spring-security
Spring Security
**Describe the bug** `JwtDecoderProviderConfigurationUtils` uses `UriComponentsBuilder` to modify a `URI` in `oidc`, `oidcRfc8414` and `oauth`. Due to a known issue in UriComponents builder (https://github.com/spring-projects/spring-framework/issues/27774), this produces invalid URIs in the...
Spring Security 6.2.5. Without any customization, the default `RequestCache` is `HttpSessionRequestCache` (created by private methods in `RequestCacheConfigurer`). For some situations, it would be necessary to customize that cache. An example...
Given #15816, it may be easier to make Spring Security's bean resolution policy more consistent. Reports like #15751 and #15538 make it clear that the existing behavior in some parts...
We should align `(Server|Servlet)OAuth2AuthorizedClientExchangeFilterFunction` with `OAuth2ClientHttpRequestInterceptor` which introduces a `ClientRegistrationIdResolver` as a flexible strategy for resolving the `clientRegistrationId` for a given request. For `WebClient`-based `ExchangeFilterFunction`s, the interface could be: ```java...
`UserAuthorities` is a new core interface similar to `UserDetails`. The difference is that `UserAuthorities` does not include password/credentials information. This is helpful for scenarios where a password is not required....
Please see https://github.com/spring-projects/spring-security/issues/15319#issuecomment-2198695646 for details on what to include
We should consider supporting expressions in method authorization handlers for simple setups. Currently, if you want to handle authorization denied and map the return value to `null`, you must create...
For Spring Boot 3.1.6 with Spring Security where the respective version used behind the scenes is 6.1.5. Consider the following code: ``` @Configuration @Profile("security") @EnableWebSecurity(debug=true) class SecurityConfig { ... @Bean...
**Describe the bug** Spring Security, even if configured with `SessionCreationPolicy.NEVER` or `SessionCreationPolicy.STATELESS`, creates a session when using `RequestHeaderAuthenticationFilter`. It may be caused by the change here https://github.com/spring-projects/spring-security/commit/4479cefade65333c1a60904a67d993b69b277206#diff-b9376389ef77383ad282c387359020ed122ad52d641cf25de70f104deae213d8R113 that changed `AbstractPreAuthenticatedProcessingFilter`...