Rob Winch

Rob Winch is employed by VMware as the project lead of security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high-performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.

Recent Blog posts by Rob Winch

Spring Session 1.0.0.RELEASE

Releases | January 08, 2015 | ...
I'm pleased to announce the release of Spring Session 1.0.0.RELEASE. You can find the release in Maven Central. Features Spring Session provides the following features: API and implementations (i.e. Redis) for managing a user's session HttpSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way. Additional features include: Clustered Sessions - Spring Session makes it trivial to support clustered sessions without being tied to an application container specific solution. Multiple Browser Sessions - Spring Session supports managing multiple users…

Spring Security 4.0.0.RC1 Released

Releases | December 11, 2014 | ...
We are pleased to announce the release of Spring Security 4.0.0.RC1. This release resolved 40 tickets. You can find a highlight of the changes below. Updated Defaults - As security evolves, so does Spring Security. We took this opportunity to ensure that the defaults were more secure. For example, the XML Namespace support now enables CSRF protection by default. Polish WebSocket Security - We received very valuable feedback from the community which allowed us to polish the WebSocket security. We also added XML Namespace configuration support for WebSocket security. Details can be found on the…

Spring Session 1.0.0.RC1 Released

Releases | November 18, 2014 | ...
I'm pleased to announce the release of Spring Session 1.0.0.RC1. For full details on the changes made in the release, please refer to the changelog. The highlights of this release include: WebSocket support. See the websocket sample for details. Support for multiple simultaneous sessions in a single browser. Refer to the users sample for an example. Simplified configuration with @EnableRedisHttpSession and AbstractHttpSessionApplicationInitializer Support for background task to cleanup expired Redis sessions. See spring-session/gh-59 Added spring-session-data-redis pom to make declaring…

Preview Spring Security WebSocket Support & Sessions

Engineering | September 16, 2014 | ...
Introduction In my previous post, I discussed Spring Security WebSocket integration. One of the problems is that in a servlet container, the WebSocket requests do not keep the HttpSession alive. Consider an email application that does much of its work through HTTP requests. However, there is also a chat application embedded within it that works over WebSocket APIs. If a user is actively chatting with someone, we should not timeout the HttpSession since this would be pretty poor user experience. However, this is exactly what JSR-356 does. Another issue is that according to JSR-356 if the…

Preview Spring Security WebSocket Support

Engineering | August 21, 2014 | ...
Updated Dec 11 2014: Although originally about Spring Security 4.0.0.M2, the blog has been updated to reflect improvements found in Spring Security 4.0 RC1. Introduction Previously, an application could use Spring Security to perform authentication in a WebSocket application. This worked because the Principal of an HttpServletRequest will be propagated to the WebSocket Session. The problem is that authorization was limited to handshake. This means that once the connection was made, there was no way to provide any granularity to authorization of the WebSocket application…

Spring Security 4.0.0.M2 Released

Releases | August 18, 2014 | ...
I'm pleased to announce the release of Spring Security 4.0.0.M2 available in the Spring Milestone repository. [callout title=SpringOne 2GX 2014 is around the corner]Book your place at SpringOne in Dallas, TX for Sept 8-11 soon. It's simply the best opportunity to find out first hand all that's going on and to provide direct feedback. From 0 to Spring Security 4.0 session will contain detailed information on how to get started with Spring Security and provide a deep dive into the new features found in Spring Security 4. Of course there are plenty of other exciting Spring related talks![/callout…

CVE-2014-3527 Fixed in Spring Security 3.2.5 and 3.1.7

Releases | August 15, 2014 | ...
Spring Security 3.2.5 (change log) and 3.1.7 (change log) have been released and are available in Maven Central. Important highlights of this release are: This release contains a fix for CVE-2014-3527 which resolves an issue where a malicious CAS Service can impersonate another CAS Service when using proxy tickets. This release updates the transitive dependencies of the cas module to cas-client-core which has a fix for CVE-2014-4172. This issue was not in Spring Security itself, but the library on which it depends. A special thanks to Scott Battaglia & the rest of the CAS team for relaying…

Spring MVC Test HtmlUnit 1.0.0.M2 Released

Releases | August 06, 2014 | ...
I'm pleased to announce the second milestone release of Spring MVC Test HtmlUnit. The project’s aim is to provide integration between Spring MVC Test and HtmlUnit. This simplifies performing end to end testing when using HTML based views. Changelog You can view the complete changelog on github. Below are the highlights of the release: The release contains Reference Documentation and Publishes the API Docs The artifact name has changed from spring-test-mvc-htmlunit to spring-test-htmlunit See the Updating Dependencies to see how to add Spring MVC Test HtmlUnit as…

Spring Session 1.0.0.M1 Released

Engineering | July 08, 2014 | ...
I'm pleased to announce the release of Spring Session 1.0.0.M1. Benefits This project provides a number of benefits including: Accessing a session from any environment (i.e. web, messaging infrastructure, etc) In a web environment Support for clustering in a vendor neutral way Pluggable strategy for determining the session id Easily keep the HttpSession alive when a WebSocket is active Getting Started Refer to the Quick Start section of the README to learn how you can use Spring Session in your application. Feedback Please If you have feedback, I encourage you to reach out via github issues…

Preview Spring Security Test: Web Security

Engineering | May 23, 2014 | ...
Updated March 31 2015: This blog is outdated and no longer maintained. Please refer to the Test Section of the reference documentation for updated documentation. In my previous blog we demonstrated how the new Spring Security testing support can ease testing method based security. In this blog we will explore how we can use the testing support with Spring MVC Test. Setting Up MockMvc and Spring Security In order to use Spring Security with Spring MVC Test it is necessary to add the Spring Security FilterChainProxy as a Filter. For example: [callout title=Source Code…
