What is new in different versions of Spring Boot Security
Spring Security has evolved significantly over the years, especially in how it integrates with Spring Boot. Below is a version-by-version summary of what is new in each Spring Security release, with emphasis on Spring Boot integration and security features.
Spring Security 5.x Series (2018–2022)
Spring Security 5.0 (Jan 2018)
- OAuth 2.0 Login Support
- Password Encoders with DelegatingPasswordEncoder
- WebFlux Security (Reactive stack support)
- Security Matcher updates – mvcMatchers() and antMatchers()
- OAuth 2.0 Resource Server support (initial)
Spring Security 5.1 (Sept 2018)
- Form login + OAuth 2.0 simplifications
- Automatic JWT decoding
- SAML 2.0 initial support
- Enhancements to SecurityContextHolder
Spring Security 5.2 (Oct 2019)
- OAuth2 Authorization Server refinements (separate project)
- JWT Bearer Token support
- SameSite cookie support
- CSRF configuration improvements
Spring Security 5.3 (March 2020)
- Support for X.509 Authentication in WebFlux
- DelegatingAuthorizationManager
- Authorization event logging
- OAuth2 enhancements
Spring Security 5.4 (Sept 2020)
- @EnableMethodSecurity (replacement for @EnableGlobalMethodSecurity)
- SecurityFilterChain bean customization
- OAuth2 PKCE support
- SAML 2.0 refinements
- More lambda DSL support
Spring Security 5.5 (May 2021)
- New AuthorizationManager API (replacing AccessDecisionManager)
- OAuth2 Authorization Server improvements
- SecurityContextHolderStrategy (for async scenarios)
Spring Security 5.6 (Nov 2021)
- Support for Spring Native / AOT
- BouncyCastle support for JCA
- Improvements for OAuth2 token introspection
Spring Security 5.7 (May 2022)
- Deprecated WebSecurityConfigurerAdapter
- Move to component-based security configuration via SecurityFilterChain beans
- Enhanced method-level security annotations
- @EnableMethodSecurity replaces older global settings
Spring Security 6.x Series (2022–Present)
Supports Spring Boot 3.x and Jakarta EE
Spring Security 6.0 (Nov 2022)
- Java 17 baseline
- Jakarta EE 9+ package support (javax.* → jakarta.*)
- Component-based security config only (WebSecurityConfigurerAdapter removed)
- New configuration DSL using lambdas
- Enhanced support for GraalVM native image
- Updated OAuth2 client and server modules
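The move from `WebSecurityConfigurerAdapter` to a `SecurityFilterChain` bean with the lambda DSL, shown as an added example (not code from the original page). The URL patterns `/public/**` and `/admin/**` and the `ADMIN` role are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

// Before (5.x adapter style; the base class no longer exists in 6.0):
//   class SecurityConfig extends WebSecurityConfigurerAdapter {
//       @Override protected void configure(HttpSecurity http) throws Exception {
//           http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
//               .anyRequest().authenticated().and().formLogin();
//       }
//   }

// After (component-based style for Spring Security 6.x / Spring Boot 3.x).
@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize / @PostAuthorize on beans
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated in order; list the most specific first.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()      // illustrative path
                .requestMatchers("/admin/**").hasRole("ADMIN")  // illustrative path and role
                .anyRequest().authenticated())                  // everything else needs a login
            // CSRF protection is left at its default (enabled).
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: stored hashes carry an {id} prefix such as
        // {bcrypt}, so the hashing algorithm can be upgraded without breaking logins.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

Ending the rule list with `anyRequest().authenticated()` keeps any endpoint added later behind authentication unless it is explicitly opened.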
Spring Security 6.1 (May 2023)
- Method Security Expressions overhaul
- AuthorizationManager for all major use cases
- Improved multi-tenancy support
- JWT decoding enhancements
- Easier use of custom claims and scopes in token validation
- Better support for Docker and Cloud Native environments
Spring Security 6.2 (Nov 2023)
- Virtual thread compatibility
- Better error message handling
- More flexible authentication entry points
- Support for OAuth2 Token Revocation
- Continued improvements for AOT/Natively compiled applications
Upcoming (Spring Security 6.3 in 2024/2025)
- Improved OpenID Connect support
- Expanded SAML 2.0 features
- Performance and native image optimizations
Key Shifts Summary
| Version | Key Features |
|---------|--------------|
| 5.0 | OAuth 2.0 Login, Password Encoding |
| 5.2 | JWT & OAuth2 Resource Server |
| 5.4 | Lambda DSL, AuthorizationManager |
| 5.7 | Deprecated WebSecurityConfigurerAdapter |
| 6.0 | Jakarta EE, Java 17+, Native Ready |
| 6.1 | Method Security revamp, AuthorizationManager |
| 6.2 | Virtual Threads, OAuth2 Revocation |