Latest in branch 5.1: 5.1.13, released 07 Oct 2020

Software: Spring Security
Branch: 5.1
Supported: Java/Jakarta EE (Java 8+, Servlet 3.0+)
Initial release: 5.1.0 (21 Sep 2018)
Latest release: 5.1.13 (07 Oct 2020)
End of OSS support: 31 Oct 2019
End of enterprise support: 31 Jan 2021
Release notes: https://github.com/spring-projects/spring-security/releases/tag/5.1.13.RELEASE
Source code: https://github.com/spring-projects/spring-security/tree/5.1.13.RELEASE
Download: https://github.com/spring-projects/spring-security/releases/tag/5.1.13.RELEASE

What Is New in Spring Security 5.1

Category       Highlights
New Features   Automatic password storage upgrades via UserDetailsPasswordService and ReactiveUserDetailsPasswordService; OAuth2 Client and Resource Server support for servlet and WebFlux, including authorization_code and client_credentials grants; JWT-encoded bearer token handling; OAuth2 WebClient integration for both servlet and WebFlux; enhanced HTTP Firewall protecting against verb tampering and cross-site tracing; Feature-Policy header support; @Transient authentication tokens; modern default login page.
Improvements   ExceptionTranslationFilter can select an AccessDeniedHandler by RequestMatcher; CSRF can exclude specific requests; @WithMockUser now allows custom setup timing; @WithUserDetails works with ReactiveUserDetailsService; @AuthenticationPrincipal now resolves beans and supports errorOnInvalidType; LDAP authentication can be configured with environment variables; X.509 authentication supports custom principal derivation strategies.

How does Spring Security 5.1 simplify password migration for existing users?

Spring Security 5.1 introduces automatic password storage upgrades through the UserDetailsPasswordService (and its reactive counterpart) so that passwords can be re-hashed transparently on successful authentication.

  • Implement UserDetailsPasswordService and return an updated UserDetails with the new encoded password.
  • Register the service as a bean; the framework will invoke it after a successful login if the stored password needs upgrading.
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.stereotype.Service;

@Service
public class MyPasswordUpgradeService implements UserDetailsPasswordService {
    @Override
    public UserDetails updatePassword(UserDetails user, String newPassword) {
        // newPassword is already encoded by the configured PasswordEncoder;
        // persist it for user.getUsername() here, then return a fresh UserDetails
        return new User(user.getUsername(), newPassword, user.getAuthorities());
    }
}

In practice this means you can move from BCrypt to Argon2 without forcing users to reset passwords.
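The following is an added example (not code from the page or from the Spring Security project) that wires the two halves of the upgrade path together: a DelegatingPasswordEncoder whose idForEncode differs from the legacy hash prefix, which is what makes upgradeEncoding() return true, and a UserDetailsPasswordService bean that stores the re-hashed value. It migrates legacy {sha256} rows to {bcrypt}; AccountRepository is a hypothetical persistence interface.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

// Added example, not from the page or the Spring Security project.
// AccountRepository is a hypothetical persistence interface.
@Configuration
public class PasswordUpgradeConfig {

    // Stored hashes carry an id prefix: "{sha256}..." for legacy rows, "{bcrypt}..."
    // for current ones. New hashes use the "bcrypt" id; for any other id
    // upgradeEncoding() returns true, so DaoAuthenticationProvider re-hashes the
    // presented password after a successful login and hands it to the
    // UserDetailsPasswordService bean below.
    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("sha256", new StandardPasswordEncoder()); // legacy only, never for new hashes
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    // The framework calls updatePassword(user, alreadyEncodedPassword) only when an
    // upgrade is needed; the plaintext never reaches this code.
    @Bean
    public UserDetailsPasswordService passwordUpgrader(AccountRepository accounts) {
        return (user, encoded) -> {
            accounts.updatePasswordHash(user.getUsername(), encoded);
            return User.withUserDetails(user).password(encoded).build();
        };
    }

    // Hypothetical repository standing in for the JDBC/JPA code that owns the user table.
    public interface AccountRepository {
        void updatePasswordHash(String username, String encodedPassword);
    }
}
```

Once every row has been re-hashed, the "sha256" entry can be removed from the map so that any leftover legacy hash fails to match rather than silently staying weak.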

What new OAuth 2.0 client and resource server capabilities are available in Spring Security 5.1 for servlet and WebFlux?

Spring Security 5.1 adds full OAuth2 Client support for both servlet and WebFlux, including authorization_code and client_credentials grant types, plus JWT-based resource server handling.

  • Servlet: configure spring.security.oauth2.client properties or use OAuth2AuthorizedClientManager for programmatic token acquisition.
  • WebFlux: use ServerOAuth2AuthorizedClientExchangeFilterFunction with the reactive WebClient to obtain tokens automatically.
  • Resource Server: add spring.security.oauth2.resourceserver.jwt to validate JWT bearer tokens without extra code.
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

// Example WebClient configuration for reactive OAuth2 client
// (clientRegistrationRepository is a ReactiveClientRegistrationRepository,
//  authorizedClientRepository a ServerOAuth2AuthorizedClientRepository bean)
WebClient client = WebClient.builder()
    .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(
        clientRegistrationRepository, authorizedClientRepository))
    .build();

This matters if your microservices need to call downstream APIs using OAuth2 without writing custom token handling logic.
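The resource-server side deserves a worked example too, because the property-only setup validates signature, expiry and (if configured) issuer but says nothing about audience. The following is an added example, not code from the page or from the Spring Security project: a servlet configuration in the 5.1 chained style that resolves keys from a JWK Set and adds timestamp, issuer and audience validation. ISSUER, JWK_SET_URI and AUDIENCE are assumed placeholder values, and audienceIs() is a hypothetical helper.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

// Added example, not from the page or the Spring Security project.
// ISSUER, JWK_SET_URI and AUDIENCE are assumed placeholder values.
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    private static final String ISSUER = "https://issuer.example";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    private static final String AUDIENCE = "orders-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // "scope" claims become SCOPE_* authorities, so scopes can gate endpoints.
        http.authorizeRequests()
            .antMatchers("/orders/**").hasAuthority("SCOPE_orders:read")
            .anyRequest().authenticated();
        http.oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    // Signature via the JWK Set, then exp/nbf, iss and aud. The stock validators do
    // not check "aud", so a valid token minted for a different API would otherwise
    // be accepted here.
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URI);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            new JwtTimestampValidator(), new JwtIssuerValidator(ISSUER), audienceIs(AUDIENCE)));
        return decoder;
    }

    // Hypothetical helper, not a framework class.
    static OAuth2TokenValidator<Jwt> audienceIs(String expected) {
        return jwt -> jwt.getAudience() != null && jwt.getAudience().contains(expected)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(new OAuth2Error(
                "invalid_token", "required audience " + expected + " is missing", null));
    }
}
```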

How have HTTP security headers and firewall protections been strengthened in Spring Security 5.1?

Spring Security 5.1 enhances the HTTP firewall to block verb tampering and cross-site tracing, and adds first-class support for Feature-Policy and other modern security headers.

  • HTTP Firewall now validates the HTTP method against the request path and rejects unexpected verbs such as TRACE.
  • Feature-Policy header can be added via the HeadersConfigurer to control browser features like fullscreen or geolocation.
  • CSRF configuration now allows selective exclusion of endpoints using a RequestMatcher.
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Spring Security 5.1 has no lambda DSL (that arrived in 5.2), so the chained form
// is used; ignoringRequestMatchers takes RequestMatcher instances, not path strings
http.csrf().ignoringRequestMatchers(new AntPathRequestMatcher("/webhook/**"));
http.headers().featurePolicy("geolocation 'self'; fullscreen 'none'");
http.requestCache().disable();

Watch out for legacy proxies that might rewrite HTTP verbs; the new firewall will reject those requests early.
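The following is an added example (not code from the page or from the Spring Security project) showing the three controls together in one 5.1-style configuration: a StrictHttpFirewall with an explicit verb allow-list, a CSRF exemption limited to POSTs on the webhook path, and a Feature-Policy header. The allowed verb list and the /webhook/** path are assumptions for a JSON API.

```java
import java.util.Arrays;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example, not from the page or the Spring Security project. The allowed
// verb list and the /webhook/** path are assumptions for a JSON API.
@EnableWebSecurity
public class HardenedWebConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // StrictHttpFirewall already rejects verbs outside its default allow-list
        // (TRACE among them); naming only the verbs this API serves rejects anything
        // else with a RequestRejectedException before any security filter runs.
        firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        web.httpFirewall(firewall);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Server-to-server webhook posts carry no session, so they are exempt from CSRF;
        // every browser-facing endpoint keeps the token check.
        http.csrf().ignoringRequestMatchers(new AntPathRequestMatcher("/webhook/**", "POST"));
        // Feature-Policy: only same-origin documents may use geolocation; no fullscreen.
        http.headers()
            .featurePolicy("geolocation 'self'; fullscreen 'none'")
            .and()
            .frameOptions().deny();
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```

A request that the firewall rejects never reaches the filter chain, so monitoring for RequestRejectedException in the container logs is the place to spot a proxy that rewrites verbs.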

What testing annotation enhancements does Spring Security 5.1 introduce?

Spring Security 5.1 expands test support by allowing @WithMockUser to control when the security context is set up and enabling @WithUserDetails to work with reactive user services.

  • @WithMockUser(setupBefore = TestExecutionEvent.TEST_EXECUTION) lets you initialize the mock user after JUnit's @Before methods.
  • @WithUserDetails now accepts a ReactiveUserDetailsService bean, making it usable in WebFlux tests.
  • Improvements to @AuthenticationPrincipal allow bean resolution and optional error handling via errorOnInvalidType.
import org.junit.jupiter.api.Test;
import org.springframework.security.test.context.support.TestExecutionEvent;
import org.springframework.security.test.context.support.WithMockUser;

@Test
@WithMockUser(username = "admin", roles = "ADMIN", setupBefore = TestExecutionEvent.TEST_EXECUTION)
void securedEndpointReturnsOk() {
    // the mock "admin" user is placed in the SecurityContext after @Before/@BeforeEach
    // setup has run, so setup code cannot clear it; test logic here
}

Most teams will see faster test setup and clearer intent when using these annotations.

Frequently Asked Questions

Does Spring Security 5.1 require any code changes to enable automatic password upgrades?
Yes, you need to implement UserDetailsPasswordService and register it as a bean so the framework can invoke it after a successful authentication.

Can the new OAuth2 client in 5.1 handle the authorization_code grant out of the box?
Yes, the client automatically builds the authorization request and token exchange for authorization_code.

Which HTTP firewall checks were added in 5.1 to prevent verb tampering?
The firewall now validates the HTTP method against the request and blocks unexpected verbs such as TRACE.

How do I exclude a specific endpoint from CSRF protection in 5.1?
Add a RequestMatcher to the CsrfConfigurer using csrf().ignoringRequestMatchers(new AntPathRequestMatcher("/webhook/**")).

What is the new annotation that allows transient authentication tokens in 5.1?
The @Transient annotation can be placed on a custom Authentication implementation to mark it as non-persistent.

Releases In Branch 5.1

Version      Release date
5.1.13       07 Oct 2020
5.1.12       05 Aug 2020
5.1.11       03 Jun 2020
5.1.10       06 May 2020
5.1.9        01 Apr 2020
5.1.8        05 Feb 2020
5.1.7        04 Nov 2019
5.1.6        05 Aug 2019
5.1.5        02 Apr 2019
5.1.4        13 Feb 2019
5.1.3        10 Jan 2019
5.1.2        28 Nov 2018
5.1.1        15 Oct 2018
5.1.0        21 Sep 2018
5.1.0.RC2    07 Sep 2018
5.1.0.RC1    20 Aug 2018
5.1.0.M2     26 Jul 2018
5.1.0.M1     14 May 2018