Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to his friend Chris Richardson (@crichardson), who helped articulate and advance cloud computing, reactive programming, microservices, domain-driven design, event sourcing, and so much more years before the zeitgeist. Also, we used to work together!
Want to meet more amazing people in our ecosystem, like Chris? SpringOne 2022 is almost here! I feel like it’s that anxious, exciting time before, sort of important holiday where you get given gifts! And with it, Spring Boot 3 and Spring Framework 6. We’re going to be announcing…
Using username/password credentials to access one application from another presents a huge security risk for many
reasons. Today, we are announcing the preview of passwordless connections for Java applications to Azure database
and eventing services, letting you finally shift away from using passwords.
Security Challenges with Passwords
Passwords should be used with caution, and developers must never place passwords in an unsecure location. Many Java
applications connect to backend data, cache, messaging, and eventing services using usernames and passwords, or other sensitive credentials such as access tokens or connection strings.
If exposed, the passwords could be used to gain unauthorized access to sensitive information such as a sales catalog
that you built for an upcoming campaign, or simply all customer data that must be private.
Embedding passwords in an application itself presents a huge security risk for many reasons, including discovery
through a code repository (see Figure 1 below). Many developers externalize such passwords using environment
variables so that applications can load them from different environments. However, this only shifts the risk from
the code itself to an execution environment. Anyone who gains access to the environment can steal passwords, which
in turn, increases your data exfiltration risk.
Figure 1 – shows Java code with an embedded username and password to connect to a database
Our customers can have strict security requirements to connect to Azure services without exposing passwords to
developers, operators, or anyone else. They often use a vault to store and load passwords into applications, and
they further reduce the risk by adding password-rotation requirements and procedures. This, in turn, increases the
operational complexity and can lead to application connection outages.
Passwordless Connections – Zero-Trust
Now you can use passwordless connections in your apps to connect to Azure-based services with a code-free
configuration. You no longer need to rotate passwords. Using the principle of "never trust, always verify and
credential-free", Zero-Trust helps to secure all communications by trusting machines or users only after verifying
identity before granting them access to backend services.
"Every password and every Key Vault we have is a potential liability, which adds more overhead and management cost. I'm always happy to see more of the authentication and authorization handled for us and shipped as simple integrations into the Java and Spring ecosystem on Azure. And I won't shed any tears when I delete our Key Vault, now PostgreSQL supports passwordless connections."
-Jonathan Jones, Lead Solutions Architect, Swiss Re Management Ltd. (Switzerland)
Using managed identities and Azure RBAC (role-based access control) combination is the recommended authentication
option for secure, passwordless connections from Java applications to Azure services. Developers or operators do not
need to manually track and manage many different secrets for managed identities because these tasks are securely
handled internally by Azure.
You can configure passwordless connections to Azure services using Service Connector (see Figure 2 below),
or you can manually configure them. Service Connector enables managed identities in app hosting services like Azure
Spring Apps, App Service and Azure Container Apps. It configures backend services with passwordless connections
using managed identities and Azure RBAC, and supplies applications with necessary connection information – no more
passwords.
Figure 2 – Service Connector configures passwordless connection for a Java app to a PostgreSQL database
If you inspect the running environment of an application configured for passwordless connections, you can see the
full connection string. For example, Figure 3 shows how it carries database server address, database name, and an
instruction to delegate authentication to Microsoft’s Azure’s JDBC authentication plugin.
Let’s consider a Spring Boot application that connects to a PostgreSQL database that uses Spring Cloud Azure starter.
The starter composes a connection string without password for a Spring Data JPA module. From the connection string,
the driver understands that it must load the Azure’s JDBC authentication plugin which uses the Azure Identity Client
Library to get an access token. The driver logs into a database using the token as password - no more
passwords.
For local development and testing, developers can use the same arrangement to connect to services without using
passwords. You will authenticate through Azure CLI, IntelliJ or any development tool and use that identity to secure
access for the application to connect with Azure services without passwords.
Learn More and Delete Passwords!
You can shift away from using passwords in your apps. Migrate your existing Java applications to use passwordless
connections for Azure services today!
Hi, Spring fans! Welcome to another installment of This Week in Spring!
It's the last week of September, already! The year's more done than not. The days are receding into darkness earlier. And the Pumpkin Spice Lattes are upon us. The darker and colder days are kind of a bummer, but I'm stil excited and overjoyed this time of year. You know why?
SpringOne 2022 is almost here! I feel like it's that anxious, exciting time before sort of important holiday where you get given gifts! And with it, Spring Boot 3 and Spring Framework 6. We're going to be announcing everything right here on the Spring blog, of course, but if you want a chance to learn from the source, then I hope you'll join us 6-8 December, 2022, right here in my hometown of San Francisco, my favorite west coast city in the USA, and my hometown. )Psst.: If you register now, there’s a $200 discount from the pass price with this code S1VM22_Advocate_200…
The Spring Team has been working on native image support for Spring Applications for quite some time. After 3+ years of incubation in the Spring Native experimental project with Spring Boot 2, native support is moving to General Availability with Spring Framework 6 and Spring Boot 3!
Native images provide almost instant startup time and reduced memory consumption for Java applications. The recent Spring Boot 3.0.0-M5 release marks the first time we’re asking for broader community feedback on our native story. If you need to catch-up on the basics, please refer to the Ahead Of Time basics blog post from late March. You can also learn how to prepare your applications for Spring Boot 3.0…
It has taken me an embarrassingly long time to appreciate and understand that the devil is in the details regarding software development. Writing happy-path business logic isn't the hard part! It's the failure cases, observability, resilience, and process. It's security and other so-called non-functional requirements. It's architecting for agility. It's production. Spring is unique because it sits at the crossroads of many exciting application development discussions.
Spring's community contains multitudes and is one of the key defining features. This diversity of discussion means that any conference that endeavors to cover the full sweep of ideas has its work cut out. I don't know of any other show - and I've spoken at many thousands of shows and events in my life! - that completely covers the different dimensions of application development like SpringOne…
Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to his friend, fellow Java Champion, and director of developer relations and strategy at Couchbase, Laurent Doguin (@ldoguin)
SpringOne 2022 is almost here! This is our first in-person event since the pandemic and it's when we release Spring Framework 6 and Spring Boot 3, the next generation of Spring and Spring Boot respectively. It's running 6-8 December in my sunny San Francisco, CA! Register now at SpringOne.io and use the code S1VM22_Advocate_200 to get $200 off the current registration price.
On behalf of the team, I’m pleased to announce the release of Spring Session 2022.0.0-M3. These releases deliver, enhancements, bug fixes, and dependency upgrades.
For your convenience, Spring Boot will pick up these artifacts with its upcoming releases.
The following modules were updated as part of 2022.0.0-M3:
Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. There's no way I could hope to capture everything of note. But I persist...
Are you coming to SpringOne 2022? This is our first in-person event since the pandemic and it's when we release Spring Framework 6 and Spring Boot 3, the next generation of Spring and Spring Boot respectively. It's running 6-8 December here in my hometown of sunny San Francisco, CA! Register now at SpringOne.io and use the code S1VM22_Advocate_200 …
[09-19] Vulnerability announced here and Spring Data REST 3.6.7 and 3.7.3 released
[09-19] Blog post updated to refer to the CVE report published
The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include fixes for CVE-2022-31679. Users are encouraged to update as soon as possible.
Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to big data legend, former Pivot, and friend to the Spring community, Tim Spann (@PaaSDev), about big data, StreamNative, and Apache Pulsar, and Spring for Apache Pulsar. Get your notebooks ready for this one, class!
