Describe the bugIn an application where spring-security-saml2-service-provider was upgraded from 6.3.x to 6.4.1, I am ex...

If you manually define both a RoleHierarchy bean and a MethodSecurityExpressionHandler, the RoleHierarchy isn't injected...

Expected BehaviorI want to modify the URLs used for WebAuth authentication to be customized by WebAuthnConfigurer. In we...

Expected BehaviorOAuth2LoginAuthenticationFilter has a authenticationResultConverter property (link to code). It would b...

Current BehaviorThere's a copy pasted version of Saml2Utils.You can find this class under saml2.provider.service.servlet...

Default to using SecurityContextHolderFilter instead of SecurityContextPersistenceFilter. This means that explicit savin...

Describe the bugThe redirect url generated by the login endpoint url-encodes the query parameters:OAuth2AuthorizationReq...

Expected BehaviorBy default, Spring sends an HSTS (Strict-TransportSecurity) header, though this can be configured. Requ...

Expected BehaviorThe OidcSessionInformation class should include a mixin for JSON serialization to Redis, which will sup...

Expected BehaviorI would like org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager to be an autoconf...

Florent Biville (Migrated from SEC-2701) said:Hi, it seems that DaoAuthenticationProvider#retrieveUser semantics have c...

Describe the bugThe auth/z check on this line in the filter implementation for registering passkey credentials seems to ...

Currently to construct a NimbusJwtEncoder with a single key takes something like the following:OctetSequenceKey jwk = ne...

Hello.I noticed this situation with the RememberMeAuthenticationFilter filter.When the application is launched, this fil...

I read from spring documentation that to enable dynamic method level meta annotations I need to configure a class called...

WebAuthnAuthentication implements Serializable, but cannot be serialized due to PublicKeyCredentialUserEntity, one of it...

DescriptionWe are facing a Path Traversal Vulnerability (CVE-2024-38819) in our application due to the Spring Framework....

Expected BehaviorTo be able to utilize the default JdbcOneTimeTokenService and set a custom expire time for the OneTImeT...

Ok, after 2 days of trouble shooting, I've narrowed this down to being a Spring Security issue. Goal:To run secure login...

Summary@PreAuthorize is executed after @Valid validationActual Behavior@PreAuthorize is executed after @Valid validation...