spring-security
Spring Security
**Describe the bug**

HttpSecurity configuration with `securityMatcher` and `oauth2Login(withDefaults())` leads to 404 for _some_ OAuth2 endpoints.

**To Reproduce**

1. Clone this repo: https://github.com/Haarolean/spring-security-matchers-bug
2. Run the app
3. Go to...
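An added configuration example, not taken from the linked reproduction repository and not a statement about what that repository does, showing the default endpoint paths that a `securityMatcher`-scoped `HttpSecurity` must include for `oauth2Login()` to receive requests at all. `/app/**` is an assumed application path; the excerpt does not say whether the reporter's matcher omitted any of these paths.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuth2LoginMatcherConfig {

    @Bean
    SecurityFilterChain oauth2LoginChain(HttpSecurity http) throws Exception {
        http
            // Only requests matching these patterns are handled by this chain.
            // "/app/**" is an assumed application path. The other two are the
            // default paths used by oauth2Login():
            //   /oauth2/authorization/{registrationId}  starts the authorization flow
            //   /login/oauth2/code/{registrationId}     receives the provider redirect
            // If they are left out of the matcher, the filters that serve them never
            // see the request, which falls through to the application (typically 404).
            .securityMatcher("/app/**", "/oauth2/authorization/**", "/login/oauth2/code/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(withDefaults());
        return http.build();
    }
}
```

A quick check when chasing a 404 on an OAuth2 endpoint: list the `SecurityFilterChain` beans and their request matchers at debug log level and confirm that the failing path is matched by the chain that registers `oauth2Login()`.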
When upgrading to Spring Boot 2.7.11 and later we started having sessions even though we have explicitly configured the use of the `SecurityContextRepository` to be the `NullSecurityContextRepository`. We traced this...
**Describe the bug** Each `RelyingParty` can specify its own logout URL properties, but doing that results in having to change the `RequestMatcher` used by `Saml2LogoutRequest/ResponseFilter` manually to match those different...
[This PR](https://github.com/spring-projects/spring-security/pull/9737) introduced the `SecurityMockMvcResultHandlers` with the `exportTestSecurityContext` method. It works well when used with `@WithSecurityContext` and the annotations that inherit from it. However, it does not work when not using...
When I use the reactive WebFilter in a WebFlux application, no AuthenticationEvents are published.
This would simplify the resolution of a `OneTimeToken`. Currently, a `OneTimeTokenService` should be injected and a `OneTimeTokenAuthenticationRequest` must be created manually.

```java
@GetMapping("/ott/generate")
public String generateOtt(Authentication authentication, Model model) {...
```
**Expected Behavior** When we configure `MessageMatcherDelegatingAuthorizationManager` it should be possible to provide an instance of a class that supports expression-based authorization to the method `org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager.Builder.Constraint.access(AuthorizationManager
**Expected Behavior** Currently, if the JWT has `typ` set to `"at+jwt"`, the token is rejected with the message "Failed to authenticate since the JWT was invalid". Spring Security OAuth2 Resource Server...
Hi, using spring-security 6.3.3 the [InitializeUserDetailsBeanManagerConfigurer](https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurer.java#L95) has this code: `PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);` It looks for a password encoder and, if this returns null, a `new DaoAuthenticationProvider();`...
One common requirement is to request a One-Time Token from your computer browser, open the magic link on your phone (where you are authenticated), and then the browser, instead of...