Spring blog

All Posts
Engineering
Releases
News and Events

This Week in Spring - November, 10, 2015

Engineering | Josh Long | November 10, 2015 | ...

Welcome to another installation of This Week in Spring! This week I'm in Antwerp, Belgium for the grand mother of all Devoxxes (Devoxxen?), Devoxx Belgium! I'm here along with several members of the team and if you're around, don't hesitate to say hi!

Read more

This Week in Spring (PCF 1.6 edition!) - November 3, 2015

Engineering | Josh Long | November 03, 2015 | ...

Welcome to another installation of This Week in Spring! This week I'm in Sofia, Bulgaria for one of my favorite shows, the epic Java2Days event!

Last week saw the release (finally!) of Pivotal Cloud Foundry 1.6, which contains more than a year and half of highly anticipated features and heavy lifting. The new release includes, among many other things, support for platform-managed GitLab, JFrog Artifactory, and CloudBees Jenkins CI; support for microservices infrastructure including the Spring Cloud Config Server, and Spring Cloud Eureka; and support for Docker container images and .NET applications; and support for running on Microsoft Azure. This release is packed with all sorts of features optimized for the continuous and safe delivery of software into production and I…

Read more

Spring XD 1.3 Demo: Flo for Batch

Engineering | Pieter Humphrey | November 03, 2015 | ...

Flo for Batch pipeline builds upon the newly supported Batch DSL in Spring XD that can be used to create composite batch workflows involving sequential, parallel or even the combination of both jobs.

Read more

Spring XD 1.3 RC1 released

Releases | Mark Pollack | November 03, 2015 | ...

On behalf of the Spring XD team, I am very pleased to announce the first release candidate of Spring XD 1.3 is now available for download. You can also install using brew and rpm.

This release includes some major new functionality for batch jobs. We have introduced the ability to create composed jobs that allows you to create a complex graph of jobs executed based on a new Job DSL. Flo for Spring XD UI has been updated to support the new Job DSL and provide a visual drag and drop canvas for creating composed jobs. Spring XD’s job execution UI also supports execution history of composed…

Read more

Spring Security 3.2.9 Released

Releases | Rob Winch | November 02, 2015 | ...

I’m pleased to announce the release of Spring Security 3.2.9.RELEASE. This release provides bug fixes and minor enhancements. For complete details on the release, refer to the Change Log.

Highlights of the release include:

  • SEC-2190 - Fixing integration with the JSP tag libraries when Spring Security is registered in a child ApplicationContext
  • SEC-2521 - Removal of synchronized in StandardPasswordEncoder which drastically improves performance
  • SEC-3108 - Fix potential race condition in DigestAuthenticationFilter
  • SEC-3109 - DelegatingSecurityContextExecutor works with Concurrent/ThreadPoolTaskScheduler
Read more

Spring Security 4.0.3 Released

Releases | Rob Winch | November 02, 2015 | ...

I’m pleased to announce the release of Spring Security 4.0.3.RELEASE. This release provides bug fixes and minor enhancements. For complete details on the release, refer to the Change Log.

Highlights of the release include:

  • SEC-3063 - Fixes for Spring Boot 1.3
  • SEC-2190 - Fixing integration with the JSP tag libraries when Spring Security is registered in a child ApplicationContext
  • SEC-2521 - Removal of synchronized in StandardPasswordEncoder which drastically improves performance
  • SEC-3108 - Fix potential race condition in DigestAuthenticationFilter
  • SEC-3109 - DelegatingSecurityContextExecutor works with Concurrent/ThreadPoolTaskScheduler
Read more

Spring IO Platform 2.0.0.RC1

Releases | Andy Wilkinson | October 29, 2015 | ...

Spring IO Platform 2.0.0.RC1 is available now from the Spring milestone repository. The 2.0 release upgrades the versions of a number of components including Spring Boot 1.3 and Spring Framework 4.2.

Please note that a number of dependencies that were previously part of the Platform have been removed or replaced in this release. Please refer to the documentation for further details.

All being well, 2.0.0.RELEASE will be released in a few weeks time once Spring Boot 1.3.0.RELEASE is available. Please take RC1 for a spin and let us know if you find any problems.

Project Page | GitHub | Issues |

Read more

This Week in Spring (JavaOne 2015 Edition) - October 27, 2015

Engineering | Josh Long | October 28, 2015 | ...

Welcome to another installation of This Week in Spring! This week I'm at JavaOne 2015 in San Francisco along with the rest of the Pivotal team. This week the Pivotal Spring team is out in full force, come stop by and say hi!

There are some great new SpringOne2GX 2015 recordings on line as well as some great community content this week so let's get to it!

Read more

React.js and Spring Data REST: Part 5 - Security

Engineering | Greg L. Turnquist | October 28, 2015 | ...
To see updates to this code, visit our React.js and Spring Data REST tutorial.

In the previous session, you made the app dynamically response to updates from other users via Spring Data REST’s built in event handlers and the Spring Framework’s WebSocket support. But no application is complete without securing the whole thing so that only proper users have access to the UI and the resources behind it.

Feel free to grab the code from this repository and follow along. This session is based on the previous session’s app with extra things added.

Adding Spring Security to the project

Before getting underway, you need to add a couple dependencies to your project’s pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>

This bring in Spring Boot’s Spring Security starter as well as some extra Thymeleaf tags to do security look ups in the web page.

Defining the security model

In the past session, you have worked with a nice payroll system. It’s handy to declare things on the backend and let Spring Data REST do the heavy lifting. The next step is to model a system where security controls need to be instituted.

If this is a payroll system, then only managers would be accessing it. So kick things off by modeling a Manager object:

@Data
@ToString(exclude = "password")
@Entity
public class Manager {

public static final PasswordEncoder PASSWORD_ENCODER = new BCryptPasswordEncoder();

private @Id @GeneratedValue Long id;

private String name;

private @JsonIgnore String password;

private String[] roles;

public void setPassword(String password) {
	this.password = PASSWORD_ENCODER.encode(password);
}

protected Manager() {}

public Manager(String name, String password, String... roles) {

	this.name = name;
	this.setPassword(password);
	this.roles = roles;
}



}

  • PASSWORD_ENCODER is the means to encrypt new passwords or to take password inputs and encrypt them before comparison.
  • id, name, password, and roles define the parameters needed to restrict access.

  • The customized setPassword() ensures that passwords are never stored in the clear.

There is a key thing to keep in mind when designing your security layer. Secure the right bits of data (like passwords) and do NOT let them get printed to console, into logs, or exported via JSON serialization.

  • @ToString(exclude = "password") ensures that the Lombok-generated toString() method will NOT print out the password.
  • @JsonIgnore applied to the password field protects from Jackson serializing this field.

Creating a manager’s repository

Spring Data is so good at managing entities. Why not create a repository to handle these managers?

@RepositoryRestResource(exported = false)
public interface ManagerRepository extends Repository<Manager, Long> {

Manager save(Manager manager);

Manager findByName(String name);



}

Instead of extending the usual CrudRepository, you don’t need so many methods. Instead, you need to save data (which is also used for updates) and you need to look up existing users. Hence, you can use Spring Data Common’s minimal Repository marker interface. It comes with no predefined operations.

Spring Data REST, by default, will export any repository it finds. You do NOT want this repository exposed for REST operations! Apply the @RepositoryRestResource(exported = false) annotation to block it from export. This prevents the repository from being served up as well as any metadata.

Linking employees with their managers

The last bit of modeling security is to associate employees with a manager. In this domain, an employee can have one manager while a manager can have multiple employees:

@Data
@Entity
public class Employee {

private @Id @GeneratedValue Long id…
Read more

Spring Integration Maintenance Releases Available

Releases | Gary Russell | October 27, 2015 | ...

We are pleased to announce the following release versions are now available. These versions include important bug fixes and users should upgrade as soon as possible. Click the version to see the appropriate JIRA release notes.

4.2.1.RELEASE 4.1.7.RELEASE 4.0.8.RELEASE 3.0.8.RELEASE

Please note that, unless some compelling reason arises, it is anticipated that the 4.1.7 and 4.0.8 releases will be the last in those lines; 4.x users are encouraged to upgrade to 4.2.1, which is the current release for the 4.x line.

We expect to continue to make available further 3.0.x releases to address…

Read more

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all