Spring Security Define a dedicated AuthenticationSuccessHandler for the OAuth2AuthorizationEndpointFilter

https://github.com/spring-projects/spring-security/blob/9126aaf19b33d7cfa4494fa2b9ccf2918f50e62b/oauth2/oauth2-authoriza...

Spring Security Expose default error/success handlers in OAuth2AuthorizationEndpointFilter

Expected Behavior: The default behaviour of the AuthenticationSuccessHandler and AuthenticationFailureHandlers should be a...

Spring Security Default clientSettings.isRequireProofKey=true does not make sense for non auth-code-flow clients

I have a spring boot 4 app with an oauth2 client registration, that is configured with refresh_token for the authorizati...

Spring Security put() in DefaultOAuth2TokenContext is not respected during token generation

We use this guide to create a custom grant type for our CIBA use case but we found a potential problem in enriching the ...

Spring Security PermissionEvaluator targetDomainObject should be @Nullable

Describe the bug: Upgrading from 6.x to 7.0, the org.springframework.security.access package has now been @NullMarked. The ...

Spring Security Expose Methods in OAuth2EndpointUtils

Currently the methods in org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2EndpointUtils...

Spring Security can no longer use custom jwtdecoder

Describe the bug: While running into the common(?) 'Read timed out' error I tried to follow the common advice of providing...

Spring Security Add NimbusJwtDecoder RestTemplate timeouts to migration guide

Related to #18195, we should add detail in the migration guide about how to extend the socket timeout values.

Spring Security Missing oauth2AuthorizationServer method from HttpSecurityDsl in 7.0

HttpSecurity on 7.0 added oauth2AuthorizationServer method, but HttpSecurityDsl missing that https://github.com/spring-pr...

Spring Security Spring ACL permissions are not bitmask-based

Describe the bug: If I grant a user the .....W permission (mask 3) and check it against a document I annotated with @PreAu...

Spring Security NPE in FilterChainProxy.getFilters(String)

Describe the bug: org.springframework.security.web.FilterChainProxy.getFilters(String) throws NPE in Spring Security 6.5.6...

Spring Security Document Jackson 3 Migration

Document how the switch to Jackson 3 is a breaking change. For example, users with custom Security classes that are mapp...

Spring Security CORS auto-detection fails when CorsConfigurationSource bean name differs from default

Summary: Spring Security only detects a CorsConfigurationSource bean by name "corsConfigurationSource", causing silent C...

Spring Security OAuth2 should validate MFA

Expected Behavior: When Enabling MFA, OAuth2 authorization flows should (optionally) first get MFA validated, then continue...

Spring Security AuthenticationPrincipalArgumentResolver has an outdated Authentication when OIDC ID Token is updated after refresh token

Hi, In a plain oauth2Login() application (keycloak as IDP for example), after https://github.com/spring-projects/spring-...

Spring Security WebAuthn login fails when validating allowCredentials

Describe the bug: When used as a single factor, WebAuthn login works. Used as a second factor, WebAuthn login fails, becaus...

Spring Security Application won't start when we use a custom JpaRepositoryFactoryBean with constructor injection and have org.springframework.boot::spring-boot-starter-oauth2-client as a dependency in pom

Spring Boot Version: 3.5.7. Describe the bug: Suppose we have public class CustomBaseJpaRepositoryFactoryBean<T extends Repo...

Spring Security Failed to configure a DataSource

Describe the bug: Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be c...

Spring Security Spring OAuth2 Client + native does not work out of the box. Should be easy to fix

Expected Behavior: One should be able to use the native build features of Spring Boot out of the box with .spring-boot-sta...

Spring Security Add expiresAt attribute for refresh token

Expected Behavior: When constructing an OAuth2AccessTokenResponse, if a refresh token is present, it should include an exp...
