spring-security
Spring Security
**Describe the bug** With Redis session enabled and a GenericJackson2JsonRedisSerializer based on an ObjectMapper registered with OAuth2ClientJackson2Module, an exception is thrown on JDK 17 while serializing: `com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Invalid type definition for type `org.springframework.security.oauth2.core.OAuth2AuthenticationException`: Failed...`
`X-Xss-Protection` header, when set to mode=block, is different in Servlet and Reactive stacks: - `X-Xss-Protection: 1; mode=block` in Servlet - `X-Xss-Protection: 1 ; mode=block` in Reactive, with an extra space...
**Expected Behavior** Permission#getMask() returns long. **Current Behavior** Permission#getMask() returns int. **Context** In our project we have very complex security restrictions. We have a lot of tiny permissions (1 bit for...
We should remove `SecurityContextPersistenceFilter` in favor of explicit saves to the SecurityContextRepository. This will provide lots of benefits: * There will be no confusion when the SecurityContext should be saved...
This commit https://github.com/spring-projects/spring-framework/commit/22a750f378fcdf9d4baab721ec92952280afa207, which is now merged in Spring Framework main, added a GraalVM feature that makes two types of fields constant at build time: - `NativeDetector#imageCode` - Static fields with...
**Describe the bug** So I've built a frontend application which does two requests in parallel: - GET /user/info (authenticated endpoint) - GET /app/data (public endpoint) I've set up Spring Security to create...
The main reference documentation has a servlet section https://docs.spring.io/spring-security/reference/servlet/index.html; however, if you are building code that does not need servlet access or cannot access servlet applications, such as Quartz, some...
We need to provide support for OAuth 2.0 Token Exchange [RFC 8693](https://tools.ietf.org/html/rfc8693) Related #6053
**Expected Behavior** When building a `ClientRegistration` and passing a string to the `AuthorizationGrantType` constructor, invalid grant types that match case insensitively with a pre-defined constant could log a warning informing...