Rob Winch

Spring Security, Session, & LDAP project lead

Rob Winch is employed by Pivotal as the project lead of security related projects within Spring. He is also a committer on the core Spring Framework and co-author of the Spring Security 3.1 book. In the past he has worked in the health care industry, bioinformatics research, high performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys playing the guitar.
Blog Posts by Rob Winch

Spring Security 5.3.2, 5.2.4, 5.1.10, 5.0.16, 4.2.16 Released

UPDATE 2020-05-13: The following versions of Spring Security address CVE-2020-5407 and CVE-2020-5408.

On behalf of the community, I’m pleased to announce the release of Spring Security 5.3.2 (release notes), 5.2.4 (release notes), 5.1.10 (release notes), 5.0.16 (release notes), and 4.2.16 (release notes). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.

Updates to Spring Versions

The Spring team has decided to change the versioning scheme for both release trains and project modules. These changes will be coming in the next release train and minor releases for each project. In fact, the changes are already present in Spring Cloud 2020.0.0-M1. Maven and Gradle do not provide the exact same version ordering, but we are working with the Gradle team to ensure the Spring scheme ends up sorted in the same way with both tools.

Release Train Version Changes

Spring has been using alphabetically ordered, themed release train versions since 2013. Release trains contain a group of project versions that work well together but make no guarantees about the underlying libraries’ backward compatibility when upgrading to the next release train.

Announcing the Spring Authorization Server

I am pleased to announce the Spring Authorization Server project. It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

A Foundation for Success

The story of how we got here is long, but the key takeaway is short and sweet: Spring would not be what it is without our amazing community.

Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects. Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry installations. The Spring Security OAuth project has become a model project and is a testament to what our wonderful community can accomplish.

Spring Session Corn-M4 Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the release of Spring Session Corn-M4. This release is picked up by Spring Boot 2.2.0.M6.

Spring Session Corn-M4

The Corn-M4 release is based on:

  • Spring Session core modules 2.2.0.M4

  • Spring Session Data Geode 2.2.0.M4

  • Spring Session Data MongoDB 2.2.0.RC2

Some of the highlights of Spring Session 2.2.0.M4 are:

  • support for customizing configuration of session repositories using new SessionRepositoryCustomizer/ReactiveSessionRepositoryCustomizer

  • support for configuring transactional behavior for JdbcOperationsSessionRepository

  • support for Spring Security’s AuthenticatedPrincipal in SpringSessionBackedSessionRegistry

Complete details of these releases can be found in the changelog.

Goodbye http://repo.spring (use https)

In response to our nohttp announcement, Maven Central’s announcement, and JFrog’s announcement, beginning January 15, 2020, Spring’s Maven Repository will no longer support HTTP. More concretely, http://repo.spring.io will not respond to requests. Users will need to ensure that they are using https://repo.spring.io.

We are not going to redirect from http to https because a redirect perpetuates the vulnerability. When the first request is made over http, a man-in-the-middle (MITM) can suppress the redirect and replace the response with a malicious payload. Users that continue to use http will continue to be vulnerable to MITM attacks.

Spring Session Corn-M3 and Bean-SR7 Released

This post was authored by Vedran Pavić

On behalf of the community, I’m pleased to announce the releases of Spring Session Corn-M3 and Bean-SR7. These releases will be picked up by Spring Boot 2.2.0.M5 and 2.1.8.RELEASE, respectively.

Spring Session Corn-M3

The Corn-M3 release is based on:

  • Spring Session core modules 2.2.0.M3

  • Spring Session Data Geode 2.2.0.M2

  • Spring Session Data MongoDB 2.2.0.RC1

Some of the highlights of Spring Session 2.2.0.M3 are:

  • support for save mode, which allows control over how session changes are tracked and saved to the session store

  • support for flush mode for JDBC-backed sessions

  • common strategy for resolving session indexes

Complete details of these releases can be found in the changelog.
