spring-security
Spring Security
**Expected Behavior** Inside OAuth2LoginConfigurer, during the init method, when the postProcess method is invoked for OidcAuthorizationCodeAuthenticationProvider, do not cast it to OidcAuthorizationCodeAuthenticationProvider but use the interface AuthenticationProvider to provide the ability to decorate the provider inside...
Fix: #17180
**Describe the bug** When an AuthenticationServiceException is thrown from AuthenticationProviders, say JwtAuthenticationProvider is throwing this exception at this [line](https://github.com/spring-projects/spring-security/blob/ffd6e3c0f71d2257fd6177ae549e8f1290828608/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java#L106) and the security filter chain is not able to capture this...
Fixes https://github.com/spring-projects/spring-security/issues/12610 --- As I see from my research, the bug happens only in the real servlet environment, supposedly because of HttpServletResponse.sendError(). I didn't manage to reproduce it via mockMvc....
**Describe the bug** When trace logging is active a simple GET request that does not require CSRF protection logs the following: ``` Did not protect against CSRF since request did...
Closes https://github.com/spring-projects/spring-security/issues/17289
Closes gh-16622
**Describe the bug** When configuring WebSocket message security via Spring Security's XML support, a `CsrfChannelInterceptor` is configured but the default CSRF handler in the web layer is generated by the...
Change WebSocketMessageBrokerSecurityBeanDefinitionParser to use XorCsrfChannelInterceptor by default, so WebSocket XML configuration matches the default Xor-based configuration already in WebSocketMessageBrokerSecurityConfiguration. Issue gh-17260
**Describe the bug** After updating from Boot 3.5.0 to 3.5.3 the property-based SAML configuration no longer works. ```stacktrace java.lang.IllegalArgumentException: entityId cannot be null or empty at org.springframework.util.Assert.hasText(Assert.java:253) at org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration$AssertingPartyDetails.(RelyingPartyRegistration.java:489) at...