Spring Team
Joe Grandja

Spring Security Senior Engineer

Toronto, Canada

Joe has been in the software industry for over 20 years. He has successfully designed, built and delivered enterprise-grade software in the financial services and health sector. He has been using Spring for over 10 years and is very excited to have joined the Spring Security engineering team in early 2016. Outside of his passion for crafty software, Joe continues to travel the world with his family, snowboarding the most challenging mountains, exploring nature on foot and doing his best to enjoy what life brings.
Blog Posts by Joe Grandja

Spring Security OAuth 2.3.3, 2.2.2, 2.1.2, 2.0.15 Released

I’m pleased to announce the releases of Spring Security OAuth 2.3.3, 2.2.2, 2.1.2 and 2.0.15. These maintenance releases primarily deliver bug fixes.

For a complete list of changes, please refer to:

2018-05-09 Update: The releases address a vulnerability. Please see this blog post published after the associated Spring Boot 1.5.13 release.

Spring Security OAuth Boot 2 Auto-config 2.0.0 Released

I’m pleased to announce the release of Spring Security OAuth Boot 2 Auto-config 2.0.0.

This project is intended to be used to help users transition between the old Spring Security OAuth 2.x support and the Next Generation OAuth 2.0 Support in Spring Security 5. It provides users of Spring Security OAuth 2.x the same auto-configuration capabilities in a Spring Boot 2.0 based application that are currently available in Spring Boot 1.5.x. For more details please refer to the documentation.

Next Generation OAuth 2.0 Support with Spring Security

Current State

The current state of OAuth 2.0 Support, within the Spring projects portfolio, is spread out between Spring Security OAuth, Spring Cloud Security, Spring Boot 1.5.x, and the new support introduced in Spring Security 5. As a user of OAuth, you may be asking, "Which project(s) do I use? And why has Spring Security 5 introduced new support into the mix?"

To put it simply, there was a need to unify the OAuth 2.0 support into one project in order to provide a clear choice to the user and to avoid any potential confusion. In addition, the OAuth 2.0 support needed to go to the next level and provide more extensive support for OAuth 2.0 and OpenID Connect 1.0. Also, based on community feedback, documentation needed to be revamped in order to allow for ease of use and promote developer productivity. Based on all these factors, we decided to start afresh and build the next generation of OAuth 2.0 support in Spring Security 5.

Spring Security OAuth 2.2 Released

On behalf of the community, I’m pleased to announce the release of Spring Security OAuth 2.2.0.RELEASE.

The 2.2.0.RELEASE includes the following new features:

  • JwtClaimsSetVerifier that provides the capability of verifying the claim(s) contained in a JWT Claims Set.

  • IssuerClaimVerifier that verifies the Issuer (iss) claim contained in the JWT Claims Set.

  • DelegatingJwtClaimsSetVerifier that simply delegates claims verification to its internal list of JwtClaimsSetVerifier(s).

  • ProviderDiscoveryClient that is capable of discovering provider configuration information as defined by the OpenID Connect Discovery 1.0 specification.

  • JwkTokenStore now supports multiple JWK Set URLs.

  • The ability to supply a custom AccessTokenConverter to JwkTokenStore.

Spring Session 2.0 M3 Released

On behalf of the community, I’m pleased to announce the release of Spring Session 2.0.0.M3. This release is focused primarily on ensuring compatibility with Spring Framework 5.0.0.RC3 and Spring Data Kay RC1, which is the minimum Spring version required.

This release includes the following new features:

  • Support added for Spring WebFlux

  • Support for WebFlux’s WebSession

  • Added ReactorSessionRepository to support a reactive SessionRepository API. The default implementation provided is MapReactorSessionRepository.
