spring-security
Spring Security
If I have 2 classes,

```
public abstract class AbstractService {
    public void doSmth() {...}
}

@Secured("SECURE")
@Service
public class Service extends AbstractService {
    ...
}
```

and when I...
**Expected Behavior** Should it be possible to use reactive WebClient to create non-reactive JwtDecoder?

```
NimbusJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
    .webClient(WebClient.builder().build())
    .cache(jwkSetCache)
    .build()
```

**Current Behavior** It is only possible to use RestTemplate as...
closes #17309 - [x] Squash and Sign Off after review
**Expected Behavior** When using an OAuth2 client registration configured for the client credentials flow, the `ServerOAuth2AuthorizedClientExchangeFilterFunction` should use tokens scoped for the application instead of the current user. **Current Behavior**...
**Describe the bug** When using a `CustomUserDetails` (interface & extends `UserDetails`) and testing the presentation (controller) layer via `@WebMvcTest`, `org.springframework.data.web.ProxyingHandlerMethodArgumentResolver` is being used as the ArgumentResolver instead of `AuthenticationPrincipalArgumentResolver`. Consequently, a `null` value...
Currently One Time Tokens are created and then the success handler is invoked even if the user does not exist. We should only generate a token and invoke the success...
Closes gh-16750
It is not as simple as I would expect to authenticate using [Twitter / X v2 Log In APIs](https://developer.x.com/en/docs/authentication/oauth-2-0). We should simplify this process. This is inspired by the question...
This PR adds support for extracting usernames from nested properties in OAuth2 user info responses using SpEL expressions, addressing the limitation where providers wrap user data in nested objects. Fixes...
Closes gh-17188