spring-security
Spring Security
**Expected Behavior** When there are multiple filter chains configured for any request, Spring Security should make it as easy as possible for the user to correct their configuration mistake by...
**Describe the bug** I have two endpoints with path variables. One endpoint is specified with two path variables and the other with one path variable. I want to open the...
Fix DefaultLoginPageConfigurerTests localization failure on system language different than English
The PR aims to fix the `DefaultLoginPageConfigurerTests.loginPageWhenErrorThenDefaultLoginPageWithError()` failure given the system language is set to something other than English. When asserting the Bad credentials login page, the expected template contains...
To reduce code duplication between `InMemoryOneTimeTokenService` and `JdbcOneTimeTokenService`, need to separate out the shared code in `AbstractOneTimeTokenService`. This class can be made part of public API so that developers can...
To activate OIDC Back-Channel Logout support in the DSL, an application does this:

```java
http
    .oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()))
```

This could be simplified to:

```java
http
    .oidcBackChannelLogout(Customizer.withDefaults())
```

This...
**Describe the bug** Spring SAML considers NameID to hold username, populates `Saml2AuthenticatedPrincipal#name` with NameID value and later in Single Logout flow again populates/validates NameID value using Principal Name. This behaviour...
I recently upgraded our Spring Boot application from version 2.4.3 to 3.3.3. Although I saw some tickets related to this issue that were previously closed, the issue has resurfaced in...
The current default in Spring Security is that all its observations--filter chain, authentication, and authorization--are made. In #15678, `SecurityObservationSettings` was added so that applications could easily change these settings. Its...
**Describe the bug** Once I added a `DispatcherServlet` to my EAR application deployed on JBoss 7.4, I started to get the following exception: ``` Exception handling request to /myapp/rest/foo/hello: java.lang.IllegalArgumentException:...
**Describe the bug** Apparently, neither the ID token nor the `userinfo` are updated during the refresh token flow in Spring clients with `oauth2Login`. This has at least two consequences: -...