Welcome to another installment of This Week in Spring! This week I've been in San Francisco, (where I live and) where I addressed the Silicon Valley Spring User Group. Now it's off to beautiful China to bring some Spring and Pivotal (and, maybe, take a little vacation!)

As usual, we have a lot to get to so let's!

• Spring ninja Greg Turnquist has just announced that Spring Web Services 2.3.1 and 2.4.0 are now available
• Spring Cloud ninja Marcin Grzejszczak just announced that Spring Cloud Camden M1 is now available
• Spring Cloud Data Flow ninja Thomas Risberg just announced that Spring Cloud Data Flow for Mesos 1.0.RC2 is now available
• Marius Bogoevici just announced Spring Cloud Stream Brooklyn M1 is now available. This release is packed full of new features including support for reactive programming
• Spring Cloud Data Flow ninja Eric Bottard just announced …

On behalf of the team, I am pleased to announce that Milestone 1 of the Spring Cloud Camden Release Train is available today. The release can be found in our Spring Milestone repository. We’ve made numerous enhancements and bug fixes! You can check out the Camden.M1 release notes for more information.

The following modules were updated as part of Camden.M1:

Spring Cloud Build        1.2.0.RELEASE
Spring Cloud Stream       Brooklyn.M1
Spring Cloud Bus          1.2.0.M1
Spring Cloud Config       1.2.0.M1
Spring Cloud Netflix      1.2.0.M1
Spring Cloud Consul       1.1.0.M1
Spring Cloud…

Greetings Spring community,

Spring Web Services has just released versions 2.3.1.RELEASE and 2.4.0.RELEASE.

2.3.1.RELEASE is a minor patch release.

2.3.1 Release Notes | 2.3.1 Documentation.

2.4.0.RELEASE rebases Spring Web Services to run on Spring Framework 4.2.x & Spring Security 4.0.x, the stable baselines behind Spring 4.3/Spring Security 4.1. At the same time, it remains compatible with Java 7. This version includes changes to the code base making it forward compatible with Spring 4.3 and 5.0, so you are free to move up to whichever version of Spring/Spring Security you wish to use.

2.4.0 Release Notes | 2.4.0 Documentation…

On behalf of the team, I am pleased to announce the release of the first milestone of the Spring Cloud Stream Brooklyn release train. Spring Cloud Stream Brooklyn.M1 is available for use in the Spring Milestone repository, a detailed description of its features can be found in the reference documentation. Release notes are available here and include important information on the migration path.

From a Monolith to a Release Train

Spring Cloud Stream Brooklyn.M1 succeeds Spring Cloud Stream 1.0. The change in the naming scheme reflects the project's structural changes, in particular switching…

We are pleased to announce the 1.0.0.RC2 release candidate of Spring Cloud Data Flow for Mesos, a team effort that encompasses many new features under the hood.

This release candidate builds upon the recent 1.0 GA release of Spring Cloud Data Flow. Some highlights include:

• We now run the Spring Cloud Data Flow Server as a Docker image on Marathon, a container orchestration platform for Mesos.
• This release adds features to support stream partitioning and scaling

• Currently partitioning and scaling of sinks and processors are handled by using multiple application deployments, one for each app instance, identified by an index appended to the name.
• Scaling of sources is handled by using additional application instances.

* Streams are now deployed using Marathon [Application Groups](https://mesosphere.github.io/marathon/docs/application-groups.html) so it is easier to identify the different apps making up a stream. * We have added support for launching tasks using Chronos, a fault tolerant job scheduler for Mesos.

As part of this effort we have developed a simple Java client for interacting with the Chronos API. This Java client is included in the latest 1.0.2.RELEASE version of the Spring Cloud Deployer for Mesos project…

We are pleased to announce the general availability of Spring Cloud Data Flow for Cloud Foundry version 1.0.0.RELEASE.

Spring Cloud Data Flow for Cloud Foundry provides support for orchestrating long-running (streaming) and short-lived (task/batch) data microservices on Cloud Foundry runtime.

As the successor to Spring XD, this project benefits from a much more decoupled architecture, leveraging the Spring Cloud Deployer for Cloud Foundry library, which also goes GA today. More details about Spring Cloud Data Flow’s architecture and its ecosystem can be found in this blog.

• Stream and Batch/Task Processing are the primary functionalities in Spring Cloud Data Flow and they map to Cloud Foundry Diego’s LRPs and Tasks1 respectively.

• Includes developer toolkits to build streaming and batch/task pipelines using the DSL, Shell, REST-APIs, Dashboard, Flo Designer, or any combination of those.

• Facilitates test-driven-development at individual data pipeline components along with test fixtures to develop and test "data-centric" apps in isolation.

• Leverages Cloud Foundry’s runtime capabilities such as security, metrics, operational monitoring, scaling, and reliable execution of streaming and batch/task pipelines.

  …

I’m pleased to announce the release of Spring Security 4.1.3.RELEASE which updates libraries & resolves some minor issues including fixes for the new MvcRequestMatcher.

For details refer to the changelog.

Contributions

Without the community we couldn’t be the successful project we are today. I’d like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe @joe_grandja on Twitter.

Of course the best feedback comes in the form of contributions…

We are pleased to announce the 1.0.0.RC1 release of Spring Cloud Data Flow for Cloud Foundry.

As we near completion towards a GA release in the upcoming days, this milestone brings the following improvements:

• Builds upon the 1.0.0.RC1 release of Spring Cloud Deployer Cloud Foundry, which itself builds upon Project Reactor 3.0.0.RELEASE and of CF-Java-Client 2.0.0.RELEASE

• Adds the ability to orchestrate short-lived tasks including Spring Batch Jobs in Cloud Foundry, which can be enabled as an experimental feature toggle

• Adds support for command line arguments as a separate set of properties to be passed to a Task when it’s launched

• Adds support to separate stream and task specific service bindings. This allows pinning stream and tasks specific services to stream and task applications respectively

  …

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring Application’s process had access to.

The issue was a direct result of OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks. The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.

Note

We did not consider this a CVE because the exploit was only found in the sample application which is not considered production code. However, we expect that our users may have copied this code to create their own applications. For this reason, we wanted to be transparent and communicate the issue and…