Latest development in branch 7.1
7.1.0-RC1
Released 20 Apr 2026
(1 month ago)
Software: Spring Security
Branch: 7.1 (Supported)
Java/Jakarta EE: Java 17+, Jakarta EE 9+ (Servlet 6.0+)
Latest release: 7.1.0-RC1, 20 Apr 2026 (1 month ago)
End of OSS support: 30 Jun 2027 (ends in 1 year, 1 month)
End of enterprise support: 30 Jun 2028 (ends in 2 years, 1 month)
Release notes: https://github.com/spring-projects/spring-security/releases/tag/7.1.0-RC1
Source code: https://github.com/spring-projects/spring-security/tree/7.1.0-RC1
Download: https://github.com/spring-projects/spring-security/releases/tag/7.1.0-RC1
Under Development: Spring Security 7.1 is still in active development and has not been officially released. The features and changes described below are based on the current development branch and may change before the final release.

What Is New in Spring Security 7.1

Category Highlights
New Features
  • InetAddressMatcher for flexible IP matching
  • AllRequiredFactorsAuthorizationManager.anyOf for composite MFA rules
  • Programmatic MFA conditions (when/withWhen) and WebAuthn-registered condition
  • RestClientOpaqueTokenIntrospector for opaque token validation
  • Authentication events published for WebAuthn flows
  • PreFlightRequestFilter support for CORS pre-flight handling
  • Charset parameter now included in WWW-Authenticate header
Improvements
  • Enhanced multi-factor authorization API surface
  • Better integration with Spring WebFlux via RestClientOpaqueTokenIntrospector
  • More explicit WWW-Authenticate challenges for clients

How can I programmatically enforce MFA conditions in Spring Security 7.1?

Spring Security 7.1 introduces when and withWhen conditions on AuthorizationManagerFactories.multiFactor() plus the AllRequiredFactorsAuthorizationManager.anyOf method, letting you compose complex MFA rules in code.

  • Use when to apply MFA only for specific request matchers.
  • Combine multiple factors with anyOf to accept any satisfied factor.
  • Enable WebAuthn-specific MFA via @EnableMultiFactorAuthentication(when = MultiFactorCondition.WEBAUTHN_REGISTERED).

http
    .authorizeHttpRequests(authz -> authz
        .requestMatchers("/sensitive/**")
        .access(multiFactor()
            .when(request -> request.getHeader("X-Device") != null)
            .anyOf(factor -> factor.password(), factor -> factor.webauthn()))
        .anyRequest().authenticated());

What new support does Spring Security 7.1 provide for network address matching?

Spring Security 7.1 adds InetAddressMatcher, a utility that lets you match IP addresses and CIDR ranges directly in security expressions.

  • Instantiate with a single address, a range, or a CIDR block.
  • Use matches(InetAddress) inside AccessDecisionVoter or @PreAuthorize expressions.

InetAddressMatcher matcher = new InetAddressMatcher("192.168.0.0/16");
boolean allowed = matcher.matches(request.getRemoteAddress());
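
What matching an address against a CIDR block involves, as an added example that is not part of the original page and is not Spring Security code: CidrDemo and inCidr are hypothetical names built only on the JDK, and the addresses are constructed samples. It covers the two cases that usually go wrong in hand-written allow-lists, prefixes that are not a multiple of 8 bits and an IPv4 block compared with an IPv6 address.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added illustration: a minimal CIDR matcher using only the JDK.
// CidrDemo and inCidr are hypothetical names, not Spring Security API.
public class CidrDemo {

    /** True when the literal address lies inside the block, e.g. "192.168.0.0/16". */
    static boolean inCidr(String cidr, String candidate) throws UnknownHostException {
        String[] parts = cidr.split("/");
        // IP literals only: getByName performs no DNS lookup for a literal.
        byte[] network = InetAddress.getByName(parts[0]).getAddress();
        byte[] address = InetAddress.getByName(candidate).getAddress();

        // An IPv4 block (4 bytes) never matches an IPv6 address (16 bytes).
        if (network.length != address.length) {
            return false;
        }
        int totalBits = network.length * 8;
        int prefix = (parts.length == 2) ? Integer.parseInt(parts[1]) : totalBits;
        if (prefix < 0 || prefix > totalBits) {
            throw new IllegalArgumentException("Bad prefix length in " + cidr);
        }
        // Compare the whole bytes covered by the prefix first.
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (network[i] != address[i]) {
                return false;
            }
        }
        // Then compare the leading bits of the one partially covered byte.
        int remainingBits = prefix % 8;
        if (remainingBits == 0) {
            return true;
        }
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (network[fullBytes] & mask) == (address[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample inputs.
        System.out.println(inCidr("192.168.0.0/16", "192.168.44.7"));  // same /16
        System.out.println(inCidr("192.168.0.0/16", "192.169.0.1"));   // second octet differs
        System.out.println(inCidr("10.16.0.0/12", "10.31.255.254"));   // prefix not on a byte boundary
        System.out.println(inCidr("10.0.0.0/8", "::1"));               // IPv6 address, IPv4 block
        System.out.println(inCidr("2001:db8::/32", "2001:db8:1::5"));  // IPv6 block
    }
}
```

Behind a reverse proxy or load balancer the remote address the application sees is the proxy's, so an address allow-list is only meaningful against the address the deployment actually trusts.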

How does Spring Security 7.1 simplify OAuth2 opaque token introspection?

The new RestClientOpaqueTokenIntrospector leverages Spring's RestClient to call an introspection endpoint with minimal boilerplate.

  • Configure once with the introspection URI and client credentials.
  • Works out-of-the-box with both servlet and WebFlux stacks.

OpaqueTokenIntrospector introspector = new RestClientOpaqueTokenIntrospector(
    "https://auth.example.com/introspect",
    "client-id",
    "client-secret");

What updates were made to HTTP authentication handling and CORS in Spring Security 7.1?

Spring Security 7.1 now includes the charset attribute in the WWW-Authenticate header and adds a dedicated PreFlightRequestFilter for CORS pre-flight requests.

  • The charset ensures clients correctly decode challenge messages.
  • Register PreFlightRequestFilter early in the filter chain to handle OPTIONS requests without triggering authentication.

http
    .addFilterBefore(new PreFlightRequestFilter(), ChannelProcessingFilter.class)
    .httpBasic(basic -> basic
        .realmName("MyApp")
        .charset("UTF-8"));
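
Why an advertised charset matters for Basic authentication, as an added example that is not part of the original page and is not Spring Security code: BasicCharsetDemo and its helpers are hypothetical names, and the credentials are constructed. In RFC 7617 the charset parameter tells the client which encoding the server expects for the user-id and password; the sketch shows a non-ASCII password failing to round-trip when the client encodes it as ISO-8859-1 and the server decodes it as UTF-8.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration of Basic credentials under two encodings (JDK only).
// BasicCharsetDemo, authorizationHeader and decodePassword are hypothetical names.
public class BasicCharsetDemo {

    /** Client side: builds the Authorization header value using the given charset. */
    static String authorizationHeader(String user, String password, Charset charset) {
        byte[] raw = (user + ":" + password).getBytes(charset);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Server side: decodes the header with the charset the server assumes. */
    static String decodePassword(String header, Charset charset) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        String pair = new String(raw, charset);
        // The user-id cannot contain ':', so the first colon is the separator.
        return pair.substring(pair.indexOf(':') + 1);
    }

    public static void main(String[] args) {
        // Constructed credentials; \u00e4 is a-umlaut, one byte in ISO-8859-1, two in UTF-8.
        String user = "alice";
        String password = "p\u00e4ss";

        String utf8Header = authorizationHeader(user, password, StandardCharsets.UTF_8);
        String latin1Header = authorizationHeader(user, password, StandardCharsets.ISO_8859_1);

        // The same credentials produce different header values.
        System.out.println(utf8Header);
        System.out.println(latin1Header);

        // A server that decodes as UTF-8 recovers the password only from the UTF-8 header;
        // the ISO-8859-1 bytes are malformed UTF-8 and decode to a replacement character.
        System.out.println(password.equals(decodePassword(utf8Header, StandardCharsets.UTF_8)));
        System.out.println(password.equals(decodePassword(latin1Header, StandardCharsets.UTF_8)));
    }
}
```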

Frequently Asked Questions

Does Spring Security 7.1 require any configuration changes for existing MFA setups?
Most existing MFA configurations continue to work, but you can opt in to the new programmatic conditions for finer control.

How do I use InetAddressMatcher in a @PreAuthorize expression?
Use @PreAuthorize("@ipMatcher.matches(#request.remoteAddress)") where ipMatcher is a bean of type InetAddressMatcher.

Can RestClientOpaqueTokenIntrospector be used with Spring WebClient?
Yes, the introspector internally uses RestClient which shares the same reactive infrastructure as WebClient.

Is the charset parameter now mandatory in WWW-Authenticate responses?
It is automatically added when you configure httpBasic or formLogin with a charset value.

What event types are published for WebAuthn authentication?
AuthenticationSuccessEvent and AuthenticationFailureBadCredentialsEvent are now emitted for WebAuthn flows.

How do I enable PreFlightRequestFilter in my security filter chain?
Add http.addFilterBefore(new PreFlightRequestFilter(), ChannelProcessingFilter.class) before any authentication filters.

Releases In Branch 7.1

Version      Release date
7.1.0-RC1    20 Apr 2026 (1 month ago)
7.1.0-M3     16 Mar 2026 (2 months ago)
7.1.0-M2     13 Feb 2026 (3 months ago)
7.1.0-M1     19 Jan 2026 (4 months ago)