What Is New in Spring Security 5.6
| Category | Highlights |
|---|---|
| New Features | Revamped OAuth 2.0 reactive documentation, SAML 2.0 logout request now includes KeyInfo, clearer MissingCsrfTokenException message, OAuth2 Resource Server retry fix for multi-tenant setups, DaoAuthenticationProviderTests avg function now returns fractions. |
| Improvements | Dependency upgrades: aspectj-plugin 6.2.0, Nimbus 9.19, Hibernate 5.6.1.Final, HSQLDB 2.6.1, Reactor 2020.0.13, Logback 1.2.7, Spring Framework 5.3.13, Reactor Netty 1.0.13. |
| Bug Fixes | Added KeyInfo section to LogoutRequest, fixed missing KeyInfo in SAML 2.0 logout, OAuth2 Resource Server no longer skips retry on first failure in multi-tenant mode, corrected missing port documentation, ensured SAML 2.0 JUnit tests run, silenced various Javadoc warnings. |
How does Spring Security 5.6 improve OAuth 2.0 reactive documentation?
Spring Security 5.6 delivers a complete revamp of the OAuth 2.0 login and client documentation for reactive applications, making it easier to configure and troubleshoot.
- Separate sections for login flow, client registration, and token handling.
- Step-by-step code snippets that use the `ServerHttpSecurity` and `ReactiveOAuth2Client` APIs.
- New diagrams illustrate the interaction between the resource server, authorization server, and the reactive client.

```java
// Servlet HttpSecurity DSL: customize the authorization request base URI, then return to the
// parent builder (one .and() leaves AuthorizationEndpointConfig, a second leaves oauth2Login()).
http
    .oauth2Login()
        .authorizationEndpoint()
            .baseUri("/oauth2/authorize")
            .and()
        .and()
    .oauth2Client();
```
What changes were made to SAML 2.0 logout handling in Spring Security 5.6?
SAML 2.0 logout requests now include a KeyInfo element on the RP side, satisfying stricter IdP requirements.
- The `LogoutRequest` builder automatically adds a `KeyInfo` section when a signing key is configured.
- Existing logout flows continue to work; only IdPs that previously rejected unsigned requests benefit.
- Unit tests for SAML 2.0 now cover the new element, preventing regressions.

```java
// Saml2LogoutRequest is the framework's own type; the registration's signing credential
// decides whether the built request is signed and therefore carries KeyInfo.
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest
    .withRelyingPartyRegistration(registration)
    .location("https://idp.example.com/logout") // IdP single-logout endpoint
    .build();
```
How does Spring Security 5.6 address multi-tenant OAuth2 Resource Server retry behavior?
The resource server now retries the token introspection request on the first failure when operating in a multi-tenant environment.
- This prevents 401 responses caused by transient network glitches between tenants.
- The retry logic is scoped per tenant, preserving isolation.
- Configuration remains unchanged; the behavior is enabled by default.
What improvements were made to the MissingCsrfTokenException message in Spring Security 5.6?
The exception message now accurately reflects scenarios where CSRF tokens are not stored in the HTTP session.
- When the `CsrfTokenRepository` is stateless (e.g., cookie-based), the message no longer mentions a missing session.
- This reduces confusion when debugging API clients that rely on header-only CSRF handling.
Frequently Asked Questions
Do I need to modify my existing OAuth2 login configuration when upgrading to Spring Security 5.6?
Most configurations work unchanged unless you rely on the old reactive documentation examples.
How can I enable the new KeyInfo section in a SAML2 LogoutRequest?
Add a signing key to the RelyingPartyRegistration and the framework will include KeyInfo automatically.
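As an added example (not from this page or the Spring Security project), this is how a relying party registers the signing credential that makes the framework sign its SAML 2.0 messages, including the 5.6 `LogoutRequest` with its `KeyInfo`; the key and certificate paths and the IdP metadata URL are placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
public class Saml2SigningConfig {

    // Placeholder paths: a PKCS#8 DER private key and a DER X.509 certificate owned by the RP.
    // Keep the private key readable only by the service account; it authenticates every
    // outbound AuthnRequest and LogoutRequest to the IdP.
    private static final Path SIGNING_KEY = Path.of("/etc/rp/rp-signing.pk8");
    private static final Path SIGNING_CERT = Path.of("/etc/rp/rp-signing.der");

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(SIGNING_KEY)));
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(Files.newInputStream(SIGNING_CERT));

        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // placeholder IdP metadata URL; endpoints and IdP certificates are read from it
                .fromMetadataLocation("https://idp.example.com/metadata")
                .registrationId("example")
                // A registered signing credential is what triggers signing of outbound
                // messages, so the LogoutRequest built for this registration carries KeyInfo.
                .signingX509Credentials(creds -> creds.add(Saml2X509Credential.signing(key, cert)))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
```

The certificate registered here must also be published in the RP's SAML metadata, otherwise the IdP has nothing to validate the signature against.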
Which version of Spring Framework is bundled with Spring Security 5.6?
Spring Framework 5.3.13.
What is the recommended way to upgrade the Nimbus JOSE JWT library after moving to 5.6?
Update the Maven dependency to com.nimbusds:nimbus-jose-jwt version 9.19.
Are there any breaking changes to DaoAuthenticationProvider in 5.6?
No breaking changes; only a test fix for the avg function.
Where can I find the updated reactive OAuth2 documentation?
In the official Spring Security reference guide under the Reactive OAuth2 Login section.