spring-security
Spring Security
**Expected Behavior** `Saml2MetadataFilter` should not require information about an identity provider / asserting party in order to generate the metadata. The `RelyingPartyRegistration` is intended to be a representation of both...
**Expected Behavior** [RFC 9126](https://datatracker.ietf.org/doc/html/rfc9126) introduces pushed authorization requests (PAR) for OAuth. In essence, pushed authorization requests allow the client to send authorization request information to the authorization server through back...
https://github.com/pingidentity/ldapsdk/releases/tag/7.0.0 The devil will be in the details, but looking at the release notes, the only obviously breaking change is dropping support for Java 7. As such, for Spring's user...
I'm creating this as a parent issue to some method security enhancements that I think would be nice. - [x] #14480 - [x] #14596 - [x] #14601 - [x] #14597...
Fixes #14751
According to the [Webflux documentation](https://docs.spring.io/spring-framework/reference/web/webflux/controller/ann-methods/responseentity.html) it is allowed to use the return type `ResponseEntity`. Neither [AuthorizationManagerBeforeReactiveMethodInterceptor](https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java#L112) nor [AuthorizationManagerAfterReactiveMethodInterceptor](https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java#L112) support this. Using a method signature with the described return type causes...
**Describe the bug** I am working on a small project to have a 'gateway' application in between Landing page and Backend API servers. Following the admin [guide](https://docs.spring.io/spring-security/reference/reactive/integrations/cors.html) of Spring boot...
Using Spring Security 6.0.8 I use XML based configuration for most security setup as I have customisations that need to be dynamically processed. Using
**Describe the bug** Can't create a UsernamePasswordAuthenticationToken with CAS authentication, there's no CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER anymore **To Reproduce** Just read the source of CasAuthenticationFilter **Expected behavior** Create a UsernamePasswordAuthenticationToken for CAS authentication...
**Describe the bug** In Spring Security 6.2.2 the `OidcBackChannelLogoutHandler.java` logout handler automatically replaces the logout URL endpoint hostname with `localhost`. However, in a Tomcat context, we also need to specify...