Spring Team
Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Session Bean GA Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the general availability of Spring Session BOM Bean. This is the first release based on Spring Session 2.1 and can be consumed directly from the freshly released Spring Boot 2.1. Please read on for the highlights of the release.

The SameSite cookie attribute is another mechanism that helps protect against Cross-Site Request Forgery (CSRF). Our DefaultCookieSerializer has been enhanced to add the SameSite attribute to the session cookie produced by Spring Session. The attribute is enabled by default with the value Lax and is customizable using DefaultCookieSerializer#setSameSite. Note that Lax still sends the cookie on top-level GET navigations and older browsers ignore the attribute entirely, so it complements Spring Security's CSRF token protection rather than replacing it.

Note that the equivalent support for WebSession is provided by Spring WebFlux itself starting with Spring Framework 5.1.
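As an added example (not code from the release post or the Spring Session project), here is a CookieSerializer bean that sets the SameSite attribute alongside the other cookie hardening a practitioner would normally apply. The class name and the chosen values are illustrative; only the DefaultCookieSerializer setters are Spring Session's own API.

```java
// Added example: a hardened Spring Session cookie for Spring Session 2.1.
// Class name and chosen values are illustrative, not the project's defaults.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
public class SessionCookieConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        // Keep the session id out of reach of JavaScript.
        serializer.setUseHttpOnlyCookie(true);
        // Force the Secure flag even when the app sees plain HTTP, e.g. behind
        // a TLS-terminating proxy; otherwise it is derived from the request.
        serializer.setUseSecureCookie(true);
        serializer.setCookiePath("/");
        // Spring Session 2.1 defaults to "Lax". Lax still sends the cookie on
        // top-level GET navigations (links, redirects), so it does not protect
        // GET endpoints with side effects and is not a substitute for the
        // CSRF token filter. "Strict" drops the cookie on every cross-site
        // navigation, which also breaks the redirect back from an OAuth2/OIDC
        // provider: the callback arrives without the session that holds the
        // pending authorization request. Pick Strict only for applications
        // that are never entered from another site.
        serializer.setSameSite("Strict");
        return serializer;
    }
}
```

The decision between Lax and Strict is the only non-obvious part: if the application uses OAuth2 Login, the authorization code callback is a cross-site top-level navigation, so leave the default Lax in place.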

Read more...

Spring Session BOM Bean-RC1 Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the release of Spring Session BOM Bean-RC1. This release is based on Spring Session 2.1.0.RC1 which resolves a total of 13 issues. Please read on for the highlights of the release.

Support for Java 11

Spring Session now supports Java 11, while the minimum required version remains Java 8. Our CI pipeline has been enhanced so that the project is now continuously verified against Java 8, 10 and 11.

Dependency Upgrades

Spring Session 2.1.0.RC1 builds on the following latest and greatest releases of key dependencies:

  • Spring Framework 5.1.0.RELEASE

  • Spring Data Lovelace-RELEASE

  • Spring Security 5.1.0.RELEASE

  • Project Reactor Californium-RELEASE

  • Hazelcast 3.10.5

Read more...

Spring Session Bean-M1 and Apple-SR4 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-M1 and Apple-SR4. Spring Boot users will be happy to learn that these releases were picked up in the recent 2.1.0.M1 and 2.0.4.RELEASE releases of Spring Boot, respectively.

Spring Session Bean-M1

Bean-M1 is the first milestone release that is based on Spring Session 2.1.0.M1.

The following table provides an overview of all the included modules and their respective versions:

Module                        Version
Spring Session Core           2.1.0.M1
Spring Session Data GemFire   2.0.3.RELEASE
Spring Session Data Geode     2.0.3.RELEASE
Spring Session Data MongoDB   2.0.2.RELEASE
Spring Session Data Redis     2.1.0.M1
Spring Session Hazelcast      2.1.0.M1
Spring Session JDBC           2.1.0.M1

Spring Session 2.1.0.M1

2.1.0.M1 is the first milestone release in the 2.1.x lifecycle. Highlights of this release are support for the SameSite cookie attribute, another mechanism that helps protect against Cross-Site Request Forgery, and support for HttpSessionBindingListener, so attributes stored in a Spring Session-backed session now receive valueBound and valueUnbound callbacks. The release also includes the usual dependency upgrades, including picking up Spring Framework 5.1.0.RC1 as a baseline. You can find the complete details of the release in the changelog.
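As an added example (not code from the release post or the Spring Session project), here is a session attribute that uses the HttpSessionBindingListener callbacks to write an audit record when a login is stored and to release a per-session scratch directory when the attribute is removed or the session is invalidated. The class, the attribute name and the scratch-directory layout are illustrative assumptions.

```java
// Added example: a session attribute that hooks HttpSessionBindingListener.
// Class name, attribute key and scratch-directory handling are illustrative.
import java.io.IOException;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Instant;
import java.util.Comparator;
import java.util.logging.Logger;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

public class LoginRecord implements HttpSessionBindingListener, Serializable {

    private static final long serialVersionUID = 1L;
    private static final Logger AUDIT = Logger.getLogger("audit");
    public static final String ATTRIBUTE = "loginRecord";

    private final String principal;
    private final String remoteAddress;
    private final Instant loggedInAt;
    // Stored as a String so the record serializes cleanly into Redis/JDBC stores.
    private final String scratchDir;

    public LoginRecord(String principal, String remoteAddress, Path scratchDir) {
        this.principal = principal;
        this.remoteAddress = remoteAddress;
        this.loggedInAt = Instant.now();
        this.scratchDir = scratchDir.toAbsolutePath().toString();
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Called when setAttribute stores this record in the (Spring) session.
        AUDIT.info(String.format("login session=%s principal=%s from=%s at=%s",
                event.getSession().getId(), principal, remoteAddress, loggedInAt));
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Called when the attribute is removed or replaced and when the session
        // is invalidated, e.g. by logout. Make the cleanup idempotent: in a
        // clustered deployment the callback can run on any node.
        AUDIT.info(String.format("logout session=%s principal=%s",
                event.getSession().getId(), principal));
        Path dir = Paths.get(scratchDir);
        if (Files.isDirectory(dir)) {
            try (Stream<Path> walk = Files.walk(dir)) {
                walk.sorted(Comparator.reverseOrder()).forEach(p -> p.toFile().delete());
            } catch (IOException e) {
                AUDIT.warning("could not remove scratch dir " + scratchDir + ": " + e);
            }
        }
    }

    // Illustrative usage from a controller or success handler after authentication.
    public static void bind(HttpServletRequest request, String principal) throws IOException {
        Path dir = Files.createTempDirectory("session-" + principal + "-");
        request.getSession().setAttribute(ATTRIBUTE,
                new LoginRecord(principal, request.getRemoteAddr(), dir));
    }
}
```

Two practical notes: every field must be Serializable (or transient) for the Redis and JDBC stores, and the callbacks run on whichever node handles the request, so anything done in valueUnbound should be safe to repeat.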

Using the BOM

With Maven:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-bom</artifactId>
			<version>Bean-M1</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>
<dependencies>
	<dependency>
		<groupId>org.springframework.session</groupId>
		<artifactId>spring-session-data-redis</artifactId>
	</dependency>
	...
</dependencies>

With Gradle:

plugins {
	id 'io.spring.dependency-management' version '1.0.6.RELEASE'
}

dependencyManagement {
	imports {
		mavenBom 'org.springframework.session:spring-session-bom:Bean-M1'
	}
}

dependencies {
	compile 'org.springframework.session:spring-session-data-redis'
	...
}

Read more...

Spring Security 5.1.0.M2 Released

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.M2. This release comes with 100+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

OAuth2

OAuth2 Resource Server

Basic support for OAuth2 Resource Servers has been added. See the oauth2resourceserver sample.
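As an added example (not code from the announcement or the linked sample), here is a resource server configuration that accepts JWT bearer tokens and adds the audience check that the default decoder does not perform. It is written against the Spring Security 5.1 GA API, which may differ in detail from the milestone; the issuer, JWK Set URI, audience and scope names are placeholders.

```java
// Added example: JWT resource server with issuer and audience validation.
// Written against the Spring Security 5.1 GA API; ISSUER, JWK_SET_URI and
// AUDIENCE are placeholders for your authorization server's values.
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    private static final String ISSUER = "https://issuer.example.com";          // placeholder
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json"; // placeholder
    private static final String AUDIENCE = "my-api";                             // placeholder

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Values of the token's "scope" claim are exposed as SCOPE_<name> authorities.
                .antMatchers(HttpMethod.GET, "/api/**").hasAuthority("SCOPE_read")
                .antMatchers(HttpMethod.POST, "/api/**").hasAuthority("SCOPE_write")
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder());
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URI);
        // The default validators check exp/nbf; createDefaultWithIssuer adds iss.
        // Neither checks aud, so a token minted for a different API would be
        // accepted. Chain an audience validator to close that gap.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                withIssuer, new AudienceValidator(AUDIENCE)));
        return decoder;
    }

    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (jwt.getAudience() != null && jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }
}
```

Signature, expiry and issuer are verified by the decoder; the audience validator is the piece most deployments forget, and without it any token from the same issuer is accepted regardless of which API it was issued for.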

Authorization Code Flow

Users can now obtain an access token using the OAuth 2.0 Authorization Code grant. See the authcodegrant sample.

WebClient and OAuth2 Support

There is now built-in OAuth2 support for WebClient. It allows:

  • Adding the access token to the request

  • Automatic refreshing of the access token when it expires

  • Resolving the access token to use

For example, in a Servlet environment you can configure a Bean like this:

import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Bean
WebClient webClient(OAuth2AuthorizedClientRepository repository) {
    ServletOAuth2AuthorizedClientExchangeFilterFunction filter =
        new ServletOAuth2AuthorizedClientExchangeFilterFunction(repository);
    return WebClient.builder()
        // oauth2Configuration() registers the filter and the default request
        // customizer, so no separate .filter(...) call is needed
        .apply(filter.oauth2Configuration())
        .build();
}

There are several ways to tell the filter which access token to use. You can resolve the OAuth2AuthorizedClient with the Spring MVC argument resolver and pass it as a request attribute. If the authorization server returned a refresh token and the access token is about to expire, Spring Security transparently refreshes it and sends the updated access token instead.

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

@GetMapping("/users")
Mono<String> users(@RegisteredOAuth2AuthorizedClient("client-id")
        OAuth2AuthorizedClient authorizedClient) {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        // pass the resolved client; the filter adds its access token as a Bearer header
        .attributes(oauth2AuthorizedClient(authorizedClient))
        .retrieve()
        .bodyToMono(String.class);
}

You can also let the filter resolve the access token from a client registration id. For example:

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

Mono<String> users() {
    return this.webClient.get()
        .uri("https://api.example.com/user")
        // the filter looks up the authorized client for this registration id
        .attributes(clientRegistrationId("client-id"))
        .retrieve()
        .bodyToMono(String.class);
}

If the user authenticated using OAuth2 Login (including OIDC), the access token obtained at login is applied by default, with nothing extra on the request.

Mono<String> users() {
    // no attributes needed: when the user authenticated via OAuth2 Login / OIDC,
    // the filter uses the access token associated with that login
    return this.webClient.get()
        .uri("https://api.example.com/user")
        .retrieve()
        .bodyToMono(String.class);
}

Read more...

Spring Session Apple SR3 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session BOM Apple-SR3. This release includes an update of Spring Session core modules (which include Data Redis, Hazelcast and JDBC) to 2.0.4.RELEASE.

The following table provides an overview of all the included modules and their respective versions:

Module                        Version
Spring Session Core           2.0.4.RELEASE
Spring Session Data GemFire   2.0.2.RELEASE
Spring Session Data Geode     2.0.2.RELEASE
Spring Session Data MongoDB   2.0.2.RELEASE
Spring Session Data Redis     2.0.4.RELEASE
Spring Session Hazelcast      2.0.4.RELEASE
Spring Session JDBC           2.0.4.RELEASE

Read more...

Spring Security 5.1.0.M1 Released

On behalf of the community I’m pleased to announce the release of Spring Security 5.1.0.M1. This release resolves over 80 tickets. The highlights can be seen below:

  • Spring Security OAuth2 Client Support for WebFlux. See the sample for how to use it.

  • Numerous other enhancements to WebFlux Support

  • Added OAuth2ClientArgumentResolver

  • Implementation of the Authorization Code Grant. See the sample for how to use it.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch, Joe @joe_grandja, or Josh @jzheaux on Twitter.

Read more...