What Is New in Spring Security 5.4
| Category | Highlights |
|---|---|
| New Features | Added "What's New" docs, servlet logging for resource server, generalized SAML 2.0 assertion validation, Kotlin DSL enhancements (hasAnyRole/hasAnyAuthority, authenticationManagerResolver) |
| Improvements | Dependency upgrades to Spring Data Neumann-SR+ and RSocket 1.0+, resolved OAuth2 client-id/secret placeholders, fixed scope handling in client registrations |
| Bug Fixes | Fixed NoClassDefFoundError in SimpleAuthenticationEncoder, corrected SAML attribute parsing with prefixed XML, updated clickjacking docs, corrected OIDC scopes handling |
How has SAML 2.0 support been enhanced in Spring Security 5.4?
Spring Security 5.4 broadens SAML 2.0 assertion validation and simplifies the sample configuration.
- Generalized assertion validation now works with a wider set of SAML profiles, reducing custom code for edge cases.
- SAML 2.0 samples have been cleaned up: framework tests removed and the flow is easier to follow.
- Bug fix for prefixed XML elements ensures attributes are parsed correctly, preventing missing attribute values in production.
In practice, you can keep your existing RelyingPartyRegistration beans and benefit from the more tolerant validator without code changes.
What new Kotlin DSL features are available in Spring Security 5.4?
The Kotlin DSL now includes hasAnyRole, hasAnyAuthority, and an authenticationManagerResolver for resource servers.
```kotlin
import org.springframework.security.authentication.AuthenticationManagerResolver
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke

@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            authorizeRequests {
                // any one of the listed roles / authorities satisfies the rule
                authorize("/admin/**", hasAnyRole("ADMIN", "MANAGER"))
                authorize("/api/**", hasAnyAuthority("SCOPE_read", "SCOPE_write"))
            }
            oauth2ResourceServer {
                // the DSL property takes an AuthenticationManagerResolver<HttpServletRequest>
                authenticationManagerResolver = AuthenticationManagerResolver { request ->
                    TODO("custom resolver logic: return an AuthenticationManager for this request")
                }
                servletLoggingEnabled = true
            }
        }
    }
}
```
This matters if you need to express "any of these roles/authorities" in a single rule or resolve different authentication managers per request (multi-tenant scenarios).
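The multi-tenant case mentioned above, as an added example (not code from the Spring Security project or from the original page): instead of a hand-written lambda, the resolver is the JwtIssuerAuthenticationManagerResolver that Spring Security ships, configured with an allow-list of trusted issuers. The issuer URLs and class name below are constructed for illustration; the DSL calls and the resolver class are real Spring Security 5.4 API.

```kotlin
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver

@EnableWebSecurity
class MultiTenantResourceServerConfig : WebSecurityConfigurerAdapter() {

    // Constructed issuer URLs for illustration. Only issuers on this allow-list are accepted;
    // a token whose "iss" claim is not listed is rejected before any key lookup happens,
    // so an attacker-controlled issuer can never be contacted for a JWK set.
    private val trustedIssuers = listOf(
        "https://idp.tenant-one.example/",
        "https://idp.tenant-two.example/"
    )

    override fun configure(http: HttpSecurity) {
        http {
            authorizeRequests {
                // any one of the listed authorities satisfies the rule
                authorize("/api/**", hasAnyAuthority("SCOPE_read", "SCOPE_write"))
                authorize(anyRequest, authenticated)
            }
            oauth2ResourceServer {
                // Picks the AuthenticationManager per request from the token's issuer claim.
                // Each trusted issuer gets its own JwtDecoder, built lazily from the issuer's
                // discovery endpoint on first use, so tenants are isolated by signing key.
                authenticationManagerResolver = JwtIssuerAuthenticationManagerResolver(trustedIssuers)
            }
        }
    }
}
```

The point of the allow-list is that issuer selection is data-driven by the token but bounded by configuration: a request carrying a JWT from an unknown issuer fails authentication rather than triggering a decoder lookup against an arbitrary URL.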
How does Spring Security 5.4 improve OAuth2 client registration and resource server logging?
Version 5.4 adds placeholder resolution for client-id and client-secret and stops using scopes_supported as a default.
- Placeholders like ${my.client.id} are now resolved from the Spring environment, simplifying externalized configuration.
- OAuth2 client registrations no longer default to the provider's scopes_supported, giving you explicit control over requested scopes.
- Resource server servlet logging can be turned on via the DSL, helping you audit token validation failures in production.
Watch out for any custom code that relied on the old default scope behavior; you may need to add the desired scopes to your registration.
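As an added example (not code from the original page or from the Spring Security project), here is a client registration declared in Kotlin that makes the scope list explicit instead of relying on the provider's scopes_supported, and reads the client id and secret from the Spring Environment so they stay out of source. The property names my.client.id and my.client.secret and the idp.example URLs are hypothetical; the ClientRegistration builder and InMemoryClientRegistrationRepository are real Spring Security API.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.env.Environment
import org.springframework.security.oauth2.client.registration.ClientRegistration
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.oauth2.core.ClientAuthenticationMethod

@Configuration
class OAuth2ClientConfig(private val env: Environment) {

    @Bean
    fun clientRegistrationRepository(): ClientRegistrationRepository {
        // Hypothetical property names; getRequiredProperty fails fast at startup if a value
        // is missing, which is preferable to silently registering a client with an empty secret.
        val registration = ClientRegistration.withRegistrationId("my-client")
            .clientId(env.getRequiredProperty("my.client.id"))
            .clientSecret(env.getRequiredProperty("my.client.secret"))
            .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            // Explicit, minimal scope list: nothing is inherited from scopes_supported,
            // so the client asks only for what it actually uses.
            .scope("openid", "profile")
            // Constructed provider endpoints for illustration.
            .authorizationUri("https://idp.example/oauth2/authorize")
            .tokenUri("https://idp.example/oauth2/token")
            .jwkSetUri("https://idp.example/oauth2/jwks")
            .userNameAttributeName("sub")
            .build()
        return InMemoryClientRegistrationRepository(registration)
    }
}
```

If a registration previously worked only because it inherited every scope the provider advertised, the authorization request after the upgrade will carry only the scopes listed here, so check the consent screen and any downstream code that expects a particular scope to be present.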
Which dependency versions were upgraded in Spring Security 5.4 and why does it matter?
Spring Security 5.4 upgrades Spring Data to the Neumann-SR+ release train and RSocket to 1.0+.
- Neumann-SR+ brings bug fixes and compatibility with newer Spring Boot versions, reducing version-skew issues.
- RSocket 1.0+ adds support for the latest RSocket protocol features and improves stability for reactive applications.
Most teams will not need to change code, but aligning your BOM to the new versions avoids class-path conflicts.
Frequently Asked Questions
Do I need to modify my existing SAML configuration when upgrading to Spring Security 5.4?
In most cases no changes are required because the new validator is backward compatible.
How can I enable servlet logging for the OAuth2 resource server?
Set servletLoggingEnabled = true in the oauth2ResourceServer DSL block as shown in the code example.
What does the hasAnyAuthority method do in the Kotlin DSL?
It allows you to require any one of a list of authorities, for example hasAnyAuthority("ROLE_USER", "ROLE_ADMIN").
Are there any breaking changes related to OAuth2 client registration scopes?
Yes, the provider's scopes_supported is no longer used as a default, so you must explicitly list the scopes you need.
Which Spring Data version is bundled with Spring Security 5.4?
Spring Data Neumann-SR+ is the default version.
Can I still use XML configuration for SAML after the upgrade?
Yes, XML configuration continues to work; the new features are additive and do not remove existing XML support.