The Spring Blog

Engineering
Releases
News and Events

This Week in Spring - June 11th, 2019

Hi Spring fans! Can you believe it? We’re already almost halfway through June! Summer’s nearly here! It’s 97 Fahrenheit / 37 Celsius in San Francisco! That’s nuts! I’m glad I’m in beautiful Amsterdam and Eindhoven, NL, beating the heat, though. What a privilege. We’ve got a busy week, as always, to get to so let’s get to it!

Read more...

Announcing nohttp

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.

Background

Today, Jonathan Leitschuh published a blog titled Want to take over the Java ecosystem? All you need is a MITM!. The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.

Read more...

React-ing to start.spring.io + User feedback updates

We are happy to announce today that start.spring.io is now built using React/Gatsby as the front-end framework. We also made UI improvements based on your feedback. Thank you to all those who have contributed to this update and to all the users who continue to tell us how to improve!

React.js

During the previous Web UI modernization (launched on March 5th), we realized that making even small changes to the site had become more time consuming than we anticipated. The architecture was inhibiting our ability to run experiments and move quickly to make small, incremental changes.

Read more...

This Week in Spring - June 4, 2019

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I’m in…. I’m home! Look at that! I’m home for the epic SpringOne Tour San Francisco event. I’m super excited to be here in this amazing weather with an amazing community. It’s been a busy week though! Last week I returned from Spain for my kid’s graduation, and I am still so so proud. Tomorrow I fly to Cork, Ireland for the Cork JUG and then it’s off to London for a wedding. So, lot of travel, but a bit of a lighter load :-)

Read more...

Java CFEnv 1.1.0.M1 Released

Introduction

On behalf of the community I am happy to announce the release of Java CFEnv 1.1 M1.

This release brings in contributions from several teams

  • EMC Volume Service

  • Pivotal Single Sign-On Service

  • Pivotal Redis Service

Support for Volume Services is a new feature. Single Sign-On functionality has been improved to set Spring Security auto-configuration properties for Spring Security 5’s OAuth support. The Redis support has been improved to support auto-configuration of TLS.

The project README has more information.

A release candidate is going out next week, followed quickly by a GA release. Please try it out and give feedback on our github issues page.

Read more...

Introducing Spring Cloud App Broker

We recently announced the general availability of Spring Cloud Services 3.0, which involved a major redesign of the previous architecture used in that project. As detailed in the related blog post, Spring Cloud Services has moved to the latest versions of Spring Framework and Spring Boot, and is now built on a Reactive programming model and Spring WebFlux. Two key components of this redesign are offered as open source Spring Cloud projects.

The first project is Spring Cloud Open Service Broker. This project has been available for some time; however, the recent 3.0.0 release has itself been redesigned to incorporate a Reactive programming model and updated to support Spring WebFlux.

Read more...

CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed instructions on how to override the version.

Read more...