Blog post Authors
Joe Grandja

Joe Grandja

Joe Grandja is a core committer on the Spring Security team. He has been leading the efforts in building the next generation of OAuth2 and OpenID Connect support in Spring Security and Spring Authorization Server.

With over 25 years of industry experience, Joe has been a Solution Architect, a Software Engineer, a Team Lead, and a Consultant. His past experience has been mainly focused in the Financial Services sector in the Toronto, Canada, area. He has designed, built, and delivered enterprise grade banking applications and platforms in the Personal and Commercial and Brokerage and Investing divisions. He has worked closely with the InfoSec teams within banks to ensure security and regulatory compliance.

Recent Blog posts by Joe Grandja

Get the very first bits of Spring Authorization Server 0.0.1 !

Releases | August 21, 2020 | ...

On behalf of the team and everyone who has contributed, we are very excited to deliver the very first bits of Spring Authorization Server in the 0.0.1 release!

You can download it from repo.spring.io and Maven Central by using the module coordinates:

compile 'org.springframework.security.experimental:spring-security-oauth2-authorization-server:0.0.1'

For additional details on this new project, see the initial announcement and project page.

The main features delivered in this initial release are:

  • OAuth 2.0 Authorization Code Grant — RFC 6749

  • OAuth 2.0 Client Credentials Grant — RFC 6749

  • JSON Web Token (JWT) — RFC 7519

  • JSON Web Signature (JWS) — RFC 7515

  • JSON Web Key (JWK) — RFC 7517

  • Key Management for providing key(s) when signing a JWT (JWS)

Read more

End-of-Life for Spring Security OAuth

Engineering | May 07, 2020 | ...

In January 2018, we announced that the Spring Security OAuth (legacy) project is officially in maintenance mode. Later in November of 2019, we provided an update in the Spring Security OAuth 2.0 Roadmap, stating that the 2.3.x line will reach end-of-life in March 2020.

The currently supported version branches are 2.4.x and 2.5.x, with the 2.5.0 release scheduled for May 2020, which will be the final minor release.

To that end, the plan is to provide patch and security fixes for the 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project

Read more

CVE-2019-3778: Spring Security OAuth 2.3.5, 2.2.4, 2.1.4, 2.0.17 Released

Releases | February 21, 2019 | ...

We have released Spring Security OAuth 2.3.5, 2.2.4, 2.1.4 and 2.0.17 to address CVE-2019-3778: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for…

Read more

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all