What Is New in Spring Security 5.5
| Category | Highlights |
|---|---|
| New Features | HttpSessionOAuth2AuthorizationRequestRepository stores a single OAuth2AuthorizationRequest; configurable Gradle CI username; CI jobs stopped on forks. |
| Improvements | Restored dependency constraints for commons-codec and commons-logging; updated Reactor, Spring Framework, Spring Data, R2DBC, Spring LDAP, Gradle, Kotlin, and Gradle Enterprise versions; corrected Javadoc for AuthorizationCodeOAuth2AuthorizedClientProvider. |
How does Spring Security 5.5 simplify OAuth2 authorization request storage?
Spring Security 5.5 introduces HttpSessionOAuth2AuthorizationRequestRepository that keeps only one OAuth2AuthorizationRequest in the HTTP session, eliminating the need for a map of multiple requests.
- Works out-of-the-box with OAuth2LoginAuthenticationFilter.
- Reduces session size and simplifies cleanup logic.
- Configuration example:

```java
http
    .oauth2Login()
        .authorizationRequestRepository(new HttpSessionOAuth2AuthorizationRequestRepository());
```
In practice this matters if your application only supports a single concurrent OAuth2 login flow per user session.
What CI and build improvements are included in Spring Security 5.5?
Spring Security 5.5 adds a configurable user name for Gradle CI builds and disables CI jobs on forked repositories.
- Set the CI user via gradle.properties or an environment variable to avoid permission issues on shared runners.
- Forked PRs no longer trigger the full CI matrix, saving compute resources and reducing noise.
- These changes are transparent to most developers; only CI administrators need to adjust their pipelines.
Which library versions were upgraded in Spring Security 5.5 and why does it matter?
Spring Security 5.5 aligns its transitive dependencies with the latest stable releases to improve security, performance, and compatibility.
- Reactor Core → 2020.0.7
- Spring Framework → 5.3.7
- Spring Data → 2021.0.1
- R2DBC SPI Test → 0.8.5.RELEASE
- Spring LDAP Core → 2.3.4.RELEASE
- Gradle → 6.9
- Kotlin → 1.5.0
- Gradle Enterprise → 3.6.1
- commons-codec and commons-logging constraints restored
Most teams will see no breaking changes, but aligning with these versions helps avoid known CVEs in older transitive dependencies and picks up their performance fixes.
How were documentation and Javadoc corrected in Spring Security 5.5?
The Javadoc for AuthorizationCodeOAuth2AuthorizedClientProvider was fixed to accurately describe its behavior and parameters.
- Incorrect Javadoc that previously misled developers about token handling has been replaced.
- Updated Javadoc now includes clear examples and links to the OAuth2 spec.
- This matters for teams that generate API docs or rely on IDE hover information.
Frequently Asked Questions
Can I use the new HttpSessionOAuth2AuthorizationRequestRepository with multiple concurrent OAuth2 logins?
The repository is designed for a single request per session: starting a second login in the same session replaces the first authorization request, so the earlier flow cannot complete.
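The following demo, added here and not part of the Spring Security project, exercises the single-request behaviour described above (and in the configuration section) using the spring-test mock servlet classes: two authorization requests are saved into one session and only the most recent one can be loaded back. The class name, helper names, URLs, client id and state values are all constructed for the demo; it assumes spring-security-oauth2-client 5.5+ and spring-test on the classpath.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

// Added demo, not Spring Security project code. Class and helper names are hypothetical;
// URLs, client id and state values are constructed for the demo.
public class SingleAuthorizationRequestDemo {

    // Builds a minimal authorization-code request carrying the given CSRF state.
    static OAuth2AuthorizationRequest request(String state) {
        return OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri("https://idp.example/oauth2/authorize")
                .clientId("demo-client")
                .redirectUri("https://app.example/login/oauth2/code/demo")
                .state(state)
                .build();
    }

    // Simulates the provider redirecting back with ?state=...; the repository
    // only returns the stored request when that state matches.
    static OAuth2AuthorizationRequest callback(
            HttpSessionOAuth2AuthorizationRequestRepository repo,
            MockHttpSession session, String state) {
        MockHttpServletRequest cb = new MockHttpServletRequest("GET", "/login/oauth2/code/demo");
        cb.setSession(session);
        cb.addParameter("state", state);
        return repo.loadAuthorizationRequest(cb);
    }

    public static void main(String[] args) {
        HttpSessionOAuth2AuthorizationRequestRepository repo =
                new HttpSessionOAuth2AuthorizationRequestRepository();
        MockHttpSession session = new MockHttpSession();

        // Two login flows started from the same browser session (e.g. two tabs).
        for (String state : new String[] {"state-tab-1", "state-tab-2"}) {
            MockHttpServletRequest start = new MockHttpServletRequest("GET", "/oauth2/authorization/demo");
            start.setSession(session);
            repo.saveAuthorizationRequest(request(state), start, new MockHttpServletResponse());
        }

        // The second save replaced the first, so only tab 2's callback resolves;
        // tab 1's state no longer matches the stored request and the lookup yields null.
        System.out.println("tab 1 request: " + callback(repo, session, "state-tab-1"));
        System.out.println("tab 2 request: " + callback(repo, session, "state-tab-2"));
    }
}
```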
Do I need to change my Gradle build scripts to set the CI user name?
You can add a property in gradle.properties or export an environment variable; no script changes are required.
Will the dependency upgrades in 5.5 cause classpath conflicts with older Spring Boot versions?
Spring Boot 2.5+ already aligns with these versions, so most projects will not see conflicts.
How do I disable CI jobs on forks in my own repository?
Configure your CI provider to ignore pull requests from forked repositories, following its documentation.
What is the exact code snippet to configure the new OAuth2 request repository?
```java
http
    .oauth2Login()
        .authorizationRequestRepository(new HttpSessionOAuth2AuthorizationRequestRepository());
```
Is there any runtime impact from restoring commons-codec and commons-logging constraints?
The restored constraints ensure consistent versions across the classpath, reducing the risk of a NoSuchMethodError at runtime from mismatched library versions.