Spring Cloud Hoxton Service Release 3 (SR3) is available.

On behalf of the community, I am pleased to announce that the Service Release 3 (SR3) of the Spring Cloud Hoxton Release Train is available today. The release can be found in Maven Central. You can check out the Hoxton release notes for more information.

Important Security Advisory

Spring Cloud Config contains fixes for CVE-2020-5405.

Notable Changes in the Hoxton Release Train

This milestone was primarily a bugfix release.

Please see the Hoxton.SR3 Github Project for all issues closed.

This milestone release is built with Spring Boot 2.2.5.RELEASE.

Spring Cloud Config

NOTE: The writable env endpoint has been disabled by default. To re-enable this please set management.endpoint.env.post.enabled=true

Spring Security 5.3 goes GA

Releases | Josh Cummings | March 05, 2020 | ...

On behalf of the community, it is my pleasure to announce the general availability of Spring Security 5.3. This release is the result of the work that went into 5.3.0.M1, 5.3.0.RC1, and 5.3.0.RELEASE. In combination they close 200+ tickets.

You can find the highlights of 5.3 in the What’s new section of the Spring Security reference.

As always, we look forward to hearing your feedback!

Project Site | Reference | Help

Spring Session Dragonfruit-RC1, Corn-SR2 and Bean-SR10 Released

Releases | Eleftheria Stein-Kousathana | March 04, 2020 | ...

On behalf of the community I’m pleased to announce the releases of Spring Session Dragonfruit-RC1, Corn-SR2 and Bean-SR10.

Spring Session Dragonfruit-RC1

The Dragonfruit-RC1 release is based on:

  • Spring Session core modules 2.3.0.RC1

  • Spring Session Data Geode 2.3.0.RC1

  • Spring Session Data MongoDB 2.3.0.RC1

Additional details of these releases can be found in the changelog.

Spring Session Corn-SR2

The Corn-SR2 release is based on:

  • Spring Session core modules 2.2.2.RELEASE

  • Spring Session Data Geode 2.2.3.RELEASE

  • Spring Session Data MongoDB 2.2.3.RELEASE

Additional details of these releases can be found in the changelog

Spring Tips: Kotlin and Spring Security

Engineering | Josh Long | March 04, 2020 | ...

Hi, Spring fans! Welcome to another installment of Spring Tips. In this episode we're going to look at the new Kotlin DSL for Spring Security. I love Kotlin. I introduced Kotlin in several other Spring Tips videos: The Kotlin Programming Language, Bootiful Kotlin Redux, and Spring's Support for Coroutines. Some of those videos are very old! There are already a number of different projects in the Spring diaspora that are shipping Kotlin DSLs. They include, among others, Spring Framework, Spring Webflux, Spring Data, Spring Cloud Contract and Spring Cloud Gateway. And now, Spring Security!

Spring Security is an amazing project - it solves some of the hardest problems in the industry and helps people secure their applications. And, as if that weren't enough, it's displayed a steadfast determination to make security easy. If you ever used Spring Security in its earliest incarnations, you'd know that it required loads of XML - pages! - to get anything done. That improved to the point where in Spring Security 3 you…

This Week in Spring - March 3rd, 2020

Engineering | Josh Long | March 03, 2020 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I'm home, in San Francisco, California, in the US, where the fears around Coronavirus have heated up and made things problematic for those of us who travel. It looks like, at least for the immediate future, I'll be - basically - grounded. Stay safe out there, my friends.

The good news is that this will let me get to a ton more other things like the blogs, A Bootiful Podcast and Spring Tips and of course my Reactive Spring book. And of course, we've got a ton of things to get to today in today's installment of This Week in Spring, so…

Getting Started With RSocket: Spring Boot Server

Engineering | Ben Wilcock | March 02, 2020 | ...

Time: approximately 15 mins.

In the diverse world of microservices, HTTP is the undisputed leader in agent-to-agent communications. It’s mature, well established, and everywhere. But in some cases, HTTP request-response can be cumbersome. What if you need communication patterns beyond traditional request-response, such as fire-and-forget or streaming? And what if you want to send messages in either direction?

With HTTP, there are ways to achieve this but it’s not what the protocol was built for. Many of the solutions come with additional tradeoffs or shortcomings. Plus, here’s no rulebook that…

Spring Boot 2.2.5 released

Releases | Andy Wilkinson | February 27, 2020 | ...

On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Boot 2.2.5 has been released and is now available from repo.spring.io and Maven Central.

This release includes 62 bug fixes, enhancements, documentation improvements, and dependency upgrades. Thanks to all those who have contributed with issue reports and pull requests.

Important Security Advisory

This version of Spring Boot includes a dependency upgrade to Reactor Netty 0.9.5. It contains fixes for CVE-2020-5403 and CVE-2020-5404.

How can you help?

If you're interested in helping out, check out the "ideal for contribution" tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the spring-boot tag or chat with the community on Gitter

Spring Boot 2.1.13 released

Releases | Andy Wilkinson | February 27, 2020 | ...

On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Boot 2.1.13 has been released and is now available from repo.spring.io and Maven Central.

This release includes 34 bug fixes, documentation improvements, and dependency upgrades. Thanks to all those who have contributed with issue reports and pull requests.

Important Security Advisory

This version of Spring Boot includes a dependency upgrade to Reactor Netty 0.8.16. It contains a fix for CVE-2020-5404.

How can you help?

If you're interested in helping out, check out the "ideal for contribution" tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the spring-boot tag or chat with the community on Gitter

CVE Reports Published for Reactor Netty

News | Rossen Stoyanchev | February 27, 2020 | ...

The following CVE reports were published today:

  • CVE-2020-5403 affecting Reactor Netty HttpServer 0.9.3 and 0.9.4.
  • CVE-2020-5404 affecting Reactor Netty HttpClient for all 0.8.x and 0.9.x versions in applications where the automatic following of redirects is explicitly enabled.

The fixes are in Reactor Netty 0.9.5 and 0.8.16. If using the reactor-bom, you can upgrade to Dysprosium-SR5 or Californium-SR16.

Reactor Netty is used internally in many frameworks including Spring WebFlux and its WebClient. If you have a Spring Boot application, you can upgrade to Spring Boot 2.2.5 or 2.1.13.

Get the Spring newsletter

Thank you for your interest. Someone will get back to you shortly.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all