Scenario: After logging in on a mobile phone, the user scans the QR code to log in to the computer's web page,I searched...

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.con...

Expected BehaviorPossibility to replace OAuth2LoginAuthenticationWebFilter with a custom-made AuthenticationWebFilter f...

I have a project composed of spring-cloud-gateway in front of a couple of spring boot microservices that use websockets....

Expected BehaviorIf there are parallel requests that require a refreshed token, this should only need to be done once - ...

We should add a step in our CI that verifies if the branch contains the right version. For example, for branch 6.3.x the...

The current documentation uses a @ControllerAdvice to handle the CompromisedPasswordException and redirect the user to t...

There are cases where support for multiple OpaqueTokenIntrospectors in an OpaqueTokenAuthenticationProvider is needed. T...

Been looking into the documentation trying to figure out how to use a custom AuthorizationManager with PreAuthorize and ...

In https://github.com/spring-projects/spring-framework/issues/31742 a change was made to not add the charset parameter i...

With a configuration that includes CSRF protection (even customized), LogoutConfigurer assumes that /logout will only ma...

Documentation and maybe a blog post should be added for https://github.com/spring-projects/spring-security/issues/3737Co...

The following snippet from Method Security section of Spring Security reference contains a broken link to AuthorizationM...

The current Method Security is 40 pages. We should split it up.

Describe the bugI am trying to make the Back-Channel Logout work with an OIDC client registered with an id_token_signed_...

I have a URI that updates authenticated user's context now when user only calls this URI it is working as expected but ...

There are times that users cannot add annotations to objects or APIs that they want to secure. For example, consider if ...

Expected BehaviorThe OAuth2 Resource server should have a way to cache tokens (such as JWT) to avoid validating the toke...

Hello,I'm trying to migrate from Spring boot 2 to 3 and having an issue I can't seem to solve, despite having tried mult...

Since Spring Security 6 every exception thrown by an endpoint that is configured as .permitAll() will be send as 403 For...