spring-security
Spring Security
**Describe the bug** `org.springframework.security.web.FilterChainProxy.getFilters(String)` throws NPE in Spring Security 6.5.6. It used to work in Spring Security 5.8.12.
```
java.lang.NullPointerException
    at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1693)
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry$DeferredRequestMatcher.lambda$new$0(AbstractRequestMatcherRegistry.java:420)
    at org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry$DeferredRequestMatcher.matches(AbstractRequestMatcherRegistry.java:430)
    at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:89)
    at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:248)
    ...
```
**Describe the bug** When I try to use CacheSaml2AuthenticationRequestRepository in SAML2 Login, I get the following exception before the redirect, when the is saved in the CacheSaml2AuthenticationRequestRepository. ``` java.lang.IllegalArgumentException:...
We encountered an issue where authentication was being mixed across threads. During our analysis, we discovered that `SecurityContextHolderThreadLocalAccessor` propagates the same `SecurityContext` to other threads when using Micrometer Context Propagation....
**Describe the bug** Up to 6.5.7, you were able to create (in Kotlin) a class that implements `AuthenticationManagerResolver` and handle potential multi-tenancy as below (below is a simplified version, but...
**Expected Behavior** I want to be able to set the clock-skew (ideally per property) and not change anything else.
```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          clock-skew: 5m # does not...
```
**Describe the bug** The Jackson 3 version of [PreAuthenticatedAuthenticationTokenDeserializer](https://github.com/spring-projects/spring-security/blob/9126aaf19b33d7cfa4494fa2b9ccf2918f50e62b/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenDeserializer.java#L64) replaced asText() with stringValue() when de-serializing credentials. However, _unlike_ asText(), stringValue() throws a JsonNodeException if the node value is not a...
regression: Spring Security 7 Filters interfere with Spring Web StandardMultipartHttpServletRequest
**Describe the bug** When an authenticated user uploads a file larger than the configured `spring.servlet.multipart.max-file-size` then Spring Security returns 401. **To Reproduce** Clone the repo at https://github.com/filiphr/spring-security-boot-4-max-upload-size. It has 2...