This Week in Spring - September 17, 2013

Engineering | Josh Long | September 17, 2013 | ...

This Week in Spring

Welcome back to another installment of This Week in Spring! I'm still reeling from last week. If you were there, you know what I mean, if not, then look forward to the videos coming out over the coming months. There's so much stuff to see.

For those of you who were at the show and sought me out because of This Week in Spring, it was really great to meet you all!

The world keeps on spinning of course, so let's look at some of what's happened this last week.

  1. Jennifer Hickey has announced that Spring Data Redis 1.1 has been released. The new release provides support for pipelining, data type conversion, and a modified API for adding or removing multiple List, Set, and Hash elements all in one call. Great stuff, check it out!
  2. AspectJ, Scala, Cloud Foundry, and Spring framework ninja Ramnivas Laddad has just announced the first cut of the Spring Cloud project, which in turn is a revolutionary API that takes the cloudfoundry-runtime library previously used with Cloud Foundry applications to the next level, opening the doors for support of multiple providers. Nice job, Ramnivas! And, dear community, if you want to see more, now's the time to check out the code and sound off!
  3. Over on the @GoPivotal blog, Stacey Schneider has put together a very nice post on her experiences at her first SpringOne2GX last week. Great read, and I echo her sentiments, even though this was not my first SpringOne2gx! :)
  4. Didn't get enough Data-love last week? Spring Data ninja Oliver Gierke just announced the latest cuts of two community modules: the first milestone of Spring Data Couchbase lead by Michael Nitschinger and the 1.0 GA of Spring Data Solr lead by Christoph Strobl.
  5. I put together a blog that introduces some of the things required to make the Spring Social binding that Roy Clarkson and I demonstrated last week at SpringOne2GX work with Spring Android, specifically as concerns the loading of certain classes in Spring core, Spring Security and Spring HATEOAS. Check it out!
  6. Groovy/Grails, and Spring, Tool Suite ninja Martin Lippert has just announced the latest iteration of STS and GGTS, versions 3.4.0.M1, has been released!
  7. Our pal Tobias Flohre is at it again, this time with two great SpringOne2GX wrapup posts. The first looks at some of the Spring XD, Batch and Hadoop technologies demonstrated, and the second looks at Spring Boot and the Spring IO platform.
  8. Rossen Stoyanchev, the genius behind the websockets support in Spring 4, has put together an amazing slate of demos using WebSockets and STOMP (which you can work with from RabbbitMQ!) and he showed these demos off last week at SpringOne2GX 2013 to wide acclaim. Nice job! If you missed it last week, at least check out the code, now.
  9. The blog has a nice (French-language!) interview with my pal Eric Bottard, a (French-speaking) developer on Spring XD. Good read!
  10. The fine folks over at IntelliGrape have put together a nice roundup of their favorite talks from SpringOne2GX on day 2. Check it out!

The Maven Dependency Dance with Spring Android, Spring Social and Spring Security

Engineering | Josh Long | September 17, 2013 | ...

Roy Clarkson (@royclarkson) and I gave a talk at SpringOne2GX 2013 in which we talked about building REST services with an eye towards consuming those services on mobile platforms like Android and iOS. This talk demonstrates the progressive evolution of an application using Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security, Spring Security OAuth, and Spring Android. The code's benefited from a lot of help from Rob Winch,

Layout of the Code

The code for the talk is on my GitHub account ( Importantly, the code lives in the code directory. Beneath that there are two choices: web (where you'll find the rest, hateoas, hateoas-data, and oauth, social modules) and client (where you can load the Android module and the iOS module). The modules in the web folder in respective order, demonstrate the evolution of a simple REST service which incorporates hypermedia, Spring Data repositories and OAuth security. The social

This Week in Spring - September 10, 2013 - SpringOne2GX 2013 Edition

Engineering | Josh Long | September 10, 2013 | ...

Welcome to This Week in Spring, SpringOne2GX 2013 edition!

We're now in day 2 of the SpringOne2GX 2013 conference in Santa Clara, CA! Yesterday's keynote saw a lot of new exciting new announcements and introductions and I'll discuss some of those here, and then have subsequent coverage for the balance of the week.

Here, of course, is your abridged look at all that's glitters in the Spring community and (hurrayy!!) at SpringOne2GX 2013! With no exaggeration, this is the most exciting SpringOne2GX to date.

Some of the amazing Spring project leads at SpringOne2GX 2012

One of the things I most like about SpringOne2GX is the access it affords attendees to the brains behind the awesome. After tonight's keynote dinner a few of the project leads lingered a few minutes and took this impromptu photo for me. Spring core lead Juergen Hoeller is front-center, in the blue shirt. For what it's worth, Juergen doesn't actually tweet (the account is a placeholder!), which makes the opportunity to chat with him at SpringOne even more amazing! Going counter-clockwise, starting after Juergen, you then have Spring Security lead Rob Winch, Spring Mobile and Spring Android

This Week in Spring - Sept 3rd, 2013

Engineering | Josh Long | September 02, 2013 | ...

Welcome to This Week in Spring! SpringOne is almost upon us! It kicks off this weekend with the Cloud Foundry Platform event and continues on until next Thursday. I, personally, am very excited (and a bit nervous!) about this year's show. It's going to be so epic. Yesterday may have been a holiday here in the US (I hope you all enjoyed a wonderful holiday!), but most of us on the Spring team were working fast and furiously in preparation for SpringOne2GX!

My Road to SpringOne2GX 2013 the SpringOne2GX 2013 agenda looks soo good! I'm into a lot of different things like the open web (REST-powered architectures), big data, the cloud, and security and - at SpringOne - there's no reason I can't get my fill of each topic! Here are just some of the talks that I would love to see when I'm there.

  • Tackling Big Data Complexity with Spring with Mark Fisher and Mark Pollack. Does this one need any introduction? Spring XD leads Mark Pollack (Spring core contributor, Spring AMQP co-founder, Spring.NET founder, Spring Data and Spring Data for Hadoop lead) and Mark Fisher (Spring core contributor, Spring Integration founder, Spring AMQP co-founder) will introduce Spring XD, the most powerful way to build big data-centric applications today.
  • Build Your Very Own Private Cloud Foundry with the amazing Matt Stine. Matt's going to introduce how to setup your own on-premises Cloud Foundry instance using BOSH. Matt's a great speaker, a fantastic technologist, and I can't wait to see this talk.
  • Distributed rules engines and CEP with John Davies. John's the CEO of C24, and has got some incredible enterprise integration war-stories. The man's an epic speaker, too.
  • RabbitMQ is the new King with Jan Machacek and RabbitMQ Developer Advocate Alvaro Videla. Jan's a longtime Spring-guru and distributed systems guy, and Alvaro's the Pivotal RabbitMQ developer advocate (in the same way that I'm the Pivotal Spring developer advocate…). They're both sensational and I expect this one will be a wonderful talk.
  • Your Data, Your Search, Elasticsearch with Costin Leau. Costin worked on, among many things, the original Spring Cache integration with Spring core, Spring Data GemFire, Spring Data itself, the OSGi support in Spring DM server (years ago), and a lot more. He's now working with Elasticsearch, and I can't wait to hear his perspective. Costin's really good at taking complex topics and distilling their essences.

I have four presentations (with amazing co-presenters!) this year. Andy Piper and I will present on building Spring and Cloud Foundry-powered applications. Roy Clarkson and I will present on using Spring and REST to connect applications, Kevin Nilson and I will present on using Spring and profiles to build applications that adapt and Phil Webb and I will present on how to improve your Java configuration muscle memory.

I look forward to seeing you guys at SpringOne2GX! Ping me on Twitter (@starbuxman) if you're around and let's talk Spring!

And now, on to this Week's Roundup! Hopefully, this will sate your appetites until SpringOne2GX! :)

  1. Spring Scala lead Arjen Poutsma has just released Spring Scala 1.0.0.RC1. The new release is the first release candidate in the release cycle, towards a 1.0 release, so definitely check it out!
  2. Join our friends from Pivotal Labs as David Frank shows you How to Get Agile with Pivotal Tracker, on September 5th.
  3. Join Phil Webb as he dives into the one of the newest, hottest projects in Spring - Spring Boot on September 26th.
  4. Jan Stenberg put together a nice post on Russ Miles' Life Preserver pattern as used with Spring. The post is a little light on code, but you can check out the original presentation to get the details!
  5. The JavaBeat blog has a really detailed post on how to use Spring's @Tranactional annotation.
  6. Eugen Dvorkin has a nice post on how to use Storm, Groovy, a CEP engine and Spring together. This is really cool, although there's not a lot of code. I also wonder if this could've been done in a simpler way using Spring XD, though.
  7. Spring web-ninja Arjen Poutsma, and author of the original RestTemplate, has been hard at work on an asynchronous RestTemplate to be included in Spring 4. Looking awesome.
  8. Luis Miguel Gracia Luis has put together a nice post that introduces some of the great new stuff coming for Spring developers since the Spring team became part of Pivotal, including Spring XD, Spring Boot, Spring Loaded and Spring REST Shell. The post is Spanish language, but Google Translate does a fairly good job.
  9. Rajkumar Singh has put together a nice post - Apache Hadoop and Spring Data : Configuring mapreduce Job - that introduces Spring for Apache Hadoop. Great post!
  10. The Bluesoft blog has the second post in a series on using Angular.js with Spring MVC to build a login dialog. This is getting good…
  11. The Technicalpractical blog has a post, Display Model As JSON or XML using Spring. The post does a fine job introducing how to put together a JSON view using Spring MVC 2.5-era APIs, but I hope you'll check out some more recent introductions to building JSON-centric REST services with Spring. Here's a (much) simpler example.

Reactor 1.0.0.M2 – a foundation for reactive fast-data applications on the JVM

Engineering | Jon Brisbin | August 27, 2013 | ...

I'm excited to announce the 2nd milestone release of Reactor on our way toward 1.0! Maven artifacts for Reactor 1.0.0.M2 are available in the usual milestone repository.

What is Reactor?

Reactor is a foundational framework for building high-throughput, asynchronous, reactive applications on the JVM. It provides Selector-style topic matching for event routing, dynamic Consumer assignment, an uber-fast task processor, and reactive Stream and Promise APIs for working with data asynchronously and coordinating asynchronous tasks. It comes with comprehensive Groovy language support by providing langauge extensions to make writing Reactor applications in Groovy pretty darned Groovy! It also has easy-to-use Spring support that automagically wires annotated POJOs to Reactors.

What's in this Release?

This 2nd milestone includes a number of bugfixes and some really exciting new features. Reactor now includes a Processor abstraction, which is a highly-optimized task processor based on the LMAX Disruptor RingBuffer. It uses the common abstractions from Reactor to configure a RingBuffer and allows you to use Reactor's common API instead of the Disruptor-specific API. It also by design skips the Selector matching and dynamic Consumer assignment provided by a Reactor in order to wring every last drop of throughput it can. Anecdotal benchmarks on a MacBook Pro show the Processor can pump around 100,000,000 events per second through the pipeline. Yes, you read that right: 100 million per second!

1.0.0.M2 also includes a small, but significant new feature in the Reactor API which optimizes event publishing in a Reactor to get about 30-50% higher throughput. It won't suit every situation since it prepares an optimized list of Consumers from the Reactor, but for an extra 10 million events per second in throughput, it's a great new feature.

Optimized Publish

One of the powerful aspects of Reactor is the Selector matching topic(ish) pub/sub. It allows you to easily assign handlers to events using topics, anonymous objects, assignable type hierarchies, URI path matching, or regular expressions (or any other type of Selector matching if you implement your own, domain-specific Selectors). But many applications can assign their handlers at startup, which means the path to those Consumers can be optimized for efficient event publication. The new Reactor method prepare(Object) allows you to pre-select the Consumers for a key. It returns a Consumer itself that event publishers can use to efficiently notify about new events.

// Create Environment in which Reactors operate
Environment env = new Environment();
Reactor reactor = Reactors.reactor().env(env).get();

reactor.on($("say.hello"), new Consumer<Event<String>>() {
	public void accept(Event<String> ev) {
		System.out.println("Hello " + ev.getData() + "!");

Consumer<Event<String>> sayHello = reactor.prepare("say.hello");
for(String name : listOfNames) {

RingBuffer Task Processor

Reactor 1.0.0.M2 includes the Processor abstraction. It is a simple task processor backed by the LMAX Disruptor RingBuffer and is designed to integrate it seamlessly into the reactive APIs used in Reactor, so it uses common abstractions like Supplier and Consumer. A fully-configured Processor can be created in a single expression and using Java 8 lambdas is more succinct yet:

Processor<Message> proc = new ProcessorSpec<Message>()
	.dataSupplier({ return new Message(); })
	.consume({ msg -> // handle the updated Message object…

This Week in Spring - Aug 27th, 2013

Engineering | Josh Long | August 27, 2013 | ...

Welcome back to another installment of This Week in Spring. We have a lot to cover, as usual! Spring Security and lead Rob Winch feature heavily in this week's roundup! So, cheers to Rob Winch!

  1. Spring Security lead Rob Winch put together a post introducing some of the new, smart and convenient protection in Spring Security against cross-site request forgery (or CSRF).
  2. Rob also put together another epic blog post that demonstrates some of Spring Security's new support for security headers.
  3. Rob was also kind enough to integrate these new features into the Spring REST stack codebase where you can see them in action in the context of a full-stack, integrated Spring REST service. To see these changes, along with Spring Security and Spring Security OAuth, all integrated using Java Configuration, check out the oauth module.
  4. Reactor lead Jonathan Brisbin has announced Reactor 1.0.0.M2 is now available. The new release looks very exciting! From Jon's writeup: "This 2nd milestone includes a number of bugfixes and some really exciting new features. Reactor now includes a Processor abstraction, which is a highly-optimized task processor based on the LMAX Disruptor RingBuffer… Anecdotal benchmarks on a MacBook Pro show the Processor can pump around 100,000,000 events per second through the pipeline. Yes, you read that right: 100 million per second!"
  5. Hyperic, Cloud Foundry, Spring and Spring Data ninja Jennifer Hickey has announced the latest cut of the Spring Data Redis project. The new release includes support for millisecond precision in key expiration commands, resubscription of message listeners on connection failure, a full implementation of ConcurrentMap contract in RedisMap and RedisProperties
  6. Spring Batch lead Michael Minella has announced Spring Batch 3.0M1 has been released! This release marks the first steps towards implementing the JSR-352 Java Batch specification, among other things.
  7. Register now for the Aug 29th Webinar: Taming Coupling & Cohesive Beasts with Modularity Patterns and Spring with Param Rengaiah.
  8. Join our friends from Pivotal Labs as David Frank shows you How to Get Agile with Pivotal Tracker, on September 5th.
  9. Spring Security lead Rob Winch tweeted, "#Gradle made it dead simple to build #SpringSecurity with #SpringFramework 3 and run tests with both #Spring 3/4," and linked to this epic example. This isn't strictly speaking Spring related post, but it's a nice example of a really elegant Gradle build, for those who also work with it, as we do at SpringSource.
  10. Spring Security lead Rob Winch (boy, that guy sure gets around!) also announced the latest release of Spring Security LDAP.
  11. Our pal Xavier Padró is back, this time with a post introducing how to use resource-local JMS transactions on message receipt with Spring's JmsTemplate.
  12. Patrick Grimard's put together a nice post on integrating Yeoman Backbone with a Spring web application, as well as a way to sidestep some issues he was having with resource resolution by using Tuckey’s UrlRewriteFilter. Now, I like the UrlRewriteFilter. That said, I think (but haven't tested..) that Patrick could've accomplished the same thing using Spring MVC resource handling support, as he starts to do in an example in the code when overriding the public void addResourceHandlers(ResourceHandlerRegistry registry) configuration method. Perhaps I'm mistaken, and either way, cool post!
  13. SpringSource has released new trainings to the Q3 schedule, check out the training schedules for: Core Spring, Enterprise Integration with Spring and Spring Web.

Spring Security 3.2.0.RC1 Highlights: Security Headers

Engineering | Rob Winch | August 23, 2013 | ...


NOTE This blog post is no longer maintained. Refer to the Headers documentation for up to date information about Spring Security's Headers.

Original Article

This is my last post in a two part series on Spring Security 3.2.0.RC1. My previous post discussed Spring Security's CSRF protection. In this post we will discuss how to use Spring Security to add various response headers to help secure your application.

Security Headers

Many of the new Spring Security features in 3.2.0.RC1 are implemented by adding headers to the response. The foundation for these features came from hard work from Marten Deinum. If the name sounds familiar, it may because one of his 10K+ posts on the Spring Forums has helped you out.

If you are using XML configuration, you can add all of the default headers using Spring Security's element with no child elements to add all the default headers to the response:

<http ...>
    <headers />

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

```xml @EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Override protected void configure(HttpSecurity http) throws Exception { http .headers().disable() ...; } }

<p>The remainder of this post will discuss each of the default headers in more detail:</p>
<li><a href="#cache-control">Cache Control</a></li>
<li><a href="#content-type-options">Content Type Options</a></li>
<li><a href="#hsts">HTTP Strict Transport Security</a…

Spring Batch 3.0 Milestone 1 Released

Engineering | Michael Minella | August 23, 2013 | ...

Today we are pleased to announce the first milestone release towards Spring Batch 3.0 (download). With this release we take our first steps towards implementing the JSR-352 Java Batch specification. Spring Batch is a lightweight, comprehensive framework for the development of robust batch applications.


JSR-352 is billed as the standardization of batch processing for the java platform. As part of that standardization, this JSR has included three main pieces:

  • A XML based DSL for configuring jobs
  • An API for creating job related components (readers/writers/etc)
  • An API and description of behavior for a supporting classes and concepts

Spring has invested a large amount of time and resources in our contribution to this spec. Our collaboration with the other industry experts via the JCP, JSR-352 validates that the batch patterns that Spring Batch has implemented and battle tested over the past five years in countless production environments is the best approach for building mission critical batch applications.

Features in Milestone 1

This release is the first step towards Spring Batch being compliant with the JSR. Out of the 155 SE tests in the JSR-352 TCK, this release passes 70. The specific features implemented within this release are:

  • JobOperator implementation
  • Basic Job configuration via XML
  • batch.xml support


The JSR defines a JobOperator interface that is a combination of Spring Batch's JobOperator and JobExplorer interfaces. For the spec, this interface serves as the entry point for a batch application to both interact with the job itself (start/stop/restart/etc) as well as the job repository (providing the ability to query for previously run JobExecutions for example). Because of this, the JobOperator needs to provide a level of services out of the box. The JsrJobOperator (the Spring implementation of javax.batch.operations.JobOperator) bootstraps a Spring context similar to that of @EnableBatchProcessing. Out of the box, it includes a JobRepository, JobLauncher, JobOperator, JobExplorer, DataSource, TransactionManager, ParametersConverter, JobRegistry, and a PlaceholderPropertiesConfigurer. All of these can be overridden at runtime by overriding the default beans via the context provided when starting or restarting a job. By default, the JobRepository utilizes HSQLDB in an in-memory configuration.

Per the JSR, to launch a job is actually very easy:

JobOperator jobOperator = BatchRuntime.getJobOperator();
JobExecution jobExecution = jobOperator.start("jsrJob", new Properties());

The above two lines will bootstrap the previously defined base context (this occurs only once), then loads the batch.xml file from /META-INF (if it exists) and the context as defined at jsrJob.xml in /META-INF/batch-jobs. jsrJob.xml can be one of two configurations. It can be a standard Spring context configuration that defines any batch artifacts as Spring Beans and the job via the JSR-352 DSL, or it can be just the job definition as defined by the JSR. Per JSR-352, only one job can be defined within the jsrJob.xml context. The rest of the JsrJobOperator's functionality is virtually a direct wrapping of the existing JobOperator and JobExplorer's functionality (hence their inclusion in the base application context).

Basic Job configuration via XML

JSR-352 defines an XML based DSL that any Spring Batch user will immediately find familiar. Consisting of jobs, steps, readers and writers, most of the concepts that are found in the Spring Batch namespace are accounted for within JSR-352. As part of this release, developers will be able to configure basic jobs using the JSR defined DSL. Basic jobs include the following:

  • <job>
  • <step>
  • <chunk>
  • <batchlet>
  • <reader>
  • <processor>
  • <writer>
  • <decision>
  • <listeners>/<listener>
  • <properties>/<property>
  • <skippable-exception-classes> and related children
  • <retryable-exception-classes> and related children
  • <checkpoint-algorithm>
  • <next>/<end>//<code><fail>

With the JSR, a batch job that looks like this via the Spring Batch DSL:

<job id="data" xmlns="">
    <step id="import" next="report">
            <chunk commit-interval="100"
                   writer="dataWriter" />
    <step id="report…

Spring Security 3.2.0.RC1 Highlights: CSRF Protection

Engineering | Rob Winch | August 21, 2013 | ...

[callout title=Update]

This blog post is no longer maintained. Refer to the CSRF documentation for up to date information about Spring Security and CSRF protection.


On Monday I announced the release of Spring Security 3.2.0.RC1. This is the first of a two part blog series going over the new features found in Spring Security 3.2.0.RC1.

In this first entry, I will go over Spring Security's CSRF support. In the next post, I will go over the various security headers that have been added.

CSRF Attacks

Spring Security has added protection against Cross Site Request Forgery (CSRF) attacks. Great, but what is a CSRF attack and how can Spring Security protect me against it? Let's take a look at a concrete example to get a better…

Spring Security 3.2.0.RC1 Released (08/2013)

Engineering | Rob Winch | August 19, 2013 | ...

Spring Security 3.2.0.RC1 is now available from the SpringSource repository at See here for a quick tutorial on resolving these artifacts via Maven.

This release includes tons of updates and fixes. The highlights include:

  • Polishing of Spring Security Java Configuration
  • Uses content negotiation to determine how to prompt user for authentication when multiple authentication mechanisms (i.e. HTTP Basic and Form login) enabled
  • AbstractSecurityWebApplicationInitializer allows registering Java Configuration directly
  • A number of bugs fixed
  • CSRF protection and automatic integration with Spring Web MVC jsp tags
  • Automatic cache control support
  • Defence against Clickjacking attacks
  • HTTP Strict Transport Security support to reduce Man in the Middle attacks
  • Samples include pom.xml so they can be imported as Maven projects
  • MediaTypeRequestMatcher for matching on requests with content negotiation
  • Over ten java configuration samples have been integrated into the samples directory
  • Three new guides that walk users through samples and provide detailed instructions on how to do specific tasks. More of these guides will follow in coming releases
  • Refer to Spring Security 3.2.0.RC1 preview for more details about this release.


    To learn about all the new features within Spring Security 3.2 attend my Getting Started with Spring Security 3.2 presentation at SpringOne2GX September 9-12, 2013. If you haven't already gotten your tickets, do so now before its too late!

    Changelog | Download | Reference Manual | Guides | FAQ

    Get the Spring newsletter

    Thank you!

    Get ahead

    VMware offers training and certification to turbo-charge your progress.

    Learn more

    Get support

    Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

    Learn more

    Upcoming events

    Check out all the upcoming events in the Spring community.

    View all