
Spring Security

Results 442 spring-security issues

Reading https://docs.spring.io/spring-security/reference/features/exploits/csrf.html for 5.7.2 one can read (https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-protection-stp): ``` ... Requiring the actual CSRF token in a cookie does not work because cookies are automatically included in the HTTP request...

in: docs
type: enhancement

**Expected Behavior** We would like to have the possibility to easily log SAML responses as with the (previous) `SAMLLogger`-API. **Current Behavior** We did not find a "standard" way of logging...

type: enhancement
in: saml2
status: feedback-provided

By default, we should reject using the built in RequestMatcher implementations other than MvcRequestMatcher in a MvcRequestMatcher application. Alternatively we can deprecate/remove antMatcher, regexMatchers, and mvcMatchers from the DSL and...

in: config
type: enhancement

**Describe the bug** Spring Security SAML2 Logout is not working with Spring Session Data MongoDB. Our setup fully works if I use in-memory sessions instead of MongoDB sessions. SP Initiated...

in: saml2
status: feedback-provided

This is a reminder to update Spring Framework to the latest milestone when preparing for the next release. Once resolved, this reminder can be moved to the *next* milestone as...

type: reminder

The documentation (https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html#_runtime_expectations and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#_runtime_expectations) doesn't mention it, but if the configuration has the `spring.security.oauth2.resourceserver.jwt.audiences` property set, then the resource server will validate the `aud` claims as well.

status: waiting-for-triage
type: enhancement

**Expected Behavior** The expression handler that gets created per default in `PrePostMethodSecurityConfiguration` at https://github.com/spring-projects/spring-security/blob/74d646f569ad5df4bd1055ab016444cea9af6fbd/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java#L63 doesn't use the existing permission evaluator from the Spring context but keeps the default `DenyAllPermissionEvaluator`. **Current...

in: config
type: enhancement

**Describe the bug** In my project we have 2 SecurityFilterChains 1. `externalFilterChain` for external API requests 2. `defaultlFilterChain` for Angular/React client applications We use LDAP and JDBC authentication. Both `activeDirectoryLdapAuthenticationProvider`...

status: feedback-provided

**Describe the bug** I am running spring-boot `2.3.1` with `spring-boot-starter-oauth2-client`, after adding a context-path, everything breaks **To Reproduce** I have the following configuration ```java @Bean SecurityWebFilterChain securityFilter(ServerHttpSecurity http) { var...

type: bug
in: oauth2

Since `isFullyAuthenticated` is a composition of `isAnonymous` and `isRememberMe`, a default convenience method can be added: ```java default boolean isFullyAuthenticated(Authentication authentication) { return !isAnonymous(authentication) && !isRememberMe(authentication); } ``` This would...

in: core
type: enhancement