The Spring Blog


Security issue in Spring Data REST (CVE-2017-8046)

Last fall, a security vulnerability affecting Spring Data REST was discovered. We patched the affected modules and published a CVE. We’ve seen some recent news about this that’s led to confusion. Here’s the scoop:

tl;dr:

  • There was a security vulnerability allowing arbitrary code execution in Spring Data REST versions up to 2.6.8 and 3.0.0.
  • This vulnerability has been fixed in the following versions:
    – Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017), included in Spring Boot 1.5.9 (Oct. 28th, 2017).
    – Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017), included in Spring Boot 2.0 M6 (Nov. 6th, 2017).
  • The CVE was originally published at the end of September 2017. We originally thought that we had fixed the issue with releases that had been published a couple of days before. Subsequent feedback showed that this wasn’t the case and the issue was eventually fixed in October / November 2017. Regrettably, the CVE was not updated to reflect this. The team is working on making sure that this lack of update does not happen again.

Using Spring Security 5 to integrate with OAuth 2-secured services such as Facebook and GitHub

One of the key features in Spring Security 5 is support for writing applications that integrate with services that are secured with OAuth 2. This includes the ability to sign into an application by way of an external service such as Facebook or GitHub.

But with a little bit of extra code, you can also obtain an OAuth 2 access token that can be used to perform authorized requests against the service’s API.

In this article, we’re going to look at how to develop a Spring Boot application that, using Spring Security 5, integrates with Facebook. You can find the complete code for this article at https://github.com/habuma/facebook-security5.


This Week in Spring - Tuesday March 6th, 2018

Hi Spring fans and welcome to another installment of This Week in Spring! As I write this it’s early morning Tuesday in Sydney, Australia, where I’ve been visiting with some of Pivotal’s amazing customers, and I’m now preparing for my flight to Dubai, in six short hours, where I’ll visit some more of Pivotal’s amazing customers. Later this week I’ll be in Bangalore, India, for the amazing Agile India conference, and then - early next week on Tuesday - I’ll be in Boston, MA for the first SpringOne Tour event. If you’re around don’t hesitate to say hi, as usual!


Spring Security SAML Roadmap

The Spring Security SAML project has been an integral part of the Spring ecosystem since its inception nearly 9 years ago. This critically important project was born through the incredible effort and contributions of Vladimír Schäfer. I’d like to take the time to personally thank Vladimír and our fantastic community for their tireless work. Without all of their efforts, this project would not be what it is today.

Vladimír, our amazing community, and the Spring engineering team are planning to team up to enhance Spring Security SAML to achieve the following primary goals:


Spring Security SAML and this week's SAML Vulnerability

This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML’s defaults, you are not impacted by this vulnerability.

The underlying implementation that Spring Security SAML uses is Shibboleth’s OpenSAML Java library. The OpenSAML Java implementation was not listed among the libraries that contain the vulnerability (Shibboleth’s OpenSAML C++ was vulnerable). However, if the ParserPool has been customized, you may be impacted.


This Week in Spring - February 27th, 2018

Hi Spring fans and welcome to another installment of Spring Tips! This is a super exciting week! Spring Boot 2.0 is coming! Keep your eyes on the Spring Initializr or you’ll miss it! :D

Today I was at the Okta Iterate conference talking to developers who are using Spring and Okta, thanks to my buddy Matt Raible. High point? I got to meet Jeff Atwood, the co-creator of Stack Overflow!

Tomorrow, I begin a whirlwind tour over the next two weeks. First, it’s off to Glasgow, Scotland; then Sydney, Australia; then Dubai; then Bangalore, India (for Agile India 2018); and then it’s off to Boston, Massachusetts for the SpringOne Tour event on March 13th. If you’re in any of those places, don’t hesitate to reach out! I’m elated to see and hear from you!


Spring Cloud Stream 2.0 - Polled Consumers

This is the second blog in a series of pre-release blogs in preparation for Spring Cloud Stream 2.0.0.RELEASE.

Preface

Spring Cloud Stream 2.0 introduces polled consumers, where the application can control message processing rates.

Introduction

Spring Cloud Stream has the concepts of producers and consumers; when using the messaging paradigm, MessageChannels are bound to destinations (e.g. Kafka topics, Rabbit exchanges/queues). To date, on the consumer side, messages are delivered whenever an idle consumer is available. In effect, the broker controls the rate of delivery; usually, the next message is delivered immediately after the current one is processed.


Spring Cloud Stream 2.0 - content-type negotiation and transformation

This is the first blog in a series of pre-release blogs in preparation for Spring Cloud Stream 2.0.0.RELEASE.

Preface

Spring Cloud Stream 2.0 includes a complete revamp of content-type negotiation for the channel-based binders to address performance, flexibility and, most importantly, consistency. The following blog touches on some of the key points around what has been done, what to expect and how it may help you.

Introduction

Data transformation is one of the core features of any message-driven microservice architecture. In Spring Cloud Stream, such data is represented as a Spring Message.


Spring Cloud Stream Elmhurst.RC1 /2.0.0.RC1 Release Announcement

After a long and exciting journey we are pleased to announce the first Release Candidate of the Spring Cloud Stream Elmhurst release train - Elmhurst.RC1/2.0.0.RC1.

Spring Cloud Stream Elmhurst 2.0.0.RC1 is available for use in the Spring Milestone repository. The release notes include relevant information about version compatibility with Spring Boot, Spring Cloud, Spring AMQP, and Spring for Apache Kafka.

Given that this is a Release Candidate, the following section provides a brief summary of features and improvements, not just those included in this release but for 2.0 in general, with details to follow in the form of upcoming blogs and documentation updates in preparation for 2.0.0.RELEASE.


This Week in Spring - February 20th, 2018

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I’m speaking at the San Diego JUG with Mario Gray on testing with Spring. Then I’m off to the IBM Index conference here in San Francisco where I’ll be talking about building reactive microservices, and then it’s off to Devnexus in Atlanta, GA, where I’ll be talking about Kotlin and testing. I hope you’ll join me and say hi if you’re nearby.
