Latest in branch 5.2: 5.2.15
Released 20 Dec 2021 (4 years ago)
Software: Spring Security
Branch: 5.2
Supported Java/Jakarta EE: Java 8+, Servlet 3.0+
Initial release: 5.2.0, 30 Sep 2019 (6 years ago)
Latest release: 5.2.15, 20 Dec 2021 (4 years ago)
End of OSS support: 31 Oct 2020 (ended 5 years, 6 months ago)
End of enterprise support: 31 Jan 2022 (ended 4 years, 3 months ago)
Release notes: https://github.com/spring-projects/spring-security/releases/tag/5.2.15.RELEASE
Source code: https://github.com/spring-projects/spring-security/tree/5.2.15.RELEASE
Download: https://github.com/spring-projects/spring-security/releases/tag/5.2.15.RELEASE
Spring Security 5.2 Releases

What Is New in Spring Security 5.2

Category             Highlights
New Features         RSocket security DSL, SAML2 signature enforcement, OAuth2 nonce support, Reactive Messaging argument resolvers, Clear-Site-Data documentation
Improvements         hasAuthority/hasAnyAuthority/denyAll in AuthorizePayloadsSpec, OAuth2User now extends OAuth2AuthenticatedPrincipal, Scheduler usage tuned for reactive managers
Bug Fixes            AuthNRequest destination correction, SAML response skew type fix, Jwt.Builder notBefore handling, AbstractUserDetailsReactiveAuthenticationManager scheduler disposal
Dependency Upgrades  Jackson 2.10.0, OpenSAML 3.4.3, Tomcat 9.0.24, Spring Data Moore, Gradle 5.6.2

How does Spring Security 5.2 improve RSocket authentication and authorization?

Spring Security 5.2 adds first-class RSocket support, including a dedicated DSL and default configuration.

  • New RSocketSecurity DSL with hasAuthority, anyRequest delegating to anyExchange, and a ready-to-use "Hello RSocket" sample.
  • Payload-based authorization now offers hasAuthority, hasAnyAuthority, and denyAll methods via AuthorizePayloadsSpec.Access.
  • Reactive messaging argument resolvers (ReactiveMessagingAuthenticationPrincipalArgumentResolver and ReactiveMessagingCurrentSecurityContextPrincipalArgumentResolver) make it trivial to inject the principal into RSocket handlers.
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.rsocket.RSocketSecurity;
import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;

// 5.2 RSocket DSL (needs @EnableRSocketSecurity); rules match in order, access methods sit on the matcher
@Bean
PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
    return rsocket
        .authorizePayload(authorize -> authorize
            .setup().authenticated()                 // connection setup must carry credentials
            .anyRequest().hasAuthority("ROLE_USER")  // every request payload needs ROLE_USER
            .anyExchange().denyAll())                // anything else (e.g. metadata push) is rejected
        .basicAuthentication(Customizer.withDefaults())
        .build();
}

What are the key SAML2 enhancements in Spring Security 5.2?

Spring Security 5.2 hardens SAML2 processing and adds documentation to guide implementers.

  • All SAML2 assertions now require signature validation by default (SAML 2 Assertion - Always require signature validation).
  • OpenSamlAuthenticationProvider propagates actual validation errors instead of masking them.
  • Fixed a bug where the SAML response skew used the wrong type, improving time-skew handling.
  • Initial SAML2 login documentation was added, giving teams a concrete starting point.

How has OAuth2/OIDC support been extended in Spring Security 5.2?

OAuth2/OIDC in 5.2 receives nonce handling, a richer principal model, and more customization hooks.

  • Nonce can now be added to OIDC authentication requests (OAuth2AuthorizationRequestRedirectWebFilter customization).
  • OAuth2User now extends OAuth2AuthenticatedPrincipal, unifying the principal API.
  • Developers can customize the OAuth2AuthorizationRequestRedirectWebFilter via the new OAuth2LoginSpec builder.
  • Documentation added for Bearer Token propagation, RFC 8414 discovery, Clear-Site-Data header, and both JWT and opaque token usage.
// 5.2: DefaultServerOAuth2AuthorizationRequestResolver adds the nonce to OIDC requests itself;
// the OAuth2LoginSpec hook lets you supply a resolver that wraps or replaces it.
ServerOAuth2AuthorizationRequestResolver customResolver =
    new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository);
http
  .oauth2Login(login -> login
      .authorizationRequestResolver(customResolver));

What reactive-specific APIs and performance tweaks were added in 5.2?

Spring Security 5.2 introduces several reactive-only improvements that reduce thread-blocking and simplify testing.

  • New argument resolvers for reactive messaging (ReactiveMessagingAuthenticationPrincipalArgumentResolver).
  • AbstractUserDetailsReactiveAuthenticationManager now disposes its default Scheduler correctly, preventing resource leaks.
  • Reactive managers default to Schedulers.boundedElastic() for blocking I/O, improving scalability.
  • Mock JWT support now ensures CSRF is not required, making unit tests less brittle.

Frequently Asked Questions

Do I need to change my existing RSocket security configuration when upgrading to Spring Security 5.2?
Most existing configurations will continue to work, but you can take advantage of the new DSL methods like hasAuthority and denyAll for finer-grained control.

How can I add a nonce to an OIDC authentication request in Spring Security 5.2?
Use the OAuth2LoginSpec builder to configure the OAuth2AuthorizationRequestRedirectWebFilter with a nonce value.

What is the new way to customize the OAuth2AuthorizationRequestRedirectWebFilter?
Call http.oauth2Login(login -> login.authorizationRequestResolver(customResolver)) where customResolver can set a nonce or other parameters.

Is there a new method to deny all access in payload-based authorization?
Yes, the AuthorizePayloadsSpec.Access interface now includes a denyAll() method that can be used in the authorizePayloads DSL.

How do I create a Jwt with a notBefore claim using the new Jwt.Builder?
Use Jwt.builder().notBefore(Instant.now()).build() to set the notBefore claim as an Instant.

Which scheduler does AbstractUserDetailsReactiveAuthenticationManager use by default after the 5.2 fix?
It now defaults to Schedulers.boundedElastic() and disposes the scheduler when the manager is destroyed.

Releases In Branch 5.2

Version      Release date
5.2.15       20 Dec 2021 (4 years ago)
5.2.14       20 Dec 2021 (4 years ago)
5.2.13       18 Oct 2021 (4 years ago)
5.2.12       16 Aug 2021 (4 years ago)
5.2.11       21 Jun 2021 (4 years ago)
5.2.10       12 Apr 2021 (5 years ago)
5.2.9        11 Feb 2021 (5 years ago)
5.2.8        02 Dec 2020 (5 years ago)
5.2.7        07 Oct 2020 (5 years ago)
5.2.6        05 Aug 2020 (5 years ago)
5.2.5        03 Jun 2020 (5 years ago)
5.2.4        06 May 2020 (6 years ago)
5.2.3        01 Apr 2020 (6 years ago)
5.2.2        05 Feb 2020 (6 years ago)
5.2.1        04 Nov 2019 (6 years ago)
5.2.0        30 Sep 2019 (6 years ago)
5.2.0.RC1    06 Sep 2019 (6 years ago)
5.2.0.M4     05 Aug 2019 (6 years ago)
5.2.0.M3     14 Jun 2019 (6 years ago)
5.2.0.M2     15 Apr 2019 (7 years ago)
5.2.0.M1     15 Jan 2019 (7 years ago)