On behalf of the community I’m pleased to announce the release of Spring Securiity 5.1.0.M1. This release resolves over 80 tickets. The highlights can be seen below:

• Spring Security OAuth2 Client Support for WebFlux. See the sample for how to use it.

• Numerous other enhancements to WebFlux Support

• Added OAuth2ClientArgumentResolver

• Implementation of the Authorization Code Grant. See the sample for how to use it.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch , Joe @joe_grandja, or Josh @jzheaux…

I'm pleased to announce the release of Spring Security 4.2.6. The release primarily delivers bug fixes and dependency version updates along with some minor improvements.

For a complete list of changes, please refer to the 4.2.6 changelog.

Project Site | Reference | Help

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR2. This release includes an update to the core modules and adds support for Spring Session for Apache Geode. You can use the BOM

With Maven:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-bom</artifactId>
			<version>Apple-SR2</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>
<dependencies>
	<dependency>
		<groupId>org.springframework.session</groupId…

The Spring Security SAML project has been an integral part of the Spring ecosystem since its inception nearly 9 years ago. This critically important project was born through the incredible effort and contributions of Vladimír Schäfer. I’d like to take the time to personally thank Vladimír and our fantastic community for their tireless work. Without all of their efforts, this project would not be what it is today.

Vladimír, our amazing community, and the Spring engineering team are planning to team up to enhance Spring Security SAML to achieve the following primary goals:

• Ensuring all dependencies are up to date

• Ensure all Spring Security APIs do not expose any dependency APIs

• Graduate Spring Security SAML from an extension into Spring Security proper

…

This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML’s defaults, you are not impacted by this vulnerability.

The underlying implementation that Spring Security SAML uses is Shibboleth’s OpenSAML Java library. The OpenSAML Java implementation was not listed in the libraries that contain the vulnerability (Shibboleth openSAML C++ was vulnerable). However, if the ParserPool has been customized, you may be impacted.

NOT Safe Configurations

Specifically, if the application explicitly sets the BasicParserPool or the StaticBasicParserPool to have ignoreComments = false, it is vulnerable to the…

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR1. With the changes to Spring Session modules described in 2.0.0.RELEASE announcement, the addition of bill of materials (BOM) module was a logical next step.

Note

The originally released Apple-RELEASE contained a glitch in published BOM so make sure you use Apple-SR1.

The BOM provides dependency management for Spring Session core modules (which include Data Redis, Hazelcast and JDBC) and Spring Session Data MongoDB. The following table provides an overview of all…

I’m pleased to announce the release of Spring Security 5.0.3.

The main purpose of this release is to provide a significant performance improvement for Spring Security WebFlux. It also contains dependency updates to prepare for Spring Boot 2.0.0.RELEASE. For a complete list of changes, refer to the changelog.

Project Site | Reference | Help

I’m pleased to announce the release of Spring Security 5.0.2. This release fixes a number of bugs and updates to dependency versions to align with Spring Boot’s upcoming release. It also includes some changes to work with Jackson 2.9.4. For a complete list of changes, refer to the changelog.

Project Site | Reference | Help

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 1.3.2.RELEASE. This maintenance release contains numerous bug fixes and improvements.

Some of the highlights include:

• #951 - SessionRepositoryFilter#changeSessionId does not copy the previous maxInactiveInterval into the new session

• #983 - Optimize HazelcastSessionRepository write operations

• #984 - Improve session event handling

You can find the complete details of the release in the changelog.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping Rob @rob_winch, Joe @joe_grandja, or me @vedran_pavic…

We have released Spring Security 5.0.1, 4.2.4, and 4.1.5 to address CVE-2018-1199: Security bypass with static resources Users are encouraged to update immediately.

One of the changes introduced for this CVE was setting StrictHttpFirewall as the default HttpFirewall. User’s can refer to the Javadoc and reference for additional information on how to configure it.

Project Site | Reference | Help