Update spring security to v7

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework.security:spring-security-crypto (source)	6.4.13 → 7.0.5
org.springframework.security:spring-security-web (source)	6.4.13 → 7.0.5
org.springframework.security:spring-security-config (source)	6.4.13 → 7.0.5
org.springframework.security:spring-security-core (source)	6.4.13 → 7.0.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-crypto)

v7.0.5

Compare Source

⭐ New Features

• Add XML Based shouldWriteHeadersEagerly tests #​19018
• Merge Add CredentialRecordOwnerAuthorizationManager #​19005

🪲 Bug Fixes

• Add equals and hashcode to HttpMethodRequestMatcher #​18963
• auth_time claim doesn't show the time of the original authentication #​18282
• auth_time validation fails when SSO session is renewed #​18978
• Fallback defaultTargetUrl if refererHeader is empty #​18981
• Fix HttpSessionRequestCache#getMatchingRequest query string parsing #​18972
• Merge Handle null value in OnCommittedResponseWrapper header methods #​18990
• OAuth2 client sessionManagement ineffective with DefaultOidcUser #​19022

🔨 Dependency Upgrades

• Bump @springio/antora-extensions from 1.14.10 to 1.14.11 in /docs #​19054
• Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #​18953
• Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #​19029
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #​18957
• Bump actions/upload-artifact from 7.0.0 to 7.0.1 #​19096
• Bump com.webauthn4j:webauthn4j-core from 0.31.1.RELEASE to 0.31.2.RELEASE #​19021
• Bump com.webauthn4j:webauthn4j-core from 0.31.2.RELEASE to 0.31.3.RELEASE #​19114
• Bump io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5 #​19080
• Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #​19111
• Bump org.springframework.data:spring-data-bom from 2025.1.4 to 2025.1.5 #​19113
• Bump org.springframework.ldap:spring-ldap-core from 4.0.2 to 4.0.3 #​19098
• Bump org.springframework:spring-framework-bom from 7.0.6 to 7.0.7 #​19112
• Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #​18996
• Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #​19095
• Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #​18948

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​rwinch

v7.0.4

Compare Source

⭐ New Features

• Update RestTemplateBuilder usage in opaque-token.adoc #​18836

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #​18784
• Add Jackson Mixin for WebAuthnAuthentication #​18878
• Add Missing OnCommitedResponseWrapper Header Overrides #​18799
• Document the change in dependency coordinates with Spring Security 7 #​18773
• Ensure tests clear AuthorizationServerContextHolder #​18768
• Fix CookieRequestCache parameters #​18864
• Fix Flaky Crypto Tests #​18842
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #​18897
• HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #​18834
• OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #​18873
• Restore upgradeEncoding condition in DaoAuthenticationProvider #​18788
• saveAuthenticationRequest should read relayState from authenticationRequest #​18884
• SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #​18487
• ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #​18276
• TokenBasedRememberMeServices documentation snippets should compile #​18642
• Update request-matcher XML property to support PathPatternRequestMatcher #​18737

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #​18853
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #​18810
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #​18752
• Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #​18830
• Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #​18877
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #​18751
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #​18792
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #​18861
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #​18887
• Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #​18743
• Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #​18904
• Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #​18764
• Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #​18905
• Update Antora UI Spring to v0.4.26 #​18893
• Update to spring-security-release-tools 1.0.15 #​18909

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​busoco-sjb, @​making, @​meliezer, @​ngocnhan-tran1996, @​rwinch, @​sephiroth-j, @​therepanic, @​thuri, and @​ziqin

v7.0.3

Compare Source

⭐ New Features

• Fix Javadoc warnings in spring-security-web #​18473
• Fix/gradle 9 deprecations #​18485
• Fix/gradle 9 deprecations #​18477
• Replace method call with 'Builder.configureMessageConverters()' #​18378
• Replacing use of deprecated 'check' in authorization documentation #​18390
• Use DefaultParameterNameDiscoverer#getSharedInstance #​18481

🪲 Bug Fixes

• Authorization Server fails to start with multiple PasswordEncoder beans #​18645
• BearerTokenAuthenticationEntryPoint uses context path #​18528
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #​18594
• Document Client PKCE settings #​18304
• Fix docs typo X-Requested-By -> X-Requested-With #​18123
• Fix Formatting in mfa.adoc #​18134
• Fix typo in documentation #​18344
• Fix typos #​18121

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #​18384
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 #​18684
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #​18711
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #​18660
• Bump com.webauthn4j:webauthn4j-core from 0.29.7.RELEASE to 0.31.0.RELEASE #​18687
• Bump gradle-wrapper from 8.14 to 8.14.4 #​18705
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #​18681
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #​18658
• Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3 #​18717
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #​18683
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #​18725
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #​18706
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #​18309
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #​18326
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 #​18346
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #​18327
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #​18682
• Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #​18385
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #​18655
• Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1 #​18316
• Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2 #​18733
• Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4 #​18732
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT #​18657
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #​18651
• Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 #​18659
• Update Antora UI Spring to v0.4.25 #​18249
• Update to Spring Framework 7.0.3 #​18667
• Update to spring-data-bom 2025.1.3 #​18735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Been24, @​Fr05ty-hub, @​Kehrlann, @​Rigu1, @​bloomsei, @​martinboulais, @​ngocnhan-tran1996, @​paulvas, @​rwinch, @​therepanic, and @​vincentstradiot

v7.0.2

Compare Source

🪲 Bug Fixes

• AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #​18315

v7.0.1

Compare Source

⭐ New Features

• Stop deploying JavaDoc outside of Antora #​18200

🪲 Bug Fixes

• An unexpected dependency appeared for spring-security-config of spring-security-web #​18307
• Fix "typ" header value in NimbusJwtEncoder-encoded JWT #​18270
• Fix broken link to Spring Boot docs #​18236
• Fix documentation resource server sample title #​18231
• Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #​18223
• Fix typo in AnnotationTemplateExpressionDefaults documentation #​18255
• Fix typos in documentation depenendencies->dependencies #​18209
• NimbusJwtEncoder produces JWT with wrong "typ" header value #​18269
• OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #​18251
• Remove requireProofKey warning for non-auth-code flows #​18221
• Remove throws from MyCustomDsl in docs #​18224

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #​18214
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #​18311
• Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #​18245
• Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #​18262
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #​18189
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #​18277
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #​18274
• Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #​18289
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #​18187
• Bump org-aspectj from 1.9.24 to 1.9.25 #​18186
• Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #​18215
• Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #​18188
• Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #​18312
• Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #​18213
• Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #​18310
• Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #​18212
• Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #​18244

🔩 Build Updates

• Add Test for ServletRequestPathUtils.parseAndCache(method=null) #​18166
• Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #​18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​L33gn21, @​ghusta, @​ronodhirSoumik, @​rwinch, @​sach429, and @​ziqin

v7.0.0

Compare Source

⭐ New Features

• Add a minimal authorization server configuration #​18153
• Mark GrantedAuthority#getAuthority as @Nullable #​18014
• Polish SimpleGrantedAuthority #​18062

🪲 Bug Fixes

• Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #​18026
• Fix webauthn multifactor authentication #​18163

🔨 Dependency Upgrades

• Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #​18099
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #​18100
• Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #​18097
• Update to Reactor 2025.0.0 #​18173
• Update to Spring Data 2025.1.0 #​18174
• Update to Spring Framework 7.0.0 #​18172
• Update to Spring LDAP 4.0.0 #​18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kehrlann, @​SimonVonXCVII, @​quaff, and @​therepanic

v6.5.10

Compare Source

⭐ New Features

• Add CredentialRecordOwnerAuthorizationManager #​19004
• Add XML Based shouldWriteHeadersEagerly tests #​19017
• Clarify Session Management Persistence Documentation #​18345
• Update FilterChainProxy#getFilters(String) javadoc #​18258

🪲 Bug Fixes

• Add equals and hashcode to HttpMethodRequestMatcher #​18914
• auth_time validation fails when SSO session is renewed #​18839
• Fallback defaultTargetUrl if refererHeader is empty #​18806
• Fix HttpSessionRequestCache#getMatchingRequest query string parsing #​16914
• Fix documentation for Custom Authorization Manager #​18362
• Improve serialVersionUID check in tests #​18474
• Merge Handle null value in OnCommittedResponseWrapper header methods #​18989
• OAuth2 client sessionManagement ineffective with DefaultOidcUser #​18622

🔨 Dependency Upgrades

• Bump @springio/antora-extensions from 1.14.10 to 1.14.11 in /docs #​19055
• Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #​18956
• Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #​19031
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #​18952
• Bump actions/upload-artifact from 7.0.0 to 7.0.1 #​19094
• Bump io.projectreactor:reactor-bom from 2024.0.16 to 2024.0.17 #​19078
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.14 to 1.0.15 #​18916
• Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #​19108
• Bump org.hibernate.orm:hibernate-core from 6.6.44.Final to 6.6.45.Final #​18966
• Bump org.hibernate.orm:hibernate-core from 6.6.45.Final to 6.6.47.Final #​19046
• Bump org.hibernate.orm:hibernate-core from 6.6.47.Final to 6.6.48.Final #​19064
• Bump org.hibernate.orm:hibernate-core from 6.6.48.Final to 6.6.49.Final #​19110
• Bump org.springframework:spring-framework-bom from 6.2.17 to 6.2.18 #​19109
• Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #​19093
• Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15 #​18954
• Bump spring-io/spring-security-release-tools/.github/workflows/build.yml from 1.0.14 to 1.0.15 #​18955
• Bump spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml from 1.0.14 to 1.0.15 #​18949
• Bump spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml from 1.0.14 to 1.0.15 #​18950
• Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml from 1.0.14 to 1.0.15 #​18995
• Bump spring-io/spring-security-release-tools/.github/workflows/test.yml from 1.0.14 to 1.0.15 #​18951
• Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #​18994
• Update to spring-security-release-tools 1.0.15 #​18910

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kehrlann, @​as1605, @​johnycho, @​ngocnhan-tran1996, @​rwinch, and @​sankranty

v6.5.9

Compare Source

⭐ New Features

• Update Link to CSRF Docs in FAQ #​18616

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #​18544
• saveAuthenticationRequest should read relayState from authenticationRequest #​18872
• Add Missing OnCommitedResponseWrapper Header Overrides #​18798
• Clarify Resource Server startup expectations #​18518
• Correct Reference to Clear-Site-Data Directive enum #​18273
• Fix CookieRequestCache parameters #​18857
• Fix Flaky Crypto Tests #​18841
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #​18896

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #​18854
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #​18809
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #​18749
• Bump com.fasterxml.jackson:jackson-bom from 2.18.5 to 2.18.6 #​18779
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #​18876
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #​18750
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #​18791
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #​18860
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #​18886
• Bump org.hibernate.orm:hibernate-core from 6.6.42.Final to 6.6.43.Final #​18780
• Bump org.hibernate.orm:hibernate-core from 6.6.43.Final to 6.6.44.Final #​18829
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #​18903

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Hann244, @​Khyojae, @​ghusta, @​itsmevichu, @​qihaiyan, @​rwinch, @​therepanic, and @​ziqin

v6.5.8

Compare Source

⭐ New Features

• Add @FunctionalInterface to RequestMatcher #​18337
• Spring Security 7 should provide migration path from request-matcher="ant" #​18211
• Stop deploying JavaDoc outside of Antora #​18199

🪲 Bug Fixes

• Add Missing Migration Pages to Navigation #​18313
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #​18235
• Fix typo in "Preparing for 7.0" in reference to PathPatternRequestMatcher #​18336
• Fix typo in AnnotationTemplateExpressionDefaults documentation #​18176
• Fix typos in documentation depenendencies->dependencies #​18208

🔨 Dependency Upgrades

• Bump @antora/atlas-extension from 1.0.0-alpha.2 to 1.0.0-alpha.5 in /docs #​18675
• Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs #​18677
• Bump @springio/antora-extensions from 1.14.4 to 1.14.7 in /docs #​18676
• Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.11 in /docs #​18679
• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #​18192
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #​18321
• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #​18387
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 #​18525
• Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 #​18591
• Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 #​18631
• Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28 #​18678
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #​18710
• Bump gradle-wrapper from 8.14 to 8.14.4 #​18704
• Bump io.micrometer:context-propagation from 1.1.3 to 1.1.4 #​18703
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #​18279
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #​18275
• Bump io.projectreactor:reactor-bom from 2024.0.12 to 2024.0.13 #​18293
• Bump io.projectreactor:reactor-bom from 2024.0.13 to 2024.0.14 #​18495
• Bump io.projectreactor:reactor-bom from 2024.0.14 to 2024.0.15 #​18716
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #​18535
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #​18724
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #​18670
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #​18292
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #​18329
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #​18352
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #​18590
• Bump org.hibernate.orm:hibernate-core from 6.6.34.Final to 6.6.36.Final #​18193
• Bump org.hibernate.orm:hibernate-core from 6.6.36.Final to 6.6.38.Final #​18241
• Bump org.hibernate.orm:hibernate-core from 6.6.38.Final to 6.6.39.Final #​18308
• Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final #​18351
• Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final #​18524
• Bump org.hibernate.orm:hibernate-core from 6.6.41.Final to 6.6.42.Final #​18632
• Bump org.springframework.data:spring-data-bom from 2024.1.12 to 2024.1.13 #​18320
• Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16 #​18322
• Bump org.springframework:spring-framework-bom from 6.2.13 to 6.2.14 #​18206
• Bump org.springframework:spring-framework-bom from 6.2.14 to 6.2.15 #​18323
• Bump org.springframework:spring-framework-bom from 6.2.15 to 6.2.16 #​18731
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #​18649
• Update Antora UI Spring to v0.4.25 #​18402

🔩 Build Updates

• Remove unnecessary Gradle wrapper from buildSrc #​18692

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​garvit-joshi, @​ghusta, @​kucoll, and @​rwinch

v6.5.7

Compare Source

⭐ New Features

• Add Include-Code for the Password Storage page #​18054
• Default WebAuthnConfigurer#rpName to rpId #​18131
• Document effects of disabling CORS #​18129

🪲 Bug Fixes

• typ values should not be case-sensitive in JwtTypeValidator #​18101
• BCryptPasswordEncoderTests should password limit of 72 bytes #​18136
• Fix GenerateOneTimeTokenRequestResolver ignored if username param not present #​18074
• GenerateOneTimeTokenFilter should not attempt to generate a token with a null token request #​18088

🔨 Dependency Upgrades

• Bump com.fasterxml.jackson:jackson-bom from 2.18.4.1 to 2.18.5 #​18110
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #​18149
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.11 to 1.0.13 #​18141
• Bump org-aspectj from 1.9.24 to 1.9.25 #​18142
• Bump org.hibernate.orm:hibernate-core from 6.6.33.Final to 6.6.34.Final #​18111
• Update to Reactor 2024.0.12 #​18181
• Update to Spring Data 2024.1.12 #​18182
• Update to Spring Framework 6.2.13 #​18180

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​himanshu-pareek, @​marcusdacoregio, and @​namest504

v6.5.6

Compare Source

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 #​18082
• Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #​17930
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17929
• Bump io.micrometer:micrometer-observation from 1.14.11 to 1.14.12 #​18045
• Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 #​17950
• Bump org.gretty:gretty from 4.1.7 to 4.1.10 #​17945
• Bump org.hibernate.orm:hibernate-core from 6.6.31.Final to 6.6.33.Final #​18039
• Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 #​18083
• Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 #​18067
• Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 #​18068

v6.5.5

Compare Source

🔨 Dependency Upgrades

• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17922
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17911
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17923
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 #​17910
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17924
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17913
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17925
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17912
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17926
• Bump org.springframework:spring-framework-bom from 6.2.10 to 6.2.11 #​17914

v6.5.4

Compare Source

⭐ New Features

• Update servlet test method docs to use include-code #​17749

🪲 Bug Fixes

• Annonation Scanning Should Fallback to Object when Parameter Matching #​17899
• Fix double-slash when basePath is root #​17841
• Fix traceId discrepancy in case error in servlet web #​17796
• Reference should advise avoiding post-authorization on writes #​17798

🔨 Dependency Upgrades

• Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #​17893
• Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 #​17874
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17895
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17854
• Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE #​17836
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17894
• Bump io.micrometer:micrometer-observation from 1.14.10 to 1.14.11 #​17858
• Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 #​17767
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17766
• Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.26.Final #​17759
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #​17853
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final #​17837
• Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.29.Final #​17896
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.10 #​17897
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17855
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17791
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17771
• Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 #​17758
• Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.14 #​17773

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​jkuhel and @​therepanic

v6.5.3

Compare Source

⭐ New Features

• Add META-INF/LICENSE.txt to published jars #​17639
• Update Angular documentation links in csrf.adoc #​17653
• Update Shibboleth Repository URL #​17637
• Use 2004-present Copyright #​17634

🪲 Bug Fixes

• Add Missing Navigation in Preparing for 7.0 Guide [#​

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • Between 04:00 PM and 07:59 PM, Monday through Friday (* 16-19 * * 1-5)
• Automerge
  • Between 02:00 PM and 06:59 PM, Monday through Thursday (* 14-18 * * 1-4)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 7.x releases. But if you manually upgrade to 7.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.