Latest in branch 6.4: 6.4.13, released 17 Nov 2025 (6 months ago)

Software: Spring Security
Branch: 6.4
Supported Java/Jakarta EE: Java 17+; Jakarta EE 9+ (Servlet 5.0+)
Initial release: 6.4.0, 18 Nov 2024 (1 year ago)
Latest release: 6.4.13, 17 Nov 2025 (6 months ago)
End of OSS support: 31 Dec 2025 (Ended 4 months ago)
End of enterprise support: 31 Dec 2026 (Ends in 7 months)
Release notes: https://github.com/spring-projects/spring-security/releases/tag/6.4.13
Source code: https://github.com/spring-projects/spring-security/tree/6.4.13
Download: https://github.com/spring-projects/spring-security/releases/tag/6.4.13

What Is New in Spring Security 6.4

Category: Highlights
New Features: Add @FunctionalInterface to AuthorizationEventPublisher; DefaultResourcesFilter.webauthn(); Documentation for passkeys dependencies.
Improvements: Improved error messages for conflicting filter chains; easier to locate filter chain definitions; deprecation notice for missing leading slashes; support for ServerExchangeRejectedHandler and ServerWebExchangeFirewall beans.
Bug Fixes: Empty-string bearer token returns proper status; AOT support registers proxied class; OpenSAML initialization fixes; IpAddressMatcher NPE; ConcurrentModificationException in UniqueSecurityAnnotationScanner.
Deprecations: Missing leading slash in request matchers now deprecated.
Dependency Upgrades: Logback 1.5.12, Jackson 2.18.1, Webauthn4j 0.28.2, Micrometer 1.14.1, Reactor 2023.0.12, BouncyCastle 1.79, Hibernate Core 6.6.2, Spring Framework 6.2.0, and several other library bumps.

How can I implement a functional AuthorizationEventPublisher in Spring Security 6.4?

You can implement AuthorizationEventPublisher as a functional interface using a lambda or method reference.

In practice this means you can declare a bean like:

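@Bean
AuthorizationEventPublisher myPublisher() {
    // publishAuthorizationEvent is generic (<T>) and takes three arguments,
    // so Java requires a method reference here rather than a lambda.
    return this::onAuthorizationEvent;
}

<T> void onAuthorizationEvent(Supplier<Authentication> authentication, T object,
        AuthorizationDecision decision) {
    // custom handling logic
}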

This reduces boilerplate and aligns the publisher with modern Java functional style.

What WebAuthn and passkey capabilities are added in Spring Security 6.4?

Spring Security now includes a DefaultResourcesFilter.webauthn() helper and documentation for passkey dependencies.

  • DefaultResourcesFilter.webauthn() can be added to the filter chain to handle WebAuthn registration and authentication flows.
  • The release notes point developers to the new "passkeys" documentation, clarifying required Maven coordinates (e.g., com.webauthn4j:webauthn4j-core).
  • This matters if your product is moving toward password-less authentication; the built-in filter reduces custom wiring.

How have filter chain diagnostics been improved in Spring Security 6.4?

Error messages now pinpoint conflicting filter chains and the framework provides utilities to locate where a chain is defined.

  • The "Conflicting Filter Chains" error now includes the exact HttpSecurity configuration class and line number.
  • A new helper method makes it easier to determine the source of a filter chain, helping teams debug complex multi-module setups.
  • Watch out for the deprecation notice about missing leading slashes in request matchers, which can also trigger clearer warnings.

Which critical bugs were fixed that affect token handling and SAML2 in Spring Security 6.4?

Empty bearer tokens now trigger proper HTTP status, OpenSAML is auto-initialized, and several NPEs and concurrency issues were resolved.

  • An empty-string Authorization header now returns 401 instead of silently proceeding.
  • OpenSamlAssertingPartyMetadataRepository now guarantees OpenSAML initialization, fixing metadata loading failures.
  • IpAddressMatcher null-pointer guard added; UniqueSecurityAnnotationScanner no longer throws ConcurrentModificationException.
  • These fixes improve reliability for OAuth2 resource servers and SAML2 service providers in production.

Frequently Asked Questions

Does Spring Security 6.4 require changes to existing AuthorizationEventPublisher implementations?
Most existing implementations will continue to work, but you can now replace them with a lambda because the interface is marked @FunctionalInterface.

How do I enable the new WebAuthn filter in my security configuration?
Add DefaultResourcesFilter.webauthn() to the HttpSecurity filter chain, for example http.addFilterAfter(DefaultResourcesFilter.webauthn(), SecurityContextPersistenceFilter.class).

What should I do about the deprecation of missing leading slashes in request matchers?
Update any AntPathRequestMatcher or similar configurations to include a leading '/' to avoid future breaking changes.
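
An audit for the leading-slash deprecation described above, as an added example that is not part of the original page or of Spring Security: a Python heuristic that scans Java configuration source for matcher patterns without a leading '/'. The matcher names in MATCHER_CALL and the sample configuration are assumptions constructed for illustration.

```python
import re

# Calls whose string arguments are request path patterns. This list is an
# assumption for illustration; extend it to the matchers your code base uses.
MATCHER_CALL = re.compile(
    r'\b(requestMatchers|securityMatcher|antMatcher|AntPathRequestMatcher)\s*\(([^()]*)\)'
)
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_missing_leading_slash(source):
    """Return (line, call, pattern, suggestion) for patterns lacking a leading '/'."""
    findings = []
    for call in MATCHER_CALL.finditer(source):
        name, args = call.group(1), call.group(2)
        literals = list(STRING_LITERAL.finditer(args))
        if name == "AntPathRequestMatcher":
            # new AntPathRequestMatcher(pattern, httpMethod): only the first
            # literal is a path; the second ("GET") must not be flagged.
            literals = literals[:1]
        for lit in literals:
            pattern = lit.group(1)
            if pattern and not pattern.startswith("/"):
                # Report the line of the literal itself, so multi-line
                # argument lists point at the right place.
                offset = call.start(2) + lit.start()
                line = source.count("\n", 0, offset) + 1
                findings.append((line, name, pattern, "/" + pattern))
    return findings


# Constructed sample configuration, not taken from any real project.
SAMPLE = '''\
http.securityMatcher("api/**")
    .authorizeHttpRequests(a -> a
        .requestMatchers("/public/**",
                         "health").permitAll()
        .requestMatchers(HttpMethod.POST, "/orders").hasRole("USER")
        .requestMatchers(new AntPathRequestMatcher("admin/**", "GET")).hasRole("ADMIN"));
'''

if __name__ == "__main__":
    for line, name, pattern, fix in find_missing_leading_slash(SAMPLE):
        print(f'line {line}: {name}("{pattern}") -> use "{fix}"')
```

The suggested fix is a plain prepend, so review each finding before applying it, since a changed pattern changes which requests an authorization rule covers.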

Which dependency version should I upgrade to for Spring Framework when moving to 6.4?
Spring Framework 6.2.0 is the baseline version bundled with Spring Security 6.4.

Is there any impact on existing OAuth2AuthorizationService implementations due to OIDC logout changes?
Only OIDC logout scenarios that rely on DefaultSaml2AuthenticatedPrincipal equality are affected; ensure your principal implements proper equals/hashCode.

How can I register a ServerWebExchangeFirewall bean in a reactive application?
Declare a @Bean of type ServerWebExchangeFirewall in your configuration class and Spring Security will auto-wire it.

Releases In Branch 6.4

Version      Release date
6.4.13       17 Nov 2025 (6 months ago)
6.4.12       20 Oct 2025 (7 months ago)
6.4.11       17 Sep 2025 (8 months ago)
6.4.10       15 Sep 2025 (8 months ago)
6.4.9        18 Aug 2025 (9 months ago)
6.4.8        21 Jul 2025 (10 months ago)
6.4.7        16 Jun 2025 (11 months ago)
6.4.6        19 May 2025 (1 year ago)
6.4.5        21 Apr 2025 (1 year ago)
6.4.4        17 Mar 2025 (1 year ago)
6.4.3        18 Feb 2025 (1 year ago)
6.4.2        16 Dec 2024 (1 year ago)
6.4.1        20 Nov 2024 (1 year ago)
6.4.0        18 Nov 2024 (1 year ago)
6.4.0-RC1    21 Oct 2024 (1 year ago)
6.4.0-M4     16 Sep 2024 (1 year ago)
6.4.0-M3     22 Aug 2024 (1 year ago)
6.4.0-M2     19 Aug 2024 (1 year ago)
6.4.0-M1     15 Jul 2024 (1 year ago)