Update dependency org.springframework.security:spring-security-bom to v7 #11304

Open
renovate[bot] wants to merge 1 commit into master from renovate/major-spring-security

@renovate renovate bot commented Nov 17, 2025

This PR contains the following updates:

Package | Change
org.springframework.security:spring-security-bom (source) | 6.5.8 → 7.0.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-bom)

v7.0.3

⭐ New Features

  • Fix Javadoc warnings in spring-security-web #​18473
  • Fix/gradle 9 deprecations #​18485
  • Fix/gradle 9 deprecations #​18477
  • Replace method call with 'Builder.configureMessageConverters()' #​18378
  • Replacing use of deprecated 'check' in authorization documentation #​18390
  • Use DefaultParameterNameDiscoverer#getSharedInstance #​18481

🪲 Bug Fixes

  • Authorization Server fails to start with multiple PasswordEncoder beans #​18645
  • BearerTokenAuthenticationEntryPoint uses context path #​18528
  • Create SHA-1 MessageDigest for every new check request in Compromised Password Checker #​18594
  • Document Client PKCE settings #​18304
  • Fix docs typo X-Requested-By -> X-Requested-With #​18123
  • Fix Formatting in mfa.adoc #​18134
  • Fix typo in documentation #​18344
  • Fix typos #​18121

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 #​18384
  • Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 #​18684
  • Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29 #​18711
  • Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 #​18660
  • Bump com.webauthn4j:webauthn4j-core from 0.29.7.RELEASE to 0.31.0.RELEASE #​18687
  • Bump gradle-wrapper from 8.14 to 8.14.4 #​18705
  • Bump io.mockk:mockk from 1.14.7 to 1.14.9 #​18681
  • Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 #​18658
  • Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3 #​18717
  • Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 #​18683
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.13 to 1.0.14 #​18725
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5 #​18706
  • Bump org-apache-maven-resolver from 1.9.24 to 1.9.25 #​18309
  • Bump org-aspectj from 1.9.25 to 1.9.25.1 #​18326
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 #​18346
  • Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 #​18327
  • Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 #​18682
  • Bump org.junit:junit-bom from 6.0.1 to 6.0.2 #​18385
  • Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 #​18655
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1 #​18316
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2 #​18733
  • Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4 #​18732
  • Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT #​18657
  • Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 #​18651
  • Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 #​18659
  • Update Antora UI Spring to v0.4.25 #​18249
  • Update to Spring Framework 7.0.3 #​18667
  • Update to spring-data-bom 2025.1.3 #​18735

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Been24, @​Fr05ty-hub, @​Kehrlann, @​Rigu1, @​bloomsei, @​martinboulais, @​ngocnhan-tran1996, @​paulvas, @​rwinch, @​therepanic, and @​vincentstradiot

v7.0.2

🪲 Bug Fixes

  • AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #​18315

v7.0.1

⭐ New Features

  • Stop deploying JavaDoc outside of Antora #​18200

🪲 Bug Fixes

  • An unexpected dependency appeared for spring-security-config of spring-security-web #​18307
  • Fix "typ" header value in NimbusJwtEncoder-encoded JWT #​18270
  • Fix broken link to Spring Boot docs #​18236
  • Fix documentation resource server sample title #​18231
  • Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #​18223
  • Fix typo in AnnotationTemplateExpressionDefaults documentation #​18255
  • Fix typos in documentation depenendencies->dependencies #​18209
  • NimbusJwtEncoder produces JWT with wrong "typ" header value #​18269
  • OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #​18251
  • Remove requireProofKey warning for non-auth-code flows #​18221
  • Remove throws from MyCustomDsl in docs #​18224

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #​18214
  • Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #​18311
  • Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #​18245
  • Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #​18262
  • Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #​18189
  • Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #​18277
  • Bump io.mockk:mockk from 1.14.6 to 1.14.7 #​18274
  • Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #​18289
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #​18187
  • Bump org-aspectj from 1.9.24 to 1.9.25 #​18186
  • Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #​18215
  • Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #​18188
  • Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #​18312
  • Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #​18213
  • Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #​18310
  • Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #​18212
  • Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #​18244

🔩 Build Updates

  • Add Test for ServletRequestPathUtils.parseAndCache(method=null) #​18166
  • Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #​18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​L33gn21, @​ghusta, @​ronodhirSoumik, @​rwinch, @​sach429, and @​ziqin

v7.0.0

⭐ New Features

  • Add a minimal authorization server configuration #​18153
  • Mark GrantedAuthority#getAuthority as @Nullable #​18014
  • Polish SimpleGrantedAuthority #​18062

🪲 Bug Fixes

  • Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #​18026
  • Fix webauthn multifactor authentication #​18163

🔨 Dependency Upgrades

  • Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #​18099
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #​18100
  • Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #​18097
  • Update to Reactor 2025.0.0 #​18173
  • Update to Spring Data 2025.1.0 #​18174
  • Update to Spring Framework 7.0.0 #​18172
  • Update to Spring LDAP 4.0.0 #​18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kehrlann, @​SimonVonXCVII, @​quaff, and @​therepanic


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies (Pull requests that update a dependency file) and skip-changelog (Should not be shown in the changelog) labels Nov 17, 2025

@MarkEWaite MarkEWaite left a comment

I'm requesting changes on this pull request until someone does the detailed analysis to understand the Jenkins impact of upgrading to Spring Security 7

@renovate renovate bot force-pushed the renovate/major-spring-security branch 2 times, most recently from 8584294 to 9922d7b November 18, 2025 07:38
@renovate renovate bot force-pushed the renovate/major-spring-security branch from 9922d7b to 797c711 December 2, 2025 22:18
@renovate renovate bot force-pushed the renovate/major-spring-security branch 2 times, most recently from 553584e to 4a5afae December 15, 2025 22:35
@renovate renovate bot changed the title from "Update dependency org.springframework.security:spring-security-bom to v7" to "Update dependency org.springframework.security:spring-security-bom to v7 - autoclosed" Dec 28, 2025
@renovate renovate bot closed this Dec 28, 2025
@renovate renovate bot deleted the renovate/major-spring-security branch December 28, 2025 08:22
@renovate renovate bot changed the title from "Update dependency org.springframework.security:spring-security-bom to v7 - autoclosed" to "Update dependency org.springframework.security:spring-security-bom to v7" Jan 3, 2026
@renovate renovate bot reopened this Jan 3, 2026
@renovate renovate bot force-pushed the renovate/major-spring-security branch 2 times, most recently from 4a5afae to 2d18f93 January 3, 2026 17:14

jglick commented Jan 15, 2026

At least seems to depend on #11292.

@renovate renovate bot force-pushed the renovate/major-spring-security branch from 2d18f93 to 88af6ea January 22, 2026 21:09
@renovate renovate bot force-pushed the renovate/major-spring-security branch from 88af6ea to 70690ab February 2, 2026 14:50
@renovate renovate bot force-pushed the renovate/major-spring-security branch 2 times, most recently from cd2def2 to c9efeef February 13, 2026 17:54
@github-actions github-actions bot added the unresolved-merge-conflict (There is a merge conflict with the target branch.) label Feb 18, 2026
@renovate renovate bot force-pushed the renovate/major-spring-security branch from c9efeef to 649e113 February 18, 2026 16:56
@github-actions github-actions bot removed the unresolved-merge-conflict (There is a merge conflict with the target branch.) label Feb 18, 2026
@MarkEWaite MarkEWaite added the needs-ath-build (Needs to run through the full acceptance-test-harness suite) and needs-pct-build (A run through of bom is needed) labels Feb 20, 2026
@renovate renovate bot force-pushed the renovate/major-spring-security branch from 649e113 to d68fafc February 21, 2026 17:56
@MarkEWaite MarkEWaite mentioned this pull request Feb 21, 2026
14 tasks
MarkEWaite added a commit to MarkEWaite/bom that referenced this pull request Feb 22, 2026
Pull requests:

* jenkinsci/jenkins#26346
* jenkinsci/jenkins#11304
* jenkinsci/jenkins#11292

Testing done

* `PLUGINS=google-oauth-plugin,gitlab-oauth,github-oauth,oic-auth LINE=weekly TEST=InjectedTest bash ./local-test.sh`
@MarkEWaite MarkEWaite mentioned this pull request Feb 22, 2026
5 tasks
MarkEWaite added a commit to MarkEWaite/acceptance-test-harness that referenced this pull request Feb 22, 2026
Pull requests:

* jenkinsci/jenkins#26346
* jenkinsci/jenkins#11304
* jenkinsci/jenkins#11292
* jenkinsci/bom#6392

Testing done

* None.  Rely on ci.jenkins.io for the testing