Latest in branch 6.2: 6.2.8, released 18 Nov 2024
Software: Spring Security
Branch: 6.2 (Supported)
Java/Jakarta EE: Java 17+, Jakarta EE 9+ (Servlet 5.0+)
Initial release: 6.2.0 (20 Nov 2023)
Latest release: 6.2.8 (18 Nov 2024)
End of OSS support: 31 Dec 2024
End of enterprise support: 31 Dec 2025
Release notes: https://github.com/spring-projects/spring-security/releases/tag/6.2.8
Source code: https://github.com/spring-projects/spring-security/tree/6.2.8
Download: https://github.com/spring-projects/spring-security/releases/tag/6.2.8

What Is New in Spring Security 6.2

Category: Highlights
New Features: AuthorizationManager[Before/After]ReactiveMethodInterceptor now explicitly does not support Kotlin coroutines; simplified configuration of the OAuth2 Client component model.
Improvements: Dependency upgrades: Spring Framework 6.1.0, Micrometer Observation 1.12.0, Reactor 2023.0.0, Spring Data 2023.1.0, Spring LDAP 3.2.0, JUnit 5.10.1, etc.
Bug Fixes: Observation span handling on cancel, authentication propagation after Spring Boot 3 migration, CSRF SameSite handling with Tomcat, metric naming fixes, AOT readiness for OAuth2AuthorizedClientManager, and numerous documentation and typo corrections.

How can I simplify OAuth2 client configuration in Spring Security 6.2?

Spring Security 6.2 introduces a streamlined DSL for configuring the OAuth2 client component model.

In practice, you now use the oauth2Client customizer on HttpSecurity instead of wiring each bean manually.

@Bean
SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository regRepo,
        OAuth2AuthorizedClientService authService) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
        .oauth2Client(client -> client
            .clientRegistrationRepository(regRepo)
            .authorizedClientService(authService));
    return http.build();
}

This matters if you are consolidating client registrations across multiple services; the new API reduces boilerplate and aligns with the rest of the HttpSecurity DSL.

Does Spring Security 6.2 support Kotlin coroutines in reactive method security?

No, the AuthorizationManager[Before/After]ReactiveMethodInterceptor does not support Kotlin coroutines in this release.

Watch out for this if your codebase relies on @PreAuthorize or @PostAuthorize on reactive methods returning Mono<T> or Flux<T> while also using suspend functions. You will need to fall back to non-coroutine reactive types or wait for a future update.

What observability and metric changes were made in Spring Security 6.2?

Spring Security 6.2 cleans up metric naming and counter behavior to improve compatibility with Micrometer Observation.

  • Metric names no longer contain dashes (e.g., spring_security_authentication_success instead of spring-security-authentication-success).
  • Counters now correctly reflect onComplete and cancel() signals, fixing inaccurate counts reported in previous versions.
  • The observation filter now stops spans correctly when a request is cancelled.

This matters if you have Grafana or Prometheus dashboards that rely on exact metric names; you'll need to adjust queries accordingly.

How does Spring Security 6.2 handle SameSite cookies for CSRF tokens?

The CSRF token repository now respects the SameSite attribute set by Tomcat's CookieProcessor when creating the XSRF-TOKEN cookie.

In practice, if you configure Tomcat with sameSiteCookies="strict", the generated CSRF cookie will inherit that attribute, improving browser compatibility and security posture.

Most teams using Spring MVC with embedded Tomcat will see the correct Set-Cookie header without additional code changes.

Is OAuth2AuthorizedClientManager AOT-compatible in Spring Security 6.2?

Yes, the latest OAuth2AuthorizedClientManager class has been updated to be AOT-ready.

This matters for projects that build native images with Spring Native or GraalVM; you no longer need custom reflection configuration for this class.

Example usage remains unchanged, but you can now include it in a native build without runtime errors.

Frequently Asked Questions

What are the key steps to migrate my Spring Security configuration to the new OAuth2 client DSL in 6.2?
Replace the old oauth2ClientConfigurer calls with the new HttpSecurity.oauth2Client(customizer -> customizer.clientRegistrationRepository(...).authorizedClientService(...)).

Will existing reactive method security annotations break when using Kotlin coroutines after upgrading to 6.2?
Yes; reactive method security does not currently work with Kotlin coroutines, so you need to fall back to non-coroutine reactive types.

Do I need to update my Micrometer observation version when upgrading to Spring Security 6.2?
Spring Security 6.2 bundles micrometer-observation 1.12.0, so align your dependency with that version.

How can I verify that CSRF SameSite handling works correctly in a Tomcat 10 environment?
Inspect the Set-Cookie header for XSRF-TOKEN and ensure it includes the SameSite attribute as configured by Tomcat's CookieProcessor.
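The check described here and in the CSRF SameSite section above, written out as an added example (not code from the Spring Security project): it parses the Set-Cookie headers of a response and reports whether the XSRF-TOKEN cookie carries the SameSite value you configured on Tomcat's CookieProcessor. The header lines are constructed samples; in practice you would pass in the response's actual Set-Cookie headers.

```python
from dataclasses import dataclass, field

# Constructed sample: Set-Cookie headers as embedded Tomcat might emit them
# once sameSiteCookies="strict" is set on its CookieProcessor.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "XSRF-TOKEN=1f2e3d4c-55aa; Path=/; Secure; SameSite=Strict",
    "theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # keys lower-cased, bare flags map to True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax).

    Split on ';' only, never on ',', because an Expires date contains a comma.
    Attribute names are case-insensitive; attribute values keep their case.
    """
    name_value, *attributes = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attribute in attributes:
        if not attribute:
            continue
        key, _, val = attribute.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if val else True
    return cookie


def check_csrf_cookie(headers: list[str], expected_same_site: str,
                      cookie_name: str = "XSRF-TOKEN") -> list[str]:
    """Return findings about the CSRF cookie; an empty list means it is as expected."""
    # Cookie names are case-sensitive, so compare them exactly.
    matches = [parse_set_cookie(h) for h in headers if h.split("=", 1)[0].strip() == cookie_name]
    if not matches:
        return [f"no {cookie_name} cookie in the response"]
    csrf = matches[0]
    same_site = csrf.attrs.get("samesite")
    if same_site is None or same_site is True:
        return [f"{cookie_name}: SameSite attribute missing"]
    if same_site.lower() != expected_same_site.lower():
        return [f"{cookie_name}: SameSite={same_site}, expected {expected_same_site}"]
    return []
```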

Is there any impact on metric naming that could affect my Grafana dashboards after upgrading to 6.2?
Metric names have been changed to remove dashes, so you may need to update dashboard queries accordingly.
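The dashboard adjustment mentioned here and in the observability section above, as an added example that is not part of this page or of Spring Security: it walks a Grafana dashboard JSON structure (including nested row panels), rewrites the old dashed metric names in every expr string to the underscore form, and returns a change list for review. The dashboard fragment is constructed, and the regex assumes the old names follow the spring-security- prefix pattern shown on this page.

```python
import re

# Constructed sample Grafana dashboard fragment that still uses the
# pre-6.2 dashed metric names in its PromQL expressions.
SAMPLE_DASHBOARD = {
    "title": "Spring Security",
    "panels": [
        {"title": "Logins", "targets": [
            {"expr": "rate(spring-security-authentication-success[5m])"},
            {"expr": "rate(spring-security-authentication-failure[5m])"},
        ]},
        {"title": "Row", "panels": [
            {"targets": [{"expr": "sum(http_server_requests_seconds_count)"}]},
        ]},
    ],
}

# Assumed shape of the old names: a spring-security- prefix followed by
# one or more dash-separated words. Only dashes inside that name are rewritten.
OLD_NAME = re.compile(r"\bspring-security(?:-[a-z0-9]+)+\b")


def _record(old: str, changes: list) -> str:
    """Convert one dashed name to its underscore form and log the rewrite."""
    new = old.replace("-", "_")
    changes.append((old, new))
    return new


def migrate(node, changes=None):
    """Return (migrated_copy, changes) without modifying the input dashboard.

    Every 'expr' string is rewritten; other keys are traversed recursively so
    panels nested inside rows are handled too.
    """
    if changes is None:
        changes = []
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "expr" and isinstance(value, str):
                out[key] = OLD_NAME.sub(lambda m: _record(m.group(0), changes), value)
            else:
                out[key] = migrate(value, changes)[0]
        return out, changes
    if isinstance(node, list):
        return [migrate(item, changes)[0] for item in node], changes
    return node, changes
```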

Can I use Spring Native/AOT compilation with OAuth2AuthorizedClientManager in 6.2?
Yes, the class is now AOT-ready, allowing native image builds without additional reflection configuration.

Releases In Branch 6.2

Version     Release date
6.2.8       18 Nov 2024
6.2.7       21 Oct 2024
6.2.6       19 Aug 2024
6.2.5       17 Jun 2024
6.2.4       15 Apr 2024
6.2.3       18 Mar 2024
6.2.2       16 Feb 2024
6.2.1       18 Dec 2023
6.2.0       20 Nov 2023
6.2.0-RC2   16 Oct 2023
6.2.0-RC1   16 Oct 2023
6.2.0-M3    19 Sep 2023
6.2.0-M2    21 Aug 2023
6.2.0-M1    17 Jul 2023