Spring Security

Results 442 spring-security issues

**Describe the bug** Using `@EnableGlobalMethodSecurity(securedEnabled = true)` does not work with injected `RoleHierarchy` For `@Secured` based version of interceptor the only Voters configured in `AffirmativeBased` are `RoleVoter` and `AuthenticatedVoter`. Injected...

in: web
type: enhancement

**Describe the bug** IpAddressMatcher.matches(var) returns true when var is null **To Reproduce** create a new IpAddressMatcher with an ip address or subnet to check against, afterwards check a variable with...

status: waiting-for-feedback
type: bug

**Describe the bug** Consider the following controller: ``` @RestController public class SecuredController { @GetMapping(path = "/rolesAllowed_GUEST") @RolesAllowed("GUEST") public String rolesAllowed_GUEST() { return "GUEST"; } @GetMapping(path = "/rolesAllowed_ROLE_GUEST") @RolesAllowed("ROLE_GUEST") public String...

status: waiting-for-triage
in: core
type: bug

**Describe the bug** I tried all codes in https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html, but they all failed to work **To Reproduce** configure codes in a SecurityConfig.java file in my springboot, which is migrated from...

in: docs
type: bug
status: ideal-for-contribution

When attempting to run tests on the `5.7.x` branch using the built-in Gradle runner, the tests fail to compile and report missing classes in `Saml2LoginConfigurerTests`. However, when configuring to run...

type: bug
in: saml2

**Summary** Spring-security-oauth2.xsd should be published under https://www.springframework.org/schema/security/ Or was this removal intentional? Because it crashes our application based on spring. **Actual Behavior** Spring-security-oauth2.xsd is not available under https://www.springframework.org/schema/security/ causing XML...

for: external-project

By doing:

```java
@Bean
ApplicationListener securityEventListener() {
    ObservationRegistry observationRegistry = ObservationRegistry.create();
    observationRegistry.observationConfig().observationHandler(new ObservationTextPublisher());
    return DelegatingObservationSecurityEventListener.withDefaults(observationRegistry).build();
}
```

Then all `AuthenticationSuccessEvent`s, `AuthenticationFailureEvent`s, `AuthorizationGrantedEvent`s, and `AuthorizationDeniedEvent`s will be handled by Micrometer. Specifically,...

in: core
type: enhancement

This could close https://github.com/spring-projects/spring-security/issues/11661 It adds configurable authentication converter for resource-servers with token introspection (something very similar to what `JwtAuthenticationConverter` does for resource-servers with JWT decoder). The new `(Reactive)OpaqueTokenAuthenticationConverter` is...

status: waiting-for-triage
status: duplicate
type: enhancement
in: oauth2

The `FilterSecurityInterceptor` and `AuthorizationFilter` now apply to every request by default. This led to a problem from Spring Boot's perspective: Consider the following configuration: ```java @Bean SecurityFilterChain appSecurity(HttpSecurity http)...

in: config
type: enhancement