
Josh Cummings

Spring Security committer

Herriman, Utah

Josh has been a software engineer for over 15 years building enterprise applications across multiple industries. He has long been passionate about application security and loves opportunities to mentor and to learn from others about security awareness. When Josh isn't hacking away at code, he is either running, playing basketball, camping, or reading a Brandon Sanderson novel.

Blog Posts by Josh Cummings

Spring Security SAML Extensions 1.x EOL on October 6, 2021

With the recent release of Spring Security 5.4, we’d like to announce that maintenance for Spring Security SAML Extensions 1.x will end on 6 October 2021.

SAML 2.0 support has been added to the core Spring Security framework over the last three minor releases. There are two main reasons for this.

First, the extension project is based on a version of OpenSAML that the OpenSAML team no longer supports. This version has known CVEs that make it unsafe for use in a production system.

Second, moving the support to the core Spring Security framework allowed us to simplify the API, use the latest OpenSAML, and add long-requested support for features like multi-tenancy and Spring Boot integration.

Spring Security 5.4.0-M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.4.0-M2! You can find the complete details in the release notes and the highlights below:

OAuth 2.0

gh-8700 - OAuth2AuthorizedClientArgumentResolver picks up OAuth2AuthorizedClientManager bean
gh-8730 - Add JWTProcessor Configuration Post-Processor
gh-8669 - OAuth2AuthorizedClientArgumentResolver for XML
gh-8587 - Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
gh-8603 - oauth2Client Test Support no longer requires an HttpSessionOAuth2AuthorizedClientRepository
gh-8501 - Add issuerUri to ClientRegistration

Spring Security OAuth 2.0 Roadmap Update

NOTE: See the latest announcement on Announcing the Spring Authorization Server. This post is a follow-up to Next Generation OAuth 2.0 Support with Spring Security.

Current State

In the Spring Security 5.x release train, we’ve endeavored to replace and simplify the feature set found in the Spring Security OAuth 2.x legacy project. In the process, we’ve also added numerous new features, including support for OpenID Connect 1.0.

We are pleased to announce that as of the 5.2 release, we are very close to feature parity with the client and resource server legacy support. What remains is quite minimal, and we fully anticipate announcing feature parity as part of the 5.3 release.

We would like to issue a special thank you to all those in the community who have brought Spring Security this far! We hope to see many more contributions from everyone down the road.

CVE-2019-11272: Spring Security 4.2.13 Released

Users are encouraged to update immediately.

With Spring Boot, you can override the Spring Security version in Maven like so:

<properties>
    <spring-security.version>4.2.13.RELEASE</spring-security.version>
</properties>

Or in Gradle like so:

ext['spring-security.version'] = '4.2.13.RELEASE'

Note that users of Spring Security 5+ are not affected by this vulnerability.

CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed instructions on how to override the version.

Spring Security 5.2.0.M2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:

OAuth 2.0

gh-6446 - Client Support for PKCE

PKCE isn’t just for native or browser-based apps; it applies any time we want to have a public client. Spring Security 5.2 introduces a secure way for backends to authenticate as public clients.

gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200 - Support for Resource Server Token Introspection

Resource Server now supports a second OAuth 2.0 token verification strategy: Token Introspection. This is handy when a Resource Server wants to or must verify the token remotely.

gh-5351 - Support for Resource Server Multi-tenancy (Servlet only)

With the introduction of AuthenticationManagerResolver, initial support for multi-tenant Resource Servers has arrived.
