Note: the source code and test for this blog continue to evolve, but the changes to the text are not being maintained here. Please see the tutorial version for the most up to date content.

In this article we continue our discussion of how to use Spring Security with Angular JS in a "single page application". Here we start by breaking out the "greeting" resource that we are using as the dynamic content in our application into a separate server, first as an unprotected resource, and then protected by an opaque token. This is the third in a series of articles, and you can catch up on the basic building blocks of the application or build it from scratch by reading the first article, or you can just go straight to the source code in Github, which is in two parts: one where the …

Note: the source code and test for this blog continue to evolve, but the changes to the text are not being maintained here. Please see the tutorial version for the most up to date content.

In this article we show some nice features of Spring Security, Spring Boot and Angular JS working together to provide a pleasant and secure user experience. It should be accessible to beginners with Spring and Angular JS, but there also is plenty of detail that will be of use to experts in either. This is actually the first in a series of articles on Spring Security and Angular JS, with new features exposed in each one successively. We'll improve on the application in the second and subsequent installments…

Note: the source code and test for this blog continue to evolve, but the changes to the text are not being maintained here. Please see the tutorial version for the most up to date content.

In this article we continue our discussion of how to use Spring Security with Angular JS in a "single page application". Here we show how to use Angular JS to authenticate a user via a form and fetch a secure resource to render in the UI. This is the second in a series of articles, and you can catch up on the basic building blocks of the application or build it from scratch by reading the first article, or you can just go straight to the source code in Github. In the first article we built a simple application that used HTTP Basic authentication to protect the backend resources. In this one we add a login form, give the user some control over whether to authenticate or not, and fix the issues with the…

Another cheerful holiday message from the Spring team: Spring Cloud 1.0.0.RC1 is now available in the http://repo.spring.io Maven repository. There are plenty of new features including

• Support for Hystrix metrics aggregation via an annotation @EnableTurbine and @EnableTurbineAmqp (for an AMQP-based collector)

• A rehaul of the Ribbon configuration making it more friendly for Spring users. You can now configure each Ribbon client in its own ApplicationContext using @RibbonClient and override various bits, like the LoadBalancer, or the ServerListFilter, by providing @Bean definitions.

• DiscoveryHealthIndicator is now a composite that users can add information to by declaring @Beans of type DiscoveryHealthIndicator.

• Discovery is now abstracted away from Eureka into a new spring-cloud-commons library, and enabled via new annotations like @EnableDiscoveryClient (instead of the old @EnableEurekaClient). The same pattern also applies to circuit breakers

  …

Spring Security OAuth 2.0.5.RELEASE is available now in all the usual Maven repositories. This is a bugfix release but nothing critical. We recommend upgrading if you are having trouble with customizing the Java config, since most of the issues resolved relate to that (for instance it is much easier to customize the password encoder for client secrets). There is a small breaking change for anyone using the AuthorizationServerEndpointsConfigurer directly to configure a ClientDetailsService (it doesn't work that way, so you would be failing to configure it anyway).

For a range of samples using and displaying all the features of Spring Security OAuth please look in the github project (e.g. at the integration tests or the samples…

Spring Cloud 1.0.0.M3 is available now in the repo.spring.io repository. The following projects all had a 1.0.0.M3 release:

• Spring Cloud Config: centralized key-value (or YAML) configuration management. Now supports the config server being fully embedded in another application.

• Spring Cloud Netflix. Also has better support for embeddability of the server components. Now also properly records load balancer statistics in Ribbon-enabled Spring RestTemplate.

• Spring Cloud for Amazon Web Services. Has new Spring Boot integration points, externalizing configuration for AWS metadata.

• Spring Cloud Security: super simple OAuth2 in a declarative style.

• Spring Cloud Bus: broadcasts framework-level events to Spring Cloud components. Big news here is that we now have a RabbitMQ-based aggregator for Hystrix metrics (based on Turbine 2), so you don't have to rely on having direct HTTP access to all service instances.

  …

Spring Security OAuth 2.0.4.RELEASE is available now in the usual repositories. It's a bug fix release, so upgrading is recommended, but there is also a small set of new features:

• The OAuth2Request (and hence OAuth2Authentication) can now be

queried explicitly to find the grant type for the associated token. If the token is being refreshed the grant type in the OAuth2Request presented to a TokenEnhancer is the original grant type, not "refresh_token".

• The client authorities are exposed in the "/check_token" endpoint

• Password grants are more flexible and open to extension because both client and server can add additional parameters to the request. A custom AuthenticationManager on the server side should still expect a UsernamePasswordAuthenticationToken, but the additional parameters will be available in the AuthenticationDetails. Multi-factor authentication for mobile devices could be implemented in this way, for instance.

• Keystore support for JWT token signing and verification.

…

If you are building microservices with Spring you will be interested to see that Spring Cloud 1.0.0.M2 hit the streets yesterday and today, and can now be found in the Spring repository. Visit the individual project pages links in the main umbrella page or look at their github repositories for detailed instructions about how to get started using the individual components. There is also a Reference Guide covering the core modules.

Since Spring Cloud is an umbrella project we have a "release train" of related updates to all the sub-projects (like with Spring Data). The 1.0.0.M2 release has updates to spring Cloud Config, Spring Cloud Netflix, Spring Cloud Bus, Spring Cloud Security and Spring Cloud CLI…

Spring Cloud (the new umbrella project announced in September) has reached a milestone, its first, and fresh jars are available in the repo.spring.io repository. Spring Cloud is going to follow a "release train" model for releases, a bit like Spring Data, but we haven't got a cool name for this one yet, so it's just 1.0.0.M1. The modules that are part of this release are

• Spring Cloud Config: Centralized external configuration management backed by a git repository. The configuration resources map directly to Spring Environment but could be used by non-Spring applications if desired.

• Spring Cloud Netflix: Integration with various Netflix OSS components (Eureka, Hystrix, Zuul, Archaius, etc.).

• Spring Cloud Bus: An event bus for linking services and service instances together with distributed messaging. Useful for propagating state changes across a cluster (e.g. config change events).

• Spring Cloud Security: A set of primitives for building secure applications and services with minimum fuss.

  …

Spring Security OAuth 2.0.3 is available now in all the usual Maven repositories. It's a bug fix release, nothing major, so upgrading from 2.0.x should be painless (and is recommended). Some people were having issues getting JWT tokens to work properly, and those should be fixed. The only noteworthy functional change is that Resource Servers (if configured with @Configuration) will now check the validity of the client and scopes before allowing access to protected resources. This means that client privileges can be revoked quickly, but may also lead to a performance penalty (so caching the …