What Is New in Spring Security 6.1
| Category | Highlights |
|---|---|
| New Features | Rationale for deprecating .and() and non-lambda DSL methods; refreshed CSRF documentation. |
| Bug Fixes | CookieCsrfTokenRepository header handling; RememberMeAuthenticationFilter respects SecurityContextRepository; rolePrefix empty string 400 bug; SAML IE11 login; OAuth2 resource server start-up with Actuator; duplicate scope close in SimpleAroundFilterObservation; several documentation fixes. |
| Deprecations | .and() and other non-lambda DSL methods are now deprecated in favor of the lambda-style configuration. |
Why is the .and() method being deprecated and what should I use instead?
The .and() method is deprecated to push developers toward the more expressive lambda DSL that aligns with Spring Boot's functional style.
- All configuration now prefers the http.authorizeHttpRequests(authz -> ...) pattern.
- Kotlin users must import org.springframework.security.config.annotation.web.builders.HttpSecurity to access the DSL.
- Legacy .and() chains still compile but emit deprecation warnings.
```java
http
    .authorizeHttpRequests(authz -> authz
        .requestMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated())
    .formLogin(withDefaults());
```
How has CSRF handling been improved in 6.1?
CSRF documentation has been revisited and the CookieCsrfTokenRepository now preserves existing Set-Cookie headers instead of overwriting them.
- When multiple cookies are set (e.g., session and CSRF), the repository appends its cookie rather than replacing prior ones.
- Developers should verify that custom response headers are not unintentionally lost after upgrading.
```java
http.csrf(csrf -> csrf
    .csrfTokenRepository(new CookieCsrfTokenRepository()));
```
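A complete filter chain in the lambda style that combines the authorization rules from the .and() section with the CookieCsrfTokenRepository setup above; this is an added example, not code from the Spring Security project or its release notes. It assumes Spring Security 6.1 on the classpath and a /login page served by the application; the commented-out block shows the equivalent deprecated .and() chain for comparison.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Pre-6.1 style, kept in a comment for comparison only: each configurer is
    // left with .and(). It still compiles on 6.1 but emits deprecation warnings.
    /*
    http
        .authorizeHttpRequests()
            .requestMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
        .formLogin();
    */

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Each configurer is customised inside its own lambda; no .and() needed.
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .csrf(csrf -> csrf
                // withHttpOnlyFalse() lets a browser front end read the XSRF-TOKEN
                // cookie and echo it back in a header; the 6.1 repository now
                // appends this Set-Cookie header instead of replacing earlier ones.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll());
        return http.build();
    }
}
```

After upgrading, check a login response for both the session cookie and XSRF-TOKEN in separate Set-Cookie headers to confirm the repository no longer overwrites earlier headers.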
What authentication-related bugs were fixed and do they affect my production environment?
Several bugs that could break authentication flows have been resolved.
- RememberMeAuthenticationFilter now correctly uses the configured SecurityContextRepository.
- Setting rolePrefix("") no longer returns HTTP 400 (fixed in 6.0.3 onward).
- SAML logins work in Internet Explorer 11 again.
- OAuth2 resource server applications start cleanly with Spring Boot 3.0 and Actuator enabled.
- SimpleAroundFilterObservation no longer calls scope.close() twice, preventing resource leaks.
Which third-party libraries were upgraded and should I take any action?
Spring Security 6.1 bundles newer versions of many dependencies to stay compatible with Spring Boot 3.0.6 and the latest ecosystem.
- Jackson 2.14.3, JUnit 5.9.3, Logback 1.4.7, Micrometer 1.10.7, Reactor 2022.0.7, Reactor-Netty 1.1.7, Nimbus 9.43.2, Kotlin 1.8.21.
- These upgrades are transitive; no code changes are required unless you have version-pinned overrides.
- Review your dependencyManagement sections to avoid conflicts with older versions.
Frequently Asked Questions
Is the deprecation of .and() a breaking change for existing configurations?
It is not breaking; existing code continues to work but will emit deprecation warnings and should be migrated to the lambda DSL.
Do I need to change my CSRF setup after upgrading to 6.1?
If you rely on CookieCsrfTokenRepository you may see additional Set-Cookie headers but no functional change is required.
Will rolePrefix("") still cause a 400 error after the upgrade?
No, the bug that returned HTTP 400 for an empty role prefix has been fixed.
How do I configure the new lambda DSL for form login?
Use http.formLogin(form -> form.loginPage("/login").permitAll()) in your security filter chain.
Do the dependency upgrades affect my build time?
They may increase the size of the dependency graph slightly but should not noticeably affect build performance.
Is there any special migration step for OAuth2 resource server with Actuator?
Simply upgrade to Spring Boot 3.0.6 and the resource server will start without the previous startup failure.