文章:spring-security - Aurora Blog|java/go/python

Spring Security Remove usage of SpringSecurityCoreVersion.SERIAL_VERSION_UID

We have attempted to remove the usage of SpringSecurityCoreVersion.SERIAL_VERSION_UID but it is still used in quite a fe...

spring-security-oauth2-jose 6.5.1 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 ...

The equals and hashCode implementation of PathPatternRequestMatcher was altered in https://github.com/spring-projects/sp...

Describe the bugI am trying to make the Back-Channel Logout work with an OIDC client registered with an id_token_signed_...

We should make PublicKeyCredentialCreationOptions implement Serializable. This will ensure that it an be persisted in di...

WebAuthAuthenticationTokenRequest should be serializable. It isn't, however, since some of its components aren't seriali...

Currently webauthn logic is in spring-security-web and requires an optional dependency. This should be moved to its own ...

Spring Security provides expressive ways to declare authorization. For example HttpSecurity provides:http .authorizeH...

Spring Security should adopt JSpecify for Null safety as is done in Spring FrameworkRelated https://github.com/spring-pr...

We should consider removing PortResolver as it leads to confusion is likely no longer necessary.See gh-8140 gh-12971

Describe the bugI wondered if OidcIdToken should implement equals. While running some test, I realized that the claims o...

Check this comment for the rationale https://github.com/spring-projects/spring-security/issues/13561#issuecomment-164405...

https://github.com/pingidentity/ldapsdk/releases/tag/7.0.0The devil will be in the details, but looking at the release n...

An AuthenticationServiceException represents something that went wrong on the server side. As such, it shouldn't be hand...

We should remove SecurityContextPersistenceFilter in favor of explicit saves to the SecurityContextRepository. This will...

Describe the bugIf a security configurer is added during builder's initializing lifecycle phase, if such configurer adds...

To simplify the migration path for applications that set a servlet path, it would be handy for the related factory bean ...

Describe the bugScope mapping handling changed with https://github.com/spring-projects/spring-security/issues/12112.http...

Problem DescriptionThe current interaction between URL-based security (requestMatchers()) and method-level annotations (...

AuthorizeProxyDataConfiguration exposes a private class as a bean:@Bean@Role(BeanDefinition.ROLE_INFRASTRUCTURE)DataTarg...