Latest in branch 6.5: 6.5.10, released 20 Apr 2026 (1 month ago)

Software: Spring Security
Branch: 6.5 (Supported)
Java/Jakarta EE: Java 17+, Jakarta EE 9+ (Servlet 5.0+)
Initial release: 6.5.0, 19 May 2025 (1 year ago)
Latest release: 6.5.10, 20 Apr 2026 (1 month ago)
End of OSS support: 30 Jun 2026 (Ends in 1 month)
End of enterprise support: 30 Jun 2032 (Ends in 6 years, 1 month)
Release notes: https://github.com/spring-projects/spring-security/releases/tag/6.5.10
Source code: https://github.com/spring-projects/spring-security/tree/6.5.10
Download: https://github.com/spring-projects/spring-security/releases/tag/6.5.10

What Is New in Spring Security 6.5

Category | Highlights
New Features | Automatic Micrometer context propagation; OAuth 2.0 Demonstrating Proof of Possession (DPoP) support
Breaking Changes | Metric key renamed from security.security.reached.filter.section to spring.security.reached.filter.section
Deprecations | OAuth2 client APIs prepared for removal in Spring Security 7

How does Spring Security 6.5 improve observability with Micrometer?

Spring Security 6.5 now automatically propagates the security context into Micrometer's observation data.

  • All security-related metrics inherit the current Authentication and SecurityContext without extra code.
  • This matters if you rely on per-user latency or error rates in Grafana or Prometheus dashboards.
  • In practice you only need to add the Micrometer dependency; the integration is plug-and-play.
implementation("org.springframework.boot:spring-boot-starter-actuator")
implementation("io.micrometer:micrometer-core")

What new OAuth 2.0 capabilities are introduced in Spring Security 6.5?

Spring Security 6.5 adds native support for OAuth 2.0 Demonstrating Proof of Possession (DPoP) and enables PKCE for confidential clients.

  • DPoP protects access tokens from replay attacks by binding them to a cryptographic proof.
  • Enable PKCE on confidential clients with a single setting:
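ClientRegistration.withRegistrationId("my-client")
    // clientId, authorizationGrantType, redirectUri and endpoint URIs omitted
    .clientSettings(ClientRegistration.ClientSettings.builder()
        .requireProofKey(true) // use PKCE even though the client has a secret
        .build())
    .build();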

Most teams will enable DPoP on resource servers and PKCE on confidential clients to meet modern security standards.

How can I customize WebAuthn persistence and message conversion in Spring Security 6.5?

Spring Security 6.5 introduces JDBC persistence for WebAuthn credentials and lets you plug in a custom HttpMessageConverter for Passkeys.

  • Define a JdbcWebAuthnRepository bean pointing at your datasource for out-of-the-box storage.
  • Supply a custom converter via the DSL:
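http
    .securityMatcher("/webauthn/**")
    .webAuthn(webAuthn -> webAuthn
        // rpName, rpId and allowedOrigins omitted
        .messageConverter(myPasskeyConverter)        // custom HttpMessageConverter for Passkeys
        .creationOptionsRepository(myOptionsRepo));  // custom storage for creation options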

This flexibility is essential when integrating with legacy databases or proprietary JSON formats.

What breaking change affects metric key names in Spring Security 6.5?

The observation key security.security.reached.filter.section has been corrected to spring.security.reached.filter.section.

  • Any dashboards, alerts, or scripts that query the old key must be updated.
  • Failure to rename will result in missing data points after the upgrade.
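
A pre-upgrade check for the rename described above, written as an added example (not part of the original page or of Spring Security). It assumes dashboards and alert rules are available as text, and it also looks for the underscore spelling, because Micrometer's Prometheus naming convention turns dots in key names into underscores. The sample text and its metric name are constructed.

```python
import re

OLD_KEY = "security.security.reached.filter.section"
NEW_KEY = "spring.security.reached.filter.section"


def _variants(key):
    """Dotted form plus the underscore form used for Prometheus label names."""
    return (key, key.replace(".", "_"))


# The boundary checks keep the pattern from matching inside a longer identifier.
_PATTERN = re.compile(
    r"(?<![\w.])("
    + "|".join(re.escape(v) for v in _variants(OLD_KEY))
    + r")(?![\w.])"
)


def find_stale_references(text):
    """Return (line_number, matched_key) for every use of the old key."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def migrate(text):
    """Rewrite old-key references, keeping each one's dotted or underscore style."""
    dotted, underscored = _variants(NEW_KEY)

    def _swap(match):
        return underscored if "_" in match.group(1) else dotted

    return _PATTERN.sub(_swap, text)


# Constructed sample: two stale references and one already-migrated query.
SAMPLE = """\
expr: sum by (security_security_reached_filter_section) (rate(example_timer_seconds_count[5m]))
tag: security.security.reached.filter.section
expr: sum by (spring_security_reached_filter_section) (rate(example_timer_seconds_count[5m]))
"""

if __name__ == "__main__":
    for line_number, key in find_stale_references(SAMPLE):
        print(f"line {line_number}: stale key {key}")
```
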

How does Spring Security 6.5 support PKCE for confidential clients and what migration steps are needed?

PKCE can now be turned on for confidential clients by setting ClientRegistration.clientSettings.requireProofKey=true.

  • Update your client registration configuration (both servlet and reactive).
  • Test the flow against your authorization server to ensure the code_challenge is processed.
  • Watch out for older clients that may not send a code_verifier; they will receive an error until they are updated.
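
The PKCE exchange behind requireProofKey, and the missing code_verifier failure noted in the last step, shown as an added example (not Spring Security code and not from the original page). It implements the S256 method of RFC 7636; the function names and reason strings are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier():
    """Client side: 32 random bytes become a 43-character base64url verifier."""
    raw = secrets.token_bytes(32)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_token_request(stored_challenge, code_verifier, require_pkce=True):
    """Authorization-server side check when the code is redeemed.

    stored_challenge is the code_challenge saved with the authorization code
    (None if the client sent none). Returns (ok, reason).
    """
    if stored_challenge is None:
        if require_pkce:
            return False, "code_challenge was never sent"
        return True, "PKCE not used"
    if not code_verifier:
        # The case an un-updated client hits: challenge stored, no verifier.
        return False, "code_verifier missing"
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False, "code_verifier malformed"
    expected = s256_challenge(code_verifier).encode("ascii")
    if not hmac.compare_digest(expected, stored_challenge.encode("utf-8")):
        return False, "code_verifier does not match code_challenge"
    return True, "verified"


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)          # sent with the authorization request
    print(check_token_request(challenge, verifier))  # sent with the token request
    print(check_token_request(challenge, None))
```
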

Frequently Asked Questions

Do I need to modify existing Micrometer dashboards after upgrading to Spring Security 6.5?
Yes, you must replace any references to the old metric key security.security.reached.filter.section with the new spring.security.reached.filter.section in your queries.

Can I enable DPoP for my OAuth2 resource server in Spring Security 6.5?
Yes, you add the DPoP filter to the security chain and configure the resource server to validate the DPoP header.

Is PKCE now mandatory for public clients in Spring Security 6.5?
No, PKCE remains optional for public clients but can be enabled for confidential clients via a configuration flag.

How do I configure JDBC storage for WebAuthn credentials in Spring Security 6.5?
Define a JdbcWebAuthnRepository bean and point it to your DataSource, then reference it in the WebAuthn DSL.

What should I do about the OAuth2 client deprecations before moving to Spring Security 7?
Review the deprecation list and replace the APIs slated for removal with the recommended alternatives now, to avoid breaking changes later.

Releases In Branch 6.5

Version | Release date
6.5.10 | 20 Apr 2026 (1 month ago)
6.5.9 | 16 Mar 2026 (2 months ago)
6.5.8 | 13 Feb 2026 (3 months ago)
6.5.7 | 17 Nov 2025 (6 months ago)
6.5.6 | 20 Oct 2025 (7 months ago)
6.5.5 | 17 Sep 2025 (8 months ago)
6.5.4 | 15 Sep 2025 (8 months ago)
6.5.3 | 18 Aug 2025 (9 months ago)
6.5.2 | 21 Jul 2025 (10 months ago)
6.5.1 | 16 Jun 2025 (11 months ago)
6.5.0 | 19 May 2025 (1 year ago)
6.5.0-RC1 | 21 Apr 2025 (1 year ago)
6.5.0-M3 | 17 Mar 2025 (1 year ago)
6.5.0-M2 | 18 Feb 2025 (1 year ago)
6.5.0-M1 | 20 Jan 2025 (1 year ago)