Expected BehaviorIdeally there would be a programatic way to (manually) refresh an OAuth2 access token using its corresp...

SummaryAllow multiple security annotations on a single methodActual BehaviorCurrently if there are multiple annotations ...

Andy O'Neill (Migrated from SEC-1954) said:Javadocs claim that this method is protected, but it is actually protected fi...

Expected Behaviorhttp.securityMatcher("/actuator/**")I expected above would match all actuator endpoints and apply the s...

Describe the bugThis line session.getAttributes()throws NPE, if we have WebSession bean configuration like this to disab...

Expected BehaviorPlease provide a description in the documentation on how to properly set up CSRF protection with SPA an...

SummaryWhen I try to POST to a resource requiring authentication, I am redirected to a login page (as expected). Upon e...

CSRF protection provided by @EnableWebSocketSecurity is broken. I have identified 2 things that prevent the CsrfChannelI...

Describe the bugWhen testing a controller with WebMvcTest and Spring Security, the authorization seems to be failing. T...

Expected BehaviorSAML Single Logout should work even if the principal does not implement the Saml2AuthenticatedPrincipal...

Describe the bugSince the introduction of the authenticationConverter in 6.3, the default implementation (this::defaultA...

SummaryThis is not a bug on our side, but I believe it's worth noticing it. I created an issue in the com.nimbusds:oauth...

Describe the bugThe offical documentation for CSRF protection for Single Page Applications (SPA) might be ineffective. I...

Describe the bugSpring Session cannot handle Spring Boot 2.3 and 2.4 sessions in parallel, because the serialization of ...

Describe the bugIn Spring Security 6.2.2 the OidcBackChannelLogoutHandler.java logout handler automatically replaces the...

We should make sure that we remove them in 7.0.[ ] https://github.com/spring-projects/spring-security/issues/13067[ ] #1...

Describe the bugThe SpringSecurityCoreVersion.SERIAL_VERSION_UID, which is updated on major and minor updates, is still ...

On the documentation section for LDAP Authentication, the ldif file with a embedded server is invalid even with a minima...

It was noted in #14382 that the docs aren't clear on how different configurations that make use of securityMatcher with ...

It is not possible to customize the userDetailsChecker in CasAuthenticationProvider. Would be possible to add a setter m...