Latest in branch 5.3: 5.3.13, released 20 Dec 2021
Software: Spring Security
Branch: 5.3
Supported: Java/Jakarta EE (Java 8+, Servlet 3.0+)
Initial release: 5.3.0 (04 Mar 2020)
Latest release: 5.3.13 (20 Dec 2021)
End of OSS support: 31 May 2021
End of enterprise support: 31 Aug 2022
Release notes: https://github.com/spring-projects/spring-security/releases/tag/5.3.13.RELEASE
Source code: https://github.com/spring-projects/spring-security/tree/5.3.13.RELEASE
Download: https://github.com/spring-projects/spring-security/releases/tag/5.3.13.RELEASE

What Is New in Spring Security 5.3

New Features: OAuth2/OIDC success-failure handlers, JwtClaimValidator, ReactiveJwtIssuerAuthenticationManagerResolver, Kotlin DSL extensions (hasRole, custom filter), configurable DefaultAuthenticationEventPublisher, XML namespace support for OAuth2 client/resource-server/login, Opaque Token reactive test support.
Improvements: Clock injection for OidcIdTokenValidator, principal configuration on OAuth2AuthorizeRequest, better handling of query-parameter encoding, lazy exception instantiation, accessible color palette for docs, Kotlin DSL marker annotations to prevent scope leaking.
Bug Fixes: Typo corrections, AntPathRequestMatcher comment fix, double-escaping of authorize URL parameters, ClassCastException fixes for ServletRequestAttributes, query-parameter double-encoding issues, OAuth2AuthorizationCodeGrant filter matching on query parameters.
Dependency Upgrades: Gradle 6.2.2, Kotlin 1.3.70, Spring Boot 2.2.5, spring-build-conventions 0.0.31.RELEASE.

How does Spring Security 5.3 improve OAuth2/OIDC client and resource-server support?

Spring Security 5.3 adds dedicated success and failure handlers for OAuth2 authorization, a configurable JwtClaimValidator, and a reactive resolver for JWT issuers.

  • New OAuth2AuthorizationRequest.Builder lets you add extra parameters via a consumer, simplifying custom request creation.
  • Success/failure handlers (OAuth2AuthorizationSuccessHandler, OAuth2AuthorizationFailureHandler) give you a hook to store state or log events after the authorization flow.
  • JwtClaimValidator enables fine-grained claim checks without writing a full JwtDecoder implementation.
  • Reactive support: JwtIssuerReactiveAuthenticationManagerResolver and ReactiveJwtIssuerAuthenticationManagerResolver resolve a JWT decoder per issuer at runtime, useful for multi-tenant SaaS.
  • XML namespace extensions for OAuth2 client, resource server, and login make legacy XML configuration viable again.
// OAuth2AuthorizationRequestResolver has two resolve() overloads, so it is implemented as an anonymous class
// that delegates to the default resolver and then adds "prompt=consent" with the Consumer-based
// additionalParameters(...) builder method introduced in 5.3. clientRegistrationRepository is assumed injected.
OAuth2AuthorizationRequestResolver resolver = new OAuth2AuthorizationRequestResolver() {
    private final OAuth2AuthorizationRequestResolver delegate =
        new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, "/oauth2/authorization");
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return withPrompt(delegate.resolve(request));
    }
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return withPrompt(delegate.resolve(request, clientRegistrationId));
    }
    private OAuth2AuthorizationRequest withPrompt(OAuth2AuthorizationRequest req) {
        return req == null ? null : OAuth2AuthorizationRequest.from(req)
            .additionalParameters(params -> params.put("prompt", "consent")).build();
    }
};
http
    .oauth2Login()
        .authorizationEndpoint()
            .authorizationRequestResolver(resolver)
            .and()
        .successHandler(new MyAuthSuccessHandler())   // an AuthenticationSuccessHandler for the login flow
        .failureHandler(new MyAuthFailureHandler());  // an AuthenticationFailureHandler
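The OAuth2AuthorizationSuccessHandler and OAuth2AuthorizationFailureHandler named in the bullets above are hooks on DefaultOAuth2AuthorizedClientManager, not on the login configurer. The following Java configuration is an added example, not code from the page or from the Spring Security project: it wires both hooks into an audit log and, because setting a custom failure handler replaces the manager's default one, re-creates that default (removing the stored authorized client on errors such as invalid_grant so a revoked refresh token is not retried on every request). It assumes Spring Boot provides the ClientRegistrationRepository and OAuth2AuthorizedClientRepository beans.

```java
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.OAuth2AuthorizationSuccessHandler;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;

@Configuration
public class AuthorizedClientAuditConfig {

    private static final Logger log = Logger.getLogger(AuthorizedClientAuditConfig.class.getName());

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations, OAuth2AuthorizedClientRepository authorizedClients) {

        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build());

        // Success hook (5.3): record which registration was authorized for which principal.
        OAuth2AuthorizationSuccessHandler audit = (client, principal, attributes) ->
                log.info(String.format("authorized registration=%s principal=%s expires=%s",
                        client.getClientRegistration().getRegistrationId(), principal.getName(),
                        client.getAccessToken().getExpiresAt()));
        manager.setAuthorizationSuccessHandler(audit);

        // Failure hook (5.3). A custom handler replaces the default one, so its clean-up is kept here:
        // the framework's remover handler drops the stored client for errors like invalid_grant.
        // The request/response are passed in the attributes map under their class names.
        OAuth2AuthorizationFailureHandler removeStale = new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler(
                (registrationId, principal, attributes) -> authorizedClients.removeAuthorizedClient(
                        registrationId, principal,
                        (HttpServletRequest) attributes.get(HttpServletRequest.class.getName()),
                        (HttpServletResponse) attributes.get(HttpServletResponse.class.getName())));
        manager.setAuthorizationFailureHandler((ex, principal, attributes) -> {
            removeStale.onAuthorizationFailure(ex, principal, attributes);
            String registrationId = ex instanceof ClientAuthorizationException
                    ? ((ClientAuthorizationException) ex).getClientRegistrationId() : "n/a";
            log.warning(String.format("authorization failed registration=%s principal=%s error=%s",
                    registrationId, principal.getName(), ex.getError().getErrorCode()));
        });
        return manager;
    }
}
```

The audit lines deliberately log the registration id, principal name and error code rather than any token value; access and refresh tokens should never reach the log.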

What Kotlin DSL enhancements are introduced in Spring Security 5.3?

Kotlin DSL now supports role-based authorization, custom filters, and marker annotations that keep the DSL scope clean.

  • authorizeRequests { hasRole("ADMIN") } mirrors the Java .hasRole method, allowing concise role checks.
  • Custom filter registration: http.addFilterBefore(myFilter, UsernamePasswordAuthenticationFilter::class.java) can be expressed directly in the DSL.
  • Marker annotations (@SecurityDslMarker) prevent accidental leakage of DSL functions into unrelated scopes, reducing compile-time surprises.
  • Principal name can now be set on OAuth2AuthorizeRequest.Builder.principal(String), making token acquisition code more readable.
// In 5.3 the Kotlin DSL (http { ... }) is applied from a WebSecurityConfigurerAdapter;
// customFilter is assumed to be an injected javax.servlet.Filter.
@EnableWebSecurity
class SecurityConfig(private val customFilter: Filter) : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            authorizeRequests {
                authorize("/admin/**", hasRole("ADMIN"))
                authorize(anyRequest, permitAll)
            }
            oauth2Login { }
            // The DSL method takes a Java Class, hence ::class.java rather than ::class
            addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter::class.java)
        }
    }
}

How can you customize authentication events with the new DefaultAuthenticationEventPublisher?

Spring Security 5.3 makes DefaultAuthenticationEventPublisher configurable via a map and lets you define a default event type.

  • Supply a map of Class<? extends AuthenticationEvent> → ApplicationEventPublisher to route specific authentication events to different listeners.
  • Use the setDefaultAuthenticationEventPublisher method to emit a fallback event when no specific mapping matches.
  • This flexibility is handy for audit pipelines that need distinct handling for success, failure, and interactive authentication events.
// The constructor takes the ApplicationEventPublisher that events are delivered to (injected by Spring).
val publisher = DefaultAuthenticationEventPublisher(applicationEventPublisher)
// Map overload added in 5.3: route additional exception types to the failure event each should raise.
// TenantSuspendedException and TenantSuspendedFailureEvent are hypothetical application classes.
publisher.setAdditionalExceptionMappings(
    mapOf<Class<out AuthenticationException>, Class<out AbstractAuthenticationFailureEvent>>(
        TenantSuspendedException::class.java to TenantSuspendedFailureEvent::class.java
    )
)
// Also added in 5.3: the fallback event for any AuthenticationException that has no mapping.
publisher.setDefaultAuthenticationFailureEvent(AuthenticationFailureBadCredentialsEvent::class.java)
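To show the audit pipeline the bullets above describe end to end, here is an added Java example (not code from the page or from Spring Security) that defines a hypothetical TenantSuspendedException and matching failure event, registers the 5.3 exception-to-event map and default failure event on DefaultAuthenticationEventPublisher, and consumes the events with two @EventListener methods: one for the specific event, one catch-all so no failure goes unrecorded. It assumes the AuthenticationManager is wired to this publisher bean, which WebSecurityConfigurerAdapter does when an AuthenticationEventPublisher bean is present.

```java
import java.util.Collections;
import java.util.Map;
import java.util.logging.Logger;

import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

@Configuration
public class AuthenticationAuditConfig {

    private static final Logger log = Logger.getLogger(AuthenticationAuditConfig.class.getName());

    // Hypothetical application exception: the caller's tenant has been suspended.
    public static class TenantSuspendedException extends AuthenticationException {
        public TenantSuspendedException(String msg) { super(msg); }
    }

    // Hypothetical failure event for that exception. DefaultAuthenticationEventPublisher instantiates
    // mapped events reflectively, so the (Authentication, AuthenticationException) constructor is required.
    public static class TenantSuspendedFailureEvent extends AbstractAuthenticationFailureEvent {
        public TenantSuspendedFailureEvent(Authentication authentication, AuthenticationException exception) {
            super(authentication, exception);
        }
    }

    @Bean
    public AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher delegate) {
        DefaultAuthenticationEventPublisher publisher = new DefaultAuthenticationEventPublisher(delegate);
        // Map overload added in 5.3: specific exception -> specific failure event.
        Map<Class<? extends AuthenticationException>, Class<? extends AbstractAuthenticationFailureEvent>> mappings =
                Collections.singletonMap(TenantSuspendedException.class, TenantSuspendedFailureEvent.class);
        publisher.setAdditionalExceptionMappings(mappings);
        // Also added in 5.3: fallback event for unmapped exceptions, so every failure produces an event.
        publisher.setDefaultAuthenticationFailureEvent(AuthenticationFailureBadCredentialsEvent.class);
        return publisher;
    }

    // Audit sink for the specific event (for example, to alert on a suspended tenant still being used).
    @EventListener
    public void onTenantSuspended(TenantSuspendedFailureEvent event) {
        log.warning("suspended tenant login attempt by principal=" + event.getAuthentication().getName());
    }

    // Catch-all sink: every failure, including the default event, ends up in the audit trail.
    @EventListener
    public void onAnyFailure(AbstractAuthenticationFailureEvent event) {
        log.info(String.format("auth failure %s principal=%s",
                event.getException().getClass().getSimpleName(),
                event.getAuthentication().getName()));
    }
}
```

Only the principal name and the exception type are logged; the Authentication object carries the submitted credentials and must not be written out wholesale.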

What new reactive JWT and opaque-token capabilities are available in Spring Security 5.3?

Reactive support now includes a dedicated resolver for JWT issuers and test utilities for opaque-token introspection.

  • JwtIssuerReactiveAuthenticationManagerResolver lazily creates a ReactiveJwtDecoder per issuer, enabling multi-tenant token validation without restarting the application.
  • Opaque-token reactive test support (OpaqueTokenReactiveAuthenticationManagerResolver) simplifies writing WebFlux integration tests for resource servers.
  • Improved error handling differentiates token-level errors from service-level errors in NimbusOpaqueTokenIntrospector, giving clearer diagnostics.
@Bean
fun jwtResolver(): ReactiveAuthenticationManagerResolver<ServerWebExchange> {
    // Allowlist of trusted iss values (placeholder URIs): tokens from any other issuer are rejected
    val trustedIssuers = setOf("https://idp-a.example.com/", "https://idp-b.example.com/")
    val managers = ConcurrentHashMap<String, Mono<ReactiveAuthenticationManager>>()
    // The constructor argument maps issuer -> Mono<ReactiveAuthenticationManager>; the decoder is
    // built lazily on first use and cached per issuer. An empty Mono means "no manager, reject".
    return JwtIssuerReactiveAuthenticationManagerResolver { issuer ->
        if (issuer !in trustedIssuers) Mono.empty<ReactiveAuthenticationManager>()
        else managers.computeIfAbsent(issuer) {
            Mono.fromCallable<ReactiveAuthenticationManager> {   // discovery fetch blocks, keep it off the event loop
                JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(issuer))
            }.subscribeOn(Schedulers.boundedElastic()).cache()
        }
    }
}

Frequently Asked Questions

Do I need to change my existing OAuth2 client configuration to use the new success/failure handlers?
You can add the handlers without touching the rest of the configuration, simply by calling .successHandler(...) and .failureHandler(...).

Can I still use XML configuration for OAuth2 resource servers?
Yes, Spring Security 5.3 adds XML namespace support for OAuth2 resource server, client, and login.

How do I enable role-based checks in the Kotlin DSL?
Use hasRole("ROLE_NAME") inside authorizeRequests { ... } blocks.

Is the JwtClaimValidator mandatory for JWT validation?
No, it is optional and can be added to the JwtDecoder chain when you need custom claim checks.
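The bullet on JwtClaimValidator earlier on the page and this answer both describe adding a claim check to the decoder chain. The following Java configuration is an added example, not code from the page or from Spring Security: it keeps the default timestamp and issuer validators and adds a JwtClaimValidator on the aud claim, so a token minted for another API is rejected by this resource server even when it is otherwise valid. The issuer, JWK Set URI and audience value are placeholders.

```java
import java.util.List;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values: substitute your authorization server's issuer and JWK Set URI.
    private static final String ISSUER = "https://issuer.example.com/";
    private static final String JWK_SET_URI = ISSUER + ".well-known/jwks.json";
    // The audience this resource server accepts tokens for (placeholder).
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // Default chain: exp/nbf with clock skew, plus an iss match.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // JwtClaimValidator (5.3): one claim, one predicate. The predicate receives null when the
        // claim is absent, so a token without aud is rejected rather than accepted by accident.
        Predicate<List<String>> hasAudience = aud -> aud != null && aud.contains(EXPECTED_AUDIENCE);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<>(JwtClaimNames.AUD, hasAudience);

        // Both validators must pass; DelegatingOAuth2TokenValidator collects errors from each.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }
}
```

Calling setJwtValidator replaces the decoder's default validator, which is why the default chain is rebuilt explicitly with createDefaultWithIssuer before the audience check is appended.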

What is the simplest way to register a custom filter in a Kotlin DSL configuration?
Call addFilterBefore(myFilter, UsernamePasswordAuthenticationFilter::class.java) inside the http { ... } block.

How can I test an opaque-token resource server in a WebFlux application?
Use the provided OpaqueTokenReactiveAuthenticationManagerResolver in your test configuration to mock token introspection.

Releases In Branch 5.3

Version      Release date
5.3.13       20 Dec 2021
5.3.12       18 Oct 2021
5.3.11       16 Aug 2021
5.3.10       22 Jun 2021
5.3.9        12 Apr 2021
5.3.8        11 Feb 2021
5.3.7        11 Feb 2021
5.3.6        02 Dec 2020
5.3.5        07 Oct 2020
5.3.4        05 Aug 2020
5.3.3        03 Jun 2020
5.3.2        06 May 2020
5.3.1        31 Mar 2020
5.3.0        04 Mar 2020
5.3.0.RC1    05 Feb 2020
5.3.0.M1     08 Jan 2020