Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Security 5.3.2, 5.2.4, 5.1.10, 5.0.16, 4.2.16 Released

UPDATE 2020-05-13: The following versions of Spring Security address CVE-2020-5407 and CVE-2020-5408

On behalf of the community, I’m pleased to announce the release of Spring Security 5.3.2 (release notes), 5.2.4 (release notes), 5.1.10 (release notes), 5.0.16 (release notes), 4.2.16 (release notes). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.


Updates to Spring Versions

The Spring team has decided to change the versioning scheme for both release trains and project modules. These changes will be coming in the next release train and minor releases for each project. In fact, the changes are already present in Spring Cloud 2020.0.0-M1. Maven and Gradle do not provide the exact same version ordering, but we are working with the Gradle team to ensure the Spring scheme ends up sorted in the same way with both tools.

Release Train Version Changes

Spring has been using alphabetically ordered, themed release train versions since 2013. Release trains contain a group of project versions that work well together but make no guarantees about the underlying libraries’ backward compatibility when upgrading to the next release train.


Announcing the Spring Authorization Server

I am pleased to announce the Spring Authorization Server project. It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

A Foundation for Success

The story of how we got here is long, but the key takeaway is short and sweet: Spring would not be what it is without our amazing community.

Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects. Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry installations. The Spring Security OAuth project has become a model project and is a testament to what our wonderful community can accomplish.


Spring Session Corn-M4 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the release of Spring Session Corn-M4. This release is picked up by Spring Boot 2.2.0.M6.

Spring Session Corn-M4

The Corn-M4 release is based on:

  • Spring Session core modules 2.2.0.M4

  • Spring Session Data Geode 2.2.0.M4

  • Spring Session Data MongoDB 2.2.0.RC2

Some of the highlights of Spring Session 2.2.0.M4 are:

  • support for customizing configuration of session repositories using new SessionRepositoryCustomizer/ReactiveSessionRepositoryCustomizer

  • support for configuring transactional behavior for JdbcOperationsSessionRepository

  • support for Spring Security’s AuthenticatedPrincipal in SpringSessionBackedSessionRegistry

Complete details of these releases can be found in the changelog.