Spring Security, Session, & LDAP project lead
This post was authored by Vedran Pavić
On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR1 and Apple-SR7. These maintenance releases are based on Spring Session 2.1.2.RELEASE and 2.0.8.RELEASE, respectively, which bring a couple of bug fixes together with the usual dependency upgrades.
Complete details of these releases can be found in the following changelogs:
This post was authored by Vedran Pavić
On behalf of the community I’m pleased to announce the release of Spring Session 1.3.4.RELEASE. This maintenance release contains several bug fixes and performance improvements. You can find the complete details of the release in the changelog.
This post was authored by Vedran Pavić
On behalf of the community, I’m pleased to announce the general availability of Spring Session BOM Bean. This is the first release based on Spring Session 2.1 and can be easily consumed with freshly released Spring Boot 2.1. Please read on for the highlights of the release.
HttpSession integrationSame-Site Cookie is another mechanism that helps developers to protect from Cross-Site Request Forgery. Our DefaultCookieSerializer has been enhanced to support adding SameSite attribute to session cookie produced by Spring Session. The SameSite attribute is enabled by default with value Lax and is customizable using DefaultCookieSerializer#setSameSite.
Note that the equivalent support for WebSession is present in the Spring WebFlux itself starting with Spring Framework 5.1.
On behalf of the community, I am pleased to announce that Spring Session Apple SR6 is released. The release includes Spring Session 2.0.8.RELEASE (changelog).
On behalf of the community, I am pleased to announce that Spring Security 5.1.1 (changelog) Spring Security 5.0.9 (changelog) and 4.2.9 (changelog) have been released. The releases primarily deliver bug fixes and dependency version updates along with some minor improvements. The releases will be found in the upcoming Spring Boot maintenance releases coming this week.
This post was authored by Vedran Pavić
On behalf of the community, I’m pleased to announce the release of Spring Session BOM Bean-RC1. This release is based on Spring Session 2.1.0.RC1 which resolves a total of 13 issues. Please read on for the highlights of the release.
This post was authored by Vedran Pavić
On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-M1 and Apple-SR4. Spring Boot users will be happy to learn that these release were picked up in recent 2.1.0.M1 and 2.0.4.RELEASE releases of Spring Boot, respectively.
Bean-M1The Bean-M1 is first milestone release that is based on Spring Session 2.1.0.M1.
The following table provides an overview of all the included modules and their respective versions:
| Module | Version |
|---|---|
Spring Session Core |
|
Spring Session Data GemFire |
|
Spring Session Data Geode |
|
Spring Session Data MongoDB |
|
Spring Session Data Redis |
|
Spring Session Hazelcast |
|
Spring Session JDBC |
|
2.1.0.M1The 2.1.0.M1 is the first milestone release in 2.1.x lifecycle. Highlights of this release are support for Same-Site Cookie, which is another mechanism that helps developers to protect from Cross-Site Request Forgery, and support for HttpSessionBindingListener. The release also includes the usual dependency upgrades, including picking up Spring Framework 5.1.0.RC1 as a baseline. You can find the complete details of the release in the changelog.
With Maven:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-bom</artifactId>
<version>Bean-M1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
...
</dependencies>With Gradle:
plugins {
id 'io.spring.dependency-management' version '1.0.6.RELEASE'
}
dependencyManagement {
imports {
mavenBom 'org.springframework.session:spring-session-bom:Bean-M1'
}
}
dependencies {
compile 'org.springframework.session:spring-session-data-redis'
...
}On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.M2. This release comes with 100+ tickets closed.
As always we look forward to hearing your feedback! You can find the highlights below:
Basic support for OAuth2 Resource Servers has been added. See oauth2resourceserver
User’s can now obtain an access token using the OAuth 2.0 Authorization Code grant. See the authcodegrant sample.
There is now built in support for OAuth2 and WebClient support. The support allows:
Adding the access token to the request
Automatic refreshing of the access token when it expires
Resolving the access token to use
For example, in a Servlet environment you can configure a Bean like this:
@Bean
WebClient webClient(OAuth2AuthorizedClientRepository repository) {
ServletOAuth2AuthorizedClientExchangeFilterFunction filter =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(repository);
return WebClient.builder()
.filter(new OAuth2AuthorizedClientExchangeFilterFunction())
.apply(filter.oauth2Configuration())
.build();
}Now you can add the OAuth token in a number of different ways. If you want you can resolve the OAuth2AuthorizedClient using the Spring MVC support. If the authorization server returned a refresh token and the access token is about to expire, Spring Security will transparently update the access token and submit the updated access token instead.
@GetMapping("/users")
Mono<String> users(@RegisteredOAuth2AuthorizedClient("client-id")
OAuth2AuthorizedClient authorizedClient) {
return this.webClient.get()
.uri("https://api.example.com/user")
.attributes(oauth2AuthorizedClient(authorizedClient))
.retrieve()
.bodyToMono(String.class);
}You can also resolve the access token through the WebClient. Fore example:
Mono<String> users() {
return this.webClient.get()
.uri("https://api.example.com/user")
.attributes(clientRegistrationId("client-id"))
.retrieve()
.bodyToMono(String.class);
}If you authenticated using OAuth2 Log In or OIDC, then a default access token can be applied with no user interaction.
Mono<String> users() {
// if Authenticated with OIDC
// OAuth2 Log In use the access token associated to log in
return this.webClient.get()
.uri("https://api.example.com/user")
.retrieve()
.bodyToMono(String.class);
}This post was authored by Vedran Pavić
On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR3. This release includes an update of Spring Session core modules (which include Data Redis, Hazelcast and JDBC) to 2.0.4.RELEASE.
The following table provides an overview of all the included modules and their respective versions:
| Module | Version |
|---|---|
Spring Session Core |
|
Spring Session Data GemFire |
|
Spring Session Data Geode |
|
Spring Session Data MongoDB |
|
Spring Session Data Redis |
|
Spring Session Hazelcast |
|
Spring Session JDBC |
|