Rob Winch

Rob Winch is employed by VMware as the project lead of the security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.

Recent Blog posts by Rob Winch

Announcing the Spring Authorization Server

Engineering | April 15, 2020 | ...

I am pleased to announce the Spring Authorization Server project. It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

A Foundation for Success

The story of how we got here is long, but the key takeaway is short and sweet: Spring would not be what it is without our amazing community.

Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects. Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry

Spring Session Corn-M4 Released

Releases | September 17, 2019 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M4. This release is picked up by Spring Boot 2.2.0.M6.

Spring Session Corn-M4

The Corn-M4 release is based on:

  • Spring Session core modules 2.2.0.M4

  • Spring Session Data Geode 2.2.0.M4

  • Spring Session Data MongoDB 2.2.0.RC2

Some of the highlights of Spring Session 2.2.0.M4 are:

  • support for customizing configuration of session repositories using new SessionRepositoryCustomizer/ReactiveSessionRepositoryCustomizer

  • support for configuring transactional behavior for JdbcOperationsSessionRepository

  • support for Spring Security’s AuthenticatedPrincipal in SpringSessionBackedSessionRegistry

Goodbye http://repo.spring (use https)

Engineering | September 16, 2019 | ...

In response to our nohttp announcement, Maven Central’s announcement, and JFrog’s announcement, beginning January 15 2020, Spring’s Maven Repository will no longer support HTTP. More concretely, http://repo.spring.io will not respond to requests. Users will need to ensure that they are using https://repo.spring.io

We are not going to redirect from http to https because it perpetuates the vulnerability. When the first request is made over http, a man in the middle (MITM) can intercept that plaintext request, suppress the redirect, and substitute a malicious payload for the response. Users that continue to use http will continue to…

Spring Session Corn-M3 and Bean-SR7 Released

Releases | August 06, 2019 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M3 and Bean-SR7. These releases will be picked up by Spring Boot 2.2.0.M5 and 2.1.8.RELEASE, respectively.

Spring Session Corn-M3

The Corn-M3 release is based on:

  • Spring Session core modules 2.2.0.M3

  • Spring Session Data Geode 2.2.0.M2

  • Spring Session Data MongoDB 2.2.0.RC1

Some of the highlights of Spring Session 2.2.0.M3 are:

  • support for save mode, which allows control over how session changes are tracked and saved to the session store

  • support for flush mode for JDBC-backed sessions

  • common strategy for resolving session indexes

Spring Session Corn-M2 and Spring Session Bean-SR6 Released

Releases | June 18, 2019 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M2 and Bean-SR6. These releases will be picked up by Spring Boot 2.2.0.M4 and 2.1.6.RELEASE, respectively.

Spring Session Corn-M2

The Corn-M2 release is based on:

  • Spring Session core modules 2.2.0.M2

  • Spring Session Data Geode 2.2.0.M2

  • Spring Session Data MongoDB 2.2.0.M3

Some of the highlights of Spring Session 2.2.0.M2 are:

  • simple Redis-based implementation of SessionRepository

  • reworked @Configuration classes are now compatible with proxyBeanMethods=false

  • migration of project’s tests to JUnit 5

  • simplified project structure

Announcing nohttp

Engineering | June 10, 2019 | ...

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.

Background

Today, Jonathan Leitschuh published a blog titled "Want to take over the Java ecosystem? All you need is a MITM!". The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to…
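The "find, replace, and prevent" idea behind nohttp, and the build-file check that the repo.spring.io post above implies (a build that still points at http://repo.spring.io stops resolving once the HTTP endpoint goes away), can be illustrated with a small scanner. nohttp itself is a Java project; the script below is an added example written for this page, not nohttp's code, and the allowlist patterns (loopback hosts and XML namespace URIs) and the two build-file snippets are assumptions constructed for the demonstration.

```python
"""Find http:// URLs in build files, rewrite them to https://, and fail a CI step if any remain.

Added example, not nohttp's implementation. The allowlist and the sample inputs are assumptions.
"""
import re
import sys
from typing import List, NamedTuple, Sequence

# Any http:// URL, ending at whitespace, a quote, an angle bracket or a closing paren.
HTTP_URL = re.compile(r"""http://[^\s"'<>)]+""")

# Assumed starter allowlist (not nohttp's own list): loopback traffic cannot be
# intercepted off the host, and XML namespace URIs are identifiers, not downloads.
DEFAULT_ALLOWLIST: Sequence[re.Pattern] = (
    re.compile(r"^http://localhost(?::\d+)?(?:/|$)"),
    re.compile(r"^http://127\.0\.0\.1(?::\d+)?(?:/|$)"),
    re.compile(r"^http://www\.w3\.org/"),
    re.compile(r"^http://maven\.apache\.org/POM/"),
)


class Finding(NamedTuple):
    line: int
    url: str


def is_allowed(url: str, allowlist: Sequence[re.Pattern] = DEFAULT_ALLOWLIST) -> bool:
    return any(p.search(url) for p in allowlist)


def find_http_urls(text: str, allowlist=DEFAULT_ALLOWLIST) -> List[Finding]:
    """Return every non-allowlisted http:// URL with its 1-based line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            if not is_allowed(m.group(0), allowlist):
                findings.append(Finding(lineno, m.group(0)))
    return findings


def replace_http_urls(text: str, allowlist=DEFAULT_ALLOWLIST):
    """Rewrite non-allowlisted http:// URLs to https://; return (new_text, count)."""
    count = 0

    def to_https(m):
        nonlocal count
        url = m.group(0)
        if is_allowed(url, allowlist):
            return url
        count += 1
        return "https://" + url[len("http://"):]

    return HTTP_URL.sub(to_https, text), count


def check_files(paths) -> int:
    """CI gate: print findings as path:line: url and return 1 if any were found."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in find_http_urls(fh.read()):
                print(f"{path}:{f.line}: {f.url}")
                status = 1
    return status


# Constructed sample inputs (assumptions, not real project files).
SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven { url "http://repo.spring.io/milestone" }
    maven { url "http://localhost:8081/artifactory/libs" }
}
"""

SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <repositories>
    <repository>
      <id>spring-milestones</id>
      <url>http://repo.spring.io/milestone</url>
    </repository>
  </repositories>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))  # e.g. python nohttp_check.py build.gradle pom.xml
    for name, text in (("build.gradle", SAMPLE_BUILD_GRADLE), ("pom.xml", SAMPLE_POM)):
        for f in find_http_urls(text):
            print(f"{name}:{f.line}: {f.url}")
        fixed, n = replace_http_urls(text)
        print(f"{name}: rewrote {n} URL(s)")
```

Run with file paths to use it as a failing CI step, or with no arguments to see it flag `http://repo.spring.io/milestone` in both snippets while leaving the loopback URL and the POM namespace declarations alone. The check is deliberately textual: it catches the URL before any client sends a plaintext request, which is the only point at which an interception can be prevented, since (as the repo.spring.io post notes) a server-side redirect arrives only after the attacker has already had the chance to answer the first request. It will not see URLs assembled at runtime or split across lines, so it complements rather than replaces a review of how a build actually resolves artifacts.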

Spring Session Bean-SR2, Apple-SR8, and 1.3.5 Released

Releases | January 15, 2019 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR2 (based on Spring Session 2.1.3.RELEASE), Apple-SR8 (based on 2.0.9.RELEASE), and 1.3.5.RELEASE. These maintenance releases bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:


Spring Session Bean-SR1 and Apple-SR7 Released

Releases | November 30, 2018 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR1 and Apple-SR7. These maintenance releases are based on Spring Session 2.1.2.RELEASE and 2.0.8.RELEASE, respectively, which bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:

