• Add 6.4 Sample Serializations for Serializable classes #16274
• Add @inheritDoc to sessionIdChanged method #16216
• Fix typo in oauth2 resource server documentation #16053
• Fixed confusing phrasing in the docs for a better clarity. #16169
• Improve AuthorizationManager configuration error messages #16194
• Polish #16148
• Use Documentation Tags for Maven and Gradle in Getting Started #16234
• Add WebDriver WebAuthn test #15969

• Add Deprecated ObjectPostProcessor constructor #16212
• Add RuntimeHints for webauthn Javascript resource #16159
• Always return current ClientRegistration in loadAuthorizedClient #16139
• Avoid requesting an unnecessary attestation statement when creating a webauthn credential #16252
• CI is not using the correct secret for Develocity #16263
• Dark mode rendering issue with images on CSRF and Method Security pages #16176
• DefaultSaml2AuthenticatedPrincipal should define a serialVersionUID #16163
• Delay initialization of AuthenticationProvider in Global Authentication #16147
• Fix Documentation Typos #16054
• Correct OAuth2ClientHttpRequestInterceptor Usage Documentation #16172
• Fix Typo in 'What's New' Documentation #16183
• Fix WebAuthnWebdriverTests #16279
• Correct OpenSAML 5.x Documentation #16195
• Issue when using @AuthenticationPrincipal on interfaces #16177
• Mutate breaks functionality of StrictFirewallHttpHeaders with recently modified HttpHeaders#writabeHttpHeaders #16261
• Remove duplicate cache in AuthenticationPrincipalArgumentResolverand CurrentSecurityContextArgumentResolver #16202
• Resolve ObjectPostProcessor collisions between RSocket and WebFlux security configuration #16161
• Restore @AuthenticationPrincipal/@CurrentSecurityContext Interface Support #16245
• Restore Servlet 5 Compatiblity for CookieCsrfTokenRepository #16220
• Spelling error in opensaml.adoc #16146
• Update document regarding PublicKeyCredentialCreationOptions.attestation value #16264
• Verification Options Should Return Saved Transports for Credentials #16084

• Bump com.fasterxml.jackson:jackson-bom from 2.18.1 to 2.18.2 #16184
• Bump com.webauthn4j:webauthn4j-core from 0.28.2.RELEASE to 0.28.3.RELEASE #16203
• Bump io.micrometer:micrometer-observation from 1.14.1 to 1.14.2 #16255
• Bump io.projectreactor:reactor-bom from 2023.0.12 to 2023.0.13 #16256
• Bump org.gradle.wrapper-upgrade from 0.11.4 to 0.12 #16209
• Bump org.gretty:gretty from 4.1.5 to 4.1.6 #16247
• Bump org.hibernate.orm:hibernate-core from 6.6.2.Final to 6.6.3.Final #16145
• Bump org.htmlunit:htmlunit from 4.6.0 to 4.7.0 #16205
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.22 to 4.33.23 #16180
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.26.0 to 4.27.0 #16204
• Bump org.seleniumhq.selenium:selenium-java from 4.26.0 to 4.27.0 #16167
• Bump org.springframework.data:spring-data-bom from 2024.1.0 to 2024.1.1 #16290
• Bump org.springframework.ldap:spring-ldap-core from 3.2.8 to 3.2.10 #16270
• Bump org.springframework:spring-framework-bom from 6.2.0 to 6.2.1 #16271

• Bump @antora/collector-extension from 1.0.0 to 1.0.1 in /docs #16239
• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs #16237
• Bump gradle/gradle-build-action from 2 to 3 #16278
• Remove 5.8.x and 6.2.x dependabot configuration #16268
• Remove 5.8.x from Auto Merge Forward Dependabot PRs #15770

Thank you to all the contributors who worked on this release:

@12OneTwo12, @Kehrlann, @MuhammadNFadhil, @OrangeDog, @Spikhalskiy, @dependabot[bot], @harpreets789, @kse-music, @martin-tarjanyi, @ngocnhan-tran1996, and @ynojima

• Always return current ClientRegistration in loadAuthorizedClient #16138
• CI is not using the correct secret for Develocity #16262
• Dark mode rendering issue with images on CSRF and Method Security pages #16175
• Delay initialization AuthenticationProvider in Global Authentication #16050
• Do not eagerly construct UserDetailsService bean in Global Authentication #16144
• Documentation images should render clearly in both light and dark mode #16131
• Mutate breaks functionality of StrictFirewallHttpHeaders with recently modified HttpHeaders#writabeHttpHeaders #16069
• OidcBackChannelLogoutWebFilter error response is not a correct JSON #16229
• Restore Servlet 5 Compatiblity for CookieCsrfTokenRepository #16219

• Bump io.projectreactor:reactor-bom from 2023.0.12 to 2023.0.13 #16257
• Bump org.gretty:gretty from 4.1.5 to 4.1.6 #16246
• Bump org.jfrog.buildinfo:build-info-extractor-gradle from 4.33.22 to 4.33.23 #16179
• Bump org.springframework.data:spring-data-bom from 2024.0.6 to 2024.0.7 #16289
• Bump org.springframework.ldap:spring-ldap-core from 3.2.8 to 3.2.10 #16269
• Bump org.springframework:spring-framework-bom from 6.1.15 to 6.1.16 #16272

• Bump antora from 3.2.0-alpha.6 to 3.2.0-alpha.8 in /docs #16244
• Update Antora UI Spring to v0.4.18 #16110

Thank you to all the contributors who worked on this release:

@dependabot[bot], @github-actions[bot], and @kse-music

• Documentation images should render clearly in both light and dark mode #16132
• Fix conflicting bean names between @EnableWebSecurity and @EnableWebSocketSecurity #16113

• Update Antora UI Spring to v0.4.18 #16112

Thank you to all the contributors who worked on this release:

@github-actions[bot] and @ngocnhan-tran1996

• Support ServerExchangeRejectedHandler @Bean #15975

• Support ServerWebExchangeFirewall @Bean #15974

• Support ServerExchangeRejectedHandler @Bean #16062
• Supporting logout+jwt for back-channel logout with spring-webflux #15702

• Align DelegatingAuthenticationConverter Constructors #15949
• An empty-string bearer token should result in an appropriate HTTP status code #16036
• IpAddressMatcher null pointer exception #15527
• RequestMatcherDelegatingAuthorizationManager should be post-processable #15981
• Support ServerWebExchangeFirewall @Bean #15991
• Unhandled exception in CookieRequestCache results in 500 Internal Server Error #15986
• Update logout.adoc: Fix Customizing Logout Success Example #15956

• Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 #16006
• Bump com.fasterxml.jackson:jackson-bom from 2.17.2 to 2.17.3 #16032
• Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13 #16126
• Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16082
• Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16033
• Bump org.springframework.data:spring-data-bom from 2024.0.5 to 2024.0.6 #16125
• Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16102
• Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15 #16101

• Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16117
• Update Antora UI Spring to v0.4.17 #15930

Thank you to all the contributors who worked on this release:

@asimuleo, @dependabot[bot], @github-actions[bot], and @kse-music

• Support ServerExchangeRejectedHandler @Bean #15976

• Catch base64 decode exception #15914
• Support ServerWebExchangeFirewall @Bean #15977

• Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16030
• Bump org.springframework.ldap:spring-ldap-core from 2.4.2 to 2.4.4 #16094

• Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16114
• Update Antora UI Spring to v0.4.17 #15933

We'd like to thank all the contributors who worked on this release!

• @kse-music
• @github-actions[bot]
• @dependabot[bot]

• Support ServerExchangeRejectedHandler @Bean #16061
• Support ServerWebExchangeFirewall @Bean #15987

• Fix error when Bearer token is requested with empty string #15940
• Make RequestMatcherDelegatingAuthorizationManager post-processable #15978
• RequestMatcherDelegatingAuthorizationManager should be post-processable #15948
• Unhandled exception in CookieRequestCache results in 500 Internal Server Error #15985

• Bump io.micrometer:micrometer-observation from 1.12.12 to 1.12.13 #16128
• Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16081
• Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16031
• Bump org.springframework.data:spring-data-bom from 2023.1.11 to 2023.1.12 #16127
• Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16100
• Bump org.springframework:spring-framework-bom from 6.1.14 to 6.1.15 #16099

• Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16120
• Update Antora UI Spring to v0.4.17 #15931

Thank you to all the contributors who worked on this release:

@codeconsole, @dependabot[bot], @github-actions[bot], and @jacknie84

• Add @FunctionalInterface to AuthorizationEventPublisher #15934
• Add DefaultResourcesFilter.webauthn() #15970
• Add deprecation notice for missing leading slashes #16020
• Code Cleanup #15996
• Document passkeys dependencies #16107
• Factor out some common object mocking in tests #15396
• Fix saml2 authentication guide docs #16017
• Improve documentation about CredentialsContainer #15554
• Improve Documentation on Adding a Custom Security Filter #15893
• Improve Error Message for Conflicting Filter Chains #15992
• Make it easier to determine where a filter chain has been defined #15874
• OIDC logout not working for JPA/JDBC OAuth2AuthorizationService because DefaultSaml2AuthenticatedPrincipal does not implement equality #15346
• Polish JdbcOneTimeTokenService #15997
• relying-party-registration doesn't allow placeholders in xml #14645
• Support ServerExchangeRejectedHandler @Bean #16063

• An empty-string bearer token should result in an appropriate HTTP status code #16037
• AuthorizeReturnObject AOT support should register proxied class as well #16106
• Correct class name reference in WebFilterChainProxy JavaDoc #16004
• Fix typo javadoc some classes #16022
• Initialize OpenSAML in OpenSamlAssertingPartyMetadataRepository #16055
• IpAddressMatcher null pointer exception #16104
• OpenSamlAssertingPartyMetadataRepository should initialize OpenSAML #16042
• Support ServerWebExchangeFirewall @Bean #15999
• UniqueSecurityAnnotationScanner throws ConcurrentModificationException #15906

• Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 #16005
• Bump com.fasterxml.jackson:jackson-bom from 2.18.0 to 2.18.1 #16007
• Bump com.webauthn4j:webauthn4j-core from 0.28.1.RELEASE to 0.28.2.RELEASE #16122
• Bump io.freefair.gradle:aspectj-plugin from 8.10.2 to 8.11 #16123
• Bump io.micrometer:micrometer-observation from 1.14.0 to 1.14.1 #16121
• Bump io.projectreactor:reactor-bom from 2023.0.11 to 2023.0.12 #16079
• Bump org-bouncycastle from 1.78.1 to 1.79 #16010
• Bump org.hibernate.orm:hibernate-core from 6.6.1.Final to 6.6.2.Final #16048
• Bump org.hsqldb:hsqldb from 2.7.3 to 2.7.4 #16028
• Bump org.htmlunit:htmlunit from 4.5.0 to 4.6.0 #16044
• Bump org.junit:junit-bom from 5.11.2 to 5.11.3 #15968
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.25.0 to 4.26.0 #16043
• Bump org.seleniumhq.selenium:selenium-java from 4.25.0 to 4.26.0 #16018
• Bump org.springframework.data:spring-data-bom from 2024.0.5 to 2024.1.0 #16124
• Bump org.springframework.ldap:spring-ldap-core from 3.2.7 to 3.2.8 #16097
• Bump org.springframework:spring-framework-bom from 6.2.0-RC3 to 6.2.0 #16096

• Bump @antora/collector-extension from 1.0.0-beta.4 to 1.0.0-beta.5 in /docs #16115
• fix assertions #15937
• Remove unnecessary parentheses and add static final field MockPortResolver#getServerPort #15875
• Update Antora UI Spring to v0.4.17 #15929

Thank you to all the contributors who worked on this release:

@Chu3laMan, @Kehrlann, @Limm-jk, @dcolazin, @dependabot[bot], @franticticktick, @github-actions[bot], @gzhao9, @ig-jinwoo, @jzheaux, @kse-music, @ngocnhan-tran1996, and @nomoreFt

• Add API for Looking Up Security Annotations #15700
• Add public InMemoryOneTimeTokenService.setClock(Clock) #15864
• Add Reactive One-Time Token Login Kotlin DSL Support #15888
• Add Support for Passkeys #13305
• Allow OAuth2ClientSpec to get ReactiveOAuth2AccessTokenResponseClient from Spring IoC #11097
• Allow access token request parameters to override defaults #15339
• Allow building a ClientRegistration from provided configuration #15716
• Allow logout+jwt JWT type for reactive #15847
• AuthorizationEventPublisher should accept an AuthorizationResult #15915
• AuthorizationManager should return AuthorizationResult #14846
• Clarify Username/Password Authentication Docs #15806
• Customize the strategy for resolving the principal #15833
• Introduce ExpressionJwtGrantedAuthoritiesConverter to extract nested authorities via SpEL expression #15202
• Improve encapsulation for jwtValidators #15879
• Improve readibility of empty collection checks #15898
• Improved error message for PasswordEncoder #14968
• Make Security Observations Selectable #15678
• ObjectProvider over custom getBeanOrNull method #15816
• Parameters customizer called before all parameters are set #15939
• Polish diamond operator usage #15900
• Polish OAuth2ClientConfiguration #15857
• Reactive oauth2Login should pick up OAuth2ReactiveUserService bean #15848
• Replace Date().getTime() method with System.currentTimeMillis() #15890
• Simplify Casting with ReactiveJwtDecoders #15797
• Support refresh token for Token Exchange #15534
• Update document #15862
• Update javaDoc for DefaultOneTimeTokenSubmitPageGeneratingFilter #15870
• Update websocket integration docs #15438
• Use SessionAuthenticationStrategy for Remember-Me authentication #15748

• Fix HttpSecurity Deprecation notices #15827
• Minor fix in Kotlin docs for noSpringSecurityObservations #15831
• OidcBackChannelLogoutTokenValidator should not construct when missing OIDC Provider Issuer #15824
• Restore Framework version on Snapshot build #15916
• The additionalParameters array parameter of OAuth2AuthorizationRequest causes the authorizationRequestUri to be incorrect #15830

• Bump ch.qos.logback:logback-classic from 1.5.10 to 1.5.11 #15924
• Bump com.fasterxml.jackson:jackson-bom from 2.17.2 to 2.18.0 #15859
• Bump io.freefair.gradle:aspectj-plugin from 8.10 to 8.10.2 #15881
• Bump io.micrometer:micrometer-observation from 1.13.5 to 1.13.6 #15918
• Bump io.mockk:mockk from 1.13.12 to 1.13.13 #15895
• Bump io.projectreactor:reactor-bom from 2023.0.10 to 2023.0.11 #15922
• Bump io.spring.develocity.conventions from 0.0.21 to 0.0.22 #15871
• Bump org.hibernate.orm:hibernate-core from 6.6.0.Final to 6.6.1.Final #15823
• Bump org.htmlunit:htmlunit from 4.4.0 to 4.5.0 #15960
• Bump org.junit:junit-bom from 5.11.1 to 5.11.2 #15882
• Bump org.mockito:mockito-bom from 5.14.1 to 5.14.2 #15923
• Bump org.seleniumhq.selenium:htmlunit3-driver from 4.23.0 to 4.25.0 #15959
• Bump org.seleniumhq.selenium:selenium-java from 4.24.0 to 4.25.0 #15839
• Bump org.springframework.data:spring-data-bom from 2024.0.4 to 2024.0.5 #15961
• Bump org.springframework.ldap:spring-ldap-core from 3.2.6 to 3.2.7 #15942
• Bump org.springframework:spring-framework-bom from 6.2.0-RC1 to 6.2.0-RC2 #15943

• Bump @antora/collector-extension from 1.0.0-beta.2 to 1.0.0-beta.3 in /docs #15911
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.13 to 1.0.0-alpha.14 in /docs #15834
• Fix Broken Resource Server Doc Links #15845
• Fix typo of createDefaultRequestMacher in WebSessionServerRequestCache #15867
• Polish ExpressionTemplateSecurityAnnotationScanner #15832
• Release 6.4.0-RC1 #15966

Thank you to all the contributors who worked on this release:

@JohnNiang, @bottlerocketjonny, @c1rd3cm, @dependabot[bot], @franticticktick, @heruan, @jinia91, @kse-music, @kwonyonghyun, @ngocnhan-tran1996, @nimakarimiank, @openrefactorymunawar, @regiuss-own, @rs017991, @sjohnr, @thomasdarimont, @wapkch, and @xhaggi