Spring Team
Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Session Bean-M1 and Apple-SR4 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-M1 and Apple-SR4. Spring Boot users will be happy to learn that these releases were picked up in the recent 2.1.0.M1 and 2.0.4.RELEASE releases of Spring Boot, respectively.

Spring Session Bean-M1

Bean-M1 is the first milestone release of the BOM, and it is based on Spring Session 2.1.0.M1.

The following table provides an overview of all the included modules and their respective versions:

Module                        Version
Spring Session Core           2.1.0.M1
Spring Session Data GemFire   2.0.3.RELEASE
Spring Session Data Geode     2.0.3.RELEASE
Spring Session Data MongoDB   2.0.2.RELEASE
Spring Session Data Redis     2.1.0.M1
Spring Session Hazelcast      2.1.0.M1
Spring Session JDBC           2.1.0.M1

Spring Session 2.1.0.M1

2.1.0.M1 is the first milestone release in the 2.1.x lifecycle. Highlights of this release are support for the SameSite cookie attribute, another mechanism that helps developers protect against Cross-Site Request Forgery, and support for HttpSessionBindingListener. The release also includes the usual dependency upgrades, including picking up Spring Framework 5.1.0.RC1 as a baseline. You can find the complete details of the release in the changelog.
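As an added illustration (not code from the post or the Spring Session project), this is how an application on Spring Session 2.1.0.M1 would opt into the new SameSite attribute on its session cookie by overriding the CookieSerializer bean. It assumes the Redis-backed session store; the class name SessionCookieConfig is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
@EnableRedisHttpSession
public class SessionCookieConfig {

    // Declaring a CookieSerializer bean replaces the one Spring Session registers by default,
    // so the attributes below apply to the SESSION cookie written on every response.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");

        // Lax: the browser withholds the session cookie on cross-site POST/PUT/DELETE
        // requests (the classic CSRF vector) but still sends it on top-level GET
        // navigations, so ordinary links into the application keep working.
        // "Strict" also withholds it on those navigations; choose it only if users
        // never arrive via links from other sites.
        serializer.setSameSite("Lax");

        // Keep the existing defence-in-depth attributes: the cookie is not readable
        // from script and is only sent over TLS.
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);
        return serializer;
    }
}
```

SameSite is enforced by the browser, so it complements rather than replaces Spring Security's CSRF token protection; keep both enabled.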

Using the BOM

With Maven:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-bom</artifactId>
			<version>Bean-M1</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>
<dependencies>
	<dependency>
		<groupId>org.springframework.session</groupId>
		<artifactId>spring-session-data-redis</artifactId>
	</dependency>
	...
</dependencies>

With Gradle:

plugins {
	id 'io.spring.dependency-management' version '1.0.6.RELEASE'
}

dependencyManagement {
	imports {
		mavenBom 'org.springframework.session:spring-session-bom:Bean-M1'
	}
}

dependencies {
	compile 'org.springframework.session:spring-session-data-redis'
	...
}
Read more...

Spring Security 5.1.0.M2 Released

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.M2. This release comes with 100+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

OAuth2

OAuth2 Resource Server

Basic support for OAuth2 Resource Servers has been added. See the oauth2resourceserver sample.

Authorization Code Flow

Users can now obtain an access token using the OAuth 2.0 Authorization Code grant. See the authcodegrant sample.

WebClient and OAuth2 Support

There is now built-in OAuth2 support for WebClient. The support allows:

  • Adding the access token to the request

  • Automatic refreshing of the access token when it expires

  • Resolving the access token to use

For example, in a Servlet environment you can configure a Bean like this:

@Bean
WebClient webClient(OAuth2AuthorizedClientRepository repository) {
    ServletOAuth2AuthorizedClientExchangeFilterFunction filter =
        new ServletOAuth2AuthorizedClientExchangeFilterFunction(repository);
    return WebClient.builder()
        .filter(new OAuth2AuthorizedClientExchangeFilterFunction())
        .apply(filter.oauth2Configuration())
        .build();
}

Now you can add the OAuth token in a number of different ways. If you prefer, you can resolve the OAuth2AuthorizedClient using the Spring MVC argument resolver support. If the authorization server returned a refresh token and the access token is about to expire, Spring Security will transparently refresh the access token and submit the updated access token instead.

@GetMapping("/users")
Mono<String> users(@RegisteredOAuth2AuthorizedClient("client-id")
        OAuth2AuthorizedClient authorizedClient) {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .attributes(oauth2AuthorizedClient(authorizedClient))
        .retrieve()
        .bodyToMono(String.class);
}

You can also resolve the access token through the WebClient. For example:

Mono<String> users() {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .attributes(clientRegistrationId("client-id"))
        .retrieve()
        .bodyToMono(String.class);
}

If you authenticated using OAuth2 Log In or OIDC, then a default access token can be applied with no user interaction.

Mono<String> users() {
    // If the current user authenticated with OIDC or OAuth2 Log In,
    // the access token associated with that log in is used automatically
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .retrieve()
        .bodyToMono(String.class);
}
Read more...

Spring Session Apple SR3 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR3. This release includes an update of Spring Session core modules (which include Data Redis, Hazelcast and JDBC) to 2.0.4.RELEASE.

The following table provides an overview of all the included modules and their respective versions:

Module                        Version
Spring Session Core           2.0.4.RELEASE
Spring Session Data GemFire   2.0.2.RELEASE
Spring Session Data Geode     2.0.2.RELEASE
Spring Session Data MongoDB   2.0.2.RELEASE
Spring Session Data Redis     2.0.4.RELEASE
Spring Session Hazelcast      2.0.4.RELEASE
Spring Session JDBC           2.0.4.RELEASE

Read more...

Spring Security 5.1.0.M1 Released

On behalf of the community I’m pleased to announce the release of Spring Security 5.1.0.M1. This release resolves over 80 tickets. The highlights can be seen below:

  • Spring Security OAuth2 Client Support for WebFlux. See the sample for how to use it.

  • Numerous other enhancements to WebFlux Support

  • Added OAuth2ClientArgumentResolver

  • Implementation of the Authorization Code Grant. See the sample for how to use it.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch, Joe @joe_grandja, or Josh @jzheaux on Twitter.

Read more...

Spring Session Apple SR2

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR2. This release includes an update to the core modules and adds support for Spring Session for Apache Geode. You can use the BOM as follows.

With Maven:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-bom</artifactId>
			<version>Apple-SR2</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>
<dependencies>
	<dependency>
		<groupId>org.springframework.session</groupId>
		<artifactId>spring-session-data-redis</artifactId>
	</dependency>
	...
</dependencies>
Read more...

Spring Security SAML Roadmap

The Spring Security SAML project has been an integral part of the Spring ecosystem since its inception nearly 9 years ago. This critically important project was born through the incredible effort and contributions of Vladimír Schäfer. I’d like to take the time to personally thank Vladimír and our fantastic community for their tireless work. Without all of their efforts, this project would not be what it is today.

Vladimír, our amazing community, and the Spring engineering team are planning to team up to enhance Spring Security SAML to achieve the following primary goals:

Read more...

Spring Security SAML and this week's SAML Vulnerability

This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML’s defaults, you are not impacted by this vulnerability.

The underlying implementation that Spring Security SAML uses is Shibboleth’s OpenSAML Java library. The OpenSAML Java implementation was not listed in the libraries that contain the vulnerability (Shibboleth openSAML C++ was vulnerable). However, if the ParserPool has been customized, you may be impacted.

Read more...

Spring Session Apple SR1 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR1. With the changes to the Spring Session modules described in the 2.0.0.RELEASE announcement, the addition of a bill of materials (BOM) module was a logical next step.

Note: The originally released Apple-RELEASE contained a glitch in the published BOM, so make sure you use Apple-SR1.

The BOM provides dependency management for Spring Session core modules (which include Data Redis, Hazelcast and JDBC) and Spring Session Data MongoDB. The following table provides an overview of all the included modules and their respective versions:

Read more...