I’m pleased to announce the nohttp project, which lets users find, replace, and prevent the usage of http://.

Background

Today, Jonathan Leitschuh published a blog titled Want to take over the Java ecosystem? All you need is a MITM!. The blog demonstrates that hundreds of Java libraries are downloading dependencies over HTTP. This opens the projects up to potential MITM (man in the middle) attacks.

Unfortunately, there were multiple Spring projects that were using HTTP to download dependencies. Fortunately, we uncovered no signs of a successful MITM attack. We have also addressed the issue to…

Hi Spring fans! Can you believe it? We're already almost halfway through June! Summer's nearly here! It's 97 Fahrenheit / 37 Celsius in San Francisco! That's nuts! I'm glad I'm in beautiful Amsterdam and Eindhoven, NL, beating the heat, though. What a privilege. We've got a busy week, as always, to get to so let's get to it!

• The Spring team has undertaken a massive effort to eliminate insecure HTTP URLs in favor of HTTPS. Learn how we did it (and you could too) in this blog Announcing nohttp
• A Bootiful Podcast: Spring Cloud lead Spencer Gibb on Microservices, Brazil, and more
• Hi Spring fans! In last week's installment of Spring Tips: Organizational Consistency in your Spring Boot Applications I introduced things you can do to achieve consistency in your applications including auto-configuration, building starter-dependencies, the Spring JavaFormat Maven plugin and more.
• …

Hi Spring fans! In this installment Josh Long interviews Spring Cloud lead Spencer Gibb about open-source, Brazil, microservices, Spring, his journey to the Spring team, and more.

Spencer on Twitter: @SpencerBGibb

We are happy to announce today that start.spring.io is now built using React/Gatsby as the front-end framework. We also made UI improvements based on your feedback. Thank you to all those who have contributed to this update and to all the users who continue to tell us how to improve!

React.js

During the previous Web UI modernization (launched on March 5th), we realized that making even small changes to the site had become more time consuming than we anticipated. The architecture was inhibiting our ability to run experiments and move quickly to make small, incremental changes.

As a result, we decided to rewrite the front-end using a modern and popular javascript framework - Gatsby…

Hi Spring fans! In this installment we look at things you might do to achieve organizational consistency in your Spring Boot applications and services.

speaker: Josh Long (@starbuxman)

Hi Spring fans! Welcome to another installment of This Week in Spring! This week I'm in.... I'm home! Look at that! I'm home for the epic SpringOne Tour San Francisco event. I'm super excited to be here in this amazing weather with an amazing community. It's been a busy week though! Last week I returned from Spain for my kid's graduation, and I am still so so proud. Tomorrow I fly to Cork, Ireland for the Cork JUG and then it's off to London for a wedding. So, lot of travel, but a bit of a lighter load :-)

We've got a lot to cover so let's get to it!

• Introducing the Pivotal Spring Runtime, offering comprehensive support for OpenJDK, Spring, and Apache Tomcat
• Java CFEnv 1.1.0.M1 Released
• In last week's A Bootiful Podcast I talked to Verónica Lopez on Go, Kubernetes, Physics, the Cloud, and More
• Introducing Spring Cloud App Broker
• CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released
• Webinar: Boosting Microservice Performance with Kafka, RabbitMQ, and Spring
• Spring Cloud Edgware.SR6 Released
• Spring Tips: Debugging Reactor Applications
• Spring Cloud Open Service Broker 3.0.1 Released
• …

Hi Spring fans! In this episode I talk to Go-lang and Kubernetes-legend Verónica Lopez about community, physics, distributed systems and more.

Verónica on Twitter @maria_fibonacci

Introduction

On behalf of the community I am happy to announce the release of Java CFEnv 1.1 M1.

This release brings in contributions from several teams

• EMC Volume Service

• Pivotal Single Sign-On Service

• Pivotal Redis Service

Support for Volume Services is a new feature. Single Sign-On functionality has been improved to set Spring Security auto-configuration properties for Spring Security 5’s OAuth support. The Redis support has been improved to support auto-configuration of TLS.

The project README has more information.

A release candidate is going out next week, followed quickly by a GA release. Please try it out and give feedback on our github issues…

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

• 2.3.6 changelog

• 2.2.5 changelog

• 2.1.5 changelog

• 2.0.18 changelog

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report…