⭐ New Features

• Add postProcessor to SpringOpaqueTokenIntrospector Builders #18625
• Add InetAddressMatcher #18634
• Add MessageExpressionAuthorizationManager #18813
• Add missing AOT Runtime Hints #18767
• Add nullability contract to PasswordEncoder#encode implementations #18490
• Add RestClientOpaqueTokenIntrospector #18746
• Add tests for PathPatternRequestMatcher request path caching #18721
• Allow custom token settings for OAuth 2.0 dynamic client registration #18870
• Change ActiveDirectoryLdapAuthenticationProvider to use LdapClient #18627
• Clarify need for method attribute in JSP authorize tag #18566
• Cleanup #17801
• Document multipart CSRF header option #18757
• Enable Null checking in spring-security-oauth2-jose via JSpecify #17821
• Ensure ID Token is updated after refresh token (Reactive) #17246
• Fail on javadoc warnings for spring-security-aspects #18855
• Fail spring-security-docs on javadoc warnings #18613
• Fix ClientAttributes Javadoc Typos #18802
• Fix compile warning in spring-security-test #18593
• Fix compile warnings for spring-security-config #18596
• Make authenticationConverter customizable in SpringOpaqueTokenIntrospector.Builder #18623
• Make PublicKeyCredentialCreationOptions Serializable #18354
• Mark CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName as Nullable #18620
• Remove unused @Nullable in Switch User and FactorGrantedAuthority #18765
• Specify charset in WWW-Authenticate for Basic Auth #18760
• Support custom OAuth2AuthenticatedPrincipal in Jwt-based authentication flow #17191
• Support single-line PEM encoded RSA keys in RsaKeyConverters #18599
• Update servlet/architecture.adoc to use include-code #18536
• Use attributes in Antora to replace the original links #18819
• Use include-code for websocket.adoc #18856

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18785
• Add Jackson Mixin for WebAuthnAuthentication #18907
• Add Missing OnCommitedResponseWrapper Header Overrides #18800
• Document Keberose Dependency Coordinates #18786
• Ensure tests clear AuthorizationServerContextHolder #18769
• Fix CookieRequestCache parameters #18865
• Fix Flaky Crypto Tests #18843
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18908
• Fix SecurityContextLogoutHandler.logout @param response Javadoc (cannot be null) #18795
• Fix spring-security-webauthn dependency in passkeys documentation #18866
• HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18835
• Improve error message for missing access attribute in intercept-url #18530
• Mark targetDomainObject as @Nullable in PermissionEvaluator #18796
• Update password4j docs to use BcryptPassword4jPasswordEncoder #18232

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 #18851
• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18852
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18808
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.31 #18740
• Bump ch.qos.logback:logback-classic from 1.5.31 to 1.5.32 #18748
• Bump com.fasterxml.jackson:jackson-bom from 2.21.0 to 2.21.1 #18778
• Bump com.nimbusds:oauth2-oidc-sdk from 11.33 to 11.34 #18859
• Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18827
• Bump gradle-wrapper from 9.3.1 to 9.4.0 #18849
• Bump io.micrometer:micrometer-observation from 1.16.3 to 1.16.4 #18868
• Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18875
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.11 to 0.0.12 #18828
• Bump minimatch from 3.1.2 to 3.1.5 in /javascript #18811
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18747
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18789
• Bump org-opensaml5 from 5.2.0 to 5.2.1 #18754
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18858
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18885
• Bump org.hibernate.orm:hibernate-core from 7.2.4.Final to 7.2.5.Final #18775
• Bump org.hibernate.orm:hibernate-core from 7.2.5.Final to 7.2.6.Final #18826
• Bump org.hibernate.orm:hibernate-core from 7.2.6.Final to 7.2.7.Final #18901
• Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18741
• Bump org.mockito:mockito-bom from 5.21.0 to 5.22.0 #18825
• Bump org.mockito:mockito-bom from 5.22.0 to 5.23.0 #18881
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.40.0 to 4.41.0 #18777
• Bump org.seleniumhq.selenium:selenium-java from 4.40.0 to 4.41.0 #18776
• Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18902
• Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18763
• Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18900
• Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.13 to 1.0.14 #18728
• Bump tools.jackson:jackson-bom from 3.0.4 to 3.1.0 #18790
• Update Antora UI Spring to v0.4.26 #18894

❤️ Contributors

Thank you to all the contributors who worked on this release...

⭐ New Features

• Update RestTemplateBuilder usage in opaque-token.adoc #18836

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18784
• Add Jackson Mixin for WebAuthnAuthentication #18878
• Add Missing OnCommitedResponseWrapper Header Overrides #18799
• Document the change in dependency coordinates with Spring Security 7 #18773
• Ensure tests clear AuthorizationServerContextHolder #18768
• Fix CookieRequestCache parameters #18864
• Fix Flaky Crypto Tests #18842
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18897
• HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18834
• OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #18873
• Restore upgradeEncoding condition in DaoAuthenticationProvider #18788
• saveAuthenticationRequest should read relayState from authenticationRequest #18884
• SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #18487
• ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #18276
• TokenBasedRememberMeServices documentation snippets should compile #18642
• Update request-matcher XML property to support PathPatternRequestMatcher #18737

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18853
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18810
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18752
• Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18830
• Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18877
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18751
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18792
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18861
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18887
• Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18743
• Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18904
• Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18764
• Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18905
• Update Antora UI Spring to v0.4.26 #18893
• Update to spring-security-release-tools 1.0.15 #18909

❤️ Contributors

Thank you to all the contributors who worked on this release:

@busoco-sjb, @making, @meliezer, @ngocnhan-tran1996, @rwinch, @sephiroth-j, @therepanic, @thuri, and @ziqin

⭐ New Features

• Update Link to CSRF Docs in FAQ #18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18544
• saveAuthenticationRequest should read relayState from authenticationRequest #18872
• Add Missing OnCommitedResponseWrapper Header Overrides #18798
• Clarify Resource Server startup expectations #18518
• Correct Reference to Clear-Site-Data Directive enum #18273
• Fix CookieRequestCache parameters #18857
• Fix Flaky Crypto Tests #18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Hann244, @Khyojae, @ghusta, @itsmevichu, @qihaiyan, @rwinch, @therepanic, and @ziqin

⭐ New Features

• Fail on compiler warnings for spring-security-javascript #18569
• TestingAuthenticationToken.credentials should be @Nullable #18615
• Ability to configure authenticationDetailsSource in AnonymousConfigurer #17878
• Add @Nullable to changePassword parameters in UserDetailsManager #18271
• Add missing @Nullable to setters of Nullable fields #18618
• Create Checkstyle Rules for Nullability Usage #18564
• Document RegisteredClient.ClientSettings #18614
• Enable Null checking in spring-security-ldap via JSpecify #17818
• Enable Null checking in spring-security-oauth2-core via JSpecify #17820
• Fail on compiler warnings for spring-security-access #18555
• Fail on compiler warnings for spring-security-acl #18557
• Fail on compiler warnings for spring-security-bom #18576
• Fail on compiler warnings for spring-security-dependencies #18568
• Fail on compiler warnings for spring-security-kerberos-client #18570
• Fail on compiler warnings for spring-security-taglibs #18578
• Fail spring-security-cas on javadoc warnings #18517
• Fail spring-security-ldap on javadoc warnings #18547
• Fail spring-security-messaging on javadoc warnings #18546
• Fail spring-security-oauth2-authorization-server on javadoc warnings #18602
• Fail spring-security-oauth2-core on javadoc warnings #18603
• Fail spring-security-oauth2-jose on javadoc warnings #18604
• Fail spring-security-rsocket on javadoc warnings #18605
• Fail spring-security-saml2-service-provider on javadoc warnings #18606
• Fail spring-security-taglibs on javadoc warnings #18607
• Fail spring-security-webauthn on javadoc warnings #18608
• Fix compiler warnings in spring-security-acl #18626
• Fix compiler warnings in spring-security-aspects #18581
• Fix HttpSecurity javadoc formatting #18526
• Fix javadoc warnings for spring-security-config #18545
• Fix javadoc warnings for spring-security-data #18532
• Fix Javadoc warnings in spring-security-crypto #18519
• Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint #18542
• Null safety via JSpecify spring-security-access #18398
• Null safety via JSpecify spring-security-acl #18401
• Null safety via JSpecify spring-security-aspects #18400
• Null safety via JSpecify spring-security-kerberos #18397
• Null safety via JSpecify spring-security-kerberos-client #18552
• Null safety via JSpecify spring-security-kerberos-core #18549
• Null safety via JSpecify spring-security-kerberos-web #18550
• Remove @NullUnmarked #18491
• Remove compiler warnings for spring-security-cas #18579
• Remove compiler warnings for spring-security-docs #18601
• Remove compiler warnings for spring-security-kerberos-core #18571
• Remove compiler warnings for spring-security-kerberos-test #18572
• Remove compiler warnings for spring-security-kerberos-web #18573
• Remove compiler warnings for spring-security-messaging #18575
• Remove compiler warnings for spring-security-oauth2-authorization-server #18562
• Remove compiler warnings for spring-security-rsocket #18567
• Remove compiler warnings for spring-security-saml2-service-provider #18577
• Remove compiler warnings for spring-security-webauthn #18556
• Remove compiler warnings in spring-security-data #18580
• Remove compiler warnings in spring-security-ldap #18559
• Support hasScope in Method Security #18151

🪲 Bug Fixes

• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18595
• ExpressionJwtGrantedAuthoritiesConverter is undocumented #18300
• Fix docs #18488
• Fix typo in authorize-http-requests.adoc #18600
• Fix typos in contributing guide #18635

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #18588
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18637
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18628
• Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #18697
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #18529
• Bump com.fasterxml.jackson:jackson-bom from 2.20.2 to 2.21.0 #18696
• Bump com.jayway.jsonpath:json-path from 2.9.0 to 2.10.0 #18690
• Bump github/codeql-action from 3 to 4 #18669
• Bump gradle-wrapper from 9.2.1 to 9.3.1 #18700
• Bump io.freefair.gradle:aspectj-plugin from 8.13.1 to 8.14.4 #18664
• Bump io.micrometer:context-propagation from 1.1.3 to 1.2.0 #18671
• Bump io.micrometer:context-propagation from 1.2.0 to 1.2.1 #18702
• Bump io.micrometer:micrometer-observation from 1.14.14 to 1.16.2 #18689
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #18597
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18533
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18636
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.10 to 0.0.11 #18612
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.9 to 0.0.10 #18554
• Bump jakarta.xml.bind:jakart...

⭐ New Features

• Fix Javadoc warnings in spring-security-web #18473
• Fix/gradle 9 deprecations #18485
• Fix/gradle 9 deprecations #18477
• Replace method call with 'Builder.configureMessageConverters()' #18378
• Replacing use of deprecated 'check' in authorization documentation #18390
• Use DefaultParameterNameDiscoverer#getSharedInstance #18481

🪲 Bug Fixes

• Authorization Server fails to start with multiple PasswordEncoder beans #18645
• BearerTokenAuthenticationEntryPoint uses context path #18528
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18594
• Document Client PKCE settings #18304
• Fix docs typo X-Requested-By -> X-Requested-With #18123
• Fix Formatting in mfa.adoc #18134
• Fix typo in documentation #18344
• Fix typos #18121

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #18384
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 #18684
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #18711
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #18660
• Bump com.webauthn4j:webauthn4j-core from 0.29.7.RELEASE to 0.31.0.RELEASE #18687
• Bump gradle-wrapper from 8.14 to 8.14.4 #18705
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #18681
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #18658
• Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3 #18717
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18683
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #18725
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #18706
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #18309
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #18326
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 #18346
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #18327
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #18682
• Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #18385
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #18655
• Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1 #18316
• Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2 #18733
• Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4 #18732
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT #18657
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #18651
• Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 #18659
• Update Antora UI Spring to v0.4.25 #18249
• Update to Spring Framework 7.0.3 #18667
• Update to spring-data-bom 2025.1.3 #18735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Been24, @Fr05ty-hub, @Kehrlann, @Rigu1, @bloomsei, @martinboulais, @ngocnhan-tran1996, @paulvas, @rwinch, @therepanic, and @vincentstradiot

⭐ New Features

• Add @FunctionalInterface to RequestMatcher #18337
• Spring Security 7 should provide migration path from request-matcher="ant" #18211
• Stop deploying JavaDoc outside of Antora #18199

🪲 Bug Fixes

• Add Missing Migration Pages to Navigation #18313
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #18235
• Fix typo in "Preparing for 7.0" in reference to PathPatternRequestMatcher #18336
• Fix typo in AnnotationTemplateExpressionDefaults documentation #18176
• Fix typos in documentation depenendencies->dependencies #18208

🔨 Dependency Upgrades

• Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #18675
• Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs #18677
• Bump @springio/antora-extensions from 1.14.4 to 1.14.7 in /docs #18676
• Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.11 in /docs #18679
• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #18192
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #18321
• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #18387
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 #18525
• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #18591
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #18631
• Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #18678
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #18710
• Bump gradle-wrapper from 8.14 to 8.14.4 #18704
• Bump io.micrometer:context-propagation from 1.1.3 to 1.1.4 #18703
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #18279
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #18275
• Bump io.projectreactor:reactor-bom from 2024.0.12 to 2024.0.13 #18293
• Bump io.projectreactor:reactor-bom from 2024.0.13 to 2024.0.14 #18495
• Bump io.projectreactor:reactor-bom from 2024.0.14 to 2024.0.15 #18716
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #18535
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #18724
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #18670
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #18292
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #18329
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #18352
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #18590
• Bump org.hibernate.orm:hibernate-core from 6.6.34.Final to 6.6.36.Final #18193
• Bump org.hibernate.orm:hibernate-core from 6.6.36.Final to 6.6.38.Final #18241
• Bump org.hibernate.orm:hibernate-core from 6.6.38.Final to 6.6.39.Final #18308
• Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final #18351
• Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final #18524
• Bump org.hibernate.orm:hibernate-core from 6.6.41.Final to 6.6.42.Final #18632
• Bump org.springframework.data:spring-data-bom from 2024.1.12 to 2024.1.13 #18320
• Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16 #18322
• Bump org.springframework:spring-framework-bom from 6.2.13 to 6.2.14 #18206
• Bump org.springframework:spring-framework-bom from 6.2.14 to 6.2.15 #18323
• Bump org.springframework:spring-framework-bom from 6.2.15 to 6.2.16 #18731
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #18649
• Update Antora UI Spring to v0.4.25 #18402

🔩 Build Updates

• Remove unnecessary Gradle wrapper from buildSrc #18692

❤️ Contributors

Thank you to all the contributors who worked on this release:

@garvit-joshi, @ghusta, @kucoll, and @rwinch

⭐ New Features

• Add nullability contract to PasswordEncoder#encode #18334
• Create Jackson Mixin for OneTimeTokenAuthenticationToken #18096
• Fix javadoc warnings for spring-security-oauth2-client #18483
• Fix spring-security-oauth2-core compiler warnings #18482
• Replacing use of deprecated 'check' in authorization documentation #18471
• Update to JDK 25 (release = 17) #18512
• Use DefaultParameterNameDiscoverer#getSharedInstance #18484

🪲 Bug Fixes

• Add Missing @NullMarked #18514
• Broken OAuth2AuthorizationRequestRedirectFilter constructor tests #18507
• Fix duplicated use-authorization-manager in docs #18478
• Fix Nullability on Collections/Arrays #18511

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 #18521
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #18494
• Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.6 to 0.0.9 #18371
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #18520
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.3 #18515
• Update jococo 0.8.14 #18508
• Update to Gradle 9.2.1 #18510
• Update to Kotlin 2.3.0 #18509

❤️ Contributors

Thank you to all the contributors who worked on this release:

@dasog94, @marcusdacoregio, @paulvas, @qkrrlgus114, and @scordio

🪲 Bug Fixes

• AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #18315

⭐ New Features

• Stop deploying JavaDoc outside of Antora #18200

🪲 Bug Fixes

• An unexpected dependency appeared for spring-security-config of spring-security-web #18307
• Fix "typ" header value in NimbusJwtEncoder-encoded JWT #18270
• Fix broken link to Spring Boot docs #18236
• Fix documentation resource server sample title #18231
• Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #18223
• Fix typo in AnnotationTemplateExpressionDefaults documentation #18255
• Fix typos in documentation depenendencies->dependencies #18209
• NimbusJwtEncoder produces JWT with wrong "typ" header value #18269
• OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #18251
• Remove requireProofKey warning for non-auth-code flows #18221
• Remove throws from MyCustomDsl in docs #18224

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #18214
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #18311
• Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #18245
• Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #18262
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #18189
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #18277
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #18274
• Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #18289
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #18187
• Bump org-aspectj from 1.9.24 to 1.9.25 #18186
• Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #18215
• Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #18188
• Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #18312
• Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #18213
• Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #18310
• Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #18212
• Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #18244

🔩 Build Updates

• Add Test for ServletRequestPathUtils.parseAndCache(method=null) #18166
• Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@L33gn21, @ghusta, @ronodhirSoumik, @rwinch, @sach429, and @ziqin

⭐ New Features

• Add a minimal authorization server configuration #18153
• Mark GrantedAuthority#getAuthority as @Nullable #18014
• Polish SimpleGrantedAuthority #18062

🪲 Bug Fixes

• Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #18026
• Fix webauthn multifactor authentication #18163

🔨 Dependency Upgrades

• Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #18099
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #18100
• Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #18097
• Update to Reactor 2025.0.0 #18173
• Update to Spring Data 2025.1.0 #18174
• Update to Spring Framework 7.0.0 #18172
• Update to Spring LDAP 4.0.0 #18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@Kehrlann, @SimonVonXCVII, @quaff, and @therepanic