Dave Syer

Senior Consulting Engineer

London

Founder and contributor to Spring Batch, lead of Spring Security OAuth, and an active contributor to Spring Integration, Spring Framework, Spring AMQP and Spring Security. Experienced, delivery-focused architect and development manager. Has designed and built successful enterprise software solutions using Spring, and implemented them in major institutions worldwide.
Blog Posts by Dave Syer

Spring Security OAuth 2.0.4.RELEASE Available Now

Spring Security OAuth 2.0.4.RELEASE is available now in the usual repositories. It's a bug fix release, so upgrading is recommended, but there is also a small set of new features:

  • The OAuth2Request (and hence OAuth2Authentication) can now be queried explicitly to find the grant type for the associated token. If the token is being refreshed, the grant type in the OAuth2Request presented to a TokenEnhancer is the original grant type, not "refresh_token".

  • The client authorities are exposed in the "/check_token" endpoint.

  • Password grants are more flexible and open to extension because both client and server can add additional parameters to the request. A custom AuthenticationManager on the server side should still expect a UsernamePasswordAuthenticationToken, but the additional parameters will be available in the AuthenticationDetails. Multi-factor authentication for mobile devices could be implemented in this way, for instance.

  • Keystore support for JWT token signing and verification. The user provides a Resource and a password and can then lift the keys out of the store by name. As long as they are RSA keys, they can be injected into a JwtAccessTokenConverter (using a new setter).


Spring Cloud 1.0.0.M2 Available Now

If you are building microservices with Spring you will be interested to see that Spring Cloud 1.0.0.M2 hit the streets yesterday and today, and can now be found in the Spring repository. Visit the individual project page links on the main umbrella page or look at their GitHub repositories for detailed instructions about how to get started using the individual components. There is also a Reference Guide covering the core modules.

Since Spring Cloud is an umbrella project we have a "release train" of related updates to all the sub-projects (like with Spring Data). The 1.0.0.M2 release has updates to Spring Cloud Config, Spring Cloud Netflix, Spring Cloud Bus, Spring Cloud Security and Spring Cloud CLI.


Spring Cloud 1.0.0.M1 Available Now

Spring Cloud (the new umbrella project announced in September) has reached its first milestone, and fresh jars are available in the repo.spring.io repository. Spring Cloud is going to follow a "release train" model for releases, a bit like Spring Data, but we haven't got a cool name for this one yet, so it's just 1.0.0.M1. The modules that are part of this release are:

  • Spring Cloud Config: Centralized external configuration management backed by a git repository. The configuration resources map directly to Spring Environment but could be used by non-Spring applications if desired.

  • Spring Cloud Netflix: Integration with various Netflix OSS components (Eureka, Hystrix, Zuul, Archaius, etc.).

  • Spring Cloud Bus: An event bus for linking services and service instances together with distributed messaging. Useful for propagating state changes across a cluster (e.g. config change events).

  • Spring Cloud Security: A set of primitives for building secure applications and services with minimum fuss.

  • Spring Cloud CLI: Spring Boot CLI plugin for creating Spring Cloud component applications quickly in Groovy.

  • Spring Cloud Starters: Spring Boot-style starter projects to ease dependency management for consumers of Spring Cloud.


Spring Security OAuth 2.0.3 Available Now

Spring Security OAuth 2.0.3 is available now in all the usual Maven repositories. It's a bug fix release, nothing major, so upgrading from 2.0.x should be painless (and is recommended). Some people were having issues getting JWT tokens to work properly, and those should be fixed. The only noteworthy functional change is that Resource Servers (if configured with @Configuration) will now check the validity of the client and scopes before allowing access to protected resources. This means that client privileges can be revoked quickly, but may also lead to a performance penalty (so caching the ClientDetailsService results would be recommended).


Spring Boot 1.1.3 Available Now

Spring Boot 1.1.3 is available now in Maven Central. This was primarily a bugfix release for Windows users needing the executable JAR features of Spring Boot, but several other issues were resolved, and there are plenty of documentation and third-party version updates too.

Thanks again to all the people who contributed (84 committers now and rising)!


Spring Boot 1.1.0.RC1 Available Now

Spring Boot 1.1.0.RC1 is available now in the Spring repositories. There are some new features and some new documentation:

  • Autoconfiguration support for Spring Data Elasticsearch, HornetQ messaging and Spring Social

  • Support for @IntegrationTest in the Groovy CLI

  • Upgrades to Tomcat, Spring Integration, Reactor and Groovy

We are on schedule for a GA release some time in the next 2 weeks, so please try out the RC1 and get feedback onto GitHub as soon as you have time.


Spring Boot 1.1.0.M2 Available Now

Spring Boot 1.1.0.M2 is available now in the Spring repositories. There are quite a few new features and plenty of new documentation:

  • Groovy Template and Velocity support for MVC and offline rendering.

  • Big changes to the HealthIndicator interface and the existing implementations, e.g. all database backends (like Mongo etc.) have a default HealthIndicator and the Actuator aggregates them all up into a single readout.

  • Support for Spring Data Solr and Spring Data Gemfire, and upgrade to the Spring Data Dijkstra release train

  • Support for multiple DataSources through a convenient DataSourceBuilder abstraction, plus a similar feature for JPA EntityManagerFactories

  • Upgrades to various new versions of existing dependencies, e.g. Spring Batch 3.0, Spring Security 3.2.4


Spring Boot 1.0.2.RELEASE Available Now

Spring Boot 1.0.2.RELEASE is available now in the Spring and Maven Central repositories. This is mostly a bug-fix release (nothing major, but please upgrade if you are using an older version). There are also a couple of nice new features.

My favourite additions are the new @IntegrationTest features. Here's an example:

@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = SampleActuatorApplication.class)
@WebAppConfiguration
@IntegrationTest("server.port=0")
public class SampleActuatorApplicationTests {

    @Value("${local.server.port}")
    private int port;

    ...

}

Spring Security OAuth 2.0.0.RC1 Available

Spring Security OAuth 2.0.0.RC1 is available now from the Spring Repo. This is a huge step in the direction of modernisation and ease of use for OAuth server and client apps on Spring.

The headline feature is support for @Configuration (for OAuth2 only), and if you use Spring Boot to write your app you can serve tokens and protect the API resources in about 25 lines of code:

@Configuration
@EnableAutoConfiguration
@EnableResourceServer
@RestController
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @RequestMapping("/")
    public String home() {
        return "Hello World";
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("secret");
        }

    }

}

Spring Boot 1.0.1.RELEASE Available Now

Spring Boot 1.0.1.RELEASE is available in Maven Central and the repo.spring.io repository. This is a bug fix release, although a couple of new features have been added:

  • MessageSource caching can be specified in application.properties
  • ActiveMQ connection credentials can be externalized to application.properties
  • There is a new section on Security auto configuration in the reference guide

There was a security bug-fix for the Actuator, so anyone using Spring Security and the Actuator endpoints should upgrade. No backwards compatibility problems or changes to existing functionality are anticipated.
