When using the IDP metadata for configuration by RelyingPartyRegistrations#fromMetadataLocation the OpenSamlMetadataAsse...

SummaryAs part of spring-boot-starter-oauth2-client, came across an error where even openid scope has been specified, ap...

SummaryI have configured Spring Security with SAML2 (SP Initiated) and OAuth2 Client implementation for user authenticat...

Spring Boot SecurityProperty expiredUrl of SessionManagement is not handled correctlyActual BehaviorThis situation is ve...

With the addition of the .with() method, we can now deprecate the .apply() and guide users how to migrate to .with().

Expected Behaviorin the spring-security-oauth2-core project, the class of ClientAuthenticationMethod support Oauth2.0 t...

Given that and() is stated for removal, does it mean that in the future, I cannot chain the HttpSecurity?// not possible...

Describe the bugWe just updated Spring Security to version 6 in our project , and replaced the @EnableGlobalMethodSecuri...

When dealing with spring security I was never able to find a way to use an SPA (say angular) to initiate a oauth2 login ...

Hello, All.I have an idea for spring security.We can all agree that there are many confusing options in Spring Security....

Christopher Smith (Migrated from SEC-2939) said:Increasing numbers of applications aren't using SQL datastores at all (m...

This would avoid Boot needing to add that to provide support for CORS out of the box.Comment From: andersonkyleIMHO enab...

The filter should use the SecurityContextHolderStrategy in its successfullAuthentication method instead of accessing the...

Our application's single sign-on works with a federated identity provider (IdP) where the IdP selection is based on quer...

It would be easier to use RequestMatcherDelegatingAuthorizationManager.Builder if it used builder methods similar to Mes...

We use a custom prefix for our roles (e.g. we want roles to be something like MYPREFIX_USER instead of ROLE_USER): @B...

Describe the bugAfter using the version Latest corresponding to Boot3 and opening the annotation @ EnableMethodSecurity,...

This would provide the same externalization benefit for @RolesAllowed as @Secured. It would also simplify configuring a ...

CsrfConfigurer and CsrfBeanDefinitionParser use the deprecated LazyCsrfTokenRepository; however, this is no longer neces...

Documentation at Security Filters leaves a lot of questions unanswered. Suggest that that section be enhanced by answeri...