Spring Security 7.0: What's New, Release History & EOL Status

What Is New in Spring Security 7.0

How does Spring Security 7.0 enable Multi-Factor Authentication out of the box?

Spring Security 7.0 introduces first-class Multi-Factor Authentication (MFA) support through new authorization managers and a builder for mutating Authentication objects.

• AllAuthoritiesAuthorizationManager lets you require a set of authorities that represent MFA factors.
• Authentication.Builder enables merging of existing Authentication with additional MFA details without recreating the token.

In practice you can protect an endpoint like this:

http.authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
    .anyRequest().access(new AllAuthoritiesAuthorizationManager("MFA_SMS", "MFA_TOTP"))

The default login page now renders factor information based on factor.type and factor.reason query parameters, making it easier for UI teams to display the correct challenge.

What are the major configuration API changes developers need to adopt?

Spring Security 7.0 replaces several long-standing DSL methods with more expressive lambda-based alternatives.

• Removed: HttpSecurity.and() - chain calls now end with a lambda.
• Removed: authorizeRequests() - use authorizeHttpRequests() instead.
• Added: Modular configuration for both Servlet and WebFlux stacks, allowing separate HttpSecurity or ServerHttpSecurity beans per module.
• Added: SPA-friendly CSRF DSL: http.csrf(csrf -> csrf.spa());

Example of the new style:

http
    .csrf(csrf -> csrf.spa())
    .authorizeHttpRequests(auth -> auth
        .requestMatchers("/public/**").permitAll()
        .anyRequest().authenticated())
    .formLogin(form -> form.loginPage("/login"));

This matters if you have existing security configuration files; the migration is straightforward but requires updating method names and removing the now-redundant and() calls.

How has OAuth 2.0 support been expanded in Spring Security 7.0?

Spring Security 7.0 adds several OAuth 2.0 enhancements that simplify client and server development.

• Password grant removed - encourages use of more secure flows.
• OAuth2 support for HTTP service clients via WebClient and RestTemplate builders.
• Custom JwkSource can now be supplied to NimbusJwtDecoder using Nimbus's builder API.
• Builder for NimbusJwtEncoder supports EC, RSA, or secret keys directly.
• @ClientRegistrationId can be placed on a class, reducing repetitive annotations on each method.
• Dynamic Registration protocol and PKCE are enabled by default in the Authorization Server.

Typical client configuration now looks like:

NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSource(myJwkSource).build();

These changes reduce boilerplate and improve security posture for modern OAuth deployments.

What are the key changes for SAML 2.0 and Kerberos integrations?

Spring Security 7.0 modernizes SAML 2.0 and Kerberos support while removing legacy dependencies.

• SAML: API methods based on AssertingPartyDetails replaced by AssertingPartyMetadata; GET support removed from Saml2AuthenticationTokenConverter; JDBC-based AssertingPartyMetadataRepository added; OpenSAML 4 dropped - migrate to OpenSAML 5.
• Kerberos: The Kerberos extension is now part of the core Spring Security distribution, simplifying dependency management.
• Single Logout (SLO) now returns an empty response body even when validation fails, making client handling more predictable.

When upgrading, ensure your SAML metadata handling switches to the new AssertingPartyMetadata interface and update any GET-based token conversion logic.