Steve Riesenberg

Spring Security committer | Papillion, Nebraska

Blog posts by Steve Riesenberg

Spring Authorization Server 1.3.0-M3 available now

Releases | March 19, 2024 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the release of Spring Authorization Server 1.3.0-M3! The milestone release of Spring Authorization Server contains a few noteworthy new features:

  • Add PKI Mutual-TLS client authentication method (tls_client_auth) #1558
  • Implement OAuth 2.0 Token Exchange #1525 (see related blog post)

See the 1.3.0-M3 release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration…

Token Exchange support in Spring Security 6.3.0-M3

Engineering | March 19, 2024 | ...

I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant (RFC 8693) in Spring Security 6.3, which is available for preview now in the latest milestone (6.3.0-M3). This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side support is also shipping with Spring Authorization Server in 1.3 and is available for preview now in the latest milestone (1.3.0-M3).

OAuth2 Client features of Spring Security allow us to easily make protected resource requests to an API secured with OAuth2 bearer tokens. Similarly, OAuth2 Resource…

Spring Security 5.8.8, 6.0.8, 6.1.5 and 6.2.0-RC2 released

Releases | October 18, 2023 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that the Spring Security 5.8.8, 6.0.8, 6.1.5 and 6.2.0-RC2 versions are available now.

Please refer to the releases page for more detail on what is included in each release. In particular, you can review the release notes for each milestone that will make up the 6.2.0 release (6.2.0-M1, 6.2.0-M2, 6.2.0-M3, 6.2.0-RC1, 6.2.0-RC2) next month.

We encourage you to take the latest release candidate for a spin and provide any feedback you have! Some notable changes available in the 6.2 release candidate include:

  • Add with() method to apply SecurityConfigurerAdapter #13432
  • Automatically enable .cors() if CorsConfigurationSource bean is present #5011
  • Simplify configuration of OAuth2 Client component model #13587 (blog post, docs)
  • Add OIDC Back-channel Logout Support #7845 (docs)
  • Test coverage for virtual threads #12790, #12791
  • Add servlet pattern support to AuthorizeHttpRequests #13857 (docs)

Tackling the OAuth2 Client component model in Spring Security

Engineering | August 22, 2023 | ...

In Spring Security 5, we saw many developments in the OAuth2 story with the introduction of OAuth2 Resource Server and OAuth2 Client into the framework.

Today, it is quite convenient to develop applications that are secured by OAuth2 using the features available in OAuth2 Resource Server. Additionally, we can take advantage of OAuth2 Client features to integrate with OAuth 2.0 and OpenID Connect 1.0 providers, making it possible to authenticate users with OAuth2 Login and/or make protected requests to applications secured by OAuth2.

However, the OAuth2 landscape is very complex, and customization…

Spring Authorization Server is on Spring Initializr!

Engineering | May 24, 2023 | ...

Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr!

That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most from your new superpower and where to go to learn more.

What is Spring Authorization Server?

Spring Authorization Server is an open-source framework built on top of Spring Security that allows you to create your own standards-based OAuth2 Authorization Server or OpenID Connect Provider. It implements…

Spring Security 6.1 is now GA

Releases | May 15, 2023 | ...

On behalf of the team and everyone who has contributed, we are very excited to announce the general availability of Spring Security 6.1!

In addition to bug fixes and dependency upgrades, the 6.1 release brings many new features including:

  • AuthorizationManager enhancements

  • OAuth2 enhancements

  • SAML2 enhancements

  • RequestMatcher enhancements

  • Refreshed documentation pages and navigation improvements

Check out What’s New in Spring Security 6.1 for a comprehensive list of new features.

You can also see the release notes for 6.1.0-M1, 6.1.0-M2, 6.1.0-RC1, and 6.1.0 for an in-depth view.

Spring Authorization Server 1.1.0-M2 available now

Releases | March 21, 2023 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 1.1.0-M2.

The main feature delivered in this release is support for OAuth 2.0 Device Authorization Grant (gh-1106).

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

Project Page | GitHub Issues | ZenHub Board

Spring Security 5.8 and 6.0 are now GA

Releases | November 21, 2022 | ...

On behalf of the team and everyone who has contributed, we are very excited to announce the general availability of Spring Security 6.0! In addition, we are pleased to announce the general availability of Spring Security 5.8, which is provided to simplify upgrading to 6.0.

Spring Security 6 requires JDK 17 and uses the jakarta namespace. Among its many features, upgrading to Spring Security 6 will bring you:

  • Improved session management

  • Improved AOT processing

  • Security metrics and traces

  • Several defense-in-depth enhancements

  • A simplified authorization framework

Check out What’s New in Spring Security 5.8 and What’s New in Spring Security 6.0.

CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Engineering | October 31, 2022 | ...

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.

Impact

Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) responds to the OAuth2 Access Token Response with an empty or missing scope parameter.

If you are affected by this vulnerability, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER
