Hi, Spring fans! How are you? Welcome to another installment of This Week in Spring! I’m doing alright! It’s noon as I write this, and I’ve got GSUG joint presentation with Matt Raible later today. Then, tonight at midnight my time to 5 am or 6 am, I’m kicking off a two-day workshop for GOTO! I look forward to seeing ya there! Anyway, we’ve got a lot to cover so let’s dive into it!

• Read this first! If you’ve been living under a rock, you may not have heard of the recent Log4J2 vulnerability. If you’re using the default, out-of-the-box Spring Boot logging support, then this does not apply to you! But, if you are using Log4j2, specifically, then you need to read this post on Log4j2 and Spring Boot!
• Bruno Borges tweets this very simple workaround for those of you who are using Log4j2 and can’t change the startup scripts of your application afflicted by the Log4j2 exploit
• Once you’re sure your applications are healthy and happy, check out the new Spring Native 0.11 release! And its new AOT engine, which brings Spring Native to the Next Level.
• Don’t want to read the blog? I did a Spring Tips (@SpringTipsLive) video you can watch to see everything new and nice in Spring Native 0.11. This video goes deep, starting with the basics, looking at performance numbers (dramatic reductions in compile-time, startup time, and runtime memory footprint) for some typical workloads, and then looks at the new AOT engine’s extension planes.
• A Bootiful Podcast: Transformative leader, brilliant technologist, my friend, Patrick Chanezon
• Secure communications end-to-end for Spring Boot apps – in Zero Trust environment
• Spring Cloud Gateway and gRPC
• Spring Cloud Square 0.4.0-RC1 is available
• Spring GraphQL 1.0.0-M4 Released
• Spring Native for Serverless Java
• Spring Tools 4 on Twitter
• Spring Tools 4.13.0 released
• Both Vaadin Flow and Vaadin Fusion versions of the Spring Petclinic sample have joined the Spring Petclinic Community
• The amazing Gunnar Hillert has posted the Oracle Coherence Sock Shop Microservices example app for Spring Boot, which adds better Tracing support using Spring Cloud Sleuth for Jaeger and Zipkin. This is based on an original app from Weaveworks.
• Neo4j’s Michael Simons has this great tweet: Did you know that Neo4js releases the Neo4j Java driver as a slim option, under the coordinates org.neo4j.driver:neo4j-java-driver-slim, without shaded dependencies? This might be handy if your project already has a dependency to Project Reactor or Netty.
• Microsoft’s Rory Preddy tweeted that a demo-heavy Monitoring Java on Azure series is now available. Besides data migration, end-to-end monitoring is the #1 challenge for developers migrating Spring Boot apps to the cloud - in this series, we demystify all!
• Now Available: JDK migration guide Includes significant changes & enhancements in #JDK17 ☕️ Move your Java version forward
• Piotr Mińkowski has a nice little tip: If you use a dedicated management port for Actuator endpoints starting from Spring Boot 2.6 you may expose a particular health group on the server main port under the additional path. It is useful in #Kubernetes liveness and readiness probes.
• Tanzu Tuesdays 74 - Carvel support in Kubeapps - New pluggable gRPC-based architecture - YouTube
• Azure Spring Cloud scales #SpringBoot apps to billions of requests per day without the hassle of managing infrastructure. See it in action
• This is a great, video overview of VMware’s free, open-source Kubernetes distro, the Tanzu Community Edition.
• A nice report on the Microsoft Tech Community: How developers migrate Spring apps to the cloud

On behalf of the community, I am pleased to announce that the Release Candidate 1 (RC1) of the Spring Cloud Square 0.4.0 is available today. The release can be found in Spring Milestone repository. You can check out the 0.4.0-RC1 release notes for more information.

This is primarily a bugfix release. See all issues included in this release here.

Notable changes in RC1:

• Spring Cloud Sleuth integration for OkHttpClient #36

The documentation for this milestone can be found here.

The Spring GraphQL team has just released the 4th milestone towards a 1.0.0 release. Thanks to all contributors!

In this milestone, we have further improved the annotation programming model and extended the Spring Data support that were provided in the previous milestones.

Interface Projections for GraphQL Arguments

If you’re familiar with Spring Data’s Interface-based Projections, then this new feature will make perfect sense: you can use a well-defined interface to work with GraphQL arguments, without the need for any Object implementation.

Updates: Since this blog post has been published, a new logback 1.2.9 version has been published. While this fixes a security issue, prerequisites for exploits are very different as they “requires write access to logback’s configuration file”.
Log4J also released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105.
Spring Boot 2.5.8 and 2.6.2 haven been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.
Log4J 2.17.1 contains a fix for CVE-2021-44832

As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0.

Hi, Spring fans! This week, Josh Long (@starbuxman) talks to transformational leader, my old boss, legendary technologist, and friend Patrick Chanezon (@chanezon).

Dear Spring Community,

I am happy to announce the 4.13.0 release of the Spring Tools 4 for Eclipse, Visual Studio Code, and Theia.

major changes to the Spring Tools 4 for Eclipse distribution

• updated to Eclipse 2021-12 release (including support for Java 17) (new and noteworthy)
• builds for Apple Silicon platform (ARM M1) are available now from the regular download page

additional changes

• (Spring Boot) fixed: STS 4.12.0 (for eclipse) *.yml can’t automatic prompt (#690)
• (Spring Boot) fixed: A StackOverFlow error for serializable Kotlin data class for autocompletion in the Eclipse IDE (#693)
• (Eclipse) fixed: Typescript comparison: An internal error occurred during: “LSP4E Linked Editing Highlight” (#700)
• (Eclipse) fixed: js syntax highlight disabled by STS4 (#702)
• (Eclipse) fixed: Cannot copy/paste from ANSI console without escape sequences (#667) - fixed in ANSI Color Console project thanks to @mihnita

Secure communications end-to-end for Spring Boot apps - in a Zero Trust environment

Hi, Spring fans! Today, we are excited to announce the general availability of all the features to secure communications end-to-end for Spring Boot apps – in a Zero Trust environment. You can secure communications end-to-end or terminate transport level security at any communication point for Spring Boot apps. You can also automate the provisioning and configuration for all the Azure resources needed for securing communications.

Hi, Spring fans! Welcome to another installment of This Week in Spring! We’ve got a ton of stuff to dive into so let’s get goin’!

• A Bootiful Podcast: DataStax’s Christopher Bradford on the Apache Cassandra operator for Kubernetes, K8ssandra
• Accelerate Spring Apps to Cloud at Scale - Discussion with Azure Spring Cloud Customers
• Spring Authorization Server 0.2.1 available now
• Spring Cloud 2021.0.0 (codename Jubilee) Has Been Released
• Spring Cloud Function 3.2 is out!
• Spring Cloud Sleuth 3.1.0 is out!
• Spring Tips: @Controllers and RSocket
• JSON:API for Spring HATEOAS
• Living with Kubernetes: 12 Commands to Debug Your Workloads
• Hmm. I wonder what Mark Paluch’s cooking something awesome with the R2DBC SPI. I wonder what…?
• Nice job, Github Actions! There’s now integrated sigstore support! Safeguard your containers with new container signing capability in GitHub Actions
• Pull Request #762 adds Knative for incubation at CNCF - hurray!