On behalf of the community, I’m pleased to announce the release of Spring LDAP 2.3.3 (release notes). The release delivers bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.
The Spring team has decided to change the versioning scheme for both release trains and project modules. These changes will be coming in the next release train and minor releases for each project. In fact, the changes are already present in Spring Cloud 2020.0.0-M1. Maven and Gradle do not provide the exact same version ordering, but we are working with the Gradle team to ensure the Spring scheme ends up sorted in the same way with both tools.

Release Train Version Changes

Spring has been using alphabetically ordered, themed release train versions since 2013. Release trains contain a group of…
I am pleased to announce the Spring Authorization Server project. It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

A Foundation for Success

The story of how we got here is long, but the key takeaway is short and sweet: Spring would not be what it is without our amazing community. Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects. Since its inception, it has evolved into a mature project that…
On behalf of the community, I’m pleased to announce the release of Spring Security 5.3.1 (release notes), 5.2.3 (release notes), 5.1.9 (release notes), 5.0.15 (release notes), 4.2.15 (release notes). These releases deliver bug fixes along with some minor improvements. Users are encouraged to update to the latest patch release.
On behalf of the community, I’m pleased to announce the release of Spring Security 4.2.14 (release notes). This release delivers bug fixes, dependency updates, and improvements with our build. Users are encouraged to update to the latest patch release.
This post was authored by Vedran Pavić.

On behalf of the community I’m pleased to announce the release of Spring Session Corn-M4. This release is picked up by Spring Boot 2.2.0.M6.

Spring Session Corn-M4

The Corn-M4 release is based on: Spring Session core modules 2.2.0.M4; Spring Session Data Geode 2.2.0.M4; Spring Session Data MongoDB 2.2.0.RC2.

Some of the highlights of Spring Session 2.2.0.M4 are: support for customizing configuration of session repositories using new SessionRepositoryCustomizer/ReactiveSessionRepositoryCustomizer; support for configuring transactional behavior for…
In response to our nohttp announcement, Maven Central’s announcement, and JFrog’s announcement, beginning January 15 2020, Spring’s Maven Repository will no longer support HTTP. More concretely, http://repo.spring.io will not respond to requests. Users will need to ensure that they are using https://repo.spring.io. We are not going to redirect from http to https because it perpetuates the vulnerability. When the first request is made over http, a man in the middle (MITM) can prevent the redirect and replace the response with a malicious payload. Users that continue to use http will continue to…
This post was authored by Vedran Pavić.

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M3 and Bean-SR7. These releases will be picked up by Spring Boot 2.2.0.M5 and 2.1.8.RELEASE, respectively.

Spring Session Corn-M3

The Corn-M3 release is based on: Spring Session core modules 2.2.0.M3; Spring Session Data Geode 2.2.0.M2; Spring Session Data MongoDB 2.2.0.RC1.

Some of the highlights of Spring Session 2.2.0.M3 are: support for save mode, which allows control over how session changes are tracked and saved to the session store; support for flush mode for JDBC…
This post was authored by Vedran Pavić.

On behalf of the community I’m pleased to announce the releases of Spring Session Corn-M2 and Bean-SR6. These releases will be picked up by Spring Boot 2.2.0.M4 and 2.1.6.RELEASE, respectively.

Spring Session Corn-M2

The Corn-M2 release is based on: Spring Session core modules 2.2.0.M2; Spring Session Data Geode 2.2.0.M2; Spring Session Data MongoDB 2.2.0.M3.

Some of the highlights of Spring Session 2.2.0.M2 are: simple Redis-based implementation of SessionRepository; reworked @Configuration classes are now compatible with proxyBeanMethods=false; migration of…
I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.

Background

Today, Jonathan Leitschuh published a blog titled Want to take over the Java ecosystem? All you need is a MITM!. The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks. Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to…