spring-security
Spring Security
This helps to reduce custom code necessary to extract roles from deeply nested claims. Fixes #15201
**Describe the bug** Spring Security is unable to complete SLO successfully if the asserting party (IdP) does not sign the SAMLResponse. **To Reproduce** Configure Spring Security with an appropriate asserting...
**Describe the bug** When using Spring boot in version 3.2.1, together with Redis-base session store, session invalidation fails because of lack of Base64 cookie encoding When back channel logout implementation...
**Describe the bug** When using CookieRequestCache, Firefox complains: > Cookie “REDIRECT_URI” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value...
**Describe the bug** After upgrading to Spring Boot 3.3.0 and Spring Security 6.3.0 I've tried to migrate my single `Mono` `@PreAuthorize` calls to more complex ones as I thought that...
**Expected Behavior** Users should be able to specify a SpEL expression on the `JwtGrantedAuthoritiesConverter` to extract the granted authorities from a nested claim structure. This helps to reduce the necessary...
It's common in an application to use Spring MVC to publish a custom login page, for example like so:

```java
@GetMapping("/login")
String startLogin() {
    return "login";
}
```

And it's...
# Description This pull request introduces new methods in the StrictHttpFirewall class that allow for the augmentation of the sets of allowable header names, header values, parameter names, and parameter...
We should add support for [one time token authentication](https://en.wikipedia.org/wiki/One-time_password), one common example is magic links sent in email or a text code to log a user in. Note that this...
[The OAuth 2.0 for Browser-Based Apps draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-18#name-backend-for-frontend-bff) outlines the use of an HTTP-Only cookie to resolve the bearer token when the Application and API share a domain: > The BFF...