86 Pull requests merged by 5 people

• Remove PrePostTemplateDefaults

  #17312 merged Jul 3, 2025

• Remove Nimbus(Reactive)OpaqueTokenIntrospector

  #17326 merged Jul 3, 2025

• Remove RequestVariablesExtractor

  #17320 merged Jul 3, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17452 merged Jul 3, 2025

• Remove deprecated elements using AuthorizationDecision

  #17322 merged Jul 3, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17453 merged Jul 3, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17451 merged Jul 3, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17454 merged Jul 3, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17455 merged Jul 3, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17461 merged Jul 3, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17462 merged Jul 3, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17463 merged Jul 3, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17464 merged Jul 3, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17465 merged Jul 3, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17466 merged Jul 3, 2025

• Remove RelyingPartyRegistration deprecations

  #17329 merged Jul 3, 2025

• Improve logging clarity in CsrfFilter

  #17425 merged Jul 3, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17467 merged Jul 3, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17468 merged Jul 3, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17469 merged Jul 3, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17470 merged Jul 3, 2025

• Remove deprecated classes moved to other packages

  #17330 merged Jul 3, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17456 merged Jul 3, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17457 merged Jul 3, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17458 merged Jul 3, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final

  #17459 merged Jul 3, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17460 merged Jul 3, 2025

• Fix equals and hashCode in PathPatternRequestMatcher to include HTTP method

  #17337 merged Jul 2, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17436 merged Jul 2, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17435 merged Jul 2, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17434 merged Jul 2, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17433 merged Jul 2, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17432 merged Jul 2, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17431 merged Jul 2, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17430 merged Jul 2, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE

  #17429 merged Jul 2, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final

  #17428 merged Jul 2, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17427 merged Jul 2, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17437 merged Jul 2, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17438 merged Jul 2, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17439 merged Jul 2, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17440 merged Jul 2, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17441 merged Jul 2, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17442 merged Jul 2, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17443 merged Jul 2, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE

  #17444 merged Jul 2, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17445 merged Jul 2, 2025

• Bump org-apache-maven-resolver from 1.9.23 to 1.9.24

  #17426 merged Jul 2, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17405 merged Jul 1, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17406 merged Jul 1, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17407 merged Jul 1, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17408 merged Jul 1, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17409 merged Jul 1, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17410 merged Jul 1, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17411 merged Jul 1, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17412 merged Jul 1, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17413 merged Jul 1, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17414 merged Jul 1, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17415 merged Jul 1, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17416 merged Jul 1, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17417 merged Jul 1, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17418 merged Jul 1, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17419 merged Jul 1, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final

  #17420 merged Jul 1, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17421 merged Jul 1, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17422 merged Jul 1, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17423 merged Jul 1, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17393 merged Jun 30, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17392 merged Jun 30, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17391 merged Jun 30, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17390 merged Jun 30, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17400 merged Jun 30, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17389 merged Jun 30, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17388 merged Jun 30, 2025

• Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21

  #17387 merged Jun 30, 2025

• Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13

  #17386 merged Jun 30, 2025

• Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13

  #17401 merged Jun 30, 2025

• Bump io.mockk:mockk from 1.14.2 to 1.14.4

  #17402 merged Jun 30, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17403 merged Jun 30, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17404 merged Jun 30, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17394 merged Jun 30, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17395 merged Jun 30, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17396 merged Jun 30, 2025

• Bump com.fasterxml.jackson:jackson-bom from 2.19.0 to 2.19.1

  #17397 merged Jun 30, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17398 merged Jun 30, 2025

• Bump org.hibernate.orm:hibernate-core from 7.0.1.Final to 7.0.4.Final

  #17399 merged Jun 30, 2025

12 Pull requests opened by 5 people

• Change `FilterBasedLdapUserSearch` to use `LdapClient`

  #17384 opened Jun 29, 2025

• Add ExpressionTemplateValueProvider

  #17448 opened Jul 2, 2025

• docs: fix typo in @AuthenticationPrincipal documentation

  #17474 opened Jul 3, 2025

• Remove ACL access implementations in favor of `AclPermissionEvaluator`

  #17475 opened Jul 3, 2025

• Update Shibboleth repository URL

  #17477 opened Jul 3, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE

  #17478 opened Jul 4, 2025

• Bump io-spring-javaformat from 0.0.46 to 0.0.47

  #17479 opened Jul 4, 2025

• Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7

  #17480 opened Jul 4, 2025

• Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8

  #17481 opened Jul 4, 2025

• Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final

  #17482 opened Jul 4, 2025

• Bump com.webauthn4j:webauthn4j-core from 0.29.3.RELEASE to 0.29.4.RELEASE

  #17483 opened Jul 4, 2025

• Implement equals and hashCode in `OidcIdToken`

  #17485 opened Jul 4, 2025

23 Issues closed by 3 people

• Remove deprecated elements from DaoAuthenticationProvider

  #17298 closed Jul 3, 2025

• Remove AllowFromStrategy in favor of ContentSecurityPolicy

  #17307 closed Jul 3, 2025

• Remove deprecated elements of RoleHierarchyImpl

  #17297 closed Jul 3, 2025

• Remove PrePostTemplateDefaults

  #17296 closed Jul 3, 2025

• Remove AssertingPartyDetails from APIs in favor of AssertingPartyMetadata

  #17304 closed Jul 3, 2025

• Remove RequestVariablesExtractor in favor of RequestMatcher#matcher

  #17308 closed Jul 3, 2025

• Simplify MvcRequestMatcher construction

  #13562 closed Jul 3, 2025

• Possible bug in AbstractRequestMatcherRegistry#requireOnlyPathMappedDispatcherServlet? (DispatcherServlet not found when resolving request matcher)

  #15684 closed Jul 3, 2025

• AntPathRequestMatcher and MvcRequestMatcher have inconsistent behaviour against requests with null method

  #16491 closed Jul 3, 2025

• Remove deprecated elements using AuthorizationDecision

  #17299 closed Jul 3, 2025

• ClientRegistration.Builder.tokenUri() should take a `URI` parameter, not a `String`

  #17424 closed Jul 3, 2025

• We should remove usage of PathMatcher in web modules

  #16887 closed Jul 3, 2025

• Remove HandlerMappingIntrospector Usage

  #16886 closed Jul 3, 2025

• Add PathPatternRequestMatcher static factory shortcuts

  #17476 closed Jul 3, 2025

• Add TestMockHttpServletRequests

  #17450 closed Jul 3, 2025

• Standarize Mock Request Paths

  #17449 closed Jul 3, 2025

• Raise log level from DEBUG to WARN for firewall-rejected requests in HttpStatusExchangeRejectedHandler

  #17471 closed Jul 3, 2025

• Wrong logging for CsrfFilter in trace level

  #17250 closed Jul 3, 2025

• Remove deprecated implementations of OAuth2AccessTokenResponseClient

  #16909 closed Jul 3, 2025

• Remove Resource Owner Password Credentials grant

  #17446 closed Jul 3, 2025

• Remove Resource Owner Password Credentials grant

  #17473 closed Jul 3, 2025

• PathPatternRequestMatcher should check method for equals and hashCode

  #17180 closed Jul 2, 2025

• Kotlin 2.2 Upgrade

  #16884 closed Jul 2, 2025

3 Issues opened by 3 people

• HttpSecurity.build() in a bean method that defines a security filter chain triggers a BeanCurrentlyInCreationException

  #17484 opened Jul 4, 2025

• Allow custom conversation for enum values in meta annotation expression templates

  #17447 opened Jul 2, 2025

• Stub the call to OpenID configuration in an `oauth2Client` `@SpringBootTest`

  #17385 opened Jun 30, 2025

15 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• Add SpEL support for nested username extraction in OAuth2 user info

  #16857 commented on Jul 3, 2025 • 4 new comments

• One Time Token should not be created if user does not exist

  #16483 commented on Jun 28, 2025 • 0 new comments

• Fail resolve argument CustomUserDetails when I test in only SecurityAutoConfiguration and @WebMvcTest

  #17383 commented on Jun 28, 2025 • 0 new comments

• SAML2 for reactive environment / spring-webflux

  #7954 commented on Jun 30, 2025 • 0 new comments

• Add `OAuth2AuthorizedClientManager` autoconfiguration without `spring-boot-starter-web` dependency

  #15877 commented on Jul 1, 2025 • 0 new comments

• OAuth2: ServletOAuth2AuthorizedClientExchangeFilterFunction can fail to remove client if webclient receives retryable responses.

  #17379 commented on Jul 1, 2025 • 0 new comments

• `ServerOAuth2AuthorizedClientExchangeFilterFunction`: scope client credential tokens to the application

  #17218 commented on Jul 3, 2025 • 0 new comments

• Improve CVE-2023-34035 detection

  #13568 commented on Jul 3, 2025 • 0 new comments

• MvcRequestMatcher does not match Servlet from ServletRegistrationBean

  #12755 commented on Jul 3, 2025 • 0 new comments

• NimbusJwtEncoder does not support Edwards Curve signature (EdDSA) family algorithms.

  #17098 commented on Jul 3, 2025 • 0 new comments

• [Azure Oauth2] IllegalArgumentException: Attribute value for "xxx" is null

  #16340 commented on Jul 3, 2025 • 0 new comments

• Remove Deprecations

  #13068 commented on Jul 3, 2025 • 0 new comments

• Default to XorCsrfChannelInterceptor in XML configuration

  #17323 commented on Jul 4, 2025 • 0 new comments

• Use `LdapName` instead of `DistinguishedName`

  #17325 commented on Jul 3, 2025 • 0 new comments

• Remove `AllowFromStrategy` in favor of `ContentSecurityPolicy`

  #17358 commented on Jul 3, 2025 • 0 new comments