Spring Security HttpHeaders.writeHttpHeaders Fails with UnsupportedOperationException

Superseded by https://github.com/spring-projects/spring-framework/issues/33789Related https://github.com/spring-cloud/s...
  • 2025-10-19 14:00:32
  • 7562

Spring Security When possible use SmartHttpMessageConverter over GenericHttpMessageConverter

Spring Security often uses GenericHttpMessageConverter for JSON support. The new Jackson support was refined to be a Sma...
  • 2025-10-18 14:01:39
  • 1019

Spring Security Provide an official PDF download for the Spring Security reference documentation

DescriptionThe Spring Security reference guide is currently available only as HTML athttps://docs.spring.io/spring-secur...
  • 2025-10-18 14:01:34
  • 2251

Spring Security Spring Security with Active Directory shows *Property 'userDn' not set - anonymous context will be used for read-write operations* INFO message even if anonymous is disabled in HttpSecurity settings

Describe the bugI use AD to authenticate user which works as expected. I have class like below:Note that I have enabled...
  • 2025-10-18 14:01:29
  • 31618

Spring Security Redundant Test File AbstractSecurityInterceptorTests

Most of the coverage classes under AbstractSecurityInterceptorTests are deprecated or moved to MethodSecurityInterceptor...
  • 2025-10-18 14:01:14
  • 164

Spring Security RegexRequestMatcher factory methods and their documentation are not consistent

RegexRequestMatcher.regexMatcher(HttpMethod method, String pattern) says in the Javadoc that method "May be null to matc...
  • 2025-10-17 14:01:14
  • 352

Spring Security Login with OAuth 2.0 Invalid credentials

Describe the bugrequests:http://127.0.0.1/http://127.0.0.1/oauth2/authorization/gatewayhttp://localhost:8080/oauth2/auth...
  • 2025-10-17 14:01:13
  • 1118

Spring Security Consider hasFactor

Currently, to specify a time-sensitive factor, it is needed to create an AuthorizationManagerFactory by way of a static ...
  • 2025-10-17 14:01:11
  • 1924

Spring Security Possible StackOverflowError with io.micrometer:context-propagation and Lettuce Redis backend and Web Session in Redis

Describe the bugWe encountered repeating, but not easily reproducible bug ending with StackOverflowError caught and logg...
  • 2025-10-17 14:01:09
  • 11091

Spring Security Align setRetrieveUserInfo() between OidcUserService and OidcReactiveOAuth2UserService

Align the defaults applied in OidcUserService.setRetrieveUserInfo() and OidcReactiveOAuth2UserService.setRetrieveUserInf...
  • 2025-10-17 14:01:00
  • 124

Spring Security Deprecate CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE

It's misspelled. We cannot just remove it since it is public, so we should deprecate it in favor of the correct spelling...
  • 2025-10-17 14:00:58
  • 136

Spring Security HttpsRedirectWebFilter can redirect to https:/

This is quite possibly a bug in the underlying component(s), but the following test will fail:this.webTestClient .get...
  • 2025-10-17 14:00:57
  • 349

Spring Security Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler

DelegatingMissingAuthorityAccessDeniedHandler only sets a single missing authority while DefaultLoginPageGeneratingFilt...
  • 2025-10-16 14:02:17
  • 744

Spring Security Calling SecurityContextHolder.setStrategyName(strategy) breaks Spring filters

Calling SecurityContextHolder.setStrategyName(strategy) with any strategy name breaks spring filters because of code lik...
  • 2025-10-16 14:02:15
  • 9916

Spring Security Consolidate logic for merging authorities

Related to #18021, it would be nice if Authentication.Builder could merge authorities on its own. One way to do this is ...
  • 2025-10-16 14:02:13
  • 407

Spring Security Improve Passivity when Merging Authorities

Introducing Authentication#toBuilder and using it on each filter means that any application using a custom authenticatio...
  • 2025-10-16 14:02:12
  • 655

Spring Security Update vulnerable depdendency

Could you please at least update "oauth2-oidc-sdk:9.43.6" dependency to a more recent version in "spring-security-oauth2...
  • 2025-10-13 14:00:28
  • 477

Spring Security Using OAuth2ClientPropertiesMapper throws NoClassDefFoundError when CommonOAuth2Provider is not on classpath

Expected BehaviorTo not throw an exception and create Map<String, ClientRegistration> properlyCurrent BehaviorThro...
  • 2025-10-12 14:00:35
  • 2044

Spring Security Add possibility to customize refresh token and DPoP binding

Expected BehaviorIt should be possible to customize refresh token and DPoP binding, so engineers can use any binding sch...
  • 2025-10-09 14:00:44
  • 1046

Spring Security Consider enabling automatically WebauthnJacksonModule in SecurityJacksonModules

While it is not possible to automatically enable WebauthnJackson2Module in SecurityJackson2Modules due to the global def...
  • 2025-10-09 14:00:42
  • 378
下一页
.