Home
Projects
Guides
Blog
Training & Certification
Spring Team
Rob Winch

Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Session Bean-SR2, Apple-SR8, and 1.3.5 Released
Releases

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR2 (based on Spring Session 2.1.3.RELEASE), Apple-SR8 (based on 2.0.9.RELEASE), and 1.3.5.RELEASE. These maintenance releases bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:

Project Page | Documentation | Issues | Gitter | Stack Overflow

Read more...

Spring Session Bean-SR1 and Apple-SR7 Released
Releases

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR1 and Apple-SR7. These maintenance releases are based on Spring Session 2.1.2.RELEASE and 2.0.8.RELEASE, respectively, which bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:

Project Page | Documentation | Issues | Gitter | Stack Overflow

Read more...

Spring Session Bean GA Released
Releases

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the general availability of Spring Session BOM Bean. This is the first release based on Spring Session 2.1 and can be easily consumed with freshly released Spring Boot 2.1. Please read on for the highlights of the release.

Same-Site Cookie is another mechanism that helps developers to protect from Cross-Site Request Forgery. Our DefaultCookieSerializer has been enhanced to support adding SameSite attribute to session cookie produced by Spring Session. The SameSite attribute is enabled by default with value Lax and is customizable using DefaultCookieSerializer#setSameSite.

Note that the equivalent support for WebSession is present in the Spring WebFlux itself starting with Spring Framework 5.1.

Read more...

Spring Session BOM Bean-RC1 Released
Releases

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the release of Spring Session BOM Bean-RC1. This release is based on Spring Session 2.1.0.RC1 which resolves a total of 13 issues. Please read on for the highlights of the release.

Support for Java 11

Spring Session now supports Java 11, while the required version of course stays at Java 8. Our CI pipeline has been enhanced so that the project is now continuously verified against Java 8, 10 and 11.

Dependency Upgrades

Spring Session 2.1.0.RC1 builds on the following latest and greatest releases of key dependencies:

  • Spring Framework 5.1.0.RELEASE

  • Spring Data Lovelace-RELEASE

  • Spring Security 5.1.0.RELEASE

  • Project Reactor Californium-RELEASE

  • Hazelcast 3.10.5

Read more...

Spring Session Bean-M1 and Apple-SR4 Released
Releases

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-M1 and Apple-SR4. Spring Boot users will be happy to learn that these release were picked up in recent 2.1.0.M1 and 2.0.4.RELEASE releases of Spring Boot, respectively.

Spring Session Bean-M1

The Bean-M1 is first milestone release that is based on Spring Session 2.1.0.M1.

The following table provides an overview of all the included modules and their respective versions:

Module Version

Spring Session Core

2.1.0.M1

Spring Session Data GemFire

2.0.3.RELEASE

Spring Session Data Geode

2.0.3.RELEASE

Spring Session Data MongoDB

2.0.2.RELEASE

Spring Session Data Redis

2.1.0.M1

Spring Session Hazelcast

2.1.0.M1

Spring Session JDBC

2.1.0.M1

Spring Session 2.1.0.M1

The 2.1.0.M1 is the first milestone release in 2.1.x lifecycle. Highlights of this release are support for Same-Site Cookie, which is another mechanism that helps developers to protect from Cross-Site Request Forgery, and support for HttpSessionBindingListener. The release also includes the usual dependency upgrades, including picking up Spring Framework 5.1.0.RC1 as a baseline. You can find the complete details of the release in the changelog.

Using the BOM

With Maven:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-bom</artifactId>
			<version>Bean-M1</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>
<dependencies>
	<dependency>
		<groupId>org.springframework.session</groupId>
		<artifactId>spring-session-data-redis</artifactId>
	</dependency>
	...
</dependencies>

With Gradle:

plugins {
	id 'io.spring.dependency-management' version '1.0.6.RELEASE'
}

dependencyManagement {
	imports {
		mavenBom 'org.springframework.session:spring-session-bom:Bean-M1'
	}
}

dependencies {
	compile 'org.springframework.session:spring-session-data-redis'
	...
}
Read more...

Spring Security 5.1.0.M2 Released
Releases

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.M2. This release comes with 100+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

OAuth2

OAuth2 Resource Server

Basic support for OAuth2 Resource Servers has been added. See oauth2resourceserver

Authorization Code Flow

User’s can now obtain an access token using the OAuth 2.0 Authorization Code grant. See the authcodegrant sample.

WebClient and OAuth2 Support

There is now built in support for OAuth2 and WebClient support. The support allows:

  • Adding the access token to the request

  • Automatic refreshing of the access token when it expires

  • Resolving the access token to use

For example, in a Servlet environment you can configure a Bean like this:

@Bean
WebClient webClient(OAuth2AuthorizedClientRepository repository) {
    ServletOAuth2AuthorizedClientExchangeFilterFunction filter =
        new ServletOAuth2AuthorizedClientExchangeFilterFunction(repository);
    return WebClient.builder()
        .filter(new OAuth2AuthorizedClientExchangeFilterFunction())
        .apply(filter.oauth2Configuration())
        .build();
 }

Now you can add the OAuth token in a number of different ways. If you want you can resolve the OAuth2AuthorizedClient using the Spring MVC support. If the authorization server returned a refresh token and the access token is about to expire, Spring Security will transparently update the access token and submit the updated access token instead.

@GetMapping("/users")
Mono<String> users(@RegisteredOAuth2AuthorizedClient("client-id")
        OAuth2AuthorizedClient authorizedClient) {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .attributes(oauth2AuthorizedClient(authorizedClient))
        .retrieve()
        .bodyToMono(String.class);
}

You can also resolve the access token through the WebClient. Fore example:

Mono<String> users() {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .attributes(clientRegistrationId("client-id"))
        .retrieve()
        .bodyToMono(String.class);
}

If you authenticated using OAuth2 Log In or OIDC, then a default access token can be applied with no user interaction.

Mono<String> users() {
    // if Authenticated with OIDC
    // OAuth2 Log In use the access token associated to log in
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .retrieve()
        .bodyToMono(String.class);
}
Read more...