Spring Team

Dave Syer

Senior Consulting Engineer


Founder and contributor to Spring Batch, lead of Spring Security OAuth, and an active contributor to Spring Integration, Spring Framework, Spring AMQP, Spring Security. Experienced, delivery-focused architect and development manager. Has designed and built successful enterprise software solutions using Spring, and implemented them in major institutions worldwide.
Blog Posts by Dave Syer

Spring Security OAuth 2.0.0.RC1 Available

Spring Security OAuth 2.0.0.RC1 is available now from the Spring Repo. This is a huge step in the direction of modernisation and ease of use for OAuth server and client apps on Spring.

The headline feature is support for @Configuration(for OAuth2 only) and if you use Spring Boot to write your app you can serve tokens and protect the API resources in about 25 lines of code:

public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);

    public String home() {
        return "Hello World";

    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        private AuthenticationManager authenticationManager;

        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")



Spring Boot 1.0.1.RELEASE Available Now

Spring Boot 1.0.1.RELEASE is available in Maven Central and the repo.spring.io repository. This is a bug fix release, although a couple of new features have been added:

  • MessageSource caching can be specified in application.properties
  • ActiveMQ connection credentials can be externalized to application.properties
  • There is a new section on Security auto configuration in the reference guide

There was a security bug-fix for the Actuator, so anyone using Spring Security and the Actuator endpoints should upgrade. No backwards compatibility problems or changes to existing functionality are anticipated.


Spring Boot 1.0.0.RC4 Available Now

Spring Boot 1.0.0 (RC4) has been released and is available in the repo.spring.io repository. There are some bug fixes from RC3 and a load of updated third-party dependencies. New features include

  • Support for Spring Loaded reloading of classes during development in Maven and Gradle builds.
  • A starter pom for spring-data-rest (and a sample).
  • Lots of new documentation (all in the source code but published as usual at http://projects.spring.io/spring-boot.
  • Automatic main class detection for "gradle run".
  • Support for relaunching and incrementing Spring Batch jobs on startup.

Spring Boot 0.5.0.M5 Released

Spring Boot 0.5.0.M5 is available in the Spring repo. Instructions for installing and using are on the project website or in github. Loads of new features including:

  • Autoconfigure support for JMS, AMQP, AOP, Mobile, MongoDB
  • Simplified @Grab usage (see example below)
  • A test command for Groovy scripts (supporting JUnit and Spock, more detail coming on that in a blog from Greg)
  • A new SpringApplicationBuilder with support for, amongst other things, application context hierarchies
  • A new PropertiesLauncher that can launch a Java application from properties discovered at runtime (e.g. to set up a classpath from a lib directory)

Spring Batch 2.1.9.RELEASE is available

spring #batch 2.1.9.RELEASE is available (download github http://bit.ly/NYXItL or Maven central). Thanks to all contributors!

It's mostly bugfixes for 2.1.8, plus a few interesting additions (e.g. nested tasklets from any namespace to support Spring Hadoop): http://static.springsource.org/sprin...1.8-2.1.9.html.

The first real commit for 2.2 came in as a pull request. Nice work! Please keep them coming.


Spring Security OAuth 1.0.0.RC2 released

spring #security #oauth 1.0.0.RC2 is released today http://bit.ly/xfE5PM. Download via github or Maven (SpringSource milestone repository).


  • Better error responses from the framework endpoints
  • Fixed some issues with validation and enhancement of token contents



Cross Site Request Forgery and OAuth2

<div id="container">

In this short article we look at Cross Site Request Forgery in the context of OAuth2, looking at possible attacks and how they can be countered when OAuth2 is being used to protect web resources.

OAuth2 is a protocol enabling a Client application, often a web application, to act on behalf of a User, but with the User’s permission. The actions a Client is allowed to perform are carried out on a Resource Server (another web application or web service), and the User approves the actions by telling an Authorization Server that he trusts the Client to do what it is asking. Common examples of Authorization Servers on the internet are Facebook and Google, both of which also provide Resource Servers (the Graph API in the case of Facebook and the Google APIs in the case of Google).


Social Coding: Pull Requests - What to Do When Things Get Complicated

Scenario: you want to contribute some code to an open source project hosted on a public git repository service like github. Lots of people make pull requests to projects I'm involved in and many times they are more complicated to merge than they need to be, which slows down the process a bit. The basic workflow is conceptually simple:

  1. fork a public open source project
  2. make some changes to it locally and push them up to your own remote fork
  3. ask the project lead to merge your changes with the main codebase

Git and Social Coding: How to Merge Without Fear

Git is great for social coding and community contributions to open source projects: contributors can try out the code easily, and there can be hordes of people all forking and experimenting with it but without endangering existing users. This article presents some examples with the Git command line that might help build your confidence with this process: how to fetch, pull and merge, and how to back out of mistakes. If you are interested in the social coding process itself, and how to contribute to Spring projects, check out another blog on this site by Keith Donald.


Uploading Job Configurations to Spring Batch Admin

An interesting problem that has no universal good solution is: how do I change the configuration of a running Spring application? Spring Batch Admin 1.0.0.M3 was released recently, and it has a configuration upload feature that solves this problem in a particular way. Someone asked for this feature at the recent S2GForum in Munich (if you missed that sign up for events in London and Amsterdam in May), and I was happy to tell him that it already existed, so maybe it deserves a bit more air time...