Josh Cummings

Josh has been a software engineer for over 15 years building enterprise applications across multiple industries. He has long been passionate about application security and loves opportunities to mentor and to learn from others about security awareness.

When Josh isn't hacking away at code, he is either running, playing basketball, camping, or reading a Brandon Sanderson novel.

Recent Blog posts by Josh Cummings

Spring Security 5.3 goes GA

Releases | March 05, 2020 | ...
On behalf of the community, it is my pleasure to announce the general availability of Spring Security 5.3. This release is the result of the work that went into 5.3.0.M1, 5.3.0.RC1, and 5.3.0.RELEASE. In combination they close 200+ tickets. You can find the highlights of 5.3 in the What’s new section of the Spring Security reference. As always, we look forward to hearing your feedback! Project Site | Reference | Help

Spring Security OAuth 2.0 Roadmap Update

News | November 14, 2019 | ...
Note: See the latest announcement on Announcing the Spring Authorization Server. This post is a follow-up to Next Generation OAuth 2.0 Support with Spring Security. Current State: In the Spring Security 5.x release train, we’ve endeavored to replace and simplify the feature set found in the Spring Security OAuth 2.x legacy project. In the process, we’ve also added numerous new features, including support for OpenID Connect 1.0. We are pleased to announce that as of the 5.2 release, we are very close to feature parity with the client and resource server legacy support. What remains is quite…

Spring Security 5.2.1 and 5.1.7 Released

Releases | November 04, 2019 | ...
On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.1 (release notes) and 5.1.7 (release notes). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release. Project Site | Reference | Help

Spring Security 5.1.6 and 5.0.13 Released

Releases | August 05, 2019 | ...
On behalf of the community I am pleased to announce the release of Spring Security 5.1.6 (changelog) and 5.0.13 (changelog). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release. Project Site | Reference | Help

CVE-2019-11272: Spring Security 4.2.13 Released

Releases | June 19, 2019 | ...
We have released Spring Security 4.2.13 to address CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null. Users are encouraged to update immediately. With Spring Boot, you can override the Spring Security version in Maven like so: Or in Gradle like so: Note that users of Spring Security 5+ are not affected by this vulnerability.

CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released

Releases | May 30, 2019 | ...
We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately. For additional changes included in each release, please refer to: 2.3.6 changelog, 2.2.5 changelog, 2.1.5 changelog, 2.0.18 changelog. NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed…

Spring Security 5.2.0.M2 Released

Releases | April 16, 2019 | ...
On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below. OAuth 2.0: gh-6446 - Client Support for PKCE. PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients. gh-5350 - OpenID Connect RP-Initiated Logout; gh-5465 - Ability to use symmetric keys with JwtDecoder; gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor; gh-6513 & gh-520…

Spring Security 5.1.4 Released

Releases | February 14, 2019 | ...
On behalf of the community I am pleased to announce the release of Spring Security 5.1.4 (changelog). This release provides a round of bug fixes and users are encouraged to update to the latest patch release. Project Site | Reference | Help

Spring Security 5.1.3, 5.0.11, 4.2.11 Released

Releases | January 11, 2019 | ...
On behalf of the community I am pleased to announce the release of Spring Security 5.1.3 (changelog), 5.0.11 (changelog), and 4.2.11 (changelog). This series of releases provides a round of bug fixes and users are encouraged to update to the latest patch release. Project Site | Reference | Help
