Spring Session MongoDB 2.0.0.M3 released

Dear Spring Community,

Spring Session MongoDB 2.0.0.M3 is released. It is based on:

In this release, several new features have been added to simplify using it with your Spring WebFlux application.

public class SpringWebFluxConfig {


All you must do is apply the @EnableMongoWebSession to any of your Spring configuration classes to activate session support with MongoDB. Additionally, you must provide a ReactorMongoOperations Spring bean, but if you’re using Spring Boot’s spring-boot-starter-data-mongodb-reactive starter, this is already provided.


Spring Security 5.0.0 M4 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0 M4. This release includes bug fixes, new features, and is based off of Spring Framework 5.0.0 RC4. You can find complete details in the changelog. The highlights of the release include:


Spring Session 2.0.0 M4

On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.M4. This release is focused primarily on refining WebFlux support. The highlights are:

Simplified WebFlux Configuration

Configuring Spring Session for WebFlux is simplified to be:

public class HelloWebfluxSessionConfig {

  public MapReactorSessionRepository reactorSessionRepository() {
    return new MapReactorSessionRepository(new ConcurrentHashMap<>());

You can also switch the strategy for resolving session id’s by simply adding a WebSessionIdResolver Bean. For example, to switch from using cookies to resolve the session id to using headers, you can use Spring Framework’s new HeaderWebSessionIdResolver:

public HeaderWebSessionIdResolver webSessionIdResolver() {
  return new HeaderWebSessionIdResolver();

Spring Boot 2.0.0 M4 Available Now

Hot on the heels of the latest Spring Framework 5 release candidate, Spring Boot 2.0 M4 is now available from our milestone repository. This release closes 150 issues and pull requests and is a major step towards 2.0 GA. Thanks to all that contributed!

This milestone provides a host of minor tweaks and enhancements along with three major changes:

For a complete list of changes, and upgrade instructions, see the Spring Boot 2.0.0.M4 Release Notes on the WIKI. We are a bit behind with regards to updating the reference documentation, so please consider using the snapshot version which we’ll continue to update.


Security changes in Spring Boot 2.0 M4

Milestone 4 of Spring Boot 2.0 brings important changes to the security auto-configuration provided by Spring Boot.

Problem Statement

Until Spring Boot 1.x, the default auto-configuration secured all of the application endpoints using basic authentication. If actuator was on the classpath, there was a separate security configuration that applied to the actuator endpoints. The way these two auto-configurations would turn on and off was completely independent. Because of this, users wanting to provide custom security found themselves fighting ordering issues with WebSecurityConfigurerAdapters.