2. What’s New in Spring Security 5.1

Spring Security 5.1 provides a number of new features. Below are the highlights of the release.

2.1 Servlet

Automatic password storage upgrades through UserDetailsPasswordService
OAuth 2.0 Client
- Customizable Authorize and Token requests
- authorization_code grant support
- client_credentials grant support
OAuth 2.0 Resource Server - support for JWT-encoded bearer tokens
Added OAuth2 WebClient integration
HTTP Firewall protects against HTTP Verb Tampering and Cross-site Tracing
ExceptionTranslationFilter support for selecting an AccessDeniedHandler by RequestMatcher
CSRF support for excluding certain requests
Added Support for Feature Policy
Added @Transient authentication tokens
A modern look-and-feel for the default log in page

Automatic password storage upgrades through ReactiveUserDetailsPasswordService
Added OAuth2 support
- Added OAuth2 Client support
- Added OAuth2 Resource Server support
- Added OAuth2 WebClient integration
@WithUserDetails now works with ReactiveUserDetailsService
Added CORS support
Added support for the following HTTP headers
Redirect to HTTPS
Improvements for @AuthenticationPrincipal
- Support for resolving beans
- Support for resolving errorOnInvalidType

Jackson Support works with BadCredentialsException
@WithMockUser supports customizing when the SecurityContext is setup in the test. For example, @WithMockUser(setupBefore = TestExecutionEvent.TEST_EXECUTION) will setup a user after JUnit’s @Before and before the test executes.
LDAP Authentication can be configured with custom environment variables
X.509 Authentication supports deriving the principal as a strategy