The Spring Security SAML project has been an integral part of the Spring ecosystem since its inception nearly 9 years ago. This critically important project was born through the incredible effort and contributions of Vladimír Schäfer. I’d like to take the time to personally thank Vladimír and our fantastic community for their tireless work. Without all of their efforts, this project would not be what it is today.

Vladimír, our amazing community, and the Spring engineering team are planning to team up to enhance Spring Security SAML to achieve the following primary goals:

This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML’s defaults, you are not impacted by this vulnerability.

The underlying implementation that Spring Security SAML uses is Shibboleth’s OpenSAML Java library. The OpenSAML Java implementation was not listed in the libraries that contain the vulnerability (Shibboleth openSAML C++ was vulnerable). However, if the ParserPool has been customized, you may be impacted.

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR1. With the changes to Spring Session modules described in 2.0.0.RELEASE announcement, the addition of bill of materials (BOM) module was a logical next step.

The BOM provides dependency management for Spring Session core modules (which include Data Redis, Hazelcast and JDBC) and Spring Session Data MongoDB. The following table provides an overview of all the included modules and their respective versions:

I’m pleased to announce the release of Spring Security 5.0.3.

The main purpose of this release is to provide a significant performance improvement for Spring Security WebFlux. It also contains dependency updates to prepare for Spring Boot 2.0.0.RELEASE. For a complete list of changes, refer to the changelog.

Project Site | Reference | Help

I’m pleased to announce the release of Spring Security 5.0.2. This release fixes a number of bugs and updates to dependency versions to align with Spring Boot’s upcoming release. It also includes some changes to work with Jackson 2.9.4. For a complete list of changes, refer to the changelog.

Project Site | Reference | Help

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 1.3.2.RELEASE. This maintenance release contains numerous bug fixes and improvements.

Some of the highlights include:

You can find the complete details of the release in the changelog.

We have released Spring Security 5.0.1, 4.2.4, and 4.1.5 to address CVE-2018-1199: Security bypass with static resources Users are encouraged to update immediately.

One of the changes introduced for this CVE was setting StrictHttpFirewall as the default HttpFirewall. User’s can refer to the Javadoc and reference for additional information on how to configure it.

Project Site | Reference | Help

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.1.RELEASE. This maintenance release is focused primarily on addressing a classloading related regression when using a Redis backed session store in combination with Spring Boot’s DevTools.

You can find the complete details of the release in the changelog.

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping Rob @rob_winch, Joe @joe_grandja, or me @vedran_pavic on Twitter.

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.RELEASE. This release evolved through 2.0.0.M1, 2.0.0.M2, 2.0.0.M3, 2.0.0.M4, 2.0.0.M5, 2.0.0.RC1, 2.0.0.RC2 and 2.0.0.RELEASE, closing over 130 issues and pull requests in total.

You can find highlights of what’s new in the What’s New 2.0 section of the reference. For details refer to the changelog links above.

On behalf of the community, I’m pleased to announce the release of Spring Security SAML 1.0.3.RELEASE which makes some minor changes to work with Spring Framework 5.0.0+ while keeping backward compatibility.

Project Site | Documentation | Changelog