Spring Team
Joe Grandja

Joe Grandja

Spring Security Senior Engineer

Toronto, Canada

Joe has been in the Software Industry for over 20 years. He has successfully designed, built and delivered enterprise grade software in the financial services and health sector. He has been using Spring for over 10 years and is very excited to have joined the Spring Security engineering team, in early 2016. Outside of his passion for crafty software, Joe continues to travel the world with his family, snowboarding the most challenging mountains, exploring nature on foot and doing his best to enjoy what life brings.
Blog Posts by Joe Grandja

Spring Security OAuth 2.0.12 Released

On behalf of the community, I’m pleased to announce the release of Spring Security OAuth 2.0.12.RELEASE. The release can be found in our Spring Release repository and Maven Central.

This release primarily includes bug fixes and minor enhancements.

Contributions

Without the community we couldn’t be the successful project we are today. I’d like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues or via the comments section. You can also ping me Joe @joe_grandja, Dave @david_syer or Rob @rob_winch on Twitter.


Spring Security OAuth2 - Client Authentication Issue

Issue #808, reported recently, describes a bug that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.

This unusual scenario occurs when a client and a user share the same identifier (clientId and username). The user's credentials are then accepted for client authentication during a client_credentials or password grant flow, and the request succeeds in obtaining an access token carrying the authorities of the client.

The Fix

This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.

If you’re using Java-based configuration, please update to 2.0.11.RELEASE.

However, if you’re using XML-based configuration, please take the following actions:

  • Update to 2.0.11.RELEASE

  • Look at this JUnit test and its associated XML configuration to ensure that the AuthenticationManager for client authentication and the AuthenticationManager for user authentication are set up the same way in your configuration.

  • As a precautionary step, make sure your XML configuration is NOT set up the same way as in this JUnit test and its associated XML configuration, as that test demonstrates the original issue.
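As an added illustration (not Spring Security OAuth's own code), the following simplified Python model shows the collision described above: a shared authentication manager that consults both the client store and the user store lets a user whose username equals a clientId pass client authentication with their own password, while a dedicated client-only manager rejects the same request. The stores, manager functions, sample identifiers and secrets are all constructed for this example.

```python
# Added illustration (not Spring Security OAuth code): a simplified model of
# the clientId/username collision behind Issue #808. Stores, managers and
# sample data are constructed here; only the shape of the problem is real.

def authenticate(store, name, secret):
    """Look `name` up in one principal store and check its secret."""
    principal = store.get(name)
    if principal is None or principal["secret"] != secret:
        return None
    return principal

# Constructed sample data: a registered client and a user that share the
# identifier "acme" but have different secrets and different authorities.
CLIENTS = {"acme": {"secret": "client-secret", "authorities": {"ROLE_CLIENT", "ROLE_TRUSTED"}}}
USERS = {"acme": {"secret": "user-password", "authorities": {"ROLE_USER"}}}

def shared_manager(name, secret):
    """Models one AuthenticationManager wired for both client and user
    authentication: whichever provider accepts the credentials wins."""
    return authenticate(CLIENTS, name, secret) or authenticate(USERS, name, secret)

def client_only_manager(name, secret):
    """Models a dedicated AuthenticationManager that consults only clients."""
    return authenticate(CLIENTS, name, secret)

def token_endpoint(client_id, client_secret, client_auth):
    """client_credentials grant: authenticate the client (HTTP Basic in the
    real flow), then issue a token with the registered client's authorities."""
    if client_auth(client_id, client_secret) is None:
        return None  # client authentication failed, no token
    registered = CLIENTS.get(client_id)
    if registered is None:
        return None  # authenticated, but not a registered client
    return {"client_id": client_id, "authorities": sorted(registered["authorities"])}

def colliding_identifiers(clients, users):
    """Precautionary check: identifiers present in both stores."""
    return sorted(set(clients) & set(users))

if __name__ == "__main__":
    # Vulnerable wiring: the user's password passes client authentication.
    print(token_endpoint("acme", "user-password", shared_manager))
    # Hardened wiring: the same request is rejected.
    print(token_endpoint("acme", "user-password", client_only_manager))
    print(colliding_identifiers(CLIENTS, USERS))
```

The colliding_identifiers check is the kind of audit worth running against real client and user stores while the configuration is being reviewed.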
