I'd like to congratulate Vladimír Schäfer on the release of Spring Security SAML 1.0.0.RC2. Please use the links below for additional details.

Site | Download | Reference | Javadoc

Last week I announced the release of Spring Security 3.2 M1 that contains improved Servlet 3 support. In this post, I will introduce some of the more exciting features found in the 3.2 M1 release. Specifically, we will take a look at the following new Spring Security features:

• Concurrency Support
• Servlet 3 API Integration
• Servlet 3 Async Support
• Spring MVC Async Integration

Concurrency Support

You might ask "What is concurrency support doing in a release that has a Servlet 3 focused theme?" The reason is that the concurrency support provides a foundation for all the other features found in this release. While the concurrency support is used by the Servlet 3 integration, it can also serve as building blocks to support concurrency and Spring Security in any application. Let's take a look at Spring Security's concurrency support now.

DelegatingSecurityContextRunnable

One of the most fundamental building blocks within Spring Security's concurrency support is the DelegatingSecurityContextRunnable. It wraps a delegate Runnable in order to initialize the SecurityContextHolder with a specified SecurityContext for the delegate. It then invokes the delegate Runnable ensuring to clear the SecurityContextHolder afterwards. The DelegatingSecurityContextRunnable looks something like this:

public void run() {
  try {
    SecurityContextHolder.setContext(securityContext);
    delegate.run();
  } finally {
    SecurityContextHolder.clearContext();
  }
}

While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another. This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis. For example, you might have used Spring Security's <global-method-security> support to secure one of your services. You can now easily transfer the SecurityContext of the current Thread to the Thread that invokes the secured service. An example of how you might do this can be found below:

Runnable originalRunnable = new Runnable() {
  public void run() {
    // invoke secured service
  }
};

SecurityContext context = SecurityContextHolder.getContext();
DelegatingSecurityContextRunnable wrappedRunnable =
    new DelegatingSecurityContextRunnable(originalRunnable, context);

new Thread(wrappedRunnable).start();

The code above performs the following steps:

• Creates a Runnable that will be invoking our secured service. Notice that it is not aware of Spring Security
• Obtains the SecurityContext that we wish to use from the SecurityContextHolder and initializes the DelegatingSecurityContextRunnable
• Use the DelegatingSecurityContextRunnable to create a Thread
• Start the Thread we created

Since it is quite common to create a DelegatingSecurityContextRunnable with the SecurityContext from the SecurityContextHolder there is a shortcut constructor for it. The following code is the same as the code above:

Runnable originalRunnable = new Runnable() {
  public void run() {
    // invoke secured…

The first milestone release toward Spring Security 3.2 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.

The highlights of this release include:

• Concurency Support
• Servlet 3, Async Support
• Spring MVC Async Integration
• Servlet 3 API Integration
• New Servlet API Sample Application

Stay tuned to the SpringSource Blog over the coming week for information on what's new in 3.2.0.M1.

Changelog | Download | Reference Manual | FAQ

We're please to announce the relase of Spring Security 2.0.8, 3.0.8, and 3.1.3 which fixes CVE-2012-5055 and brings Spring Security's open bugs to 0. The releases are available from the Spring Community Downloads area and jars are available from Maven central repository. See the project website for more information.

A special thanks to Nicholas Goodwin (@NGoody) for disclosing the issue and keeping it private until a fix could be pushed out.

3.1.3: Changelog | Download | 3.1.3 Reference Manual | FAQ

3.0.8: Changelog | Download | Reference Manual

2.0.8: Changelog | Download | Reference Manual

We're pleased to an announce the GA release of Spring Security 3.1.2

The release is available from the Spring Community Downloads area and jars are available from Maven central repository. See the project website for more information.

Special thanks to Chris Beams for all his help and guidance with updating the Spring Security build to use the Spring release process.

Changelog | Download | Reference Manual | FAQ

We're pleased to an announce the GA release of Spring Security 3.1.1

The release is available from the Spring Community Downloads area and jars are available from Maven central repository. See the project website for more information.

Changelog | Download | Reference Manual | FAQ