The Spring Blog

News and Events

Micrometer: Spring Boot 2's new application metrics collector

What is it?

Micrometer is a dimensional-first metrics collection facade whose aim is to allow you to time, count, and gauge your code with a vendor neutral API. Through classpath and configuration, you may select one or several monitoring systems to export your metrics data to. Think of it like SLF4J, but for metrics!

Micrometer is the metrics collection facility included in Spring Boot 2’s Actuator. It has also been backported to Spring Boot 1.5, 1.4, and 1.3 with the addition of another dependency.

Micrometer adds richer meter primitives to the counters and gauges that existed in Spring Boot 1. For example, a single Micrometer Timer is capable of producing time series related to throughput, total time, maximum latency of recent samples, pre-computed percentiles, percentile histograms, and SLA boundary counts.

An Kibana-rendered timer

Despite its focus on dimensional metrics, Micrometer does map to hierarchical names to continue to serve older monitoring solutions like Ganglia or narrower scoped tools like JMX. The change to Micrometer arose out of a desire to better serve a wave of dimensional monitoring systems (think Prometheus, Datadog, Wavefront, SignalFx, Influx, etc). One of Spring’s strengths is the enablement of choice through abstraction. By integrating with Micrometer, Spring Boot is enabling you to choose one or more monitoring systems to use today, and change your mind later as your needs change without requiring a rewrite of your custom metrics instrumentation.

Before opting to develop "yet another" metrics collection library, we looked hard at existing or up-and-coming dimensional collectors. But as we looked at exporting to more and more monitoring systems, the importance of the structure of names and data became apparent. Micrometer builds in concepts of naming convention normalization, base unit of time scaling, and support for proprietary expressions of structures like histogram data that are essential to make metrics shine in each target system. Along the way, we added meter filtering as well, allowing you to exercise greater control over the instrumentation of your upstream dependencies.

To learn more about Micrometer’s capabilities, please refer to its reference documentation, in particular the concepts section.

This Week in Spring - March 13th, 2018

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I’m in blizzard-besieged Boston, Massachusetts, for the epic Spring One Tour Boston event. Unfortunately, due to this crazy snow storm / blizzard, the event’s been postponed one day as we all grapple with the weather. Hope you were able to join the Spring Boot 2.0 launch webinar! If not the replay will be available here and don’t forget to check out the launch blog!

Snow or no snow! The show must go on, at least here on the Spring blog, so without further ado:


Upgrading to Spring Boot 2

Spring Boot 2 was released recently and the production instance of Spring Initializr ( was upgraded to Spring Boot 2 the same day.

In this post, I’d like to walk you through the process of upgrading a Spring Boot 1.x app to Spring Boot 2.

Release notes and migration guide

A good first step is to get yourself familiar with the main changes in Spring Boot 2 by reading the migration guide and the release notes.

Build upgrade

If you are using Maven and the spring-boot-starter-parent, you need to be aware that several plugins are going to be updated as part of the upgrade. If you’re not using the parent, it is worthwhile to inspect your build and upgrade the plugins that you are using. Spring Initializr is built with Maven so the easiest way is to scan spring-boot-dependencies and upgrade the plugins you are using if necessary.


Testing auto-configurations with Spring Boot 2.0

Auto-configuration is one of the most powerful features of Spring Boot. Tests for auto-configuration classes usually follow the same pattern. Most tests start up an ApplicationContext with the auto-configuration class under test and depending on the test, also load additional configuration to simulate user behavior. The recurrence of this pattern can add a lot of repetition in the code base.

Spring Boot 2.0 provides a suite of new test helpers for easily configuring an ApplicationContext to simulate auto-configuration test scenarios. The following example configures an ApplicationContextRunner to test the UserServiceAutoConfiguration:


Security issue in Spring Data REST (CVE-2017-8046)

Last fall, a security vulnerability affecting Spring Data REST was discovered. We patched the affected modules and published a CVE. We’ve seen some recent news about this that’s led to confusion. Here’s the scoop:


  • There was a security vulnerability allowing arbitrary code execution in Spring Data REST up to version 2.6.8 and 3.0.0.
  • This vulnerability has been fixed in the following versions:
    – Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017), included in Spring Boot 1.5.9 (Oct, 28th 2017).
    – Spring Data REST 3.0.1 (Kay SR1, Oct. 27th 2017), included in Spring Boot 2.0 M6, (Nov. 6th 2017)
  • The CVE was originally published at the end of September 2017. We originally thought that we had fixed the issue with releases that had been published a couple of days before. Subsequent feedback showed that this wasn’t the case and the issue was eventually fixed in October / November 2017. Regrettably, the CVE was not updated to reflect this. The team is working on making sure that this lack of update does not happen again.

Using Spring Security 5 to integrate with OAuth 2-secured services such as Facebook and GitHub

One of the key features in Spring Security 5 is support for writing applications that integrate with services that are secured with OAuth 2. This includes the ability to sign into an application by way of an external service such as Facebook or GitHub.

But with a little bit of extra code, you can also obtain an OAuth 2 access token that can be used to perform authorized requests against the service’s API.

In this article, we’re going to look at how to develop a Spring Boot application that, using Spring Security 5, integrates with Facebook. You can find the complete code for this article at


This Week in Spring - Tuesday March 6th, 2018

Hi Spring fans and welcome to another installment of This Week in Spring! As I write this it’s early morning Tuesday in Sydney, Australia, where I’ve been visiting with some of Pivotal’s amazing customers, and I’m now preparing for my flight to Dubai, in six short hours, where I’ll visit some more of Pivotal’s amazing customers. Later this week I’ll be in Bangalore, India, for the amazing Agile India conference, and then - early next week on Tuesday - I’ll be in Boston, MA for the first SpringOne Tour event. If you’re around don’t hesitate to say hi, as usual!


Spring Security SAML Roadmap

The Spring Security SAML project has been an integral part of the Spring ecosystem since its inception nearly 9 years ago. This critically important project was born through the incredible effort and contributions of Vladimír Schäfer. I’d like to take the time to personally thank Vladimír and our fantastic community for their tireless work. Without all of their efforts, this project would not be what it is today.

Vladimír, our amazing community, and the Spring engineering team are planning to team up to enhance Spring Security SAML to achieve the following primary goals:


Spring Security SAML and this week's SAML Vulnerability

This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML’s defaults, you are not impacted by this vulnerability.

The underlying implementation that Spring Security SAML uses is Shibboleth’s OpenSAML Java library. The OpenSAML Java implementation was not listed in the libraries that contain the vulnerability (Shibboleth openSAML C++ was vulnerable). However, if the ParserPool has been customized, you may be impacted.