Rob Winch

Rob Winch is employed by VMware as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author for Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.

Recent Blog posts by Rob Winch

Spring Security 3.2.0.RC1 Highlights: CSRF Protection

Engineering | August 21, 2013 | ...

[callout title="Update"]

This blog post is no longer maintained. Refer to the CSRF documentation for up to date information about Spring Security and CSRF protection.

[/callout]

On Monday I announced the release of Spring Security 3.2.0.RC1. This is the first of a two part blog series going over the new features found in Spring Security 3.2.0.RC1.

In this first entry, I will go over Spring Security's CSRF support. In the next post, I will go over the various security headers that have been added.

CSRF Attacks

Spring Security has added protection against Cross Site Request Forgery (CSRF) attacks. Great, but what is a CSRF attack and how can Spring Security protect me against it? Let's take a look at a concrete example to get a better…

Spring Security 3.2.0.RC1 Released (08/2013)

Engineering | August 19, 2013 | ...

Spring Security 3.2.0.RC1 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.

This release includes tons of updates and fixes. The highlights include:

  • Polishing of Spring Security Java Configuration
  • Uses content negotiation to determine how to prompt the user for authentication when multiple authentication mechanisms (e.g. HTTP Basic and Form login) are enabled
  • AbstractSecurityWebApplicationInitializer allows registering Java Configuration directly
  • A number of bugs fixed
  • CSRF protection and automatic integration with Spring Web MVC JSP tags
  • Automatic cache control support
  • Defence against Clickjacking attacks
  • HTTP Strict Transport Security support to reduce Man in the Middle attacks
  • Samples include pom.xml so they can be imported as Maven projects
  • MediaTypeRequestMatcher for matching on requests with content negotiation
  • Over ten Java configuration samples have been integrated into the samples directory
  • Three new guides that walk users through samples and provide detailed instructions on how to do specific tasks. More of these guides will follow in coming releases

Refer to Spring Security 3.2.0.RC1 preview for more details about this release.

SpringOne2GX

To learn about all the new features within Spring Security 3.2, attend my Getting Started with Spring Security 3.2 presentation at SpringOne2GX, September 9-12, 2013. If you haven't already gotten your tickets, do so now before it's too late!

Changelog | Download | Reference Manual | Guides | FAQ

Spring Security Java Config Preview: Readability

Engineering | July 11, 2013 | ...

In this post, I will discuss how to make your Spring Security Java configuration more readable. The post is intended to elaborate on a point from Spring Security Java Config Preview: Web Security where I stated:

By formatting our Java configuration code it is much easier to read. It can be read similar to the XML namespace equivalent where "and()" represents optionally closing an XML element.

Indentation

The indentation of Spring Security's Java configuration really impacts its readability. In general, indentation like a bullet list should be preferred.

For a more concrete example, take a…

Spring Security Java Config Preview: OAuth

Engineering | July 05, 2013 | ...

This is the fourth post in my five part blog series that introduces Spring Security Java configuration. In this post, we will discuss how Spring Security Java configuration can be extended by walking through Spring Security OAuth Java configuration support.

Proof of Concept

While the Spring Security Java configuration works well for very basic configuration, it is just a proof of concept. We have not ensured that all the functionality available in the XML namespace is present within its Java configuration support. It was important to ensure that Spring Security's Java configuration would work…

Spring Security Java Config Preview: Method Security

Engineering | July 04, 2013 | ...

Update

Users should refer to the Spring Security Reference which contains more up to date information.

Original Blog Post

This is the third installment of a four part blog series. In my first post, I introduced Spring Security Java configuration and discussed some of the logistics of the project. In my previous post, we walked through a few examples of configuring web based security.

In this post, I will discuss how to configure method based security using Spring Security Java configuration. Like our previous post, we will start off with a very basic example and follow it up with an example…

Spring Security Java Config Preview: Web Security

Engineering | July 03, 2013 | ...

Update

Users should refer to the Spring Security Reference which contains more up to date information.

Original Blog Post

In my previous post, I introduced Spring Security Java configuration and discussed some of the logistics of the project. In this post, we will start off by walking through a very simple web security configuration. We will then spice things up a bit with configuration that has been customized some.

Hello Web Security

In this section we go through the most basic configuration for web based security. It can be broken into four steps:

Spring Security Java Config Preview: Introduction

Engineering | July 02, 2013 | ...

Yesterday I announced the release of Spring Security Java Configuration support and the release of Spring Security 3.2.0.M2 which contains Java Configuration support.

Spring Security's Java Configuration support is intended to provide a complete replacement of the XML namespace configuration. It is also designed to be extensible, so that Spring Security's extension projects can work nicely with the Java Configuration support.

In this first post of a five part Spring Security Java Configuration blog series, I discuss the logistics of the Spring Security Java Configuration project.

[callout title="Required Versions"]Regardless of how you decide to integrate with Spring Security, it is important to ensure you are using Spring 3.2.3.RELEASE+ to ensure that you avoid SPR-10546.[/callout]

Availability

Before we get started, I'd like to talk about the two modules in which Spring Security's Java Configuration can be found.

Availability in Spring Security 3.2.0.M2+

Spring Security Java Configuration has been copied into the Spring Security 3.2.0.M2+ code base. This means if you are using Spring Security 3.2.0.M2+ you should ensure you have the spring-security-config jar on your classpath. For example, you might have the following…

Spring Security 3.2.0.M2 Released

Releases | July 01, 2013 | ...

The second milestone release toward Spring Security 3.2 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.

I'd like to extend a special thanks to all those that contributed to this release by submitting bugs, pull requests, and feedback.

The highlights of this release include:

  • Spring Security Java Configuration Support
  • SEC-2111 resolves an issue with Async support when a timeout occurs and the same Thread handles both the original request and the timeout.
  • Added support for configuring the remember-me parameter via the XML namespace. Special thanks to Oliver Becker for submitting a pull request for this feature!
  • SEC-2002 Added SessionFixationProtectionEvent. Special thanks to Nick Williams for submitting a pull request for this feature!
  • Improvements to the Embedded LDAP container

Stay tuned to the SpringSource Blog over the coming week for more information about Spring Security Java Configuration.

Changelog | Download | Reference Manual | FAQ

Spring Security Java Configuration 1.0.0.M1 Released

Releases | July 01, 2013 | ...

I'm pleased to announce the release of Spring Security Java Configuration as a stand-alone module. The milestone is compatible with Spring 3.2.3.RELEASE+ and Spring Security 3.1.4.RELEASE.

This code has been merged into the Spring Security 3.2.0.M2 release and will be maintained within the Spring Security code base going forward. We hope that by making the release available for stable versions of Spring and Spring Security it will encourage you to try it sooner and provide us feedback before the final release.

Stay tuned to the SpringSource blog for an article that walks you through how to use Spring Security Java Configuration. In the meantime, you can find out how to obtain spring-security-javaconfig, documentation, and samples at http://github.com/SpringSource/spring-security-javaconfig
