On behalf of the team and everyone who has contributed, I am pleased to announce that the third milestone of Spring Security 6.3 is released. This release brings several new features that you can check on the release page or on the What's New section of the 6.3 documentation. In addition to that, Spring Security 6.2.3, 6.1.8, 6.0.10, 5.8.11 and 5.7.12 have been released as well! These releases are mostly composed of bug fixes, dependency upgrades and documentation improvements. The releases address CVE-2024-22257 for Possible Broken Access Control in Spring Security With Direct Use of…
In the early versions of Spring Security, a deliberate decision was made to avoid providing any guarantee of compatibility for serialized classes (via JDK serialization) between different versions of the project. This decision primarily took into account the context of RMI, with the recommendation being that both the server and client should use the same version of Spring Security. As more apps depend on persistent sessions and technologies like Spring Session, the problem with inconsistent serialization becomes a bigger deal. Persistent sessions mean saving user sessions by turning them into…
On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Session 3.3.0-M1 is now available. This milestone brings a Reactive Redis Indexed implementation of ReactiveSessionRepository with support for session events and find sessions by principal name. This new implementation takes a slightly different approach on how to store and retrieve the secondary indexes information, as well as the session expiration strategy. Check out the documentation and give it a try, we are looking forward to receiving your feedback. Project Page | GitHub | Issues | Documentation…
On behalf of the Spring Security team, it is my pleasure to announce that Spring Session 3.2.0 is generally available from Maven Central now! The 3.2 generation comes with some key improvements: Introduce SessionIdGenerator to allow custom session id generation; Allow safe deserialization of Redis sessions. You can check the related documentation on the What's New section of the reference docs.
This release will be included in the upcoming Spring Boot 3.2 GA release. We are looking forward to hearing your feedback.
On behalf of the Spring Security team, it is my pleasure to announce that Spring Security 6.2.0 is generally available from Maven Central now! The 6.2 generation comes with improvements that you can check on the What's New section of the documentation. Spring Security 6.2 has upgraded its Spring Framework baseline to 6.1 along with Project Reactor 2023.0.0 and Micrometer 1.12.0 while requiring Java 17 as minimum platform version and supporting up to Java 21 for Virtual Threads support. This release will be included in the upcoming Spring Boot 3.2 GA release. We'd like to hear from you, so keep…
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Session 3.2.0-M1 is available now. This release comes with the support for using different strategies to generate session identifiers. Make sure to check it out and give your feedback. To learn more about that release, please visit the releases page. Project Site | Reference | Help
On behalf of the team and everyone who has contributed, I am pleased to announce that the Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 versions are available now. Please refer to the releases page for more detail on what is included in each release. Those versions fix the following CVE: CVE-2023-20862: Empty SecurityContext Is Not Properly Saved Upon Logout. The 6.0.3 and 5.7.8 versions will be shipped with Spring Boot 3.0.6 and 2.7.11, to be released next Thursday. In the meantime, you can update your existing Spring Boot application to pick up the latest Spring Security version. For…
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.1, 5.8.1, 5.7.6 and 5.6.10 are available now. In all cases, the releases are mostly composed of bug fixes and documentation improvements. To learn more, please visit the 6.0.1, 5.8.1, 5.7.6 and 5.6.10 release summaries. Project Site | Reference | Help
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 6.0.0-RC2 is available now. Spring Security 6.0.0-RC2 includes fixes and improvements to the documentation. Stay tuned for the announcement of Spring Boot 3.0.0-RC2 later this week! Project Page | GitHub | Issues | Documentation
Spring Security 5.6.9 and 5.7.5, released on October 31st, 2022, included a fix for CVE-2022-31692 affecting the AuthorizationFilter. Users are encouraged to update as soon as possible.