Rob Winch

Rob Winch is employed by VMware as the project lead of the security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.

Recent Blog posts by Rob Winch

Spring Session 2.0.1 Released

Releases | January 25, 2018 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.1.RELEASE. This maintenance release is focused primarily on addressing a classloading-related regression when using a Redis-backed session store in combination with Spring Boot’s DevTools.

You can find the complete details of the release in the changelog.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping Rob @rob_winch, Joe @joe_grandja, or me @vedran_pavic on…

Spring Session 2.0.0 Released

Releases | January 16, 2018 | ...

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.RELEASE. This release evolved through 2.0.0.M1, 2.0.0.M2, 2.0.0.M3, 2.0.0.M4, 2.0.0.M5, 2.0.0.RC1, 2.0.0.RC2 and 2.0.0.RELEASE, closing over 130 issues and pull requests in total.

What’s New in Spring Session 2.0

You can find highlights of what’s new in the What’s New 2.0 section of the reference. For details refer to the changelog links above.

Requirements

This release moves to Java 8 and Spring Framework 5.0 as baseline requirements. The entire codebase is based on Java…

Spring Security 5.0.0.RELEASE Released

Releases | November 28, 2017 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0.RELEASE. This release resolves 400+ tickets. For highlights and details about the release, refer to the What’s New in Spring Security 5.0 section.

We hope to see you at SpringOne Platform next week. It will be packed with many Spring talks, opportunities to learn about the latest and greatest features and of course some previews about what we’re planning to do next.

Spring Security 5.0.0.RC1 Released

Releases | November 01, 2017 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0.RC1. This release resolves 150+ issues. Below are the highlights of this release:

ReactiveSecurityContextHolder

Previously, Spring Security used ServerWebExchange.getPrincipal() as the source of truth for who was authenticated. The authenticated user was copied to Reactor’s Context to support method security, which used the Reactor Context as its source of…

Spring Session 2.0.0.RC1 Released

Releases | November 01, 2017 | ...

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.RC1. This release puts the final touches on the preparation for 2.0.0.RELEASE. You can find the complete changelog on GitHub, with the highlights below:

  • #906 Simplified integration with the Servlet APIs. As part of this simplification, we have removed support for multiple sessions for a single user. We plan on looking into other ways to bring this feature back.

  • #907 Support for configuring Redis session cleanup cron

Spring Security 5.0.0 M5 Released

Releases | October 10, 2017 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0 M5. This release includes bug fixes & new features. The primary focus is being based off of Spring Framework 5.0.0.RELEASE, Reactor Bismuth-RELEASE, and Spring Data Kay-RELEASE.

This release also lays the foundation for Reactive and OAuth2 auto-configuration in Spring Boot 2.0.0.M5.

You can find complete details in the changelog.

Get Involved!

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe @joe_grandja.

Spring Security 5.0.0 M4 Released

Releases | September 15, 2017 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0 M4. This release includes bug fixes, new features, and is based off of Spring Framework 5.0.0 RC4. You can find complete details in the changelog. The highlights of the release include:

OAuth2 / OIDC

OAuth2 Login Java Config

There are a number of improvements to the HttpSecurity.oauth2Login() DSL.

You can now configure the Token Endpoint with a custom implementation of an AuthorizationGrantTokenExchanger or SecurityTokenRepository<AccessToken>, as follows:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
    .oauth2Login()
      .tokenEndpoint()
        .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger())
        .accessTokenRepository(this.accessTokenRepository());
}

We’ve also added the capability of customizing the request paths for the Authorization Endpoint and Redirection Endpoint:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
    .oauth2Login()
      .authorizationEndpoint()
        .requestMatcher(new AntPathRequestMatcher("/custom-path/{clientAlias}"))
        .and()
      .redirectionEndpoint()
        .requestMatcher(new AntPathRequestMatcher("/custom-path/callback/{clientAlias}"));
}

As with every AbstractAuthenticationProcessingFilter in Spring Security, you can also set a custom AuthenticationSuccessHandler and AuthenticationFailureHandler:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
    .oauth2Login()
      .successHandler(this.customAuthenticationSuccessHandler())
      .failureHandler(this.customAuthenticationFailureHandler());
}

Security Token Repository

We’ve introduced the SecurityTokenRepository<T extends SecurityToken> abstraction, which is responsible for the persistence of SecurityToken instances.

The initial implementation, InMemoryAccessTokenRepository, provides persistence of AccessToken instances. In an upcoming release we’ll also provide an implementation that supports the persistence of Refresh Tokens.

ID Token and Claims

A couple of minor improvements were introduced to the IdToken along with some final implementation details for JwtClaimAccessor, StandardClaimAccessor and IdTokenClaimAccessor, which provide convenient access to claims in their associated constructs, for example, Jwt, IdToken, UserInfo.

Authorization Request Improvements

We’ve added the capability for an AuthorizationRequestRepository to persist the Authorization Request to a Cookie. The current default implementation persists in the HttpSession, however, a custom implementation may be provided to persist to a Cookie instead.

Support was also added for URI variables configured in the redirect-uri for the AuthorizationCodeRequestRedirectFilter.

OAuth2 Client Properties

There were a couple of minor updates to the properties for configuring an OAuth 2.0 Client. The configuration below outlines the current structure. You will notice that there is support for configuring multiple clients, for example, google, github, okta, etc.

security:
  oauth2:
    client:
      google:
        client-id: your-app-client-id
        client-secret: your-app-client-secret
        client-authentication-method: basic
        authorization-grant-type: authorization_code
        redirect-uri: "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{clientAlias}"
        scope: openid, profile, email, address, phone
        authorization-uri: "https://accounts.google.com/o/oauth2/v2/auth"
        token-uri: "https://www.googleapis.com/oauth2/v4/token"
        user-info-uri: "https://www.googleapis.com/oauth2/v3/userinfo"
        user-name-attribute-name: "sub"
        jwk-set-uri: "https://www.googleapis.com/oauth2/v3/certs"
        client-name: Google
        client-alias: google
      github:
        ...
      okta:
        ...

A complete example for using the new Spring Security OAuth 2.0 / OpenID Connect 1.0 login feature can be found in the Spring Security samples at oauth2login. The guide will walk you through the steps for setting up the sample application for OAuth 2.0 login using an external OAuth 2.0 or OpenID Connect 1.0 Provider.

Reactive Security

Reactive Method Security

Spring Security’s Reactive support now includes method security by leveraging Reactor’s Context. The highlights are below, but you can find a complete example of it in action in samples/javaconfig/hellowebflux-method.

The first step is to use @EnableReactiveMethodSecurity to enable support for @PreAuthorize and @PostAuthorize annotations. This step ensures that the objects are properly proxied.

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {
  // ... bean definitions for the WebFlux security configuration go here
}

The next step is to create a service that is annotated with @PreAuthorize or @PostAuthorize. For example:

@PreAuthorize("hasRole('ADMIN')")
public Mono<String> findMessage() {
  // Only reached when the current user in the Reactor Context has ROLE_ADMIN
  return Mono.just("Hello World!");
}

Spring Security’s WebFlux support will then ensure that the Reactor Context will be populated with the current user which is used to determine if access is granted or denied.

Spring Security’s standard @WithMockUser and related annotations have been updated to work with Reactive Method Security. For example:

@RunWith(SpringRunner.class)
// ...
public class HelloWorldMessageServiceTests {
  @Autowired
  HelloWorldMessageService messages;

  @Test
  public void messagesWhenNotAuthenticatedThenDenied() {
    StepVerifier.create(this.messages.findMessage())
      .expectError(AccessDeniedException.class)
      .verify();
  }

  @Test
  @WithMockUser
  public void messagesWhenUserThenDenied() {
    StepVerifier.create(this.messages.findMessage())
      .expectError(AccessDeniedException.class)
      .verify();
  }

  @Test
  @WithMockUser(roles = "ADMIN")
  public void messagesWhenAdminThenOk() {
    StepVerifier.create(this.messages.findMessage())
      .expectNext("Hello World!")
      .verifyComplete();
  }
}

The test support also works nicely with WebTestClient. For example:

@RunWith(SpringRunner.class)
// ...
public class HelloWebfluxMethodApplicationTests {
  @Autowired
  ApplicationContext context;

  WebTestClient rest;

  @Before
  public void setup() {
    this.rest…

Spring Session 2.0.0 M4

Releases | September 15, 2017 | ...

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.M4. This release is focused primarily on refining WebFlux support. The highlights are:

Simplified WebFlux Configuration

Configuring Spring Session for WebFlux is simplified to be:

@Configuration
@EnableSpringWebSession
public class HelloWebfluxSessionConfig {

  @Bean
  public MapReactorSessionRepository reactorSessionRepository() {
    return new MapReactorSessionRepository(new ConcurrentHashMap<>());
  }
}

You can also switch the strategy for resolving session ids by simply adding a WebSessionIdResolver Bean. For example, to switch from resolving the session id from cookies to resolving it from headers, you can use Spring Framework’s new HeaderWebSessionIdResolver.
