2
0

whats-new.adoc 2.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960
  1. [[new]]
  2. = What's New in Spring Security 7.0
  3. Spring Security 7.0 provides a number of new features.
  4. Below are the highlights of the release, or you can view https://github.com/spring-projects/spring-security/releases[the release notes] for a detailed listing of each feature and bug fix.
  5. == Removals
  6. Being a major release, there are a number of deprecated APIs that are removed in Spring Security 7.
  7. Each section that follows will indicate the more notable removals as well as the new features in that module
  8. == Core
  9. * Removed `AuthorizationManager#check` in favor of `AuthorizationManager#authorize`
  10. * Added xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`] for creating `AuthorizationManager` instances in xref:servlet/authorization/authorize-http-requests.adoc#customizing-authorization-managers[request-based] and xref:servlet/authorization/method-security.adoc#customizing-authorization-managers[method-based] authorization components
  11. == Config
  12. * Support modular configuration in xref::servlet/configuration/java.adoc#modular-httpsecurity-configuration[Servlets] and xref::reactive/configuration/webflux.adoc#modular-serverhttpsecurity-configuration[WebFlux]
  13. * Removed `and()` from the `HttpSecurity` DSL in favor of using the lambda methods
  14. * Removed `authorizeRequests` in favor of `authorizeHttpRequests`
  15. * Simplified expression migration for `authorizeRequests`
  16. * Added support for SPA-based CSRF configuration:
  17. Java::
  18. +
  19. [source,java,role="primary"]
  20. ----
  21. http.csrf((csrf) -> csrf.spa());
  22. ----
  23. == Data
  24. * Added support to Authorized objects for Spring Data types
  25. == LDAP
  26. * Removed `ApacheDsContainer` and related Apache DS support in favor of UnboundID
  27. == OAuth 2.0
  28. * Removed support for password grant
  29. * Added OAuth2 Support for xref:features/integrations/rest/http-interface.adoc[HTTP Interface Integration]
  30. * Added support for custom `JwkSource` in `NimbusJwtDecoder`, allowing usage of Nimbus's `JwkSourceBuilder` API
  31. * Added builder for `NimbusJwtEncoder`, supports specifying an EC or RSA key pair or a secret key
  32. == SAML 2.0
  33. * Removed API methods based on `AssertingPartyDetails` class in favor of `AssertingPartyMetadata` interface
  34. * Removed GET request support from `Saml2AuthenticationTokenConverter`
  35. * Added JDBC-based `AssertingPartyMetadataRepository`
  36. * Made so that SLO still returns `<saml2:LogoutResponse>` even when validation fails
  37. * Removed Open SAML 4 support; applications should migrate to Open SAML 5
  38. == Web
  39. * Removed `MvcRequestMatcher` and `AntPathRequestMatcher` in favor of `PathPatternRequestMatcher`
  40. * Added javadoc:org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor[]
  41. * Added support for propagating exceptions in Authorized proxies through Spring MVC controllers
  42. * Added support to Authorized objects for Spring MVC types