FedCM is a new proposal from W3C group, which simplifies the browse login.A detailed introduction from infoQ.https://www...

Related to https://spring.io/blog/2025/09/09/access-api-moves-to-spring-security-accessWe should revisit this possibilit...

JwtIssuerAuthenticationManagerResolverTests uses MockWebServer which is flakey on GitHub Windows runners due to resource...

Certain authorization rules are time-based. For example, a user may only have the profile:read authority if they've been...

If a user authenticates, and they has previously authenticated with another factor, the authorities from the first authe...

We can simplify mutating an authentication by adding a builder to each Authentication implementation:public Builder<?...

Currently, the Kotlin DSL for authorizeHttpRequests internally invokes the following static factory methods that should ...

Add context propagation support via Micrometer Context Propagation for the SecurityContext, between SecurityContextHolde...

Expected BehaviorClass ActiveDirectoryLdapAuthenticationProvider is non-final and can be extendedCurrent BehaviorClass A...

If we create a new ACL, set ourselves as the owner, create the first ACE assigning some permission to some SID, and try ...

The Access API has been deprecated for a few years now, though some applications continue to need it. We can move these ...

There are many Security tests that extract authorities, convert them to strings, and then assert their contents. It woul...

Because Spring Security sometimes uses RequestMatcher as a Map key, all implementations should implement equals and hash...

Currently, AuthenticatedMatcher#withRoles checks all authorities in MvcResult.It's semantics would be clearer if withRol...

@jvalkeal added support for importing Spring Security into VS Code and Eclipse. It would be helpful to document this as ...

Describe the bugBCrypt#gensalt without providing a SecureRandom instance, seems to generate one every single time.https:...

Jean-Pierre Bergamin (Migrated from SEC-2856) said:After enabling remember-me authentication for our SSO portal, people ...

Find comments linking to https://github.com/spring-projects/spring-framework/issues/35371 and remove the null check afte...

I wasn't sure how to resolve some of the errors with nullability inObservationWebFilterChainDecorator and ObservationFil...

Using Supplier<@Nullable Authentication> prevents Supplier<Authentication> from being passed in. Instead we ...