Rossen Stoyanchev

Rossen Stoyanchev

Spring Framework committer | Cambridge, UK

Blog posts by Rossen Stoyanchev

Spring Web Flow 3.0 M1 Released

Engineering | August 10, 2022 | ...

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasn't been a strong driver for new releases, the upcoming Spring Framework 6 brings a Java 17 baseline and makes the shift to Jakarta EE, which creates the need for such a release in order to enable applications to migrate to this new baseline.

Today I'm pleased to announce the availability of Spring Web Flow 3.0 M1 in the Spring milestone repository. This release focuses mainly on compatibility with Spring Framework 6 and Jakarta EE. The Travel booking-mvc sample on spring-projects/spring-webflow-samples has been updated and the commit history provides example changes…

Spring for GraphQL 1.0 Release

Engineering | May 19, 2022 | ...

On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the (now archived) minimal GraphQL Java Spring integration, but has since moved significantly beyond through community feedback and collaboration across Spring Boot, Spring Framework, Spring Data, and Spring Security.

The following are highlights from the release:

  • Annotation-based programming model for data fetchers
  • Data binding from input arguments with validation
  • Field-level security through annotations on data @Controller methods
  • Server handlers and interception over HTTP, WebSocket, and RSocket
  • Querydsl and Query by Example repositories as data fetchers
  • Batch loading support
  • Client for executing over HTTP, WebSocket, and RSocket
  • Test support with HTTP, WebSocket, RSocket, or directly, without a client
  • GraphiQL page and schema printing page

Spring Framework RCE, Mitigation Alternative

Engineering | April 01, 2022 | ...

Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection.

Upgrading to Spring Framework 5.3.18+ or 5.2.20+ continues to be our main recommendation not only because it addresses the root cause…

Spring Framework RCE, Early Announcement

Engineering | March 31, 2022 | ...


Spring for GraphQL 1.0 Milestone 6 Released

Engineering | March 22, 2022 | ...

On behalf of everyone involved, I'm pleased to announce the availability of the sixth and final milestone of Spring for GraphQL on the way to 1.0. Our next stop is RC1 in 4 weeks, followed by the GA on May 17.

GraphQL Client

A GraphQL client is something we identified as a goal quite early on. It's issue number 10 from 336 at present in the issue tracker, but we viewed testing support as higher priority and so the GraphQL Tester came first and has been available from the start.

The Tester did prove valuable and popular, but we knew we had to fully explore the client before 1.0 as the two are…

Spring Framework CVE-2021-22060 has been published

Engineering | January 05, 2022 | ...

The Spring Framework 5.3.14 and 5.2.19 releases on December 16 included fixes for CVE-2021-22060 and are a follow-up to CVE-2021-22096, to address additional types of input that can cause the issue. As the Spring Boot releases 2.6.2 and 2.5.8 picking up these Spring Framework versions were due the day before Christmas and given the medium severity, we postponed the announcement until after the new year, to avoid disclosure during a period when many take time off. Please, upgrade to those latest maintenance releases.

Security Reports for Spring Framework, Spring Data REST, Spring AMQP, and Spring Cloud OpenFeign

Engineering | October 26, 2021 | ...

The recently released Spring Boot 2.5.6 and 2.4.12 releases contain fixes for the following security vulnerabilities:

In addition, Spring Cloud OpenFeign has released versions 3.0.5 and 2.2.10, based on the same Spring Boot versions, and containing a fix for the following security vulnerability:

Please, review the reports and upgrade!

Introducing Spring GraphQL

Engineering | July 06, 2021 | ...

Following the Spring GraphQL project announcement and the availability of a 1.0 milestone, this blog post aims to provide more details.


If you're looking to get started, please head over to our reference documentation and read the "Boot Starter" section, or run the samples.

If you don't know much about GraphQL, there are plenty of good resources. You can start at

GraphQL is widely adopted and in "Early Majority" based on the InfoQ Architecture Trends for 2020. It provides an alternative to REST APIs that is more focused on data, and provides a schema and a query language for clients to use. The appeal from a client perspective is clear in this State of JavaScript report. You can read GitHub's story

Hello, Spring GraphQL

Engineering | July 06, 2021 | ...

Guest Author: Andi Marek, GraphQL Java founder

I am very happy to announce the creation of the Spring GraphQL project and the availability of an initial milestone towards a 1.0 release. The project integrates GraphQL Java and Spring and was developed in collaboration between both teams.

Today is GraphQL Java's 6th birthday! One fundamental decision I made from the start was to leave any HTTP and IO aspects as a separate concern. GraphQL Java has always been "just" an engine to execute GraphQL requests. The decision has paid off but the obvious downside is the need to create your own HTTP…

URL Matching with PathPattern in Spring MVC

Engineering | June 30, 2020 | ...

The recent Spring Framework 5.3 M1 release announcement mentions "Spring MVC comes with PathPattern parsing for efficient URL matching". This post expands on that with more context and detail.


In Spring applications AntPathMatcher is used to identify classpath, file system, remote, and other resources in Spring configuration. It has also been used in Spring MVC to match URL paths. Over time the use of patterns in web applications grew in number and syntax with AntPathMatcher evolving to meet those needs but some pain points remain without a solution:

  1. In web applications, patterns need to be matched many times per request and therefore any gains in performance and efficiency matter. However String pattern matching limits what can be achieved.

  2. Choosing the most specific pattern among several that match a request has proven challenging over the years with no simple ways to make it more predictable without impacting other cases.

  3. Matching a String path to a String pattern makes it difficult to avoid URI encoding issues. For example should the incoming path be decoded first and then matched? That allows for patterns themselves to be declared without encoded characters, but what if the request path contains %2F or %3B which are / and ; respectively? Once decoded those alter the structure of the path making it harder to match reliably. We could leave the request path encoded via UrlPathHelper#urlDecode

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all