close

Spring Security OAuth2 - Client Authentication Issue

Issue #808 was recently reported that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.

This unique scenario occurs when a client and user have the same identifier (clientId and username). The user’s credentials are used for client authentication during a client_credentials or password grant flow and is successful in obtaining an access token with the authorities of the client.

The Fix

This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.

If you’re using Java-based configuration, please update to 2.0.11.RELEASE.

However, if you’re using XML-based configuration, please take the following actions:

  • Update to 2.0.11.RELEASE

  • Look at this JUnit test and it’s associated XML configuration to ensure the AuthenticationManager for client authentication and the AuthenticationManager for user authentication is setup the same in your configuration.

  • As a precautionary step, make sure your XML configuration is NOT setup the same as in this JUnit test and associated XML configuration as it demonstrates the original issue.

Read more

Custom test slice with Spring Boot 1.4

Spring Boot 1.4 includes a major overhaul of testing support and one of these features is test slicing. I’d like to take the opportunity in this blog post to further explain what it is and how you can easily create your own slices.

Test slicing is about segmenting the ApplicationContext that is created for your test. Typically, if you want to test a controller using MockMvc, surely you don’t want to bother with the data layer. Instead you’d probably want to mock the service that your controller uses and validate that all the web-related interaction works as expected. This can be summarized in the example below:

Read more

This Week in Spring - August 30th, 2016

Welcome to another installment of This Week in Spring! This week I’ve been in San Francisco, (where I live and) where I addressed the Silicon Valley Spring User Group. Now it’s off to beautiful China to bring some Spring and Pivotal (and, maybe, take a little vacation!)

As usual, we have a lot to get to so let’s!

Read more

Spring Web Services 2.3.1/2.4.0 are released

Greetings Spring community,

Spring Web Services has just released versions 2.3.1.RELEASE and 2.4.0.RELEASE.

2.3.1.RELEASE is a minor patch release.

2.3.1 Release Notes | 2.3.1 Documentation.

2.4.0.RELEASE rebases Spring Web Services to run on Spring Framework 4.2.x & Spring Security 4.0.x, the stable baselines behind Spring 4.3/Spring Security 4.1. At the same time, it remains compatible with Java 7. This version includes changes to the code base making it forward compatible with Spring 4.3 and 5.0, so you are free to move up to whichever version of Spring/Spring Security you wish to use.

Read more

Spring Cloud Camden M1 is available

On behalf of the team, I am pleased to announce that Milestone 1 of the Spring Cloud Camden Release Train is available today. The release can be found in our Spring Milestone repository. We’ve made numerous enhancements and bug fixes! You can check out the Camden.M1 release notes for more information.

The following modules were updated as part of Camden.M1:

Spring Cloud Build        1.2.0.RELEASE
Spring Cloud Stream       Brooklyn.M1
Spring Cloud Bus          1.2.0.M1
Spring Cloud Config       1.2.0.M1
Spring Cloud Netflix      1.2.0.M1
Spring Cloud Consul       1.1.0.M1
Spring Cloud Contract     1.0.0.M2
Spring Cloud CLI          1.2.0.M1
Read more

Spring Cloud Data Flow for Mesos 1.0 RC2 released

We are pleased to announce the 1.0.0.RC2 release candidate of Spring Cloud Data Flow for Mesos, a team effort that encompasses many new features under the hood.

This release candidate builds upon the recent 1.0 GA release of Spring Cloud Data Flow. Some highlights include:

  • We now run the Spring Cloud Data Flow Server as a Docker image on Marathon, a container orchestration platform for Mesos.
  • This release adds features to support stream partitioning and scaling
    • Currently partitioning and scaling of sinks and processors are handled by using multiple application deployments, one for each app instance, identified by an index appended to the name.

    • Scaling of sources is handled by using additional application instances.
  • Streams are now deployed using Marathon Application Groups so it is easier to identify the different apps making up a stream.
  • We have added support for launching tasks using Chronos, a fault tolerant job scheduler for Mesos.
Read more

Spring Cloud Stream Brooklyn.M1 is available

On behalf of the team, I am pleased to announce the release of the first milestone of the Spring Cloud Stream Brooklyn release train. Spring Cloud Stream Brooklyn.M1 is available for use in the Spring Milestone repository, a detailed description of its features can be found in the reference documentation. Release notes are available here and include important information on the migration path.

From a Monolith to a Release Train

Spring Cloud Stream Brooklyn.M1 succeeds Spring Cloud Stream 1.0. The change in the naming scheme reflects the project’s structural changes, in particular switching from a monolithic structure, where the core components and the binder implementations are contained together, to a more decentralized one. In the new structure, the core and binder implementations are separate projects, with their own release cadence. A release train BOM aggregates the release components together and manages their versions.

Read more

Spring Cloud Data Flow for Cloud Foundry goes 1.0 GA

We are pleased to announce the general availability of Spring Cloud Data Flow for Cloud Foundry version 1.0.0.RELEASE.

Spring Cloud Data Flow for Cloud Foundry provides support for orchestrating long-running (streaming) and short-lived (task/batch) data microservices on Cloud Foundry runtime.

As the successor to Spring XD, this project benefits from a much more decoupled architecture, leveraging the Spring Cloud Deployer for Cloud Foundry library, which also goes GA today. More details about Spring Cloud Data Flow’s architecture and its ecosystem can be found in this blog.

Read more

Check your Spring Security SAML config - XXE security issue

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring Application’s process had access to.

The issue was a direct result of OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks. The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.

Read more