Spring Security

Results 621 spring-security issues

Closes gh-17302

type: enhancement
in: oauth2
type: breaks-passivity

Closes gh-17305

type: enhancement
in: saml2
type: breaks-passivity

**Summary** I'd like to propose adding a `getCreationTime()` method to the `org.springframework.security.core.session.SessionInformation` interface to enhance session lifecycle visibility and control. See also the discussion with @jgrandja in [auth_time claim doesn't...

in: core
type: enhancement

Spring Security's x509 configuration for WebFlux does not currently allow for a custom ServerAuthenticationConverter that provides additional attributes to the initial Authentication token. This PR allows an application to supply...

status: waiting-for-triage

Spring Security for Spring MVC allows for specifying multiple LogoutHandler implementations which get wrapped in a DelegatingLogoutHandler. Spring Security for WebFlux currently only allows a single ServerLogoutHandler implementation. This PR...

status: waiting-for-triage

**Describe the bug** In some configuration setups, adding a `ServletOAuth2AuthorizedClientExchangeFilterFunction` to a `WebClient` that can retry causes an `IllegalArgumentException` when trying to remove the client in the case where the...

status: waiting-for-triage
type: bug

**Describe the bug** Spring Security version 6.5.0 release. Since the `AntPathMatcher` is deprecated, I replaced it with `PathPatternRequestMatcher` expecting that it would behave the same. However I discovered that the...

type: bug
status: feedback-provided

## Summary Use `StringUtils.hasText()` instead of null check in `getAuthoritiesClaimName()` to properly handle empty strings and whitespace-only strings. ## Problem The current null check (`!= null`) incorrectly treats empty strings...

status: waiting-for-triage

Resolves: #17301

in: ldap
type: enhancement
type: breaks-passivity

I also had to remove two methods from `XFrameOptionsHeaderWriterTests` that are no longer relevant. However, in order not to delete the test, I added my own custom test for the...

status: waiting-for-triage