Introduction

Developers often incorrectly use encryption in an attempt to provide authenticity. For example, a RESTful application may mistakenly use an encrypted cookie to embed the current user's identity.

The mistake is that encryption can only be used to keep a secret while signing is used to verify authenticity of a message. In this post, I will explain and provide an example of why encryption is not a guarantee of authenticity.

If you just want to see code, feel free to skip to the end which has a sample Java application that demonstrates the exploit.

Encrypted Cookies (whoops)

Assume we…

Welcome back to another installment of This Week in Spring!

As usual, we've got a lot to cover, so let's dive right into it!

By the way, due to overwhelming demand, we're going to repeat the webinar introducing Spring 4 with Juergen Hoeller on January 23rd. Watch this space for when we open up registration. The expected times are:

Thursday, January 23, 2014 - 3:00pm GMT Time (London GMT)

• closed as of Jan 20th
  

Thursday, January 23, 2014 - 10:00am PST (San Francisco, GMT-08:00)

• registration open

1. The replay of Ben Hale's talk on RESTful API evolution from SpringOne2GX 2013 is now available online
2. Spring and Groovy/Grails Tool Suite lead Martin Lippert just refreshed the most popular article ever written on JavaLobby, Spring IDE and the Spring Tool Suite - Using Spring in Eclipse. Check it out!
3. Spring XD lead Dr. Mark Pollack has just announced that Spring XD 1.0.0.M5 is now available
4. Oliver Gierke's talk from SpringOne2GX "Spring RESTBucks: a Hypermedia Driven REST webservice" is now available online.
5. Following the crazy success of the Spring 4 webinar on the 9th, Spring project lead Juergen Hoeller has just written a blog detailing the next steps for the framework, including Spring 4.1 and Spring 3.2.7.
6. Have you tried the crazy cool shell built into Spring Boot? It's powered by CRaSH, which you can learn more about in this video
7. The replay from Gunnar Hillert and Michael Minella's talk from SpringOne2GX 2013, Integrating Spring Batch and Spring Integration, is now available online.
8. Matt Stine webinar, Spring with Immutability, is now available online.
9. Rob Winch just announced that Spring LDAP 2.0.0 is now available online!
10. Our pal Eugen Paraschiv is back at it again, this time with a post on Spring's HttpMessageConverters.
11. Jakub Kubrynski has a nice post on integration testing Spring Integration and Spring 4
12. Gary Russell has just announced that Spring AMQP 1.3.0.M1 and 1.2.1 RELEASE are now available. The new release is very meaty, so if you're using it, I strongly suggest upgrading!
13. Sproogle 0.3.0, which is an integration with Spring and parts of the Google stack (that don't so far as I can tell include the OAuth pieces that Spring Social Google takes care of), is now available.
14. On the GoPivotal blog, Steve Greenberg has a nice post on how to add a service to your Cloud Foundry architecture using Spring. Nice! I've been waiting for something like this for a long time!
15. Our pals on the Vaadin team are doing a webinar on Spring and Vaadin integration best-practices on January 30th, 2014. Check it out!
16. A little late, but RestHub, which integrates a full Spring-powered REST and web application stack, has just released RESTHub 2.1.4. Check it out!
17. Rest Assured, which provides an alternative testing API for REST services, has just released a new version that supports Spring MVC.
18. New Relic has just announced dedicated Grails support.
19. Zan Thrash did a nice talk on InfoQ about using Node.js ecosystem tools for client-side development along with Grails. The talk has very little to do with Grails, actually, and could as easily be applied to Java and Spring MVC development. These tools are front-and-center for many different types of web application developers, and this talk is a good primer.

The Spring XD team is pleased to announce that Spring XD 1.0.0 Milestone 5 is now available for download.

Spring XD makes it easy to solve common big data problems such as data ingestion and export, real-time analytics, and batch workflow orchestration. This release includes several notable new features:

• Pre-defined batch jobs for JDBC to HDFS
• Many additional job shell commands for controlling and reporting on batch jobs.
• Hadoop Dataset Avro sink that uses the Kite SDK
• HDFS sink now supports codecs (gzip, snappy, bzip2, lzo) and fine-grained control over file naming
• JMS source module now support Topics in addition to Queues
• Improved support for use of Gemfire Locators
• Aggregator module for batching that also supports a backing message store for checkpointing the event stream to memory, Redis, or a relational database.
• Support for separate control and data transport protocols
• XD servers are now built on top of …

Welcome back to another installment of This Week in Spring! Things are starting to ramp up considerably here on the Spring team. This week, on the 9th, we have the very anticipated Spring 4 release webinar Registration has been crazy! I'll be there, watching and helping to MC. I hope you'll be there too!

Also, if you're in the Bay Area, I'll be speaking at the Oakland JUG on January 22nd for a few hours in an evening we're calling Have You Seen Spring Lately?. We'll look at the epic last year's worth of awesome, including the release of Spring 4, Spring Boot and Spring XD. I hope you'll join us there, too! Bring questions!

1. On Jan 16th, 2014, our Spring Security lead Rob Winch will introduce the Spring Security 3.2 release and talk about it's support for Java Configuration, CSRF Protection, Security Related HTTP response headers, optional Spring MVC integration, and of course, Spring Framework 4.0.
2. Patrick Grimard has put together a nice post on using Spring Security 3.2.0's CSRF protection with a Backbone (or, really, any client-facing application). There is, as Spring Security Rob Winch points out, a simpler still way to achieve this.
3. Feburary is Security month! We've just released a SpringOne2GX 2013 Replay: Data Modelling and Identity Management with OAuth2, with Dr. David Syer..
4. On the REST front, also just released another SpringOne2GX 2013 Replay: Spring RESTBucks - A hypermedia-driven REST webservice, with Oliver Gierke.
5. Roy Clarkson put together a great post on how to use WebJars, which lets you manage client-side dependencies like JavaScript using traditional JVM-based build-management tools like Gradle and Maven, along with Spring Boot.
6. This post - about application instrumentation for logging, is a little old, but I thought it worth mention because it's generally pretty insightful and it demonstrates its concepts in terms of not only the canonical Spring Pet Clinic application, but also the Node.js Node Cellar, and the .NET Music Store. Not bad!
7. Our pal Petri Kainulainen is back! He's written a nice post on how to use the JOOQ typesafe query API with Spring
8. This post has so very little to do with Spring, but it does have to do with GemFire XD (our in-memory, distributed data-store that can work in-memory or with HDFS) and a bit of clever Python tinkering to access GemFire XD from Python.
9. Did you see this epic post on running a Spring Boot-powered web service on a Raspberry Pi?
10. Ned Lowe's put together a nice post on migrating from Spring MVC 2.0-style MVC applications to the annotation-centric approach available since Spring MVC 2.5.
11. Thys Michels has put together a nice post on JUnit testing Spring MVC services.
12. And thanks to the Learning Spring blog for the friendly reminder that Spring applications expose a lot of valuable logging for your exploitation if you simply modify the right configuration files.
13. Tomas Zezula put together a nice post on Spring's @Primary annotation, which lets you disambiguate the choice for which dependency to use from among many possible dependencies.

Welcome to 2014! 2013 was an exciting year for Spring, and we look forward to another great year. We have focused on client-side development in a few recent posts, including that we have published several new client-side getting started guides. In a previous post, I also reviewed how easy it is to serve static web content with Spring Boot.

In this post I will continue the discussion about client-side development with Spring Boot as we explore another built-in capability. My previous post included the following excerpt from the source code for WebMvcAutoConfiguration which illustrates how static resources are automatically added to a Spring MVC ResourceHandlerRegistry…

Happy New Year! Welcome back to this year's final installment of This Week in Spring!

We'll do some of the news, as usual, and then I'll take a look back over the last year in news surrounding Spring, of which there's been much indeed!

1. Matt Raible, who we know has also been looking at Spring Boot, just wrote up our just-released Spring 4 for InfoQ. Definitely worth a read if you have the time!

• Xavier Padró has a nice post on retrying web service operations with RequestHandlerRetryAdvice.
• There's a great discussion on Stack Overflow on Spring's CrudRepository vs. the more JPA-specific JpaRepository with an awesome answer by Spring Data lead Oliver Gierke
• Ken Blair has put together a nice introduction to doing bean mapping using the Orika bean-mapping framework alongside Spring
• Groovy ninja Guillaume LaForge has started putting together a nice roundup of all the latest happenings in the Groovy community, and I'd just like to invite readers of …

Happy holidays! Hopefully with the holiday season comes some time off, and a chance to relax and more fully catch up on fun stuff you missed during a busy year. Readers of this column will know there are many channels for developers learning about Spring, and studying the field of technologies that Spring supports. Don't forget about our SpringSource YouTube page, Twitter account, our 15-30 minute "Getting Started" guides, the blog, and of course our Facebook and Google+ pages. I personally want to go back and watch as many SpringOne2GX talks on the YouTube channel as I can.

1. Remeber JHipster? Julien Dubois's Yeoman-powered code generator for Spring applications? Well, 0.0.6 has been released and it has no required Spring XML (and Java EE's web.xml's the last one!) and provides code-generation support for services.
…

We made a few announcements recently about the Spring getting started guides, including that the catalog of guides have been migrated to Asciidoctor. We also added several new client-side guides illustrating how to connect to Spring services from a variety of client technologies.

In this post I want to highlight an interesting capability of Spring Boot; within many of the client-side guides we utilized Spring Boot to stand up a Tomcat instance and serve static content. In these guides we are demonstrating JavaScript client code, not Java or Groovy! If you are already familiar with Boot, then…

Welcome to another installment of This Week in Spring! This week, well, I'm taking some vacation :) That, of course, means that this week's roundup was even more fun for me - I got to play with the just-released Spring 4! And, to sweeten my vacation, the steady stream of new releases based on Spring 4.0 from the other Spring projects has already started!

If you're using Spring (Spring 4, Spring Boot, and anything else) and have some great new blog, video or sample project you think people should see, don't hesitate to share it with me on Twitter! Matt Raible has already made a helpful blog post: A Webapp Makeover with Spring 4 and Spring Boot where he upgrades his existing Spring 3.2.5, Spring Security 3.1.4 and Jersey 1.18 app to run Spring Framework 4 and Spring Boot.

1. First, the BIG news! Spring CTO Adrian Colyer just announced that Spring 4 has gone GA! If you, like me, have been eagerly awaiting this all year, then don't wait a second longer! Grab those bits as soon as you can. Spring 4, of course, is the first major-version increment since Spring 3.0 back in 2009, and represents a major leap forward for application developers. Join Juergen Hoeller (and many other engineers) on January 9, 2014 for the launch webinar: Introduction to Spring Framework 4.0.
2. Concurrent with the Spring 4 release, we've just added several new guides to the insanely popular Getting Started guides collection. Among the new guides, you'll find help on CORS, jQuery-, Sencha-, Angular.js-integration, and much more!
3. Rob Winch followed very shortly after, announcing that Spring Security 3.2.0 RELEASE is available! Now, I'm going to finally update the code to my talk on using Spring's REST stack, along with Spring Security and Spring Security OAuth, to the new revision! Join Rob on January 16th, 2014 for a talk focused on the new release of Spring Security 3.2.
4. Once Spring 4 was released, Spring Integration lead Gary Russell wasted no time in getting the long-awaited Spring Integration 3.0 out the door! This new release features many new improvements, which were mostly covered in the release candidate announcement.
5. Projects lead Martin Lippert has just announced that Spring Tool Suite and Groovy/Grails Tool Suite 3.5.0.M1 are now available. This update revs to Groovy 2.2, Grails 2.3.4, and tc Server 2.9.4, and advanced content-assist for Spring Boot projects, improved dashboard feeds, and support for the new client-side getting started guides. This cut builds on Eclipse Kepler SR1. Check it out!
6. Spring Data project lead Oliver Gierke has just announced the latest Spring Data release train, Spring Data Babbage SR2, has just been released. The service release bundles a bunch of important enhancements and bug fixes and is a recommended upgrade. You can find all issues fixed in this release in our JIRA
7. Spring ninja Greg Turnquist put together a very nice look at the aforementioned Getting Started guides' migration to Asciidotor, behind the scenes.
8. Spring ninja and Boot co-lead Phil Webb and I did a talk, Improving Your Java Configuration Muscle Memory, for SpringOne2GX 2013, which is now available as a replay on our YouTube channel. Check it out!
9. Patrick Grimard's written a post introducing how to setup a Spring MVC interceptor to handle CORS requests. For more details on the subject of CORS, check out our Understanding CORS page, and then check out our new Getting Started guide which shows a Servlet Filter-centric alternative approach to basically do the same thing. This builds on Spring Boot, and uses a Filter instead of an interceptor, but the effect is the same.
10. Our pal Bozhidar Bozhanov has written a great post all about web sockets, which of course work great with Spring 4!, complete with slides and codes! Be sure to check it out! This post uses a more low level approach to websockets, which Spring also supports, where all messages get funneled through one handler. Me personally, I like using the higher level STOMP support to avoid having to funnel all requests through the same handler, and then picking each request apart with a switch statement. Either way, this is a great post and - because it's lower level - gives you a better understanding of what's happening underneath the hood. Check it out!
11. With a new release comes updated Maven artifacts. Last week, I mentioned that Spring 4 now features a very handy bill of materials Maven pom.xml. You should use that to simplify things. Additionally, if you're a BinTray user, be aware that the new release is already available there, as well.