On behalf of the community, I'm pleased to announce the release of Spring Session 1.1.0.RC1. The release can be found in the Spring Milestone Repository (https://repo.spring.io/milestone/). This release contains lots of fixes and new features. You can find details in the What's New in 1.1. The highlights of 1.1.0.RC1 have been included below: Support for GemFire (thanks to John Blum!); Allow writing to Redis immediately (instead of lazily) using redisFlushMode. We look forward to your feedback and if all goes well plan to release 1.1.0.RELEASE in the next few weeks. Site | Documentation | Issues…
UPDATE: This is a summary of XSS without HTML: Client-Side Template Injection with AngularJS. Previously the citation was in the middle of the document and difficult to find. The goal of the summary is to present the exploit and a fix without all the nuances, not to claim the work as my own. Introduction: AngularJS is a popular JavaScript framework that allows embedding expressions within double curly braces. For example, the expression 1+2={{1+2}} will render as 1+2=3. This means that if the server echoes out user input that contains double curly braces, the user can perform an XSS exploit using…
On behalf of the community, I'm pleased to announce the release of Spring Session 1.1.0.M1. The release can be found in the Spring Milestone Repository (https://repo.spring.io/milestone/). This release contains lots of fixes and new features. You can find a complete list in the changelog. The highlights have been included below: Support for search for session by username Support Customize Cookie Creation. Thanks to everyone who provided PRs and feedback for this feature! Add HttpSessionListener support Allow override default RedisSerializer Added comprehensive Hazelcast and configuration…
I’m pleased to announce the release of Spring Security 3.2.9.RELEASE. This release provides bug fixes and minor enhancements. For complete details on the release, refer to the Change Log. Highlights of the release include: SEC-2190 - Fixing integration with the JSP tag libraries when Spring Security is registered in a child ApplicationContext SEC-2521 - Removal of synchronized in StandardPasswordEncoder which drastically improves performance SEC-3108 - Fix potential race condition in DigestAuthenticationFilter SEC-3109 - DelegatingSecurityContextExecutor works with Concurrent…
I’m pleased to announce the release of Spring Security 4.0.3.RELEASE. This release provides bug fixes and minor enhancements. For complete details on the release, refer to the Change Log. Highlights of the release include: SEC-3063 - Fixes for Spring Boot 1.3 SEC-2190 - Fixing integration with the JSP tag libraries when Spring Security is registered in a child ApplicationContext SEC-2521 - Removal of synchronized in StandardPasswordEncoder which drastically improves performance SEC-3108 - Fix potential race condition in DigestAuthenticationFilter SEC-3109 - DelegatingSecurityContextExecutor…
I’m pleased to announce the release of Spring LDAP 2.0.4.RELEASE. The highlights of this release include:
LDAP-333 - Support for Spring Data Commons 1.11 (Spring Data Gosling)
LDAP-334 - Compatibility with Spring IO Platform 2.0
LDAP-335 - Fix NoClassDefFoundError: RepositoryConfigurationExtension
For additional information on the release, refer to the changelog. Project Site | Reference | Issues
I'm pleased to announce the release of Spring Session 1.0.2.RELEASE. You can find the release in Maven Central. This release fixes 20+ tickets. The general goal was to close out bugs before we start working on Spring Session 1.1. You can find the highlights below: Highlights The highlights of Spring Session 1.0.2 are available below: ERROR dispatch can cause two sessions to be created (#229) CookieHttpSessionStrategy can write the same Session id twice (#251) Updates to previous HttpSession references are not reflected after changeSessionId() invoked (#227) Official support for Spring…
On behalf of the Spring Security Kerberos team, I'm pleased to announce the release of Spring Security Kerberos 1.0.1. The highlights of the release are: Support Spring Security 4 Support Spring LDAP 2.0 Fix SPNEGO auth fails if client proposes MS krb5 OID #34 Project Site | Reference | Changelog
I'm pleased to announce the release of Spring Security 4.0.2.RELEASE. This release is the second maintenance release of the 4.0 line and focusses on fixing any major issues that were found in the new release. For complete details on the release, refer to the Change Log. Along with lots of bug fixes, the highlights of this release include: Support for Spring Framework 4.2 Spring Framework 4.2 GA is just around the corner. Spring Security 4.0.2 fixes some issues when running with Spring Framework 4.2. We are also rerunning our entire test suite using Spring Framework 4.2. Minor Improvements to…
I'm pleased to announce the release of Spring Security 3.2.8.RELEASE. This release focusses on fixing major issues. For complete details on the release, refer to the Change Log. While we will continue to support the 3.2.x line for some time, we encourage everyone to update to 4.x. To make this transition easy, we have a very detailed migration guide complete with sample migrations and a diff. If you have any problems migrating, create a StackOverflow question with the spring-security tag. If you don't get a response within a reasonable amount of time feel free to ping me at @rob_winch or in…