7.0.0-M1

⏪ Breaking Changes

• Address BouncyCastle's deprecated AESFastEngine usage #16164
• Default to XorCsrfChannelInterceptor in XML configuration #17323
• Don't cache WebSocket request in RequestCache #16741
• Improve JdbcUserDetailsManager.userExists method #14649
• Remove .and() and non lambda methods from DSL #13067
• Remove authorizeRequests #15174
• Remove AbstractConfiguredSecurityBuilder apply method #17498
• Remove AbstractSecurityWebSocketMessageBrokerConfigurer #17328
• Remove ApacheDS #13852
• Remove APPLICATION_JSON_UTF8 usage #17070
• Remove AssertingPartyDetails from APIs in favor of AssertingPartyMetadata #17304
• Remove deprecated classes moved to other packages #17330
• Remove deprecated elements from DaoAuthenticationProvider #17315
• Remove deprecated elements of RoleHierarchyImpl #17313
• Remove deprecated elements using AuthorizationDecision #17322
• Remove deprecated implementations of OAuth2AccessTokenResponseClient #16909
• Remove deprecated methods from CookieServerCsrfTokenRepository #14139
• Remove deprecations from CookieCsrfTokenRepository #14132
• Remove EnableWebMvcSecurity #17311
• Remove HandlerMappingIntrospector Usage #16886
• Remove LazyCsrfTokenRepository #13196
• Remove Nimbus(Reactive)OpaqueTokenIntrospector #17326
• Remove no-version Open SAML implementations #17306
• Remove PrePostTemplateDefaults #17312
• Remove RelyingPartyRegistration deprecations #17329
• Remove RequestVariablesExtractor #17320
• Remove Resource Owner Password Credentials grant #17446
• Remove shouldFilterAllDispatcherTypes #17505
• Remove shouldFilterAllDispatcherTypes #12139
• Remove usage of PathMatcher in messaging #17501
• Use LdapName instead of DistinguishedName #17325

⭐ New Features

• Add basePath to PathPatternParserRequestMatcherBuilderFactoryBean #17579
• Add BearerTokenAuthenticationConverter #14791
• Add default authorizationRequestBaseUri to DefaultOAuth2AuthorizationRequestResolver #16384
• Add Equals and HashCode methods for better comparison. #16842
• Add JdbcAssertingPartyMetadataRepository #17077
• Add null check for authentication token in JwtAuthenticationProvider #17251
• Add NullReturningMethodAuthorizationDeniedHandler #17084
• Add OAuth Support for HTTP Interface Client #16858
• Add PathPatternRequestMatcher static factory shortcuts #17476
• Add possibility to customize JwkSource of NimbusJwtDecoder #17046
• Add Support Credentialless COEP Header #17027
• Add Support Extracting DN From X500Principal #16984
• Add TestMockHttpServletRequests #17450
• Add Twitter/X to CommonOAuth2Provider #16510
• Add username property to UsernameNotFoundException #17179
• Begin Spring Security 7 to 8 Migration Guide #17182
• Create CsrfCustomizer for SPA configuration #16966
• Create demonstration of include-code usage #17163
• Create Spring Security 7.0.x branch #17047
• Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338
• Deprecate the X5T JOSE Header name #17130
• Exceptions for Authorized Objects should propagate when returned from a Controller #17074
• Fix the problem of not deserializing SwitchUserGrantedAuthority in Webflux #17064
• Force Snapshot Build is separate workflow #17558
• Improve logging clarity in CsrfFilter #17425
• Improve OAuth2ResourceServerConfigurer to eliminate deprecated operations #16963
• Include UsernameNotFoundException in BadCredentialsException #16512
• JwtTimestampsValidator can require exp and nbf claims #17030
• Kotlin 2.2 Upgrade #16884
• Make AuthorizationProxyFactory.proxy generic #16996
• NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
• Polish Webauthn4JRelyingPartyOperations #17224
• Remove 32-byte minimum keyLength restriction in Base64StringKeyGenerator #17091
• Remove GET request support from Saml2AuthenticationTokenConverter #17108
• Replace deprecated #check calls with #authorize #16965
• Replace deprecated NimbusReactiveOpaqueTokenIntrospector with SpringReactiveOpaqueTokenIntrospector #16964
• Send saml logout response even when validation errors happen #14676
• Setup include-code extension for docs #17162
• Simplify Expression Migration for authorizeRequests #17504
• Simplify Websocket Csrf Processor XML Configuration #17248
• Standarize Mock Request Paths #17449
• Support Filtering Events in SpringAuthorizationEventPublisher #17503
• Support Spring Data container types for AuthorizeReturnObject #16953
• Update document regarding Stream usage #17219
• Update Type Validation Defaults #17181
• Use UserWebTestClientConfigurer #17496
• We should remove usage of PathMatcher in web modules #16887

🪲 Bug Fixes

• DataTargetVisitor should be package private to support AOT #17561
• Fix users schema documentation #17190
• Fixed link to CSRF checks on rubyonrails.org site #17319
• Remove the redundant punctuation marks in the comments #17075
• UnboundIdContainer fails with TestContext #17543
• Update HttpSecurity javadoc to use authorizeHttpRequests #17225
• Update JwtIssuerAuthenticationManagerResolver constructor javadoc #17486

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1 #17458
• Bump com.fasterxml.jackson:jackson-bom from 2.19.1 to 2.19.2 #17567
• Bump com.webauthn4j:webauthn4j-core from 0.29.1.RELEASE to 0.29.2.RELEASE #17092
• Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE #17193
• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE #17478
• Bump io-spring-javaformat from 0.0.43 to 0.0.45 #17150
• Bump io-spring-javaformat from 0.0.45 to 0.0.46 #17200
• Bump io-spring-javaformat from 0.0.46 to 0.0.47 #17479
• Bump io.micrometer:micrometer-observation from 1.14.6 to 1.14.7 #17093
• Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8 #17222
• Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 #17517
• Bump io.mockk:mockk from 1.14.2 to 1.14.4 #17456
• Bump io.mockk:mockk from 1.14.4 to 1.14.5 #17538
• Bump io.projectreactor:reactor-bom from 2025.0.0-M2 to 2025.0.0-M3 #17104
• Bump io.projectreactor:reactor-bom from 2025.0.0-M3 to 2025.0.0-M4 #17227
• Bump io.projectreactor:reactor-bom from 2025.0.0-M4 to 2025.0.0-M5 #17526
• Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 #17205
• Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 #17090
• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 #17457
• Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 #17527
• Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10 #17213
• Bump org.hibernate.orm:hibernate-core from 7.0.0.CR1 to 7.0.0.CR2 #17114
• Bump org.hibernate.orm:hibernate-core from 7.0.0.CR2 to 7.0.0.Final #17149
• Bump org.hibernate.orm:hibernate-core from 7.0.0.Final to 7.0.1.Final #17228
• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final #17459
• Bump org.hibernate.orm:hibernate-core from 7.0.4.Final to 7.0.5.Final #17489
• Bump org.hibernate.orm:hibernate-core from 7.0.5.Final to 7.0.6.Final #17518
• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 [#17460](#17460
• Update com.nimbusds dependencies #17542
• Update to Kotlin 2.2 #17380
• Update to Spring Data 2025.1.0-M4 #17560
• Update to Spring Framework 7.0.0-M7 #17559

🔩 Build Updates

• Bump @springio/antora-extensions from 1.14.4 to 1.14.6 in /docs #17515
• Remove deprecated Cookie method usage #17006

❤️ Contributors

Thank you to all the contributors who worked on this release:

@1livv, @DeepDhamala, @FerencKemeny, @GrmpfNarf, @JohnNiang, @Lidoca, @M-Faheem-Khan, @Shenker93, @big-cir, @chanbinme, @chschu, @evga7, @evgeniycheban, @fa11enangel, @felhag, @fjacobs, @franticticktick, @gamemock, @huhdy32, @kiruthiga1793, @kse-music, @marbon87, @milaneuh, @msqr, @ngocnhan-tran1996, @pat-mccusker, @quaff, @ronodhirSoumik, @rwinch, @surajbh123, @therepanic, @wapkch, and @yuezk