Spring Security 5.0: What's New, Release History & EOL Status

What Is New in Spring Security 5.0

How does Spring Security 5.0 enable OAuth 2.0 Login?

Spring Security 5.0 introduces first-class OAuth 2.0 Login support out of the box.

In practice this means you can delegate authentication to providers such as Google, GitHub, or Azure AD with minimal configuration. The new client registration model stores provider details in application.yml or application.properties, and the framework automatically creates the authorization request, handles the callback, and populates a populated OAuth2AuthenticationToken.

• Define client registration under spring.security.oauth2.client.registration.
• Optionally configure provider details under spring.security.oauth2.client.provider.
• Secure endpoints with .oauth2Login() in the HttpSecurity DSL.

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(a -> a
                .anyRequest().authenticated()
            )
            .oauth2Login(); // enables OAuth2 login flow
        return http.build();
    }
}

This matters if your organization is moving to a zero-trust model and wants to avoid custom authentication code.

What reactive capabilities does Spring Security 5.0 add for WebFlux applications?

Spring Security 5.0 adds dedicated annotations and testing support for reactive WebFlux applications.

Key additions:

• @EnableWebFluxSecurity activates a reactive security filter chain.
• @EnableReactiveMethodSecurity enables method-level security using reactive return types.
• WebFlux testing utilities (WebTestClient integration) let you assert security rules without a servlet container.

@Configuration
@EnableWebFluxSecurity
public class ReactiveSecurityConfig {
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated()
            )
            .httpBasic().and()
            .build();
    }
}

Watch out for the shift from HttpSecurity to ServerHttpSecurity - the APIs are similar but not interchangeable.

How has password encoding been modernized in Spring Security 5.0?

Spring Security 5.0 modernizes password encoding by promoting the PasswordEncoder interface and adding BCrypt, SCrypt, and Argon2 implementations as first-class beans.

In production this encourages a move away from legacy MD5PasswordEncoder or plain text storage. The new DelegatingPasswordEncoder lets you migrate existing hashes by prefixing stored passwords with an identifier (e.g., {bcrypt}$2a$10$...).

• Configure a bean: PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
• Use encoder.encode(rawPassword) when persisting new credentials.
• Existing passwords continue to work as long as their prefix matches a registered encoder.

This matters if you need to comply with PCI-DSS or other security standards that require strong hashing algorithms.