spring-security
Spring Security
This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure. Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot GitHub...
[Pelit Mamani](https://jira.spring.io/secure/ViewProfile.jspa?name=pelmam) (Migrated from [SEC-2839](https://jira.spring.io/browse/SEC-2839?redirect=false)) said: After reloading parsers, one needs to call 'get' again. Please see: class: org.springframework.security.config.SecurityNamespaceHandler Method: public BeanDefinition parse(Element element, ParserContext pc) Contains: ``` BeanDefinitionParser parser...
DaoAuthenticationProvider is autoconfigured when more than one AuthenticationProvider is registered
**Describe the bug** By default, the `AuthenticationManagerBuilder` is [autoconfigured](https://github.com/spring-projects/spring-security/blob/da9d7414bd88dac94785cea6dab742e18bd7cd57/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java#L119) with an `AuthenticationProvider`, [if registered](https://github.com/spring-projects/spring-security/blob/da9d7414bd88dac94785cea6dab742e18bd7cd57/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeAuthenticationProviderBeanManagerConfigurer.java#L57), or with a `DaoAuthenticationProvider`, if a `UserDetailsService` [is registered](https://github.com/spring-projects/spring-security/blob/da9d7414bd88dac94785cea6dab742e18bd7cd57/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurer.java#L62). Both configurers back off if the `AuthenticationManagerBuilder` [is...
This PR makes using `@AuthorizeReturnObject` practical on a more diverse set of classes and interfaces, including Spring Data interfaces. A typical Spring Data interface begins like this: ```java public interface...
Sometimes, e.g., Keycloak has additional authorities. They can be roles in the Keycloak token stored in realm_access.roles and should be converted to authorities with the prefix ROLE_. Customizing this behaviour is problematic...
**Describe the bug** We are using OpenApi Generator to generate an Interface for our Controller. When I add **@EnableMethodSecurity** with **@PreAuthorize** I get the error: **No static resource** for that...
Closes gh-14652
For this feature, we have at least 2 options: 1. Create a `DeniedHandlerMethodInterceptor` that intercepts `AccessDeniedException` thrown from methods annotated with `@DeniedHandler`: - The `AuthorizationManagerAfterMethodInterceptor` would have to throw a...
**Expected Behavior** Usually the term `baseUri` means a URI **prefix**. E.g. in the `oauth2Login.authorizationEndpoint` configurer there is a `baseUri(..)` method that actually sets the base URI of the authorization endpoint. `OAuth2AuthorizationRequestRedirectFilter` will match all...
This fixes https://github.com/spring-projects/spring-security/issues/11725 and reflects the feedback from https://github.com/spring-projects/spring-security/pull/12818