Update dependency org.springframework.security:spring-security-bom to v7

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.springframework.security:spring-security-bom (source)	6.5.8 → 7.0.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-bom)

v7.0.3

Compare Source

⭐ New Features

• Fix Javadoc warnings in spring-security-web #​18473
• Fix/gradle 9 deprecations #​18485
• Fix/gradle 9 deprecations #​18477
• Replace method call with 'Builder.configureMessageConverters()' #​18378
• Replacing use of deprecated 'check' in authorization documentation #​18390
• Use DefaultParameterNameDiscoverer#getSharedInstance #​18481

🪲 Bug Fixes

• Authorization Server fails to start with multiple PasswordEncoder beans #​18645
• BearerTokenAuthenticationEntryPoint uses context path #​18528
• Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #​18594
• Document Client PKCE settings #​18304
• Fix docs typo X-Requested-By -> X-Requested-With #​18123
• Fix Formatting in mfa.adoc #​18134
• Fix typo in documentation #​18344
• Fix typos #​18121

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #​18384
• Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 #​18684
• Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #​18711
• Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #​18660
• Bump com.webauthn4j:webauthn4j-core from 0.29.7.RELEASE to 0.31.0.RELEASE #​18687
• Bump gradle-wrapper from 8.14 to 8.14.4 #​18705
• Bump io.mockk:mockk from 1.14.7 to 1.14.9 #​18681
• Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #​18658
• Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3 #​18717
• Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #​18683
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #​18725
• Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #​18706
• Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #​18309
• Bump org-aspectj from 1.9.25 to 1.9.25.1 #​18326
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 #​18346
• Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #​18327
• Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #​18682
• Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #​18385
• Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #​18655
• Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1 #​18316
• Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2 #​18733
• Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4 #​18732
• Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT #​18657
• Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #​18651
• Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 #​18659
• Update Antora UI Spring to v0.4.25 #​18249
• Update to Spring Framework 7.0.3 #​18667
• Update to spring-data-bom 2025.1.3 #​18735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Been24, @​Fr05ty-hub, @​Kehrlann, @​Rigu1, @​bloomsei, @​martinboulais, @​ngocnhan-tran1996, @​paulvas, @​rwinch, @​therepanic, and @​vincentstradiot

v7.0.2

Compare Source

🪲 Bug Fixes

• AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #​18315

v7.0.1

Compare Source

⭐ New Features

• Stop deploying JavaDoc outside of Antora #​18200

🪲 Bug Fixes

• An unexpected dependency appeared for spring-security-config of spring-security-web #​18307
• Fix "typ" header value in NimbusJwtEncoder-encoded JWT #​18270
• Fix broken link to Spring Boot docs #​18236
• Fix documentation resource server sample title #​18231
• Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #​18223
• Fix typo in AnnotationTemplateExpressionDefaults documentation #​18255
• Fix typos in documentation depenendencies->dependencies #​18209
• NimbusJwtEncoder produces JWT with wrong "typ" header value #​18269
• OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #​18251
• Remove requireProofKey warning for non-auth-code flows #​18221
• Remove throws from MyCustomDsl in docs #​18224

🔨 Dependency Upgrades

• Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #​18214
• Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #​18311
• Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #​18245
• Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #​18262
• Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #​18189
• Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #​18277
• Bump io.mockk:mockk from 1.14.6 to 1.14.7 #​18274
• Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #​18289
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #​18187
• Bump org-aspectj from 1.9.24 to 1.9.25 #​18186
• Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #​18215
• Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #​18188
• Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #​18312
• Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #​18213
• Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #​18310
• Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #​18212
• Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #​18244

🔩 Build Updates

• Add Test for ServletRequestPathUtils.parseAndCache(method=null) #​18166
• Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #​18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​L33gn21, @​ghusta, @​ronodhirSoumik, @​rwinch, @​sach429, and @​ziqin

v7.0.0

Compare Source

⭐ New Features

• Add a minimal authorization server configuration #​18153
• Mark GrantedAuthority#getAuthority as @Nullable #​18014
• Polish SimpleGrantedAuthority #​18062

🪲 Bug Fixes

• Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #​18026
• Fix webauthn multifactor authentication #​18163

🔨 Dependency Upgrades

• Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #​18099
• Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #​18100
• Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #​18097
• Update to Reactor 2025.0.0 #​18173
• Update to Spring Data 2025.1.0 #​18174
• Update to Spring Framework 7.0.0 #​18172
• Update to Spring LDAP 4.0.0 #​18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kehrlann, @​SimonVonXCVII, @​quaff, and @​therepanic

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[MarkEWaite]

I'm requesting changes on this pull request until someone does the detailed analysis to understand the Jenkins impact of upgrading to Spring Security 7

[jglick]

At least seems to depend on #11292.

[MarkEWaite]

This PR is now ready for merge. We will merge it after the security release if there is no negative feedback. Please see the merge process documentation for more information about the merge process.

Includes pull request:

• #11292

/label ready-for-merge

ATH tests pass

Plugin BOM tests pass

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[jglick]

If you are adding your own commits it would be clearer to file a separate PR.

[MarkEWaite]

Is that a blocking comment or an advisory comment? If it is a blocking comment, I'll create a new pull request that combines pull requests:

• Update dependency org.springframework:spring-framework-bom to v7 #11292
• Update dependency org.springframework.security:spring-security-bom to v7 #11304

and adds commits:

• 8bc4549
• 5d65bbe

I preferred the pull request descriptions as generated by Renovate, but if you prefer a separate pull request, I'm happy to do it.

[jglick]

Advisory, not blocking.

I preferred the pull request descriptions as generated by Renovate

Well, a human-filed PR could refer to the outstanding Renovate PRs (with their diff links etc.) for reference.