Spring Security 5.8: What's New, Release History & EOL Status

What Is New in Spring Security 5.8

How does Spring Security 5.8 change the Authorization model?

The release introduces a full-blown AuthorizationManager API and an AuthorizationFilter that replaces the legacy FilterSecurityInterceptor.

• MethodExpressionAuthorizationManager lets you use SpEL expressions directly on method security.
• Support for AuthorizationManager is now wired into the DSL (authorizeHttpRequests), enabling fine-grained, composable rules.
• The DefaultFilterChainValidator now checks that an AuthorizationFilter is present, helping you catch misconfigurations early.
• Migration guide (Provide guide for migrating from FilterSecurityInterceptor to AuthorizationFilter) shows a drop-in replacement pattern.

http
    .authorizeHttpRequests((auth) -> auth
        .requestMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated())
    .authorizationManager(new MethodExpressionAuthorizationManager("hasAuthority('SCOPE_read')"));

In practice, teams can now express both URL-based and method-level policies with a single, testable manager.

What CSRF enhancements are included in Spring Security 5.8?

Spring Security 5.8 adds several CSRF hardening features and bug fixes.

• Documentation for the default BREACH protection on CsrfToken is now explicit.
• New "defer load" strategy lets you lazily obtain the token, reducing unnecessary cookie writes.
• CsrfAuthenticationStrategy now correctly checks for an existing token and regenerates it when using CookieCsrfTokenRepository.
• The CookieServerCsrfTokenRepository gained support for setting Max-Age on the cookie.
• Bug fix: CsrfAuthenticationStrategy does not regenerate CsrfToken with CookieCsrfTokenRepository resolved.

http
    .csrf(csrf -> csrf
        .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
        .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/**"))
        .csrfTokenRequestHandler(new DeferredCsrfTokenRequestHandler()));

This matters if you rely on stateless APIs or need tighter BREACH mitigation.

Which deprecations and documentation updates should I review before upgrading?

Spring Security 5.8 marks the Resource Owner Password Credentials grant as deprecated and clarifies several migration paths.

• OAuth2 client documentation now lists all deprecations, including the password grant.
• Improved deprecation notice for WebSecurityConfigurerAdapter helps you spot legacy configurations.
• New guides cover:
  • Opt-in for SHA-256 in Remember-Me services.
  • Using the new requestMatchers and securityMatchers DSL.
  • Migration to SecurityContextHolderFilter.
  • Reactive CSRF migration steps.
• Polish localization added to exception messages, expanding i18n support.

Most teams will need to replace the password grant with Authorization Code or Client Credentials flows.

What new testing and language support does Spring Security 5.8 provide?

The release adds a Kotlin example that demonstrates integration with WebTestClient, making reactive security testing easier for Kotlin developers.

• Example located under samples/kotlin/webtestclient shows how to configure SecurityWebFilterChain in a Kotlin DSL.
• All Kotlin samples compile against Kotlin 1.7.21, matching the upgraded Kotlin runtime.
• Dependency upgrades (e.g., Reactor 2020.0.25, Spring Framework 5.3.24) ensure compatibility with the latest Spring Boot releases.

@SpringBootTest
class SecurityWebTest {
    @Autowired lateinit var client: WebTestClient

    @Test
    fun `access protected endpoint`() {
        client.get().uri("/admin")
            .exchange()
            .expectStatus().isUnauthorized
    }
}

This matters if your codebase is Kotlin-first or you rely heavily on WebFlux testing.