Introduction

Developers often incorrectly use encryption in an attempt to provide authenticity. For example, a RESTful application may mistakenly use an encrypted cookie to embed the current user's identity.

The mistake is that encryption can only be used to keep a secret while signing is used to verify authenticity of a message. In this post, I will explain and provide an example of why encryption is not a guarantee of authenticity.

If you just want to see code, feel free to skip to the end which has a sample Java application that demonstrates the exploit.

Encrypted Cookies (whoops)

Assume we…

Welcome back to another installment of This Week in Spring!

As usual, we've got a lot to cover, so let's dive right into it!

By the way, due to overwhelming demand, we're going to repeat the webinar introducing Spring 4 with Juergen Hoeller on January 23rd. Watch this space for when we open up registration. The expected times are:

Thursday, January 23, 2014 - 3:00pm GMT Time (London GMT)

• closed as of Jan 20th
  

Thursday, January 23, 2014 - 10:00am PST (San Francisco, GMT-08:00)

• registration open

1. The replay of Ben Hale's talk on RESTful API evolution from SpringOne2GX 2013 is now available online
2. Spring and Groovy/Grails Tool Suite lead Martin Lippert just refreshed the most popular article ever written on JavaLobby, Spring IDE and the Spring Tool Suite - Using Spring in Eclipse. Check it out!
3. Spring XD lead Dr. Mark Pollack has just announced that Spring XD 1.0.0.M5 is now available
4. Oliver Gierke's talk from SpringOne2GX "Spring RESTBucks: a Hypermedia Driven REST webservice" is now available online.
5. Following the crazy success of the Spring 4 webinar on the 9th, Spring project lead Juergen Hoeller has just written a blog detailing the next steps for the framework, including Spring 4.1 and Spring 3.2.7.
6. Have you tried the crazy cool shell built into Spring Boot? It's powered by CRaSH, which you can learn more about in this video
7. The replay from Gunnar Hillert and Michael Minella's talk from SpringOne2GX 2013, Integrating Spring Batch and Spring Integration, is now available online.
8. Matt Stine webinar, Spring with Immutability, is now available online.
9. Rob Winch just announced that Spring LDAP 2.0.0 is now available online!
10. Our pal Eugen Paraschiv is back at it again, this time with a post on Spring's HttpMessageConverters.
11. Jakub Kubrynski has a nice post on integration testing Spring Integration and Spring 4
12. Gary Russell has just announced that Spring AMQP 1.3.0.M1 and 1.2.1 RELEASE are now available. The new release is very meaty, so if you're using it, I strongly suggest upgrading!
13. Sproogle 0.3.0, which is an integration with Spring and parts of the Google stack (that don't so far as I can tell include the OAuth pieces that Spring Social Google takes care of), is now available.
14. On the GoPivotal blog, Steve Greenberg has a nice post on how to add a service to your Cloud Foundry architecture using Spring. Nice! I've been waiting for something like this for a long time!
15. Our pals on the Vaadin team are doing a webinar on Spring and Vaadin integration best-practices on January 30th, 2014. Check it out!
16. A little late, but RestHub, which integrates a full Spring-powered REST and web application stack, has just released RESTHub 2.1.4. Check it out!
17. Rest Assured, which provides an alternative testing API for REST services, has just released a new version that supports Spring MVC.
18. New Relic has just announced dedicated Grails support.
19. Zan Thrash did a nice talk on InfoQ about using Node.js ecosystem tools for client-side development along with Grails. The talk has very little to do with Grails, actually, and could as easily be applied to Java and Spring MVC development. These tools are front-and-center for many different types of web application developers, and this talk is a good primer.

Following up on my Spring Framework 4 webinar last week, I'd like to share the Spring Framework 4.1 plan introduced there. We have a few key themes that are being prepared towards 4.1, for a timely GA delivery in August 2014, with a 4.1 RC to appear in June:

Comprehensive web resource handling - resource pipelining, cache control refinements
Caching support revisited - aligned with JCache 1.0 final, user-requested enhancements
JMS support overhaul - aligned with our messaging module, annotation-driven endpoints
Performance improvements - application startup, SpEL expression evaluation

These…

Speaker: Matt Stine

Readers of Josh Bloch's "Effective Java" are sometimes perplexed when they reach Item #15: "Minimize Mutability." If we are to minimize mutability, then obviously we must maximize immutability. While all Java programmers utilize immutable objects every day (e.g. java.lang.String), when asked to create our own immutable classes, we often hesitate. However, if we push through this hesitation, we'll reap the benefits of simpler reasoning about program correctness, free thread safety, and other benefits. One of the primary issues faced by enterprise Java programmers seeking to utilize immutable classes are framework issues. Enterprise frameworks from Spring to Hibernate have varying levels of support for immutability, ranging from decent to nonexistent. However, there several practical solutions available to the Spring developer, and this session will illuminate what's available. Learn more about Spring Framework at http://projects.spring.io/spring-framework

!{iframe width="420" height="315" src="//www.youtube.com/embed/D8eCUR0QK-s" frameborder="0" allowfullscreen}{/iframe}

Speaker: Ben Hale

Recorded at SpringOne2GX 2013 in Santa Clara, CA. Speaker: Ben Hale As REST-ful data services become more widespread, it is becoming clear that they have to change to suit new consumer needs. This evolution is often disruptive to consumers, but it doesn't have to be. This session, a follow up to 'REST-ful API Design', discusses various strategies for evolving a REST-ful API and how the strategies can be implemented using Spring. Learn more about REST at:

http://projects.spring.io/spring-framework/ (Spring MVC's REST controller)

http://projects.spring.io/spring-hateoas/ (Hypermedia Support)

!{iframe width="420" height="315" src="//www.youtube.com/embed/fSFh9UCBp5s" frameborder="0" allowfullscreen}{/iframe}

Speakers: Gunnar Hillert, Michael Minella

Recorded at SpringOne2GX 2013 in Santa Clara, CA.

This talk is for everyone who wants to efficiently use Spring Batch and Spring Integration together. Users of Spring Batch often have the requirements to interact with other systems, to schedule the periodic execution Batch jobs and to monitor the execution of Batch jobs. Conversely, Spring Integration users periodically have Big Data processing requirements, be it for example the handling of large traditional batch files or the execution of Apache Hadoop jobs. For these scenarios, Spring Batch is the ideal solution. This session will introduce Spring Batch Integration, a project that provides support to easily tie Spring Batch and Spring Integration together. We will cover the following scenarios: Launch Batch Jobs through Spring Integration Messages Generate Informational Messages Externalize Batch Process Execution using Spring Integration Create Big Data Pipelines with Spring Batch and Spring Integration Learn more about Spring Batch: http://projects.spring.io/spring-batch/ Learn more about Spring Integration: http://projects.spring.io/spring-integration/

!{iframe width="420" height="315" src="//www.youtube.com/embed/8tiqeV07XlI" frameborder="0" allowfullscreen}{/iframe}

We are pleased to announce the availability of these two releases; the 1.2.1.RELEASE contains a few minor bug fixes, while the 1.3.0.M1 milestone release contains some significant new features, including:

• The listener container concurrency can be changed without first stopping the container and the listeners will be adjusted accordingly
• The listener container can dynamically adjust the concurrent consumers, based on workload
• The Connection Factory can now cache connections rather than all users sharing the same connection
• The RabbitTemplate now has several convenient receiveAndReply methods
• A fluent Java API is now provided to build a Message
• There is now a SimpleRoutingConnectionFactory to determine which connection factory to use at runtime
…

I'm pleased to announce that Spring LDAP 2.0.0.RELEASE is now available from Maven Central and Bintray. A special thanks to Mattias Arthursson for all the work he put into this release!

Refer to the What's new in Spring LDAP 2.0 to find the full details of this release. A list of changes can be found within JIRA's change logs. Highlights include:

• Spring Data Repository and QueryDSL support is now included in Spring LDAP.
• Fluent LDAP query support has been added.
• A custom XML namespace is now provided to simplify configuration of Spring LDAP.
• Spring LDAP core has been updated with Java 5 features such as generics and varargs.
• The ODM (Object-Directory Mapping) functionality has been moved to core and there are new methods in LdapOperations/LdapTemplate that uses this automatic translation to/from ODM-annotated classes.
…

The Spring XD team is pleased to announce that Spring XD 1.0.0 Milestone 5 is now available for download.

Spring XD makes it easy to solve common big data problems such as data ingestion and export, real-time analytics, and batch workflow orchestration. This release includes several notable new features:

• Pre-defined batch jobs for JDBC to HDFS
• Many additional job shell commands for controlling and reporting on batch jobs.
• Hadoop Dataset Avro sink that uses the Kite SDK
• HDFS sink now supports codecs (gzip, snappy, bzip2, lzo) and fine-grained control over file naming
• JMS source module now support Topics in addition to Queues
• Improved support for use of Gemfire Locators
• Aggregator module for batching that also supports a backing message store for checkpointing the event stream to memory, Redis, or a relational database.
• Support for separate control and data transport protocols
• XD servers are now built on top of …