spring-security
Spring Security
**Describe the bug** `ReactiveMethodSecurityConfiguration` is initialized prematurely when the context contains a `BeanPostProcessor`. This results in the following log message:
```
11:04:02.687 [main] INFO org.springframework.context.support.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean 'org.springframework.security.config.annotation.method.configuration.ReactiveMethodSecurityConfiguration' of type...
```
We should provide support for encrypting / decrypting the claims set of a JWE (JSON Web Encryption).
Rather than totally ignoring saving the SecurityContext we should place it on the request as a request attribute to ensure that other dispatch types work properly. Related gh-10918
**Describe the bug** I am using CookieRequestCache. However, as SendRedirect proceeds first, cookie settings are not included. **To Reproduce** **Expected behavior** **Sample** https://github.com/spring-projects/spring-security/blob/bf138c5154e87b55ab6f1c8940116351d6e1aedc/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java#L189-L190
The artifact jar of spring-security-saml2-service-provider contains a file named `previous-compilation-data.bin`. As I understand this file correctly, it is used by Gradle and should not be part of the final artifact.
We've been working on an enhancement ([gh-8732](https://github.com/spring-projects/spring-security/pull/8732)) that allows an application to provide a custom `RestOperations` or `WebClient` `@Bean`, which would be auto-wired to the related components for `oauth2-client` or...
**Current Behavior** Currently, when attempting to work with an invalid client ID, an ERROR is logged: `Authorization Request failed: java.lang.IllegalArgumentException: Invalid Client Registration with Id: xxxl` (`org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver#resolve(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String)`) **Desired...
**Describe the bug** I specifically want to use WebClientReactiveClientCredentialsTokenResponseClient because it provides WebClient to integrate with Okta api with client credentials private_key_jwt. Okta's [/v1/token](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#get-an-access-token) url needs client_assertion_type of urn:ietf:params:oauth:client-assertion-type:jwt-bearer, grant...
The `security-method` sample in spring-native branch `sb-3.0.x.` uses `@PreAuthorize` on a controller. The resulting native image fails with this exception:
```
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'controller2': Proxy class...
```