Roadmap

Four milestones have shipped since the foundations. The latest published release on Maven Central is 00.72.00:

00.60.00 (2026-05-14) — all eight Konzept-V00.60 points as stable SPIs: audit, brute-force, session policy, action authorization, logout, bootstrap, plus the security-standalone adapter.
00.70.00 (2026-05-31) — all eight Konzept-V00.70 phases: multi-tenancy, 11 persistence-store SPIs with an Eclipse-Store reference, SecurityVersion drift detection, the Policy API
- @Secured method-security processor, role hierarchy, account lifecycle, API keys, rate limiting, and the Phase-8 Vaadin component layer.
00.71.00 — the credential-security stack: pluggable hashing (Argon2id / bcrypt / scrypt), post-KDF pepper, CredentialStore, atomic password change, single-use reset, breached-password checks, abuse detection, ASVS / NIST / CWE traceability. Ships in the 00.72 line.
00.72.00 (2026-06-08) — the developer-experience release: typed fluent bootstrap, @SecurityAutoService, the Vaadin starter, and secret-free diagnostics. 22 modules.

Planned: v00.80.00 — High-Security & Identity.

Delivered in 00.70.00

Area	What shipped
Multi-tenancy	`TenantId` / `ResourceRef` / `ResourceAccessContext`; every store key and service tenant-scoped. See Multi-Tenancy.
Persistence	11 store SPIs + in-memory defaults + Eclipse-Store reference + contract testkit. See Persistence.
Active sessions	`SecurityVersion` drift detection, role refresh for live sessions, store-backed `SubjectSessionRegistry`, `SessionManagementView`.
Method security	`@Secured` compile-time processor + runtime `SecuredProxy.wrap(...)`, one `SecurityEnforcer`. See Method Security.
Policy API	`@RequiresPolicy`, `PolicyRegistry`, sealed `PolicyDecision`. See Policy API.
Authorization ergonomics	`RoleHierarchy` SPI, `@RequiresAnyPermission`, `@RequiresAllPermissions`.
Account lifecycle	Password reset, email verification, `SecurityNotificationSender` SPI.
Tokens + rate limiting	API keys, rotating refresh tokens, sliding-window `RateLimitPolicy`.
Audit	27 sealed `AuditEvent` variants (11 new), `StoreBackedSecurityAuditService`.

Delivered in 00.60.00

#	Capability	Notes
1	Password hashing	`PasswordHasher` + `PasswordHash` (typed record) + `Pbkdf2PasswordHasher` (PBKDF2-HMAC-SHA256, 120 000 iter). `needsRehash(...)` drift detection; both demo stores rehash transparently on successful login.
2	Security audit pipeline	`SecurityAuditService` SPI with 16 sealed `AuditEvent` record types (incl. `UserCreated`/`UserDeleted` from the new admin UI). `RingBufferAuditSink` + `LoggingAuditSink` + `CompositeAuditService`. Vaadin `/audit` route + REST `GET /api/audit`. See Security Audit.
3	Brute-force protection	`LoginAttemptPolicy` SPI with sealed `LoginAttemptDecision = Allowed \| LockedOut`. `InMemoryLoginAttemptPolicy` default. Red lockout banner in both Vaadin demo login views; `429 + Retry-After` in REST. See Brute-Force Protection.
4	Session policies	`SessionPolicy<U>` SPI with `TimeoutSessionPolicy` default. Session-id rotation honoured on login as session-fixation defence. See Session Policy.
5	Role persistence	`AuthorizationService` stays the boundary; no `RoleStore` forced into core. Both Vaadin demos ship a `/admin/roles` UI with role assignment, user create + delete (with `ConfirmDialog`).
6	Multi-session logout	`LogoutService.logout(SubjectId, LogoutScope)` with `LogoutScope = CurrentSession \| AllSessionsOfSubject`. `SubjectSessionRegistry` tracks active sessions; `LogoutListener` lets adapters plug in cleanup. See Logout Flows.
7	Action authorization	`ActionAuthorizationService<U>` SPI (stable, not just static helpers). `ActionPermission` record, `StaticActionAuthorizationService` default. Every denial automatically emits an `ActionDenied` audit event.
8	First-run bootstrap	Modes, token store (POSIX 0600), TTL parsing, race-safe admin creation, leak-free validation, brute-force-protected. See Bootstrap.

Plus, beyond the Konzept

Capability	Notes
Core-Java adapter	New `security-standalone` module (3 classes: `Secured`, `StandaloneLoginFlow`, `ThreadLocalSubjectStore`). Same annotations enforce security on plain Java services via dynamic proxy — no Vaadin, no REST. New `demo-standalone` CLI demonstrates. See Standalone Integration.
`SecurityServiceResolver`	Central SPI cache for all eight services. Strict accessors throw `IllegalStateException`; `find…()` returns `Optional`; `set…(…)` is a programmatic test seam.
Role + User admin UI in both Vaadin demos	`/admin/roles` with single-role-set semantics; new-user dialog; per-row delete with `ConfirmDialog`. Backend-driven in `demo-vaadin-rest-client` over `GET/POST/PUT/DELETE /api/admin/users`.
Mutation-tested library	Pitest runs on all four library modules — 79 / 90 / 95 / 98 %. See Architecture → Quality.
Vaadin Browserless Testing	Wired in `security-vaadin` + both Vaadin demos. Real adapter-test suite covers LoginView policy ordering, action-gated UI patterns, B3 session-id rotation against `MockHttpSession`, lockout banner formatting, `/audit` grid filtering, `/setup`, `/admin/roles` flows, `MainView` tab matrix per role. Replaces the planned Karibu / TestBench setup — free since Vaadin 25.1.
~570 tests across all modules	Reactor-wide `mvn test`.

Open within the 00.60 line

Capability	Why it matters
`PermissionName` graduation	Still marked `@ExperimentalSecurityApi`. Konzept calls for stable status alongside the now-shipped `ActionAuthorizationService` SPI.
Demo mutation-coverage push	`demo-rest` (49 %) and `demo-vaadin-rest-client` (10 %) trail the library numbers. Pitest run pending for the next iteration.

Delivered in 00.71.00 (Credential Hardening)

✅ Shipped on Maven Central as part of the 00.72.00 release line. Phases 1a–5 complete (35 of 36 prompts). Pull it in with 00.72.00 coordinates — see Quick Start.

v00.71.00 is a dedicated credential-security stack built against modern standards (OWASP ASVS V2, NIST SP 800-63B, CWE):

Pluggable hashing — JDK-only PBKDF2 core plus an optional security-crypto-bc module adding Argon2id / bcrypt / scrypt (BouncyCastle lightweight API, no global JCA mutation).
Post-KDF HMAC pepper with rotation, calibration profiles, Unicode-aware input hygiene, SecretValue (AutoCloseable).
CredentialStore with compare-and-swap updates, an eight-state lifecycle, atomic password change, single-use selector/verifier reset.
Abuse detection — multi-dimensional sliding-window (username / client-address / tenant / global), credential-stuffing and password-spraying detectors, context-aware password validation, optional password history.
Compromised-password check — CompromisedPasswordChecker SPI with an optional security-credentials-hibp module (Have I Been Pwned via k-anonymity SHA-1 prefix; plaintext never leaves the JVM).
Compliance traceability — ASVS / NIST / CWE coverage matrix.

Delivered in 00.72.00 (Developer Experience)

✅ Latest release on Maven Central. All 35 V00.72 prompts shipped; the DX surface is marked @ExperimentalSecurityApi until V00.73 wiring follow-ups.

v00.72.00 is a deliberate stabilisation / adoption release — no new security primitives, no SPI replaced. It lowers the integration barrier with four building blocks:

Typed fluent bootstrap — VaadinSecurity.bootstrap() / RestSecurity.bootstrap() / StandaloneSecurity.bootstrap() configure every subsystem in one call path and return a diagnostic SecurityRuntime; SecurityBootstrapMode (COMMUNITY_DEFAULTS / DEVELOPMENT / PRODUCTION / STRICT).
@SecurityAutoService — a dependency-free annotation + JDK-only processor that generates META-INF/services files (no external Google AutoService); a marker-comment protocol preserves hand-written entries.
security-vaadin-starter — declarative SecuredUi.button / link / menuItem, @SecureRoute(roles, permissions, policy), and development / production / strict profiles.
SecurityDiagnostics.inspect() — secret-free report of active services, applied defaults, generated wrappers, and missing / duplicate / conflicting SPIs.

Reactor grows 16 → 22 modules; security-core is unchanged.

Read more: v00.72.00 · 00.72.00 release notes.

Planned — v00.80.00

Concept only — nothing below ships today. SPIs, module names, signatures, and scope may shift before they land.

v00.80.00 — Planned

High-security & identity integration. MFA / step-up, WebAuthn / Passkeys, OIDC-OAuth2 bridge, device + remember-me management, risk-based authentication, tamper-evident audit (hash-chaining), Security Event Bus, metrics + health, fail-closed strict mode, CSRF hardening, GDPR / retention / backup-restore.

Explicitly out of scope

Built-in cluster mode. The SPIs (SubjectSessionRegistry, SecurityAuditService, LoginAttemptPolicy) are deliberately shaped so Redis / database / IAM-backed implementations are drop-in replacements when needed.
security-javafx as a dedicated module. Both 00.70 and 00.80 concepts hold the line: security-standalone covers Swing / JavaFX / CLI functionally via manual Secured.wrap(...) + StandaloneLoginFlow. A JavaFX-specific module only makes sense once a real UI-lifecycle need surfaces.
Becoming a full IAM / OIDC stack. The 00.80 OIDC/OAuth2 bridge translates external identity into internal subjects; it does not replace established identity-provider clients.

License

EUPL 1.2