The Spring Blog

News and Events

CVE-2019-3799: Spring Cloud Config 2.1.2, 2.0.4, 1.4.6 Released

We have released Spring Cloud Config 2.1.2, 2.0.4, and 1.4.6 to address CVE-2019-3799: Directory Traversal with spring-cloud-config-server. Please review the information in the CVE report and upgrade immediately.

These fixes will be included in the next release of the respective Spring Cloud release train.

NOTE: To override the version in Maven, update the dependency to include the version, such as:


Spring Cloud Task 2.2.0.M1 is now available

We are pleased to announce that Spring Cloud Task 2.2.0.M1 is now available on Github and the Pivotal download repository. Many thanks to all of those who contributed to this release.

What’s New?

Spring Cloud Task 2.2.0.M1 is intended to be the version of the framework aligned with Spring Boot 2.2.0. Updates from 2.0.x include:

  • Update all dependencies.
  • Spring Cloud Task compiles and runs on Java 8, 9, 10, 11, 12.
  • Spring Cloud Task Reference documentation has been modernized.
  • Bug Fixes

What Else Is Going On?


Flight of the Flux 2 - Debugging Caveats

This blog post is the second in a series of posts that aim at providing a deeper look into Reactor’s more advanced concepts and inner workings.

It is derived from my Flight of the Flux talk, which content I found to be more adapted to a blog post format.

I’ll update the table below with links when the other posts are published, but here is the planned content:

  1. Assembly vs Subscription
  2. Debugging caveats (this post)
  3. Concurrent Agnostic
  4. Schedulers and publishOn vs subscribeOn
  5. Inner workings: work stealing
  6. Inner workings: operator fusion

Introducing Spring Cloud Circuit Breaker


When using a microservices architecture to build our applications, it is very common to end up with a pretty complex dependency tree amongst services. If the service down the dependency tree encounters an issue that causes it to start to respond slowly, it ends up causing a set of issues that cascade up the dependency tree. As more and more requests come in to the application, more and more resources may be consumed by waiting for the slow service to respond. Even worse, the additional load being put on the slow service may exacerbate the problem. To help alleviate the effect of these types of cascading failures, it is common practice to use circuit breakers as part of microservice applications.


Spring Security 5.2.0.M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:

OAuth 2.0

gh-6446 - Client Support for PKCE

PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.

gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection

Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.

gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)

With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.


Spring Boot 2.2 M2

On behalf of the team and everyone that contributed, I am pleased to announce that the second milestone of Spring Boot 2.2 has been released and is available from our milestone repository. This release closes almost 100 issues and pull requests.

Highlights of this milestone include:

  • Spring Framework 5.2.0.M1
  • @ConfigurationProperties scanning
  • Immutable @ConfigurationProperties binding
  • Initial RSocket Server Support
  • Lazy Initialization and performance improvements

For a complete list of changes and upgrade instructions, please see the Spring Boot 2.2 Release Notes on the wiki and the updated reference documentation.


This Week in Spring - April 16th, 2019

Hi Spring fans! What a week it’s been! When we last spoke I was in Capetown, South Africa or Johannesburg, South Africa. I’ve since been to Mauritius, back to Capetown, Serbia (for the amazing ITKonekt conference) and I’m now staring at the beautiful Bund river in beautiful Shanghai, China as I write this.

We’ve got a ton to get to this week, as usual, so let’s get to it.


Spring Session for Apache Geode & Pivotal GemFire 2.2.0.M1 Available

I am pleased to announce the release of Spring Session for Apache Geode & Pivotal GemFire (SSDG), 2.2.0.M1.

This release focuses on dependency updates to align with the rest of the Spring portfolio in their respective release lines, building on:

  • Spring Framework 5.2.0.M1

  • Spring Data Moore-M3

  • Spring Session 2.2.0.M1

  • And is targeted for use in Spring Boot 2.2.0.M1

SSDG 2.2.0.M1 bits are available in the Spring libs-milestone repository (here).

What’s Next

Some of the proposed and upcoming features in the SSDG 2.2 release line include:

  • Attached Sessions (option).

  • Stronger Consistency (option) using Map.replace(key, oldValue, newValue) for lightweight transactions supplanting the need for heavier, cache/local transactions.

  • Improvements in PDX Serialization support.

  • And much more…​


Spring Session for Apache Geode & Pivotal GemFire 2.0.9.RELEASE & 2.1.3.RELEASE Available

I am pleased to announce the release of Spring Session for Apache Geode & Pivotal GemFire (SSDG), 2.0.9.RELEASE and 2.1.3.RELEASE.

Both of these releases focus on dependency updates to align with the rest of the Spring portfolio in their respective release lines.

SSDG 2.0.9.RELEASE builds on:

  • Spring Framework 5.0.13.RELEASE

  • Spring Data Kay-SR14

  • Spring Session 2.0.10.RELEASE (Apple-SR9)

  • And is targeted for use in Spring Boot 2.0.9.RELEASE.

SSDG 2.1.3.RELEASE builds on:

  • Spring Framework 5.1.6.RELESE

  • Spring Data Lovelace-SR6

  • Spring Session 2.1.5.RELEASE (Bean-SR4)

  • And is targeted for use in Spring Boot 2.1.4.RELEASE