What Is New in Spring Security 4.2
| Category | Highlights |
|---|---|
| New Features | Jackson support, Referrer-Policy header, HTTP response-splitting protection, bean reference in @AuthenticationPrincipal, RequestAttributeAuthenticationFilter for WebAuth/Shibboleth, CompositeLogoutHandler, Proxy Server documentation. |
| Improvements | Central default role-prefix configuration, custom DSLs in WebSecurityConfigurerAdapter, unlimited max-sessions, request-matcher-ref in XML, RoleHierarchy from Map/YAML, custom cookiePath for CookieCsrfTokenRepository, InvalidSessionStrategy on SessionManagementConfigurer, Spring 5 compatibility, UserBuilder API, MockMvc CSRF token handling fix. |
| Bug Fixes | Fixed bean exposure issue for defaultMethodExpressionHandler, corrected MockMvc CSRF repository behavior, various minor issue resolutions across the codebase. |
How does Spring Security 4.2 improve web security headers and request handling?
Spring Security 4.2 adds built-in support for the Referrer-Policy header and guards responses against HTTP response splitting.
- Referrer-Policy: `.headers().referrerPolicy()` emits `Referrer-Policy: no-referrer`; pass a `ReferrerPolicy` constant (for example `ReferrerPolicy.SAME_ORIGIN`) for another policy, or use `<referrer-policy policy="same-origin"/>` inside `<headers>` in XML. The header tells the browser how much of the current URL it may disclose in the `Referer` header of outgoing requests.
- Response-splitting prevention: the `HttpFirewall` now wraps the response as well as the request, and the wrapper rejects header values, redirect locations and cookie values that contain CR or LF. A user-controlled string that reaches `sendRedirect()` or `setHeader()` therefore cannot inject additional headers or a second response body. This is on by default and needs no configuration.
- Jackson support: `SecurityJackson2Modules` supplies Jackson modules with mixins for `SecurityContext`, `Authentication`, `User`, `GrantedAuthority` and related types, so a JSON-based session store (for example Spring Session) can persist the security context without Java serialization. It is not a mechanism for rendering `Authentication` objects in REST responses.
In practice these defaults remove the need for custom header-writing filters and make compliance with current browser referrer policies a one-liner.
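The Referrer-Policy setting and the Jackson modules together in one configuration, added here as an example and not code from the Spring Security reference or its samples. It assumes Java 8, a form-login application, and that the ObjectMapper bean is handed to a JSON-backed session store; the round trip in main() stands in for what such a store does on every request.

```java
import java.util.List;

import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
@EnableWebSecurity
public class HeadersAndJacksonConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                // Adds "Referrer-Policy: same-origin" to every response. The no-argument
                // referrerPolicy() would send "no-referrer" instead.
                .referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
    }

    // ObjectMapper that can (de)serialize SecurityContext, Authentication, User and
    // GrantedAuthority; this is the mapper to give a JSON-based session store.
    @Bean
    public ObjectMapper securityObjectMapper() {
        ObjectMapper mapper = new ObjectMapper();
        List<Module> modules = SecurityJackson2Modules.getModules(getClass().getClassLoader());
        mapper.registerModules(modules);
        return mapper;
    }

    // Serializes a SecurityContext to JSON and reads it back, the operation a
    // JSON-backed session store performs when a request arrives.
    public static SecurityContext roundTrip(ObjectMapper mapper, SecurityContext context) throws Exception {
        String json = mapper.writeValueAsString(context);
        // The modules enable Jackson type ids ("@class") so interfaces such as
        // Authentication can be restored. Only ever feed this mapper JSON the
        // application wrote itself (a session store), never client-supplied input.
        return mapper.readValue(json, SecurityContextImpl.class);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new HeadersAndJacksonConfig().securityObjectMapper();
        SecurityContext context = new SecurityContextImpl();
        // Constructed sample principal; a String principal keeps the example independent
        // of a UserDetails implementation.
        context.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "secret", AuthorityUtils.createAuthorityList("ROLE_USER")));
        SecurityContext copy = roundTrip(mapper, context);
        System.out.println(copy.getAuthentication().getName() + " "
                + copy.getAuthentication().getAuthorities());
    }
}
```

The response-splitting check needs nothing from the configuration: once the filter chain runs, the firewalled response refuses CR/LF in anything passed to setHeader(), addHeader(), addCookie() or sendRedirect().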
What configuration enhancements simplify role management and session handling in Spring Security 4.2?
Spring Security 4.2 centralizes role-prefix configuration and expands the session-management options.
- Declare a single `GrantedAuthorityDefaults` bean (for example `new GrantedAuthorityDefaults("")` to drop the prefix, or `new GrantedAuthorityDefaults("APP_")` for a custom one) and the Java configuration applies that prefix to `hasRole()` in web and method security expressions and to `RoleVoter`, instead of calling `setDefaultRolePrefix` on every expression handler.
- Unlimited concurrent sessions: `.sessionManagement().maximumSessions(-1)` in Java configuration, `max-sessions="-1"` in XML. Sessions are still recorded in the `SessionRegistry`; only the per-user cap is removed.
- `InvalidSessionStrategy` can be set directly on `SessionManagementConfigurer` (`.sessionManagement().invalidSessionStrategy(strategy)`), giving full control over the response when a request presents a session id that is no longer valid (for example after a timeout); previously the DSL offered only `invalidSessionUrl`, a redirect.
- `CookieCsrfTokenRepository.setCookiePath("/custom")` scopes the XSRF-TOKEN cookie to a path of your choosing; the default is the request context path.
This matters if your application runs behind a reverse proxy that exposes it under a different path, or shares a host with other applications whose cookies must not collide.
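The four items above combined in one configuration, added here as an example and not the project's own code. It assumes Java 8, a single in-memory test user, and a deployment in which a reverse proxy publishes the application under /app; the 401 JSON body and the /admin/** pattern are illustrative.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.InvalidSessionStrategy;

@Configuration
@EnableWebSecurity
public class SessionAndRoleConfig extends WebSecurityConfigurerAdapter {

    // Single place for the role prefix. With an empty prefix, hasRole('admin') in web
    // and method security expressions matches an authority named exactly "admin".
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }

    // Lets the SessionRegistry drop entries when the container invalidates a session.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // UserBuilder.roles() always prepends "ROLE_", so grant plain authorities to
        // match the empty prefix. In-memory test user only.
        auth.inMemoryAuthentication()
                .withUser("alice").password("secret").authorities("admin");
    }

    // Invoked when a request carries a session id that is no longer valid (timed out
    // or invalidated). API clients get 401 and JSON instead of a redirect to a login page.
    private InvalidSessionStrategy apiInvalidSessionStrategy() {
        return (request, response) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"invalid_session\"}");
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CookieCsrfTokenRepository csrfRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Assumed deployment: the proxy publishes this app under /app, so the XSRF-TOKEN
        // cookie is scoped to that path rather than the default (the servlet context path).
        csrfRepository.setCookiePath("/app");

        http
            .authorizeRequests()
                // The hasRole("admin") shortcut of authorizeRequests() builds the expression
                // hasRole('ROLE_admin') itself, so with a custom prefix spell the expression out.
                .antMatchers("/admin/**").access("hasRole('admin')")
                .anyRequest().authenticated()
                .and()
            .csrf()
                .csrfTokenRepository(csrfRepository)
                .and()
            .sessionManagement()
                .invalidSessionStrategy(apiInvalidSessionStrategy())
                // -1 lifts the per-user cap but keeps the SessionRegistry, so an
                // administrator can still list and expire a user's sessions.
                .maximumSessions(-1)
                .and()
                .and()
            .httpBasic();
    }
}
```

The cookie path is the part to check after deployment: with the proxy in place, confirm in the browser that the XSRF-TOKEN cookie carries Path=/app, otherwise a second application on the same host will read or overwrite it.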
Which new authentication mechanisms and integration points were added in Spring Security 4.2?
Spring Security 4.2 introduces RequestAttributeAuthenticationFilter, a pre-authenticated processing filter for deployments where an SSO module in front of the application (Stanford WebAuth, the Shibboleth SP) has already authenticated the user and exposes the identity as a request attribute, REMOTE_USER by default, rather than as an HTTP header. Reading an attribute instead of a header matters because only server-side code in the same container can set a request attribute, whereas a forwarded header is only trustworthy if the proxy strips it from client requests. Like every pre-authenticated filter it needs an AuthenticationManager that contains a PreAuthenticatedAuthenticationProvider:
```java
RequestAttributeAuthenticationFilter filter = new RequestAttributeAuthenticationFilter();
filter.setPrincipalEnvironmentVariable("REMOTE_USER"); // attribute the SSO module sets (the default)
filter.setAuthenticationManager(authenticationManager());
http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
```
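A complete wiring of the filter, added here as an example and not taken from the Spring Security reference or its samples. It assumes Java 8 (lambdas), an SSO module that sets the REMOTE_USER request attribute, a hypothetical rule mapping the user "admin" to ROLE_ADMIN in place of a directory lookup, and the Shibboleth SP's logout path; it also shows CompositeLogoutHandler and the UserBuilder API.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    // Maps the SSO-asserted username to a local UserDetails. The "admin" -> ADMIN rule
    // is a hypothetical stand-in for a directory or database lookup.
    private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> ssoUserDetailsService() {
        return token -> {
            String username = token.getName();
            String[] roles = "admin".equals(username)
                    ? new String[] { "USER", "ADMIN" }
                    : new String[] { "USER" };
            return User.withUsername(username)
                    .password("N/A")   // never checked: the SSO module already authenticated the user
                    .roles(roles)      // roles() prepends ROLE_ for you
                    .build();
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(ssoUserDetailsService());
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestAttributeAuthenticationFilter ssoFilter = new RequestAttributeAuthenticationFilter();
        // WebAuth and the Shibboleth SP publish the asserted identity as a request
        // attribute; REMOTE_USER is the filter's default, set here for clarity.
        ssoFilter.setPrincipalEnvironmentVariable("REMOTE_USER");
        ssoFilter.setAuthenticationManager(authenticationManager());
        // Default true: a request without the attribute raises an exception instead of
        // quietly continuing as anonymous. Set false only if the SSO module is not in
        // front of every URL this chain protects.
        ssoFilter.setExceptionIfVariableMissing(true);

        http
            .addFilterBefore(ssoFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .logout()
                // One handler built from several: clear the SecurityContext (which also
                // invalidates the session), then the container session cookie.
                .addLogoutHandler(new CompositeLogoutHandler(
                        new SecurityContextLogoutHandler(),
                        new CookieClearingLogoutHandler("JSESSIONID")))
                // The SSO session lives in the SP, not in this application, so finish
                // at its logout handler (assumed path: the Shibboleth SP default).
                .logoutSuccessUrl("/Shibboleth.sso/Logout");
    }
}
```

Without the final redirect, the next request after logout would carry REMOTE_USER again and the filter would silently re-authenticate the user, which is the usual surprise with pre-authenticated setups.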
Additionally, the expression attribute of @AuthenticationPrincipal can now reference Spring beans, because the argument resolver is wired with a BeanResolver: an expression such as `@AuthenticationPrincipal(expression = "@accountLookup.byPrincipal(#this)")` hands the principal to a bean and injects whatever it returns, so controllers receive the application's own user type without a manual cast.
- CompositeLogoutHandler wraps any number of LogoutHandlers in one, so a single object can be passed wherever the API accepts one handler.
- `User.withUsername("alice").password("secret").roles("USER").build()` builds a UserDetails fluently (UserBuilder), which cuts boilerplate in tests and in-memory configurations.
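The bean-reference form of @AuthenticationPrincipal in a controller, added here as an example and not from the Spring Security reference. It assumes a Spring MVC application with @EnableWebSecurity (which registers the argument resolver) and component scanning of this package; Account and AccountLookup are hypothetical application types.

```java
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application type: what the controller wants instead of a raw UserDetails.
class Account {
    final String username;
    final String displayName;

    Account(String username, String displayName) {
        this.username = username;
        this.displayName = displayName;
    }
}

// Hypothetical lookup bean, referenced from the SpEL expression as "@accountLookup".
@Component("accountLookup")
class AccountLookup {
    public Account byPrincipal(Object principal) {
        // Anonymous requests carry the String "anonymousUser" as principal. Returning
        // null makes the resolver pass null to the controller instead of failing.
        if (!(principal instanceof UserDetails)) {
            return null;
        }
        String username = ((UserDetails) principal).getUsername();
        return new Account(username, "User " + username); // a real bean would query a repository
    }
}

@RestController
public class AccountController {

    // The expression's root object (and #this) is Authentication.getPrincipal(); the
    // "@accountLookup" reference is resolved against the ApplicationContext. The result
    // must be assignable to the parameter type, otherwise the argument is null
    // (or a ClassCastException with errorOnInvalidType = true).
    @GetMapping("/me")
    public String me(@AuthenticationPrincipal(expression = "@accountLookup.byPrincipal(#this)") Account account) {
        return account == null ? "anonymous" : account.displayName;
    }
}
```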
Most teams will see fewer custom filters and clearer configuration when integrating with SSO providers.
How does Spring Security 4.2 align with Spring Framework 5 and modern development practices?
Spring Security 4.2 is compatible with Spring Framework 5 while still building against Spring 4.3, so you can move the core framework forward without waiting for a later security release. It does not add reactive (WebFlux) support; that arrived with Spring Security 5.0.
- The core modules run unchanged on the Spring 5 APIs, so the framework upgrade and the security upgrade can be scheduled separately.
- The reference documentation gains a Proxy Server Configuration section: behind a TLS-terminating proxy or load balancer the application must honour the X-Forwarded-* headers (for example with Tomcat's RemoteIpValve or Spring's ForwardedHeaderFilter), otherwise redirects, requiresSecure() and absolute URLs are built from the proxy-facing scheme and host rather than the client-facing ones.
- The MockMvc csrf() request post-processor now respects the configured CsrfTokenRepository (for example CookieCsrfTokenRepository) instead of assuming the session-based default, so tests run against the same CSRF setup as the application.
Watch the transitive dependency upgrades: pin the Spring Framework, Spring Security and build plugin versions explicitly rather than letting one BOM pull the others forward.
Frequently Asked Questions
Can I enable the Referrer-Policy header with a single method call?
Yes. `.headers().referrerPolicy()` on HttpSecurity emits `Referrer-Policy: no-referrer`; `.headers().referrerPolicy(ReferrerPolicy.SAME_ORIGIN)` (or another ReferrerPolicy constant) selects a different policy. In XML, add `<referrer-policy policy="same-origin"/>` inside `<headers>`.
Does the new role-prefix setting affect existing XML security configurations?
It only applies to Java DSL configurations; XML namespaces continue to use their own prefix handling.
Is unlimited concurrent sessions safe for production?
Unlimited means the concurrency check never rejects a login, so one leaked credential can hold any number of sessions. It is acceptable when you keep the SessionRegistry for visibility (the -1 setting still records sessions, so they can be listed and expired), keep session timeouts short, and rate limit the login endpoint; if sessions live in an external store, make sure the registry is shared across instances as well.
How do I wire a custom InvalidSessionStrategy?
Use .sessionManagement().invalidSessionStrategy(myStrategy) in your security config.
What code change is required to use RequestAttributeAuthenticationFilter?
Construct the filter, give it an AuthenticationManager that contains a PreAuthenticatedAuthenticationProvider (with an AuthenticationUserDetailsService to load the user's roles), and add it before UsernamePasswordAuthenticationFilter in the HttpSecurity filter chain.
Will upgrading to Spring Security 4.2 break existing MockMvc CSRF tests?
No. The fix makes csrf() work with whatever CsrfTokenRepository is configured, so tests written against the session-based default keep passing, and tests against a cookie-based repository now pass as well.