Rob Winch
Rob Winch is employed by VMware as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author for Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.
Spring LDAP 2.0.1 Released
I'm pleased to announce the release of Spring LDAP 2.0.1. This release can be found in Maven Central and contains a number of bug fixes including a fix to work with Spring Security 3.2. For additional details, please see the changelog.
Exploiting encrypted cookies for fun and profit
Introduction
Developers often misuse encryption in an attempt to provide authenticity. For example, a RESTful application may mistakenly embed the current user's identity in an encrypted cookie and then trust whatever identity comes back in that cookie.
The mistake is that encryption only provides confidentiality (it keeps a secret); it does not tell you that a message is genuine or unmodified. Verifying authenticity is the job of a signature or MAC. In this post, I will explain and provide an example of why encryption is not a guarantee of authenticity.
If you just want to see code, feel free to skip to the end which has a sample Java application that demonstrates the exploit.
Encrypted Cookies (whoops)
Assume we…
Spring LDAP 2.0.0.RELEASE Released
I'm pleased to announce that Spring LDAP 2.0.0.RELEASE is now available from Maven Central and Bintray. A special thanks to Mattias Arthursson for all the work he put into this release!
Refer to What's new in Spring LDAP 2.0 for the full details of this release. A list of changes can be found within JIRA's change logs. Highlights include:
- Spring Data Repository and QueryDSL support is now included in Spring LDAP.
- Fluent LDAP query support has been added.
- A custom XML namespace is now provided to simplify configuration of Spring LDAP.
- Spring LDAP core has been updated with Java 5 features such as generics and varargs.
- The ODM (Object-Directory Mapping) functionality has been moved to core and there are new methods in LdapOperations/LdapTemplate that use this automatic translation to/from ODM-annotated classes. …
Spring Security 3.2.0.RELEASE Released
I am pleased to announce the release of Spring Security 3.2.0.RELEASE. You can view the highlights of this release within the What’s new in Spring Security 3.2 section of the reference. A list of changes since 3.1.x and since the last release can be found within JIRA's change logs.
To learn more about Spring Security 3.2, I'd like to encourage you to view the new Spring Security guides and to attend the free Spring Security 3.2 Webinar on January 16th.
Please consider helping us spread the word on Twitter, ask questions on Stackoverflow with the spring-security tag and log any issues to the Spring Security JIRA…
Spring Security 3.2.0.RC2 Released
Spring Security 3.2.0.RC2 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.
What's new?
The release resolves 80+ issues. Most of the issues for this release were fixing bugs, adding documentation, and converting our documentation to Asciidoctor.
Refer to the recently added What's new in Spring Security 3.2 to find all the highlights of this release. You will notice there are some nice features that have been added that I have not blogged about. Be sure to follow the links to see and links to…
Spring LDAP 2.0.0.M1 Released
I'm pleased to announce that Spring LDAP 2.0.0.M1 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.
What's New?
The release adds lots of new functionality! Some of the highlights can be found below:
- Spring Data Repository and QueryDSL support is now included in Spring LDAP.
- Fluent LDAP query support has been added.
- A custom XML namespace is now provided to simplify configuration of Spring LDAP.
- Spring LDAP core has been updated with Java 5 features such as generics and varargs.
- The ODM (Object-Directory Mapping) functionality has been moved to core and there are new methods in LdapOperations/LdapTemplate that use this automatic translation to/from ODM-annotated classes. …
Spring Security 3.2.0.RC1 Released
Spring Security 3.2.0.RC1 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.
This release includes tons of updates and fixes. The highlights include:
- Uses content negotiation to determine how to prompt the user for authentication when multiple authentication mechanisms (e.g. HTTP Basic and form login) are enabled
- AbstractSecurityWebApplicationInitializer allows registering Java Configuration directly
- A number of bugs fixed
Refer to Spring Security 3.2.0.RC1 preview for more details about this release.
SpringOne2GX
To learn about all the new features within Spring Security 3.2, attend my Getting Started with Spring Security 3.2 presentation at SpringOne2GX, September 9-12, 2013. If you haven't already gotten your tickets, do so now before it's too late!
Changelog | Download | Reference Manual | Guides | FAQ
Spring LDAP 1.3.2 Released
It is with great pleasure that I am announcing the release of Spring LDAP 1.3.2. This release contains lots of bug fixes and will provide a solid foundation for a Spring LDAP 2.0 release.
I'd like to thank Mattias Arthursson from 261 Consulting for all his hard work on this release.
Spring Security 3.2.0.RC1 Highlights: Security Headers
UPDATE
NOTE This blog post is no longer maintained. Refer to the Headers documentation for up to date information about Spring Security's Headers.
Original Article
This is my last post in a two-part series on Spring Security 3.2.0.RC1. My previous post discussed Spring Security's CSRF protection. In this post we will discuss how to use Spring Security to add various response headers to help secure your application.
Security Headers
Many of the new Spring Security features in 3.2.0.RC1 are implemented by adding headers to the response. The foundation for these features came from hard work by Marten Deinum. If the name sounds familiar, it may be because one of his 10K+ posts on the Spring Forums has helped you out.
If you are using XML configuration, you can add all of the default headers using Spring Security's `<headers />` element:

```xml
<http ...>
    ...
    <headers />
</http>
```
If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:
```java
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().disable()
            ...;
    }
}
```
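Whichever configuration style you use, the check worth running afterwards is whether the headers actually reach the client. The script below is an added example, not Spring Security code: it parses a raw HTTP response and reports which of the headers this post goes on to discuss are missing or malformed. The response it audits is constructed for the demo (it deliberately lacks HSTS); point `audit_response` at a reply captured from your own application instead. The only value checks are ones fixed by the headers' own specifications: `X-Content-Type-Options` has a single valid value, `nosniff`, and a `Strict-Transport-Security` header without `max-age` is ignored by browsers.

```python
"""Audit an HTTP response for the security headers discussed in the post.

Added example, not Spring Security code. SAMPLE_RESPONSE is constructed and
is not a capture from any real application.
"""
import re

SAMPLE_RESPONSE = (  # constructed: has Cache-Control and nosniff, lacks HSTS
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Return header names (lower-cased) -> values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: dict[str, str]) -> list[str]:
    """Findings for the headers the post covers; empty list means all good."""
    findings: list[str] = []

    if "cache-control" not in headers:
        findings.append("Cache-Control: missing")

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options: missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: unexpected value {xcto!r}")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    elif not re.search(r"max-age\s*=\s*\d+", hsts, re.IGNORECASE):
        findings.append("Strict-Transport-Security: no max-age directive")

    return findings


def audit_response(raw: str) -> list[str]:
    return audit(parse_headers(raw))


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE) or ["all expected headers present"]:
        print(finding)
```

Run it against responses for both an authenticated page and a static resource; HSTS in particular is only meaningful on responses served over HTTPS, so audit the TLS endpoint, not a plain-HTTP development port.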
The remainder of this post will discuss each of the default headers in more detail:
- Cache Control
- Content Type Options
- HTTP Strict Transport Security…