spring-security
Spring Security
The default `SecurityContextRepository` for stateless applications is now `RequestAttributeSecurityContextRepository`. However, `SecurityContextConfigurer` sets the `SecurityContextRepository` to `HttpSessionSecurityContextRepository` if it isn't already set as a shared object. This results in the context...
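The interaction described in that issue is easy to sidestep by setting the repository yourself, so the configurer's `HttpSessionSecurityContextRepository` fallback never applies. The following configuration is an added example, not code from the issue or from the Spring Security project; it assumes Spring Security 5.7 or later, where `securityContext()` and `securityContextRepository(...)` exist on `HttpSecurity` and `SecurityContextConfigurer`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;

// Added example configuration (hypothetical class name); assumes Spring Security 5.7+.
@Configuration
public class StatelessSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Declaring STATELESS alone does not change which SecurityContextRepository
            // SecurityContextConfigurer falls back to when none is registered as a
            // shared object ...
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // ... so register the request-scoped repository explicitly. The context then
            // lives only for the duration of the request and is never written to an
            // HttpSession.
            .securityContext(context -> context
                .securityContextRepository(new RequestAttributeSecurityContextRepository()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check that the explicit setting took effect: after authenticating with HTTP Basic, the response must carry no `Set-Cookie: JSESSIONID` header, and a follow-up request without credentials must be rejected rather than served from a session.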
**Describe the bug** https://github.com/spring-projects/spring-security/blob/5.7.3/docs/modules/ROOT/pages/servlet/test/mockmvc/result-matchers.adoc#authenticated-assertion The Kotlin examples for the MockMvc assertions call the Java functions, but these methods are not compatible with the Kotlin DSL, and so this test will...
In [this line](https://github.com/spring-projects/spring-security/blob/5.7.3/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java#L108), the `Saml2MetadataFilter` sends out the response without specifying an encoding. The response will therefore be encoded using the default `ISO-8859-1` encoding (see `getWriter` Javadoc). However, the xml...
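The fix for the encoding problem described above is to declare the character encoding on the response before the writer is obtained, because the servlet container fixes the encoding at the first `getWriter()` call. The helper below is an added example, not the project's own `Saml2MetadataFilter` code; the class name, the `application/samlmetadata+xml` content type and the sample XML are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletResponse;

// Added example helper (hypothetical name), not code from Saml2MetadataFilter.
final class MetadataResponseWriter {

    // Assumed content type; the SAML metadata media type registered with IANA.
    private static final String METADATA_CONTENT_TYPE = "application/samlmetadata+xml";

    static void write(HttpServletResponse response, String metadataXml) throws IOException {
        // Both calls must happen before getWriter(): once the writer exists, the
        // container has already committed to an encoding (ISO-8859-1 by default).
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setContentType(METADATA_CONTENT_TYPE + ";charset=UTF-8");

        // Content-Length must be the UTF-8 byte count, not the char count: any
        // non-ASCII entity name or organisation name makes the two differ.
        byte[] body = metadataXml.getBytes(StandardCharsets.UTF_8);
        response.setContentLength(body.length);

        response.getWriter().write(metadataXml);
        response.flushBuffer();
    }

    // Constructed sample with a non-ASCII OrganizationDisplayName, which is exactly
    // the kind of value that is mangled when the body is written as ISO-8859-1.
    static String sampleMetadata() {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\""
            + " entityID=\"https://sp.example.org/saml2/service-provider-metadata/one\">"
            + "<md:Organization>"
            + "<md:OrganizationDisplayName xml:lang=\"de\">Beispiel GmbH Zürich</md:OrganizationDisplayName>"
            + "</md:Organization>"
            + "</md:EntityDescriptor>";
    }
}
```

The XML prolog claiming `encoding="UTF-8"` while the bytes on the wire are ISO-8859-1 is the mismatch the issue points at: a strict XML parser on the identity-provider side will either reject the document or read `ü` as two garbage characters. Writing the bytes explicitly, or setting the encoding as above, removes the dependency on the container default.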
[Servlet spec states](https://jakarta.ee/specifications/servlet/5.0/jakarta-servlet-spec-5.0.html#the-include-method) that include dispatch: > ... cannot set headers or call any method that affects the headers of the response... Any attempt to set the headers must be...
**Expected Behavior** The `AuthorizationChannelInterceptor` implements a contract in `postReceive()` similar to the one in `preSend()`, which is applicable to `PollableChannel` implementations. **Current Behavior** The `AuthorizationChannelInterceptor` currently implements only `preSend()` for...
The implementation can replace the authentication token, which will be `PreAuthenticatedAuthenticationToken` or its subclass, by overriding the method `createAuthenticationToken`. The system may be authenticated by several external systems, and if...
`AuthenticationManager` and `AuthenticationProvider` have the same primary signature. In an effort to simplify the API, `AuthenticationProvider` should be deprecated. Here is an initial list: - [ ] Have existing `AuthenticationProvider`s...
**Describe the bug** As [mentioned in gitter](https://gitter.im/spring-projects/spring-security?at=633bbecbb4ccef19d021b93c)... My app currently runs on Spring Boot 2.7.4. I was testing compatibility with 3.0.0-M5. All appeared to work well except one aspect of...
We should look in every location and require that if an authorization manager abstained, then access should be denied. One option is that if the AuthorizationResult is null, then deny...
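Until the framework itself treats abstention as denial, an application can enforce the "null means deny" rule by wrapping its authorization managers. The decorator below is an added example, not Spring Security's own code; it assumes Spring Security 5.7's `AuthorizationManager` interface, whose default `verify()` only throws when the returned decision is non-null and not granted, so a `null` result from `check()` passes through as if access were allowed.

```java
import java.util.function.Supplier;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;

// Added example (hypothetical class); turns an abstention (null decision) from the
// delegate into an explicit denial.
public final class DenyOnAbstainAuthorizationManager<T> implements AuthorizationManager<T> {

    private final AuthorizationManager<T> delegate;

    public DenyOnAbstainAuthorizationManager(AuthorizationManager<T> delegate) {
        this.delegate = delegate;
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
        AuthorizationDecision decision = this.delegate.check(authentication, object);
        if (decision == null) {
            // Fail closed: a manager that cannot decide must not grant access by omission.
            return new AuthorizationDecision(false);
        }
        return decision;
    }

    @Override
    public void verify(Supplier<Authentication> authentication, T object) {
        // Re-implemented rather than inherited so the abstain case is covered here too.
        if (!check(authentication, object).isGranted()) {
            throw new AccessDeniedException("Access Denied");
        }
    }

    // Usage sketch inside a SecurityFilterChain bean (assumed API from 5.7):
    //   http.authorizeHttpRequests(auth -> auth.anyRequest()
    //       .access(new DenyOnAbstainAuthorizationManager<>(customManager)));
}
```

A regression test for this wrapper is a delegate that always returns `null`: with the wrapper, `verify()` must throw `AccessDeniedException`, whereas the bare delegate's default `verify()` returns normally, which is the gap the issue describes.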
Making Spring Security's actions observable at runtime will help make applications more secure. Following [recommendations from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html#which-events-to-log), we should: - [x] [Add authorization events](https://github.com/spring-projects/spring-security/pull/9527) - [ ] Add OAuth2 client...