Rob Winch

Rob Winch is employed by VMware as the project lead of the security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.

Recent Blog posts by Rob Winch

Check your Spring Security SAML config - XXE security issue

Engineering | August 24, 2016 | ...

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could read any file that the Spring application's process had access to, by sending a SAML message whose DOCTYPE declares an external entity and then referencing that entity in the message body.

The issue was a direct result of the OpenSAML advisory "OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks". The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability remains possible if users construct their own ParserPool without the hardening settings, which is exactly what the sample application did: overriding the parser configuration silently discards the safe defaults that the library ships with.

Note

We did not consider this a CVE because the exploit was only found in the sample application which is not considered production code. However, we expect that our users may have copied this code to create their own applications. For this reason, we wanted to be transparent and communicate the issue and…

Spring Security 4.1.2 Released

Releases | August 12, 2016 | ...

I’m pleased to announce the release of Spring Security 4.1.2.RELEASE which resolves some minor issues including fixes for the new MvcRequestMatcher.

For details refer to the changelog.

Contributions

Without the community we couldn’t be the successful project we are today. I’d like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe @joe_grandja on Twitter.

Of course, the best feedback comes in the form of contributions.

Spring Security 4.1.1 Released

Releases | July 07, 2016 | ...

I’m pleased to announce the release of Spring Security 4.1.1.RELEASE, which resolves over 50 issues. This release provides mitigation for CVE-2016-5007. It also contains many bug fixes and a few notable enhancements.

Contributions

Without the community we couldn’t be the successful…

Spring LDAP 2.1.0 Released

Releases | May 17, 2016 | ...

On behalf of the community, I'm pleased to announce the release of Spring LDAP 2.1.0.RELEASE. The highlights of this release include:

  • #380 - Support for Spring Data Hopper
  • #384 - Early support for Spring IO Platform 2.1
  • #351 - Support for commons-pool2
  • #370 - Support property placeholders in XML Namespace
  • #392 - Document Testing Support
  • Migrated from JIRA to GitHub Issues
  • Added Gitter Chat

For complete details of 2.1 refer to the changelog for 2.1.0.RC1 and 2.1.0.RELEASE.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe (our latest full time Spring Security team member) @joe_grandja

Spring Session 1.2.0 Released

Releases | May 12, 2016 | ...

On behalf of the community, I'm pleased to announce the release of Spring Session 1.2.0.RELEASE. This release evolved through 1.2.0.RC1, 1.2.0.RC2, 1.2.0.RC3, and 1.2.0.RELEASE, closing over 60 issues.

What’s New in Spring Session 1.2.0

You can find highlights of what's new in the What’s New in Spring Session 1.2.0 section of the reference. For details refer to the changelog links above.

Contributions

Without the community we couldn't be the successful project we are today. I'd like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe (our latest full time Spring Security team member) @joe_grandja

Spring Security 4.1.0 Released

Releases | May 05, 2016 | ...

On behalf of the community, I'm pleased to announce the release of Spring Security 4.1.0.RELEASE. This release evolved through 4.1.0.RC1, 4.1.0.RC2, and 4.1.0.RELEASE, closing nearly 200 tickets.

What’s New in Spring Security 4.1

You can find highlights of what's new in the What’s New in Spring Security 4.1 section of the reference. For details refer to the changelog links above.

Contributions

Without the community we couldn't be the successful project we are today. I'd like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe (our latest full time Spring Security team member) @joe_grandja

Spring Session 1.2.0 RC3 Released

Engineering | April 28, 2016 | ...

On behalf of the community, I'm pleased to announce the release of Spring Session 1.2.0.RC3. The release can be found in the Spring Milestone Repository (https://repo.spring.io/milestone/).

This release contains some fixes for the previous release.

Some highlights of the issues in this release include:

  • JDBC support persists session attributes in a separate table. This was in response to community feedback (thanks!)
  • Redis Session optimization
  • Preparations for improved Spring Boot auto configuration
  • Updated to Spring Data Hopper

See What's New in 1.2 for more details.

Our Community Support

Spring Security 4.1.0.RC2 Released

Releases | April 21, 2016 | ...

On behalf of the community, I'm pleased to announce the release of Spring Security 4.1.0.RC2. This release resolved over 60 tickets.

What's New in 4.1

You can find a good summary of What's New in Spring Security 4.1 in the reference documentation.

Contributions

Without the community we couldn't be the successful project we are today. I'd like to thank everyone that created issues & provided feedback. A special thanks to the following people who provided pull requests for this release:
