The Spring Blog

News and Events

Announcing nohttp

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.


Today, Jonathan Leitschuh published a blog titled "Want to take over the Java ecosystem? All you need is a MITM!". The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man-in-the-middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.


React-ing to + User feedback updates

We are happy to announce today that is now built using React/Gatsby as the front-end framework. We also made UI improvements based on your feedback. Thank you to all those who have contributed to this update and to all the users who continue to tell us how to improve!


During the previous Web UI modernization (launched on March 5th), we realized that making even small changes to the site had become more time-consuming than we anticipated. The architecture was inhibiting our ability to run experiments and move quickly to make small, incremental changes.


This Week in Spring - June 4, 2019

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I’m in…. I’m home! Look at that! I’m home for the epic SpringOne Tour San Francisco event. I’m super excited to be here in this amazing weather with an amazing community. It’s been a busy week though! Last week I returned from Spain for my kid’s graduation, and I am still so so proud. Tomorrow I fly to Cork, Ireland for the Cork JUG and then it’s off to London for a wedding. So, lot of travel, but a bit of a lighter load :-)


Java CFEnv 1.1.0.M1 Released


On behalf of the community I am happy to announce the release of Java CFEnv 1.1 M1.

This release brings in contributions from several teams:

  • EMC Volume Service
  • Pivotal Single Sign-On Service
  • Pivotal Redis Service

Support for Volume Services is a new feature. Single Sign-On functionality has been improved to set Spring Security auto-configuration properties for Spring Security 5’s OAuth support. The Redis support has been improved to support auto-configuration of TLS.

The project README has more information.

A release candidate is going out next week, followed quickly by a GA release. Please try it out and give feedback on our GitHub issues page.


Introducing Spring Cloud App Broker

We recently announced the general availability of Spring Cloud Services 3.0, which involved a major redesign of the previous architecture used in that project. As detailed in the related blog post, Spring Cloud Services has moved to the latest versions of Spring Framework and Spring Boot, and is now built on a Reactive programming model and Spring WebFlux. Two key components of this redesign are offered as open source Spring Cloud projects.

The first project is Spring Cloud Open Service Broker. This project has been available for some time; however, the recent 3.0.0 release has itself been redesigned to incorporate a Reactive programming model and updated to support Spring WebFlux.


CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed instructions on how to override the version.


Webinar: Boosting Microservice Performance with Kafka, RabbitMQ, and Spring

Speaker: Mark Heckler, Pivotal

In today’s microservices-based world, many mission-critical systems have distributed elements or are entirely distributed. Ideally, these architectures should improve things such as performance, scalability, reliability, and resilience—but subpar design can limit those strengths, or worse yet, turn them into challenges that need to be overcome.

Messaging platforms help solve these problems and improve the “ilities,” but they come with a few complexities of their own. This webinar will teach you how to use open-source solutions like Spring Cloud Stream, RabbitMQ, and Apache Kafka to maximize your distributed systems’ capabilities while minimizing complexity.