We are not able to get CORS headers from CROSFIlter in logout request which restrict browsers to read the response. Erro...

[x] Add rememberMe to AuthorizeHttpRequestsConfigurer[x] Add fullyAuthenticated to AuthorizeHttpRequestsConfigurer[x] Ad...

Expected BehaviorIn other Sp metadata provider (Okta for example), we can generate SP metadata that contains all the fol...

SummaryStrange behaviour of @WithMockUser on method annotated as @BeforeEachActual Behavior@BeforeEach annotated method...

SEE: SPRING-BOOT #12593SummaryTLS termination seems to cause baseUrl to use http instead of httpsActual BehaviorTLS term...

Remove deprecated allowMultipleAuthorizationRequests in HttpSessionOAuth2AuthorizationRequestRepository and WebSessionOA...

spring-javaformat-checkstyle 0.032+ requires package javadoc which breaks the Spring Security Build. We need to fix the ...

Comment From: marcusdacoregioClosed via https://github.com/spring-projects/spring-security/commit/bbccc48d2ff1694df2bdbf...

Comment From: marcusdacoregioClosed via https://github.com/spring-projects/spring-security/commit/0c14a36ad6609b0ed15c02...

Spring Framework updated to Kotlin 1.7 and so to align dependency versions, Spring Security should also update to Kotlin...

Expected BehaviorTo hash passwords and secret keys a secure hashing algorithm (e.g., SHA256) should be used.Current Beha...

Describe the bugOn a controller method annotated with multiple instances of @PreAuthorize, only the first annotation is ...

Related to #11105. A method-based version will be useful for <protect-pointcut> and other method security features...

With both the AuthorizationFilter and FilterSecurityInterceptor applying to every dispatcher type, we should make it eas...

Backport release automation from main to 5.6.x.Related gh-10451Comment From: github-actions[bot]Fixed via 148756076c22f0...

Backport release automation from main to 5.7.x.Related gh-10451Comment From: github-actions[bot]Fixed via d76c321f8c300c...

We should change interface that define constants only to public final class (same as JoseHeaderNames).This change should...

The original intent of CommonOAuth2Provider is to provide sensible defaults for the HttpSecurity.oauth2Login() flow when...

Upgrade io.r2dbc:r2dbc-h2 (used as testImplementation in oauth2-client) to 1.0.0 once spring-r2dbc is compatible with th...

Expected BehaviorWebSessionServerRequestCache or another ServerRequestCache implementation should support saving POST re...