The Spring Blog

News and Events

This Week in Spring - September 6th, 2016

Welcome to another installment of This Week in Spring! This week I’m in Shanghai, China and Hangzhou, China where I spoke at the ginormous Huawei Connect conference in Shanghai and where I’ll be working with Alibaba and Huawei for a week or so. I’ll also be speaking at the Hangzhou Java User Group, too.

(Can you believe we’re already in September?? Seriously blown away! 2017 is just around the corner!)

I’m also, technically, on vacation, so I’ll keep this post to a minimum! :)


Spring Security OAuth2 - Client Authentication Issue

Issue #808 was recently reported that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.

This unique scenario occurs when a client and user have the same identifier (clientId and username). The user’s credentials are used for client authentication during a client_credentials or password grant flow and is successful in obtaining an access token with the authorities of the client.

The Fix

This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.

If you’re using Java-based configuration, please update to 2.0.11.RELEASE.

However, if you’re using XML-based configuration, please take the following actions:

  • Update to 2.0.11.RELEASE

  • Look at this JUnit test and it’s associated XML configuration to ensure the AuthenticationManager for client authentication and the AuthenticationManager for user authentication is setup the same in your configuration.

  • As a precautionary step, make sure your XML configuration is NOT setup the same as in this JUnit test and associated XML configuration as it demonstrates the original issue.


Custom test slice with Spring Boot 1.4

Spring Boot 1.4 includes a major overhaul of testing support and one of these features is test slicing. I’d like to take the opportunity in this blog post to further explain what it is and how you can easily create your own slices.

Test slicing is about segmenting the ApplicationContext that is created for your test. Typically, if you want to test a controller using MockMvc, surely you don’t want to bother with the data layer. Instead you’d probably want to mock the service that your controller uses and validate that all the web-related interaction works as expected. This can be summarized in the example below:


This Week in Spring - August 30th, 2016

Welcome to another installment of This Week in Spring! This week I’ve been in San Francisco, (where I live and) where I addressed the Silicon Valley Spring User Group. Now it’s off to beautiful China to bring some Spring and Pivotal (and, maybe, take a little vacation!)

As usual, we have a lot to get to so let’s!


Spring Web Services 2.3.1/2.4.0 are released

Greetings Spring community,

Spring Web Services has just released versions 2.3.1.RELEASE and 2.4.0.RELEASE.

2.3.1.RELEASE is a minor patch release.

2.3.1 Release Notes | 2.3.1 Documentation.

2.4.0.RELEASE rebases Spring Web Services to run on Spring Framework 4.2.x & Spring Security 4.0.x, the stable baselines behind Spring 4.3/Spring Security 4.1. At the same time, it remains compatible with Java 7. This version includes changes to the code base making it forward compatible with Spring 4.3 and 5.0, so you are free to move up to whichever version of Spring/Spring Security you wish to use.


Check your Spring Security SAML config - XXE security issue

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring Application’s process had access to.

The issue was a direct result of OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks. The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.


This Week in Spring - August 23, 2016

Welcome to another installation of This Week in Spring! This week I’m in NYC (for the NYC Java SIG), Austin and San Francisco (for the Silicon Valley Spring User Group) talking to customers and doing meetups! We’ve got a lot to cover, as usual, so let’s get to it!


Spring Cloud Spinnaker 1.0.0.M1

Greetings Spring community,

I am happy to release the first milestone for Spring Cloud Spinnaker. Spring Cloud Spinnaker bundles up the continuous delivery Spinnaker platform, and provides a 1-click installer to let you install it to any certified Cloud Foundry provider.

At this year’s SpringOne Platform 2016 conference, there were two talks about Spinnaker. If you have early release access and missed them, you can watch right now. Otherwise you can catch them on the SpringDeveloper YouTube Channel once they are published.


This Week in Spring - August 16th, 2016

Welcome to another installment of This Week in Spring! Since we last spoke I’ve presented at conferences and to customers in London, Beijing, Shanghai and Singapore - where I am now. Tomorrow, Wednesday, I’ll be speaking at the Singapore Spring Meetup - join me! It’s been quite a few days!


Managing your Database Secrets with Vault

In my previous post about Managing Secrets with Vault, I introduced you to Vault and how to store arbitrary secrets using the generic secret backend. Vault can manage more than just secret data like API keys, passwords, and other sensitive string-like data. Today we’re taking a look at Vault’s integration with databases, services, and certificates.

Database credentials tend to be static

When it comes to databases, the regular workflow of getting credentials applying for a database is asking some operator or a self-service tool to give you credentials so your application can log into the database. At this point, credentials are considered static. Credentials get usually changed in case the database is migrated or if there’s a security breach.