11 Pull requests merged by 11 people

• Replace deprecated NimbusReactiveOpaqueTokenIntrospector with SpringReactiveOpaqueTokenIntrospector

  #16964 merged May 27, 2025

• Add Equals and HashCode methods for better comparison.

  #16842 merged May 27, 2025

• JwtTimestampsValidator can require exp and nbf claims

  #17030 merged May 27, 2025

• Create CsrfCustomizer for SPA configuration

  #16966 merged May 27, 2025

• Exceptions for Authorized Objects should propagate when returned from a Controller

  #17074 merged May 23, 2025

• Make AuthorizationProxyFactory.proxy generic

  #16996 merged May 23, 2025

• Add Support Credentialless COEP Header

  #17027 merged May 23, 2025

• Fix the problem of not deserializing SwitchUserGrantedAuthority in Webflux

  #17064 merged May 23, 2025

• Cleanup code

  #17142 merged May 23, 2025

• ClearSiteDataHeaderWriter log is misleading

  #17126 merged May 23, 2025

• Remove the redundant punctuation marks in the comments

  #17075 merged May 23, 2025

5 Pull requests opened by 4 people

• Add support setting X509PrincipalExtractor as bean

  #17171 opened May 26, 2025

• fix: #17175 relax type constraint (6.4 -> 6.5) compatible

  #17176 opened May 27, 2025

• Make X509CertificateThumbprintValidator to be public and non-final class

  #17178 opened May 28, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final

  #17183 opened May 29, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final

  #17184 opened May 29, 2025

12 Issues closed by 2 people

• Make `X509CertificateThumbprintValidator` configurable through `JwtValidators` create APIs

  #17131 closed May 28, 2025

• Update Type Validation Defaults

  #17181 closed May 28, 2025

• Begin Spring Security 7 to 8 Migration Guide

  #17182 closed May 28, 2025

• Add username property to UsernameNotFoundException

  #17179 closed May 28, 2025

• Consider allowing to hide UserNotFoundException in PreAuthenticatedAuthenticationProvider

  #15450 closed May 27, 2025

• Exceptions for Authorized Objects should propagate when returned from a Controller

  #16058 closed May 23, 2025

• ClearSiteDataHeaderWriter log is misleading

  #17166 closed May 23, 2025

• ClearSiteDataHeaderWriter log is misleading

  #17165 closed May 23, 2025

• Setup include-code extension for docs

  #17162 closed May 22, 2025

• Create demonstration of include-code usage

  #17163 closed May 22, 2025

• Setup include-code extension for docs

  #17160 closed May 22, 2025

• Create demonstration of include-code usage

  #17161 closed May 22, 2025

9 Issues opened by 9 people

• Publishing a default TargetVisitor should not override Spring MVC support

  #17185 opened May 29, 2025

• PathPatternRequestMatcher equals() only considers pattern instead of pattern, method, ...

  #17180 opened May 28, 2025

• 6.4 -> 6.5 cannot be cast to class

  #17175 opened May 27, 2025

• Kotlin security configuration examples call `AuthorizeHttpRequestsDsl::authorize` with an array of patterns, but this signature doesn't exist

  #17174 opened May 27, 2025

• DPoP filter is ignored when another AuthenticationFilter is present

  #17173 opened May 27, 2025

• OAuth2ResourceServer using authenticationManagerResolver results in `tokenAuthenticationManager cannot be null` while startup

  #17172 opened May 26, 2025

• Add support setting X509PrincipalExtractor as bean

  #17170 opened May 26, 2025

• Reactive WebClient OAuth2 SSO authentication performs too many /oauth2/token request when token expires

  #17167 opened May 25, 2025

• WebAuthn: credential registration fails with an unknown credential type error

  #17164 opened May 23, 2025

25 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• NimbusJwtEncoder should simplify constructing with javax.security Keys

  #17033 commented on May 29, 2025 • 8 new comments

• Add possibility to customize JwkSource of NimbusJwtDecoder

  #17046 commented on May 28, 2025 • 7 new comments

• Support Spring Data container types for AuthorizeReturnObject

  #16953 commented on May 29, 2025 • 5 new comments

• Remove GET request support from Saml2AuthenticationTokenConverter

  #17108 commented on May 25, 2025 • 2 new comments

• Add BearerTokenAuthenticationConverter

  #14791 commented on May 27, 2025 • 1 new comment

• Add serialize/deserialize PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions support with ObjectMapper

  #16446 commented on May 24, 2025 • 1 new comment

• Add option to disable anonymous authentication in `RSocketSecurity`

  #17159 commented on May 22, 2025 • 0 new comments

• Fix traceId discrepancy in case error in servlet web

  #17134 commented on May 26, 2025 • 0 new comments

• Add JdbcRelyingPartyRegistrationRepository

  #17077 commented on May 23, 2025 • 0 new comments

• Check for null Principal#getName

  #17068 commented on May 23, 2025 • 0 new comments

• Update LDAP authority and role handling to use LdapClient

  #17035 commented on May 23, 2025 • 0 new comments

• Add Support Extracting DN From X500Principal

  #16984 commented on May 26, 2025 • 0 new comments

• Fix `HttpSessionRequestCache#getMatchingRequest` query string parsing

  #16914 commented on May 23, 2025 • 0 new comments

• Add support for nested user-name-attribute using dot notation

  #16857 commented on May 25, 2025 • 0 new comments

• Deprecate Authentication#setAuthenticated

  #16838 commented on May 27, 2025 • 0 new comments

• WebSecurity.ignoring().anyRequest() no longer works

  #17155 commented on May 29, 2025 • 0 new comments

• `Authentication` in the security context is not updated during the refresh token flow

  #15509 commented on May 29, 2025 • 0 new comments

• Support UserDetailsService components in OAuth2 Resource Server flows

  #6237 commented on May 27, 2025 • 0 new comments

• Add support dpop customization

  #16940 commented on May 26, 2025 • 0 new comments

• Inconsistent constructor declaration on bean with name '_reactiveMethodSecurityConfiguration'

  #16325 commented on May 26, 2025 • 0 new comments

• There is no way to know if a custom logout success handler has been set

  #17043 commented on May 26, 2025 • 0 new comments

• Ability to disable anonymous authentication in RSocketSecurity

  #17132 commented on May 24, 2025 • 0 new comments

• Improve Integration between Authorized Objects and Spring MVC

  #16057 commented on May 23, 2025 • 0 new comments

• Use Include for All Samples in Documentation

  #16226 commented on May 23, 2025 • 0 new comments

• Consider removing com.nimbusds:oauth2-oidc-sdk dependency

  #14245 commented on May 23, 2025 • 0 new comments