general availability: OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) support - #16574 Improvements to One-Time Login, WebAuthn, and Method Security Please check the changelog for more details. Project Page | GitHub | Issues | Documentation
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.3.7 and 6.4.3 are out! In all cases, the releases are mostly composed of bug fixes, dependency upgrades, and documentation improvements. To learn more, please visit the 6.3.7 and 6.4.3 release summaries. Commercial customers using Spring Boot 2.7, 3.0, 3.1, or 3.2 will be able to update to Spring Boot 2.7.24, 3.0.19, 3.1.15, or 3.2.13 respectively to receive the corresponding Security releases 5.7.15, 6.0.15, 6.1.13, and 6.2.9.
These Security versions are available now on the Spring…
On behalf of the Spring Security team and everyone who contributed to this release, I am delighted to announce the general availability of Spring Security 6.4.0 from Maven Central! The 6.4 release brings several compelling features including: Support for Passkeys and One-Time Tokens, Simplified OAuth 2.0 Configuration, Refreshable SAML 2.0 Asserting Parties, and New method security annotations and capabilities. To find out more about what’s new, see the what's new section of the documentation. This release will be included in the upcoming Spring Boot 3.4 GA release. We'd like to hear from you, so…
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring LDAP 2.4.4 and 3.2.8 are out! In both cases, the releases are mostly composed of bug fixes and dependency upgrades. Importantly, these releases address CVE-2024-38829. To learn more, please visit the 2.4.4 and 3.2.8 release summaries. Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can update to Spring Boot 2.7.22.5, 3.0.17.5, or 3.1.13.5 respectively to receive the corresponding LDAP releases 2.4.4, 3.0.10, and 3.1.8.
These hotfix versions are available now on the Spring commercial artifact…
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.2.8 and 6.3.5 are out! In all cases, the releases are mostly composed of bug fixes, dependency upgrades, and documentation improvements. Importantly, these releases address CVE-2024-38827. To learn more, please visit the 6.2.8 and 6.3.5 release summaries. Commercial customers using Spring Boot 2.7, 3.0, or 3.1 can update to Spring Boot 2.7.22.5, 3.0.17.5, or 3.1.13.5 respectively to receive the corresponding Security releases 5.7.14, 6.0.14, and 6.1.12.
These hotfix versions are available…
On behalf of the team and everyone who has contributed, I am pleased to announce that the release candidate of Spring Security 6.3 is released. The 6.3 release brings several compelling features including Long-term JDK serialization backward compatibility, New method security annotations and capabilities, Compromised password checking, and OAuth 2.0 Token Exchange support. You can read more about each of these in the What's New section of the 6.3 documentation and also see the exhaustive list of features across the 6.3 release in the release pages for 6.3.0-M1, 6.3.0-M2, 6.3.0-M3, and 6.3.0-RC…
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.2.4, 6.1.9, and 5.8.12 are available now. In all cases, the releases are mostly composed of bug fixes, dependency upgrades, and documentation improvements. To learn more, please visit the 6.2.4, 6.1.9, and 5.8.12 release summaries. Project Site | Reference | Help