11 Pull requests merged by 5 people

• Bump org.jetbrains.kotlinx:kotlinx-coroutines-bom from 1.10.1 to 1.10.2

  #16910 merged Apr 9, 2025

• Update kotlin.adoc to add required spread operator(*)

  #16859 merged Apr 8, 2025

• Polish javadoc

  #16908 merged Apr 8, 2025

• Typo in Base64StringKeyGenerator exception message

  #16868 merged Apr 8, 2025

• Bump org.mockito:mockito-bom from 5.16.1 to 5.17.0

  #16898 merged Apr 7, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final

  #16897 merged Apr 7, 2025

• Bump org.seleniumhq.selenium:selenium-java from 4.30.0 to 4.31.0

  #16896 merged Apr 7, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.12.Final to 6.6.13.Final

  #16895 merged Apr 7, 2025

• Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20

  #16894 merged Apr 7, 2025

• Bump spring-io/spring-doc-actions from 0.0.19 to 0.0.20

  #16893 merged Apr 7, 2025

• Update test object factories to Test<Object>s naming convention

  #16686 merged Apr 3, 2025

5 Pull requests opened by 5 people

• Add default redirect URI for OAuth2 client registration

  #16871 opened Apr 3, 2025

• Implement UserDetailsPasswordService in JdbcUserDetailsManager #16863

  #16881 opened Apr 4, 2025

• Pr 16635 last version

  #16899 opened Apr 7, 2025

• Update DeferredCsrfToken to implement Supplier

  #16905 opened Apr 8, 2025

• Set PublicKeyCredentialRequestOptionsRepository by DSL or Bean

  #16911 opened Apr 9, 2025

15 Issues closed by 5 people

• Incorrect documentation for OpaqueTokenIntrospector

  #16903 closed Apr 8, 2025

• Prepare Request Matching for Spring Framework Changes

  #16417 closed Apr 7, 2025

• Update `HandlerMappingIntrospector` Usage in Cache filter support

  #16536 closed Apr 7, 2025

• ServerBearerTokenAuthenticationConverter does not support form encoded body parameter

  #15818 closed Apr 7, 2025

• `ServerBearerTokenAuthenticationConverter` validates parameters when not enabled

  #16902 closed Apr 7, 2025

• `ServerBearerTokenAuthenticationConverter` validates parameters when not enabled

  #16901 closed Apr 7, 2025

• `ServerBearerTokenAuthenticationConverter` validates parameters when not enabled

  #16038 closed Apr 7, 2025

• Add AuthenticationEntryPoint for DPoP

  #16900 closed Apr 7, 2025

• Add RelayState-based Authentication Request Respository

  #14793 closed Apr 3, 2025

• Improve startup validation of request matchers

  #16135 closed Apr 3, 2025

• Saml2WebSsoAuthenticationFilter should allow requests through when SAMLResponse is absent

  #16000 closed Apr 3, 2025

• Update WebAuthn Test Objects Class Names

  #16604 closed Apr 3, 2025

• Restore Migration and Preparation Steps

  #16873 closed Apr 3, 2025

• Support Customizing Set of OpenSAML Validators

  #15578 closed Apr 2, 2025

• oauth2: make it less painful to use a proxy

  #16694 closed Apr 2, 2025

23 Issues opened by 10 people

• Reactive implementation for DPoPAuthenticationProvider & related classes

  #16912 opened Apr 9, 2025

• Remove deprecated implementations of OAuth2AccessTokenResponseClient

  #16909 opened Apr 8, 2025

• Support RFC 9493 ("sub_id" claim)

  #16907 opened Apr 8, 2025

• Support for JWT claims from RFC 9068

  #16906 opened Apr 8, 2025

• Align Metadata Annotation Support with Spring Framework 7

  #16890 opened Apr 4, 2025

• Remove Usage of Spring Framework APIs marked Deprecated for Removal

  #16889 opened Apr 4, 2025

• Revise HttpHeaders Usage

  #16888 opened Apr 4, 2025

• We should remove usage of PathMatcher in web modules

  #16887 opened Apr 4, 2025

• Remove HandlerMappingIntrospector Usage

  #16886 opened Apr 4, 2025

• Declare Spring modules with JDK 9 module metadata

  #16885 opened Apr 4, 2025

• Kotlin 2.2 Upgrade

  #16884 opened Apr 4, 2025

• Update to Jakarta 11

  #16883 opened Apr 4, 2025

• Null safety via JSpecify

  #16882 opened Apr 4, 2025

• Consider using Bouncy Castle BCrypt implementation

  #16880 opened Apr 4, 2025

• Consider changing default encoder in PasswordEncoderFactories

  #16879 opened Apr 4, 2025

• Change of default securityContextRepository in filters causes SessionRegistryImpl to be empty

  #16878 opened Apr 4, 2025

• proxy with spring security oauth2

  #16875 opened Apr 3, 2025

• Allow Custom PublicKeyCredentialRequestOptionsRepository in WebAuthnConfigurer

  #16874 opened Apr 3, 2025

• DenyAllPermissionEvaluator Used As Silent Backup When Two PermissionEvaluator Beans Exist

  #16872 opened Apr 3, 2025

• Update DeferredCsrfToken to implement Supplier

  #16870 opened Apr 2, 2025

• ServerCsrfTokenRequestHandler should return reactive types

  #16869 opened Apr 2, 2025

• Depecate org.springframework.security.crypto.codec.Hex

  #16867 opened Apr 2, 2025

• Example for customising AuthenticationEventPublisher does not work

  #16866 opened Apr 2, 2025

43 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Jackson deserialization of ClientAuthenticationMethods should recognize all values

  #16826 commented on Apr 8, 2025 • 4 new comments

• Add Support SupplierReactiveClientRegistrationRepository

  #16770 commented on Apr 7, 2025 • 2 new comments

• Unable to access encrypted SAML assertions in custom ResponseValidator after upgrade from 6.3 to 6.4

  #16367 commented on Apr 2, 2025 • 0 new comments

• Method Security does not switch to Interface Proxies for final Classes

  #16707 commented on Apr 6, 2025 • 0 new comments

• ClientRegistrations.fromIssuerLocation does not include failure information

  #16860 commented on Apr 6, 2025 • 0 new comments

• Adjust ClientRegistrations to allow to inject own instance of RestTemplate, ideally to use RestClient instead of ResTemplate

  #16833 commented on Apr 7, 2025 • 0 new comments

• Pass Http Request to OAuth2AuthorizationRequestResolver#authorizationRequestCustomizer

  #16306 commented on Apr 7, 2025 • 0 new comments

• mockJwt() WebTestClientConfigurer with MockMvcWebTestClient throws a NullPointerException.

  #9257 commented on Apr 7, 2025 • 0 new comments

• Spring Security's `Filter`s and `WebFilter`s Automatically Registered by Spring Boot

  #16222 commented on Apr 7, 2025 • 0 new comments

• Simplify CSRF Configuration for SPAs

  #14149 commented on Apr 8, 2025 • 0 new comments

• NimbusJwtEncoder should simplify constructing with javax.security Keys

  #16267 commented on Apr 8, 2025 • 0 new comments

• Allow retrieving username from SAML Assertion Attributes

  #12136 commented on Apr 8, 2025 • 0 new comments

• Make name resolution configurable in OpenSamlLogoutRequestValidator

  #12128 commented on Apr 8, 2025 • 0 new comments

• Simplify Custom Handling for Compromised Passwords

  #16223 commented on Apr 8, 2025 • 0 new comments

• Servlet and Reactive OAuth2 Client consistency

  #15299 commented on Apr 8, 2025 • 0 new comments

• JdbcUserDetailsManager.setEnableUpdatePassword

  #16863 commented on Apr 8, 2025 • 0 new comments

• Add CIBA support

  #14725 commented on Apr 9, 2025 • 0 new comments

• HttpSessionRequestCache#getMatchingRequest passes decoded Request URL to UriComponentsBuilder

  #16656 commented on Apr 9, 2025 • 0 new comments

• OAuth2 RefreshTokenAuthenticationConverter fails to refresh token in Spring Security OAuth2 Authorization Server 1.4.2

  #16855 commented on Apr 9, 2025 • 0 new comments

• Add BearerTokenAuthenticationConverter

  #14791 commented on Apr 2, 2025 • 0 new comments

• Simplify OIDC Back-Channel Logout DSL (Closes gh-15817)

  #16698 commented on Apr 6, 2025 • 0 new comments

• Deprecate Authentication#setAuthenticated

  #16838 commented on Apr 8, 2025 • 0 new comments

• Bcrypt fix breaks existing client credential flows

  #16802 commented on Apr 3, 2025 • 0 new comments

• [Azure Oauth2] IllegalArgumentException: Attribute value for "xxx" is null

  #16340 commented on Apr 3, 2025 • 0 new comments

• Declare authorization rules one at a time

  #16509 commented on Apr 3, 2025 • 0 new comments

• Consider Supporting Externalized OpenSAML Initialization

  #14656 commented on Apr 3, 2025 • 0 new comments

• Programatic Bean Registration

  #16817 commented on Apr 4, 2025 • 0 new comments

• Prepare for 2FA

  #11364 commented on Apr 4, 2025 • 0 new comments

• Include Compromised Password Information in `UserDetails`

  #15745 commented on Apr 4, 2025 • 0 new comments

• Throw custom Exception when the HTTP Method is rejected

  #12191 commented on Apr 4, 2025 • 0 new comments

• Use Include for All Samples in Documentation

  #16226 commented on Apr 4, 2025 • 0 new comments

• Consider adding `ClientRegistrationIdResolver` to `ExchangeFilterFunction`s

  #15825 commented on Apr 4, 2025 • 0 new comments

• Support Reactive One-Time Tokens in a Clustered Environment

  #15901 commented on Apr 4, 2025 • 0 new comments

• Sample Code in Documentation Should Link to a Complete Sample

  #16227 commented on Apr 4, 2025 • 0 new comments

• Add "Best Match" based Web Authorization Rules

  #16249 commented on Apr 4, 2025 • 0 new comments

• Add @AuthorizeRequestMapping annotation

  #16250 commented on Apr 4, 2025 • 0 new comments

• Consider adding `PrincipalResolver` to `ExchangeFilterFunctions`

  #16284 commented on Apr 4, 2025 • 0 new comments

• Default value for ClientRegistration redirect-uri

  #16377 commented on Apr 4, 2025 • 0 new comments

• Simplify Configuring Log In using Twitter / X v2 APIs

  #16378 commented on Apr 4, 2025 • 0 new comments

• Consider aligning OAuth 2.0 Access Token Response parsing in BodyExtractor

  #16001 commented on Apr 4, 2025 • 0 new comments

• Add support for requesting protected resources with `RestClient` similar to `ServletBearerExchangeFilterFunction`

  #15820 commented on Apr 4, 2025 • 0 new comments

• Consider adding support for pushed authorization requests (PAR, RFC 9126)

  #11301 commented on Apr 4, 2025 • 0 new comments

• Consider removing one level of the OIDC Backchannel Logout DSL

  #15817 commented on Apr 6, 2025 • 0 new comments