fix(deps): update dependency org.springframework.security:spring-security-web to v7.0.4 [security] #2459

Merged: commjoen merged 1 commit into master from renovate/spring.security.version on Mar 21, 2026

@renovate renovate bot commented Mar 20, 2026

This PR contains the following updates:

| Package | Change |
| --- | --- |
| org.springframework.security:spring-security-web (source) | 7.0.3 → 7.0.4 |

GitHub Vulnerability Alerts

CVE-2026-22732

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. 
This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.


Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v7.0.4

Compare Source

⭐ New Features

  • Update RestTemplateBuilder usage in opaque-token.adoc #​18836

🪲 Bug Fixes

  • Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #​18784
  • Add Jackson Mixin for WebAuthnAuthentication #​18878
  • Add Missing OnCommitedResponseWrapper Header Overrides #​18799
  • Document the change in dependency coordinates with Spring Security 7 #​18773
  • Ensure tests clear AuthorizationServerContextHolder #​18768
  • Fix CookieRequestCache parameters #​18864
  • Fix Flaky Crypto Tests #​18842
  • Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #​18897
  • HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #​18834
  • OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #​18873
  • Restore upgradeEncoding condition in DaoAuthenticationProvider #​18788
  • saveAuthenticationRequest should read relayState from authenticationRequest #​18884
  • SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #​18487
  • ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #​18276
  • TokenBasedRememberMeServices documentation snippets should compile #​18642
  • Update request-matcher XML property to support PathPatternRequestMatcher #​18737

🔨 Dependency Upgrades

  • Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #​18853
  • Bump actions/upload-artifact from 6.0.0 to 7.0.0 #​18810
  • Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #​18752
  • Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #​18830
  • Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #​18877
  • Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #​18751
  • Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #​18792
  • Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #​18861
  • Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #​18887
  • Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #​18743
  • Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #​18904
  • Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #​18764
  • Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #​18905
  • Update Antora UI Spring to v0.4.26 #​18893
  • Update to spring-security-release-tools 1.0.15 #​18909

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​busoco-sjb, @​making, @​meliezer, @​ngocnhan-tran1996, @​rwinch, @​sephiroth-j, @​therepanic, @​thuri, and @​ziqin


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies and renovate labels Mar 20, 2026
@renovate renovate bot requested review from bendehaan and commjoen as code owners March 20, 2026 21:06
@commjoen commjoen merged commit 4959d56 into master Mar 21, 2026
16 of 17 checks passed
@commjoen commjoen deleted the renovate/spring.security.version branch March 21, 2026 20:23