Spring Authorization Server 0.4.0-RC1 available now

Releases | Joe Grandja | November 01, 2022 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.4.0-RC1.

You can download it from repo.spring.io milestone repository by using the module coordinates:

implementation 'org.springframework.security:spring-security-oauth2-authorization-server:0.4.0-RC1'

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

We would love to gather your…

This Week in Spring - November 1st, 2022

Engineering | Josh Long | October 31, 2022 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! How're you doin'? I hope you're doing well and had a great Halloween if you celebrate. I'm doing great. I'm in sunny Kuala Lumpur, Malaysia, eating delicious food and hanging out with amazing people. Tomorrow, I'm off to Penang, Malaysia, for a little tourism before I get back to a more code-driven kinda fun: I'll be doing a developer event looking at the latest-and-greatest from Spring Boot 3 here in Kuala Lumpur on the 11th of November - ten short days from now! - so please join me!

Also, I just joined Mastodon - a decentralized and open-source Twitter; I'm not leaving Twitter, of course, but I would love to make new friends and grow the community there: @[email protected]

CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Engineering | Steve Riesenberg | October 31, 2022 | ...

Spring Security 5.6.9 and 5.7.5, released on October 31st, 2022, included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.

Impact

Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) responds to the OAuth2 Access Token Response with an empty or missing scope parameter.

If you are affected by this vulnerability, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER

Spring Cloud 2022.0.0-RC1 Is Available

Releases | Spencer Gibb | October 31, 2022 | ...

On behalf of the community, I am pleased to announce that the Release Candidate 1 (RC1) of the Spring Cloud 2022.0 Release Train is available today. The release can be found in Spring Milestone repository. You can check out the 2022.0 release notes for more information.

Notable Changes in the 2022.0.0 Release Train

See all issues closed here.

Spring Cloud Function

  • Updates for Observability and Native Hints

Spring Cloud OpenFeign

  • Added support for target URL refreshing (#710)
  • Added support for LoadBalancer X-Forwarded Headers (#748)
  • Set Jackson Autoconfiguration to be enabled by default (#476)
  • Removed deprecations and adjusted to the API changes in Feign (#768)

Spring Session 3.0.0-RC1

Engineering | Rob Winch | October 26, 2022 | ...

Spring Session 3.1.0-RC1 has been released. The biggest news from this release is that Spring Session Geode was removed, which means all of the Spring Modules now belong to the same lifecycle. This means that the Spring Session BOM no longer uses CalVer and instead uses the same version as the remaining Spring Session modules. For example, in this release the version of spring-session-bom is 3.0.0-RC1.

You can view the release notes for additional details around this release.


Spring Tips: the road to Spring Boot 3: Spring Framework 6

Engineering | Josh Long | October 26, 2022 | ...

Hi, Spring fans! In this installment, we begin a journey to Spring Boot 3, due end of November 2022. In this installment, we'll look - at a very high level - at some of the amazing features in Spring Framework 6, which underpins Spring Boot 3.

Want to learn more about Spring Framework 6 and Spring Boot 3? Join us at SpringOne 2022! Use the code S1VM22_Advocate_200 for $200 off the price of admission!

Spring Tools 4.16.1 released

Releases | Martin Lippert | October 26, 2022 | ...

Dear Spring Community,

I am happy to announce the 4.16.1 release of the Spring Tools 4 for Eclipse, Visual Studio Code, and Theia.

major changes to the Spring Tools 4 for Eclipse distribution

  • early access builds available for Spring Tools 4 on Eclipse 2022-12 milestones

important note for upgrading from a release prior to 4.16.0 on Eclipse

fixes and improvements

  • (Spring Boot) fixed: Spring XML Config support does not show symbols with scope "File" (#860)
  • (Spring Boot) fixed: [open-rewrite] exception when executing quick fix for project (#853)
  • (Spring Boot) fixed: [refactoring] quick fix to convert autowired field to constructor param shows up even if the constructor param already exists (#815)
  • (VSCode) fixed: Vscode Spring Boot Tools 1.39.0 prevents Java project from Running/Debugging (#847)
  • (Eclipse) fixed: Web Tools Platform (WTP) validation is activated by default (#859)
  • (Eclipse) fixed: ask user to save dirty editors before deploying on docker (#803
