Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Session Corn-M2 and Spring Session Bean-SR6 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M2 and Bean-SR6. These releases will be picked up by Spring Boot 2.2.0.M4 and 2.1.6.RELEASE, respectively.

Spring Session Corn-M2

The Corn-M2 release is based on:

  • Spring Session core modules 2.2.0.M2

  • Spring Session Data Geode 2.2.0.M2

  • Spring Session Data MongoDB 2.2.0.M3

Some of the highlights of Spring Session 2.2.0.M2 are:

  • simple Redis-based implementation of SessionRepository

  • reworked @Configuration classes are now compatible with proxyBeanMethods=false

  • migration of project’s tests to JUnit 5

  • simplified project structure

Complete details of these releases can be found in the changelog.

SimpleRedisOperationsSessionRepository

The biggest highlight of the release is the new, simple, Redis-based implementation of SessionRepository that’s offered as an alternative to the well known RedisOperationsSessionRepository.

The original RedisOperationsSessionRepository, on top of core SessionRepository functionality, provides support for session events (that are translated to HttpSessionEvent instances) and also implements FindByIndexNameSessionRepository (that allows retrieval of sessions for a given principal). The support for these two features comes at a cost, as there’s some complexity around how the sessions need to be persisted in Redis.

For many applications, support for session events and the principal index isn’t essential, and this was the main motivation for providing an alternative in SimpleRedisOperationsSessionRepository. The new SessionRepository does not yet have first-class support in Spring Session’s configuration infrastructure, so it can be configured as follows:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisOperations;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.StringRedisSerializer;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.data.redis.SimpleRedisOperationsSessionRepository;

@Configuration
@EnableSpringHttpSession
public class RedisSessionConfiguration {

    @Autowired
    private RedisConnectionFactory redisConnectionFactory;

    // RedisOperations used by the repository; string serializers keep the session keys
    // and hash field names readable in Redis, values keep the default JDK serializer
    @Bean
    public RedisOperations<String, Object> sessionRedisOperations() {
        RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
        redisTemplate.setConnectionFactory(this.redisConnectionFactory);
        redisTemplate.setKeySerializer(new StringRedisSerializer());
        redisTemplate.setHashKeySerializer(new StringRedisSerializer());
        return redisTemplate;
    }

    // The SessionRepository bean that @EnableSpringHttpSession wires into the
    // SessionRepositoryFilter in front of the application
    @Bean
    public SimpleRedisOperationsSessionRepository sessionRepository(
            RedisOperations<String, Object> sessionRedisOperations) {
        return new SimpleRedisOperationsSessionRepository(sessionRedisOperations);
    }

}

Consider giving the Corn-M2 release and SimpleRedisOperationsSessionRepository a spin, and let us know your feedback!


Announcing nohttp

I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.

Background

Today, Jonathan Leitschuh published a blog titled Want to take over the Java ecosystem? All you need is a MITM!. The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to ensure that no MITM attacks can be made in the future.


Spring Session Bean-SR2, Apple-SR8, and 1.3.5 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR2 (based on Spring Session 2.1.3.RELEASE), Apple-SR8 (based on 2.0.9.RELEASE), and 1.3.5.RELEASE. These maintenance releases bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:


Spring Session Bean-SR1 and Apple-SR7 Released

This post was authored by Vedran Pavić

On behalf of the community I’m pleased to announce the releases of Spring Session BOM Bean-SR1 and Apple-SR7. These maintenance releases are based on Spring Session 2.1.2.RELEASE and 2.0.8.RELEASE, respectively, which bring a couple of bug fixes together with the usual dependency upgrades.

Complete details of these releases can be found in the following changelogs:


Spring Session Bean GA Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the general availability of Spring Session BOM Bean. This is the first release based on Spring Session 2.1 and can be easily consumed with freshly released Spring Boot 2.1. Please read on for the highlights of the release.

The SameSite cookie attribute is another mechanism that helps developers protect against Cross-Site Request Forgery. Our DefaultCookieSerializer has been enhanced to support adding the SameSite attribute to the session cookie produced by Spring Session. The attribute is enabled by default with the value Lax and is customizable using DefaultCookieSerializer#setSameSite.

Note that the equivalent support for WebSession is present in the Spring WebFlux itself starting with Spring Framework 5.1.
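The following is an added example, not code from the original post, showing what the SameSite support above actually emits: it writes the session cookie with DefaultCookieSerializer against spring-test mock request and response objects (so it runs without a servlet container) and inspects the Set-Cookie header for the default Lax value, an explicit Strict, and the opt-out case. It assumes spring-session-core 2.1 or later and spring-test on the classpath; the session id is a constructed sample value.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieSerializer.CookieValue;
import org.springframework.session.web.http.DefaultCookieSerializer;

public class SameSiteCookieDemo {

    // Writes the session cookie with the given serializer and returns the raw
    // Set-Cookie header, which is where DefaultCookieSerializer puts SameSite
    static String setCookieHeader(DefaultCookieSerializer serializer, String sessionId) {
        HttpServletRequest request = new MockHttpServletRequest("GET", "/");
        MockHttpServletResponse response = new MockHttpServletResponse();
        serializer.writeCookieValue(new CookieValue(request, response, sessionId));
        return response.getHeader("Set-Cookie");
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        String sessionId = "constructed-session-id"; // constructed sample value, not a real id

        // Default since Spring Session 2.1: SameSite=Lax, so the session cookie is not
        // attached to cross-site POSTs, which is what CSRF relies on
        DefaultCookieSerializer defaults = new DefaultCookieSerializer();
        String lax = setCookieHeader(defaults, sessionId);
        System.out.println(lax);
        check(lax.contains("SameSite=Lax"), "expected SameSite=Lax by default");

        // Strict: the cookie is withheld on every cross-site request, including
        // top-level navigations, so users arriving via an external link start logged out
        DefaultCookieSerializer strict = new DefaultCookieSerializer();
        strict.setSameSite("Strict");
        check(setCookieHeader(strict, sessionId).contains("SameSite=Strict"),
                "expected SameSite=Strict after setSameSite");

        // Opting out drops the attribute entirely; CSRF protection then depends solely
        // on the application's CSRF tokens, so treat this as a deliberate, reviewed choice
        DefaultCookieSerializer none = new DefaultCookieSerializer();
        none.setSameSite(null);
        check(!setCookieHeader(none, sessionId).contains("SameSite"),
                "expected no SameSite attribute after setSameSite(null)");
    }
}
```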


Spring Session BOM Bean-RC1 Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the release of Spring Session BOM Bean-RC1. This release is based on Spring Session 2.1.0.RC1 which resolves a total of 13 issues. Please read on for the highlights of the release.

Support for Java 11

Spring Session now supports Java 11, while the required version of course stays at Java 8. Our CI pipeline has been enhanced so that the project is now continuously verified against Java 8, 10 and 11.

Dependency Upgrades

Spring Session 2.1.0.RC1 builds on the following latest and greatest releases of key dependencies:

  • Spring Framework 5.1.0.RELEASE

  • Spring Data Lovelace-RELEASE

  • Spring Security 5.1.0.RELEASE

  • Project Reactor Californium-RELEASE

  • Hazelcast 3.10.5
