Spring blog

All Posts
Engineering
Releases
News and Events

This Week in Spring - September 26th, 2017 (Java 9 Edition)

Engineering | Josh Long | September 26, 2017 | ...

Hi Spring fans! What a crazy wonderful week it's been! I'm back in San Francisco talking to customers and local partners about all things Pivotal and, also, just enjoying some fun in the San Francisco Sun while playing with Java 9 . There's so much to like in this new release and so much to look forward to and, of course, Spring Framework 5 is Java 9 ready out of the box.

  • Spring IO Platform lead Andy Wilkinson just announced Spring IO Platform Brussels SR5. The new release includes Spring AMQP 1.7.4, Spring Boot 1.5.7, Spring Data Ingalls SR7, Spring Framework 4.3.11, Spring Integration 4.3.12, Spring Loaded 1.2.8, and Spring Web Flow 2.4.6. Lots to like in this new release so get the bits now!
  • Spring Tool Suite lead Martin Lippert just posted on how to overcome some issues when running STS on macOS High Sierra 10.13.
  • Spring Cloud Task lead Michael Minella just announced Spring Cloud Task 1.2.2.RELEASE
Read more

Spring Cloud Task 1.2.2.RELEASE is now available

Releases | Michael Minella | September 25, 2017 | ...

We are pleased to announce that Spring Cloud Task 1.2.2.RELEASE is now available via Maven Central, Github and the Pivotal download repository. This release adds support for Spring Framework's recent added support for db engines other than MYISAM for the sequence tables when using MySql. A special thanks to Thomas Risberg for the contributions around this issue.

Spring Cloud Task Home | Source on GitHub | Reference Documentation

We look forward to your feedback in Github, StackOverflow, to me directly via Twitter @michaelminella or at SpringOnePlatform in December!

Read more

How to get STS/Eclipse running on macOS High Sierra (10.13)

Engineering | Martin Lippert | September 21, 2017 | ...

The new version of macOS called High Sierra (10.13) will soon go GA and we expect many of our STS/Eclipse users and Spring developers will upgrade their machines sooner than later. In case you have your system running with an English locale, you are fine and everything will be good.

If you are running your system with a different language configured, you will see all menu items of Eclipse or STS being disabled after the upgrade to macOS High Sierra.

The good news is: you can quickly get this fixed without waiting for an update of Eclipse or STS. Go into the Eclipse.app or STS.app package, move…

Read more

This Week in Spring - September 19th, 2017

Engineering | Josh Long | September 19, 2017 | ...

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I've been visiting the Spring and Cloud Foundry teams at Microsoft (this time, in Redmond, WA) and then it's off to San Francisco, CA and San Antonio, TX to visit some customers. So, with that, let's get to it!

Read more

Spring IO Platform Brussels-SR5

Releases | Andy Wilkinson | September 19, 2017 | ...

I am pleased to announce that Spring IO Platform Brussels-SR5 is now available from both repo.spring.io and Maven Central.

This maintenance release upgrades the versions of a number of the projects in the Platform:

  • Spring AMQP 1.7.4
  • Spring Boot 1.5.7
  • Spring Data Ingalls SR7
  • Spring Framework 4.3.11
  • Spring Integration 4.3.12
  • Spring Loaded 1.2.8
  • Spring Web Flow 2.4.6

The versions of a number of third-party dependencies have also been updated.

Project Page | GitHub | Issues | Documentation

Read more

Announcing First Release Candidate of Reactor Core 3.1

Releases | Simon Baslé | September 18, 2017 | ...

On behalf of the Reactor team, it is my pleasure to announce that reactor-core 3.1.0.RC1 has been released ?. This is a big last step towards GA release of 3.1 at the end of the month, the long term support version that will back Spring 5!

It is also complemented by various releases, all tied together in the Bismuth-M4 Release Train and BOM:

  • reactor-test, reactor-extra, reactor-adapter and reactor-logback all made the cut to 3.1.0.RC1
  • reactor-netty has seen significant updates and bug fixes in the new 0.7.0.M2 milestone
  • reactor-kafka has been released in its 1.0.0.M4 milestone

In order to get this release, the best way is to use the BOM, as described in the reference guide here. Make sure to read the part about milestones (transposing it to Bismuth-M4

Read more

Spring Cloud Data Flow 1.3.0.M2 released

Releases | Glenn Renfro | September 18, 2017 | ...

We are pleased to announce the 1.3.0. M2 release of the Spring Cloud Data Flow and its associated ecosystem of projects.

Local Server: Getting Started Guide.

Dashboard / Flo

In this second installment of 1.3 release of Dashboard/Flo, we have addressed the core functionalities backing the streaming and task/batch operations.

Continuing the Angular4 based infrastructure upgrades, the streaming and task/batch workflows now include the modern look and feel and are packed with usability improvements as well.

Documentation, test-coverage, and webpack bundle-analyzer have gone through significant…

Read more

Introducing Spring Shell 2.0M1!

Releases | Eric Bottard | September 18, 2017 | ...

We are pleased to announce the first release milestone of Spring Shell 2.x!

Two years in the making, Spring Shell 2 is a complete rewrite of Spring Shell, leveraging newer components (such as JLine 3) and applying better modularization. Spring Shell 2 is also built with Spring Boot in mind, making use of auto configuration and other boot features.

The internal architecture now uses a pluggable model to discover what methods to turn into commands, how to parse user input into argument values and how to handle return values. This is very similar to the approach taken by Spring MVC for example and allows extensions of the framework in ways that were not previously possible. Users of Spring Shell would typically not care though, only dealing with the new "standard" command API

Read more

Security changes in Spring Boot 2.0 M4

Engineering | Madhura Bhave | September 15, 2017 | ...

Milestone 4 of Spring Boot 2.0 brings important changes to the security auto-configuration provided by Spring Boot.

Problem Statement

Until Spring Boot 1.x, the default auto-configuration secured all of the application endpoints using basic authentication. If actuator was on the classpath, there was a separate security configuration that applied to the actuator endpoints. The way these two auto-configurations would turn on and off was completely independent. Because of this, users wanting to provide custom security found themselves fighting ordering issues with WebSecurityConfigurerAdapters.

Additionally, for actuator endpoints, the effects of the management.security.enabled

Read more

Spring Security 5.0.0 M4 Released

Releases | Rob Winch | September 15, 2017 | ...

On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0 M4. This release includes bug fixes, new features, and is based off of Spring Framework 5.0.0 RC4. You can find complete details in the changelog. The highlights of the release include:

OAuth2 / OIDC

OAuth2 Login Java Config

There are a number of improvements to the HttpSecurity.oauth2Login() DSL.

You can now configure the Token Endpoint with a custom implementation of an AuthorizationGrantTokenExchanger or SecurityTokenRepository<AccessToken>, as follows:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
    .oauth2Login()
      .tokenEndpoint()
        .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger())
	.accessTokenRepository(this.accessTokenRepository());
}

We’ve also added the capability of customizing the request paths for the Authorization Endpoint and Redirection Endpoint:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
    .oauth2Login()
      .authorizationEndpoint()
        .requestMatcher(new AntPathRequestMatcher("/custom-path/{clientAlias}"))
        .and()
      .redirectionEndpoint()
        .requestMatcher(new AntPathRequestMatcher("/custom-path/callback/{clientAlias}"));
}

As with all AbstractAuthenticationProcessingFilter 's in Spring Security, you can also set a custom AuthenticationSuccessHandler and AuthenticationFailureHandler:

protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .anyRequest().authenticated()
      .and()
     .oauth2Login()
       .successHandler(this.customAuthenticationSuccessHandler())
       .failureHandler(this.customAuthenticationFailureHandler());
}

Security Token Repository

We’ve introduced the SecurityTokenRepository<T extends SecurityToken> abstraction, which is responsible for the persistence of SecurityToken 's.

The initial implementation InMemoryAccessTokenRepository provides the persistence of AccessToken 's. In an upcoming release we’ll also provide an implementation that supports the persistence of Refresh Token’s.

ID Token and Claims

A couple of minor improvements were introduced to the IdToken along with some final implementation details for JwtClaimAccessor, StandardClaimAccessor and IdTokenClaimAccessor, which provide convenient access to claims in their associated constructs, for example, Jwt, IdToken, UserInfo.

Authorization Request Improvements

We’ve added the capability for an AuthorizationRequestRepository to persist the Authorization Request to a Cookie. The current default implementation persists in the HttpSession, however, a custom implementation may be provided to persist to a Cookie instead.

Support was also added for URI variables configured in the redirect-uri for the AuthorizationCodeRequestRedirectFilter.

OAuth2 Client Properties

There were a couple of minor updates to the properties for configuring an OAuth 2.0 Client. The configuration below outlines the current structure. You will notice that there is support for configuring multiple clients, for example, google, github, okta, etc.

security:
  oauth2:
    client:
      google:
        client-id: your-app-client-id
        client-secret: your-app-client-secret
        client-authentication-method: basic
        authorization-grant-type: authorization_code
        redirect-uri: "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{clientAlias}"
        scope: openid, profile, email, address, phone
        authorization-uri: "https://accounts.google.com/o/oauth2/v2/auth"
        token-uri: "https://www.googleapis.com/oauth2/v4/token"
        user-info-uri: "https://www.googleapis.com/oauth2/v3/userinfo"
        user-name-attribute-name: "sub"
        jwk-set-uri: "https://www.googleapis.com/oauth2/v3/certs"
        client-name: Google
        client-alias: google
      github:
        ...
      okta:
        ...

A complete example for using the new Spring Security OAuth 2.0 / OpenID Connect 1.0 login feature can be found in the Spring Security samples at oauth2login. The guide will walk you through the steps for setting up the sample application for OAuth 2.0 login using an external OAuth 2.0 or OpenID Connect 1.0 Provider.

Reactive Security

Reactive Method Security

Spring Security’s Reactive support now includes method security by leveraging Reactor’s Context. The highlights are below, but you can find a complete example of it in action in samples/javaconfig/hellowebflux-method

The first step is to use @EnableReactiveMethodSecurity to enable support for @PreAuthorize and @PostAuthorize annotations. This step ensures that the objects are properly proxied.

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {

The next step is to create a service that is annotated with @PreAuthorize or @PostAuthorize. For example:

@PreAuthorize("hasRole('ADMIN')")
public Mono<String> findMessage() {

Spring Security’s WebFlux support will then ensure that the Reactor Context will be populated with the current user which is used to determine if access is granted or denied.

Spring Security’s standard @WithMockUser and related annotations has been updated to work with Reactive Method Security. For example:

@RunWith(SpringRunner.class)
// ...
public class HelloWorldMessageServiceTests {
  @Autowired
  HelloWorldMessageService messages;

@Test
public void messagesWhenNotAuthenticatedThenDenied() {
StepVerifier.create(this.messages.findMessage())
.expectError(AccessDeniedException.class)
.verify();
}


@Test
@WithMockUser
public void messagesWhenUserThenDenied() {
StepVerifier.create(this.messages.findMessage())
.expectError(AccessDeniedException.class)
.verify();
}


@Test
@WithMockUser(roles = "ADMIN")
public void messagesWhenAdminThenOk() {
StepVerifier.create(this.messages.findMessage())
.expectNext("Hello World!")
.verifyComplete();
}
}

The test support also works nicely with TestWebClient. For example:

@RunWith(SpringRunner.class)
// ...
public class HelloWebfluxMethodApplicationTests {
  @Autowired
  ApplicationContext context;

WebTestClient rest;


@Before
public void setup() {
this.rest…
Read more

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all