Welcome back to another installment of This Week in Spring! As usual, we've got a lot to cover so let's dive into it!

Quick reminder: if you're in the San Francisco bay area, be sure to join me tomorrow evening at the Oakland JUG where I'll be speaking about Spring and Spring Boot!

1. Join us on February 11th for a webinar introducing what's coming in Apache Tomcat 8.
2. Join Spring Data engineers Oliver Gierke and Thomas Darimont on February 18 for a webinar introducing Spring Data repositories best-practices
3. Check out the replay of Spring MVC ninja Rossen Stoyanchev's talk from SpringOne2GX 2013 on WebSocket Applications with Spring Framework 4.0.
4. Check out the replay of Spring Security lead Rob Winch's webinar introducing Spring Security 3.2
5. Check out Mattias Severson's SpringOne 2013 session replay reviewing Spring MVC test APIs.
6. Spring Security lead Rob Winch has a nice post on how cookies can be exploited if not properly secured.
7. Meanwhile, over on the Pivotal blog, C24 Founder and CTO John Davies gives us a look at how C24 is delivering high scalability for large financial-services companies with Spring, RabbitMQ, Pivotal, and GemFire.
8. Les Cast Codeurs, a French language coding podcast (though, fairly well dominated by JVM technologies), interviewed Grails and Reactor committer Stephane Maldini, check it out!
9. The Squadron blog has a nice post on how to use TLS (and the instructions are basically the same for SSL). This post is not specific to Spring, but if you're looking at Spring Security's X.509 support, then this article will be very useful.
10. Mkyong is back with another post, this time on using TestNG with Spring.
11. The Blas from the Pas blog has a nice post on how to use Thymeleaf and Spring MVC. You might also check out our guide on the subject.
12. Andriy Redko has a nice post on how to use the Scala language sbt build tool with a simple Spring application. The thrust of this post is to introduce sbt, which is an alternative build tool to things like Maven or Gradle.
13. The Develop and Conquer blog has a nice post on using Spring 4's websocket support.
14. Our pal Xavier Padró is back, this time with a look at how to migrate XML-configured web applications to the recently released Spring 4.0
15. Spring Data lead Oliver Gierke's talk from Geecon, Data Access 2.0? Please welcome Spring Data!, is now available online to watch. Enjoy!
16. Jakub Kubrynski has a nice post on using Spring's Java-centric web configuration options.
17. The Remove duplications and fix bad names blog has a nice post on unit-testing with Spring and Mockito.
18. The Isos Tech blog has a post on the subject of using two JPA EntityManagers in one Spring application.

Speakers: Oliver Gierke and Thomas Darimont

The repository abstraction layer is one of the core pieces of the Spring Data projects. It provides a consistent, interface-based programming model to allow implementing data access layers easily for relational and NoSQL databases. We will have a look at the lessons learned from the application of it in various customer projects and summarize best practices for you to apply in your projects. The session will also discuss advanced features like the Querydsl integration, the integration of custom implementation code as well as hooks into Spring MVC and Spring HATEOAS.

Tuesday, February 18, 2014 3:00pm GMT Time (London GMT) Register

Tuesday, February 18, 2014 10:00am PST (San Francisco, GMT-08:00) Register

Intro to Apache Tomcat 8

Speakers: Daniel Mikusa and Stuart Williams

Apache Tomcat 8 implements new versions of the Servlet, JSP and EL specifications as well as adding support for the new WebSocket specification. Work has also been completed on internal refactoring in a number of areas that will impact a number of Tomcat specific features. This presentation will provide an overview of the changes and new features introduced by both the updated specifications and the Tomcat specific changes. This session will enable attendees to identify the Tomcat 8 features of greatest interest to them and provide them with the information required to start planning their migration to Tomcat 8.

Tuesday, February 11, 2014 3:00pm GMT Time (London GMT) Register

Tuesday, February 11, 2014 10:00am PST (San Francisco, GMT-08:00) Register

Recorded at SpringOne2GX 2013 in Santa Clara, CA

Speaker: Mattias Severson

Is it possible to decrease the turn-around time of your test suite? How can you make sure that your tests execute independently? Is it possible to automatically verify that the database schema is kept in sync with the source code? What are the trade-offs? In this presentation, you will learn how to apply features such as the Spring MVC Test Framework, Spring profiles, and embedded databases, to automate and improve your test suite, thus improving the overall quality of your project. A simplistic Spring web app will be used to show some practical code examples. Topics include:

• Basic Spring Testing
• Embedded Database
• Transactions
• Profiles
• Controller Tests
• Server Integration Tests

!{iframe width="420" height="315" src="//www.youtube.com/embed/LYVJ69h76nw" frameborder="0" allowfullscreen}{/iframe}

Speaker: Rossen Stoyanchev

Recorded at SpringOne2GX 2013 in Santa Clara, CA.

Last year's Intro to WebSocket presentation was as much about introducing WebSocket -- including specs, browser availability, server support -- as it was about summarizing short and long term challenges surrounding its use and leaving many open questions. What a world of difference a year can make! This update to last year's presentation, covers the new standard Java WebSocket API (JSR-356) including a discussion of positives and limitations, an update on the current status of WebSocket support across Servlet containers, and of course the Spring Framework 4.0 WebSocket support -- how to configure and use it and what additional benefits it provides. A central part of this is Spring's support for SockJS, the protocol for transparent WebSocket fallback options for use in applications that for example need to run in IE 10 and eariler. This presentation is for you if you want a comprehensive introduction to WebSocket including standard Java EE 7 and Spring Framework 4.0 support. For a more practical take on how to actually build WebSocket-style applications that skips the introduction, please attend the next presentation Building WebSocket Browser Applications with Spring by Rossen Stoyanchev and Scott Andrews, or attend both presentations. They are intended to be complementary. Learn more about WebSocket in Spring Framework at: http://projects.spring.io/spring-framework

Slides: http://rstoyanchev.github.io/s2gx2013-intro-websocket-spring-framework-4

!{iframe width="420" height="315" src="//www.youtube.com/embed/MJeEAVJR2FA" frameborder="0" allowfullscreen}{/iframe}

Speaker: Rob Winch

Spring Security is a powerful and highly customizable authentication and access-control framework and is the de-facto standard for securing Spring-based applications. Whether you are itching to learn how to use Spring Security for the first time or you want to learn about all the new features in Spring Security 3.2 this presentation is a must. In this talk Rob, the Spring Security project lead, will take you on a guided tour of how to get up and running with Spring Security 3.2's new features including:

· Java Configuration support

· CSRF protection

· Security related HTTP response headers

· Spring MVC integration

Learn more about Spring Security at http://projects.spring.io/spring-security

!{iframe width="420" height="315" src="//www.youtube.com/embed/qoR6lY6biO4" frameborder="0" allowfullscreen}{/iframe}

Introduction

Developers often incorrectly use encryption in an attempt to provide authenticity. For example, a RESTful application may mistakenly use an encrypted cookie to embed the current user's identity.

The mistake is that encryption can only be used to keep a secret while signing is used to verify authenticity of a message. In this post, I will explain and provide an example of why encryption is not a guarantee of authenticity.

If you just want to see code, feel free to skip to the end which has a sample Java application that demonstrates the exploit.

Encrypted Cookies (whoops)

Assume we…

Welcome back to another installment of This Week in Spring!

As usual, we've got a lot to cover, so let's dive right into it!

By the way, due to overwhelming demand, we're going to repeat the webinar introducing Spring 4 with Juergen Hoeller on January 23rd. Watch this space for when we open up registration. The expected times are:

Thursday, January 23, 2014 - 3:00pm GMT Time (London GMT)

• closed as of Jan 20th
  

Thursday, January 23, 2014 - 10:00am PST (San Francisco, GMT-08:00)

• registration open

1. The replay of Ben Hale's talk on RESTful API evolution from SpringOne2GX 2013 is now available online
2. Spring and Groovy/Grails Tool Suite lead Martin Lippert just refreshed the most popular article ever written on JavaLobby, Spring IDE and the Spring Tool Suite - Using Spring in Eclipse. Check it out!
3. Spring XD lead Dr. Mark Pollack has just announced that Spring XD 1.0.0.M5 is now available
4. Oliver Gierke's talk from SpringOne2GX "Spring RESTBucks: a Hypermedia Driven REST webservice" is now available online.
5. Following the crazy success of the Spring 4 webinar on the 9th, Spring project lead Juergen Hoeller has just written a blog detailing the next steps for the framework, including Spring 4.1 and Spring 3.2.7.
6. Have you tried the crazy cool shell built into Spring Boot? It's powered by CRaSH, which you can learn more about in this video
7. The replay from Gunnar Hillert and Michael Minella's talk from SpringOne2GX 2013, Integrating Spring Batch and Spring Integration, is now available online.
8. Matt Stine webinar, Spring with Immutability, is now available online.
9. Rob Winch just announced that Spring LDAP 2.0.0 is now available online!
10. Our pal Eugen Paraschiv is back at it again, this time with a post on Spring's HttpMessageConverters.
11. Jakub Kubrynski has a nice post on integration testing Spring Integration and Spring 4
12. Gary Russell has just announced that Spring AMQP 1.3.0.M1 and 1.2.1 RELEASE are now available. The new release is very meaty, so if you're using it, I strongly suggest upgrading!
13. Sproogle 0.3.0, which is an integration with Spring and parts of the Google stack (that don't so far as I can tell include the OAuth pieces that Spring Social Google takes care of), is now available.
14. On the GoPivotal blog, Steve Greenberg has a nice post on how to add a service to your Cloud Foundry architecture using Spring. Nice! I've been waiting for something like this for a long time!
15. Our pals on the Vaadin team are doing a webinar on Spring and Vaadin integration best-practices on January 30th, 2014. Check it out!
16. A little late, but RestHub, which integrates a full Spring-powered REST and web application stack, has just released RESTHub 2.1.4. Check it out!
17. Rest Assured, which provides an alternative testing API for REST services, has just released a new version that supports Spring MVC.
18. New Relic has just announced dedicated Grails support.
19. Zan Thrash did a nice talk on InfoQ about using Node.js ecosystem tools for client-side development along with Grails. The talk has very little to do with Grails, actually, and could as easily be applied to Java and Spring MVC development. These tools are front-and-center for many different types of web application developers, and this talk is a good primer.

Following up on my Spring Framework 4 webinar last week, I'd like to share the Spring Framework 4.1 plan introduced there. We have a few key themes that are being prepared towards 4.1, for a timely GA delivery in August 2014, with a 4.1 RC to appear in June:

Comprehensive web resource handling - resource pipelining, cache control refinements
Caching support revisited - aligned with JCache 1.0 final, user-requested enhancements
JMS support overhaul - aligned with our messaging module, annotation-driven endpoints
Performance improvements - application startup, SpEL expression evaluation

These…