Josh Cummings

Spring Security committer

Herriman, Utah

Josh has been a software engineer for over 15 years building enterprise applications across multiple industries. He has long been passionate about application security and loves opportunities to mentor and to learn from others about security awareness. When Josh isn't hacking away at code, he is either running, playing basketball, camping, or reading a Brandon Sanderson novel.
Blog Posts by Josh Cummings

Spring Security 5.2.0.M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:

OAuth 2.0

gh-6446 - Client Support for PKCE

PKCE isn’t just for native or browser-based apps, but for any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.

gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection

Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.

gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)

With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.

Spring Security OAuth2 Auto-config 2.0.6 & 2.1.0 Released

I’m pleased to announce on behalf of the community Spring Security OAuth2 Boot Auto-config 2.0.6 and 2.1.0.

Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements. Of particular note is that these align with recent releases of Spring Boot.

Note that for 2.1.0, gaps in configuration of keys between Resource Server and Authorization Server were brought into parity. Now, it’s possible on the Authorization Server side to configure a single key:

security:
  oauth2:
    authorization:
      jwt:
        key-value: ${PRIVATE_KEY}

Spring Security 5.1.0.RC2 Released

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC2. This release comes with 50+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

Spring Security OAuth2 Boot Auto-config 2.0.4 & 2.1.0.M2 Released

I’m pleased to announce on behalf of the community Spring Security OAuth2 Boot Auto-config 2.0.4 and 2.1.0.M2.

Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements. Of particular note is that these align with recent releases of Spring Boot.

For a complete list of changes, please refer to the 2.0.4 changelog and 2.1.0.M2 changelog.

Spring Security 5.1.0.RC1 Released

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC1. This release comes with 50+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:
