Spring Security 5.0.0 M4 Released
On behalf of the community, I’m pleased to announce the release of Spring Security 5.0.0 M4. This release includes bug fixes, new features, and is based off of Spring Framework 5.0.0 RC4. You can find complete details in the changelog. The highlights of the release include:
OAuth2 / OIDC
OAuth2 Login Java Config
There are a number of improvements to the HttpSecurity.oauth2Login() DSL.
You can now configure the Token Endpoint with a custom implementation of an AuthorizationGrantTokenExchanger or SecurityTokenRepository<AccessToken>, as follows:
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .oauth2Login()
            .tokenEndpoint()
                .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger())
                .accessTokenRepository(this.accessTokenRepository());
}
We’ve also added the capability of customizing the request paths for the Authorization Endpoint and Redirection Endpoint:
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .oauth2Login()
            .authorizationEndpoint()
                .requestMatcher(new AntPathRequestMatcher("/custom-path/{clientAlias}"))
                .and()
            .redirectionEndpoint()
                .requestMatcher(new AntPathRequestMatcher("/custom-path/callback/{clientAlias}"));
}
As with all AbstractAuthenticationProcessingFilter implementations in Spring Security, you can also set a custom AuthenticationSuccessHandler and AuthenticationFailureHandler:
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .oauth2Login()
            .successHandler(this.customAuthenticationSuccessHandler())
            .failureHandler(this.customAuthenticationFailureHandler());
}
Security Token Repository
We’ve introduced the SecurityTokenRepository<T extends SecurityToken> abstraction, which is responsible for the persistence of SecurityToken instances.
The initial implementation, InMemoryAccessTokenRepository, provides the persistence of AccessToken instances.
In an upcoming release we’ll also provide an implementation that supports the persistence of Refresh Tokens.
ID Token and Claims
A couple of minor improvements were introduced to the IdToken along with some final implementation details for JwtClaimAccessor, StandardClaimAccessor and IdTokenClaimAccessor, which provide convenient access to claims in their associated constructs, for example, Jwt, IdToken, UserInfo.
Authorization Request Improvements
We’ve added the capability for an AuthorizationRequestRepository to persist the Authorization Request to a Cookie.
The current default implementation persists it in the HttpSession; however, a custom implementation may be provided to persist to a Cookie instead.
Support was also added for URI variables configured in the redirect-uri for the AuthorizationCodeRequestRedirectFilter.
OAuth2 Client Properties
There were a couple of minor updates to the properties for configuring an OAuth 2.0 Client. The configuration below outlines the current structure. You will notice that there is support for configuring multiple clients, for example, google, github, okta, etc.
security:
  oauth2:
    client:
      google:
        client-id: your-app-client-id
        client-secret: your-app-client-secret
        client-authentication-method: basic
        authorization-grant-type: authorization_code
        redirect-uri: "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{clientAlias}"
        scope: openid, profile, email, address, phone
        authorization-uri: "https://accounts.google.com/o/oauth2/v2/auth"
        token-uri: "https://www.googleapis.com/oauth2/v4/token"
        user-info-uri: "https://www.googleapis.com/oauth2/v3/userinfo"
        user-name-attribute-name: "sub"
        jwk-set-uri: "https://www.googleapis.com/oauth2/v3/certs"
        client-name: Google
        client-alias: google
      github:
        ...
      okta:
        ...
A complete example for using the new Spring Security OAuth 2.0 / OpenID Connect 1.0 login feature can be found in the Spring Security samples at oauth2login. The guide will walk you through the steps for setting up the sample application for OAuth 2.0 login using an external OAuth 2.0 or OpenID Connect 1.0 Provider.
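The redirect-uri template in the properties above is expanded per request, and the result has to match a redirect URI registered with the provider. The following plain-JDK program is an added example, not code from Spring Security or from the original post: it expands that template and checks the result against a registered URI. The host names, the registered URI, and the assumption that the variables are filled from the request as the application sees it are all constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RedirectUriCheck {
    // Template copied from the redirect-uri property above.
    static final String TEMPLATE =
        "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{clientAlias}";
    // Constructed sample: the redirect URI registered with the provider.
    static final Set<String> REGISTERED =
        Set.of("https://app.example.com:443/oauth2/authorize/code/google");
    static final Pattern VARIABLE = Pattern.compile("\\{(\\w+)\\}");

    // Replace each {name} with its value; reject a template variable that has
    // no value rather than emit a half-expanded URI.
    static String expand(String template, Map<String, String> vars) {
        Matcher m = VARIABLE.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = vars.get(m.group(1));
            if (value == null) {
                throw new IllegalArgumentException("no value for {" + m.group(1) + "}");
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Assumption: the variables are filled from the request as the application sees it.
    static String redirectUriFor(String scheme, String serverName, int serverPort, String contextPath) {
        return expand(TEMPLATE, Map.of(
            "scheme", scheme, "serverName", serverName,
            "serverPort", Integer.toString(serverPort),
            "contextPath", contextPath, "clientAlias", "google"));
    }

    static void report(String label, String uri) {
        System.out.println(label + ": " + uri
            + (REGISTERED.contains(uri) ? "  [registered]" : "  [NOT registered]"));
    }

    public static void main(String[] args) {
        // Constructed requests: one reaching the app directly over TLS, one arriving
        // through a TLS-terminating proxy that forwards plain HTTP to port 8080.
        report("direct", redirectUriFor("https", "app.example.com", 443, ""));
        report("proxied", redirectUriFor("http", "10.0.0.5", 8080, ""));
    }
}
```

Running it with `java RedirectUriCheck.java` shows that the proxied request expands to a URI the provider has not registered, which is the case to check for when deploying behind a proxy or load balancer.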
Reactive Security
Reactive Method Security
Spring Security’s Reactive support now includes method security by leveraging Reactor’s Context. The highlights are below, but you can find a complete example of it in action in samples/javaconfig/hellowebflux-method
The first step is to use @EnableReactiveMethodSecurity to enable support for @PreAuthorize and @PostAuthorize annotations. This step ensures that the objects are properly proxied.
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {
    // ...
}
The next step is to create a service that is annotated with @PreAuthorize or @PostAuthorize. For example:
@PreAuthorize("hasRole('ADMIN')")
public Mono<String> findMessage() {
    // ...
}
Spring Security’s WebFlux support will then ensure that the Reactor Context will be populated with the current user which is used to determine if access is granted or denied.
Spring Security’s standard @WithMockUser and related annotations have been updated to work with Reactive Method Security. For example:
@RunWith(SpringRunner.class)
// ...
public class HelloWorldMessageServiceTests {
    @Autowired
    HelloWorldMessageService messages;

    @Test
    public void messagesWhenNotAuthenticatedThenDenied() {
        StepVerifier.create(this.messages.findMessage())
            .expectError(AccessDeniedException.class)
            .verify();
    }

    @Test
    @WithMockUser
    public void messagesWhenUserThenDenied() {
        StepVerifier.create(this.messages.findMessage())
            .expectError(AccessDeniedException.class)
            .verify();
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    public void messagesWhenAdminThenOk() {
        StepVerifier.create(this.messages.findMessage())
            .expectNext("Hello World!")
            .verifyComplete();
    }
}
The test support also works nicely with WebTestClient. For example:
@RunWith(SpringRunner.class)
// ...
public class HelloWebfluxMethodApplicationTests {
    @Autowired
    ApplicationContext context;

    WebTestClient rest;

    @Before
    public void setup() {
        this.rest…
Spring Session MongoDB 2.0.0.M3 released
Dear Spring Community,
Spring Session MongoDB 2.0.0.M3 is released. It is based on:
- Reactor Bismuth-M4
In this release, several new features have been added to simplify using it with your Spring WebFlux application.
@EnableMongoWebSession
public class SpringWebFluxConfig {
}
All you must do is apply the @EnableMongoWebSession annotation to any of your Spring configuration classes to activate session support with MongoDB. Additionally, you must provide a ReactorMongoOperations Spring bean, but if you’re using Spring Boot’s spring-boot-starter-data-mongodb-reactive…
Spring Session 2.0.0 M4
On behalf of the community I’m pleased to announce the release of Spring Session 2.0.0.M4. This release is focused primarily on refining WebFlux support. The highlights are:
Simplified WebFlux Configuration
Configuring Spring Session for WebFlux is simplified to be:
@Configuration
@EnableSpringWebSession
public class HelloWebfluxSessionConfig {
    @Bean
    public MapReactorSessionRepository reactorSessionRepository() {
        return new MapReactorSessionRepository(new ConcurrentHashMap<>());
    }
}
You can also switch the strategy for resolving session IDs by simply adding a WebSessionIdResolver bean. For example, to switch from using cookies to resolve the session ID to using headers, you can use Spring Framework’s new HeaderWebSessionIdResolver…
Spring Boot 2.0.0 M4 Available Now
Hot on the heels of the latest Spring Framework 5 release candidate, Spring Boot 2.0 M4 is now available from our milestone repository. This release closes 150 issues and pull requests and is a major step towards 2.0 GA. Thanks to all that contributed!
This milestone provides a host of minor tweaks and enhancements along with three major changes:
- A new Actuator endpoint infrastructure
- An overhaul of security
- Micrometer metrics support
For a complete list of changes, and upgrade instructions, see the Spring Boot 2.0.0.M4 Release Notes on the WIKI. We are a bit behind with regards to updating the reference documentation, so please consider using the snapshot version…
Spring Web Flow 2.4.6 released
Spring Web Flow 2.4.6 was released earlier today containing a security fix. Applications that use explicit data bindings through the <binder> element in flow definitions are not affected. Those that do rely on default bindings should upgrade as soon as possible.
Spring Cloud Stream Ditmars/1.3 Release Candidate Announcement
We are pleased to announce that the release candidate Spring Cloud Stream Ditmars.RC1 is available for use in the Spring Milestone repository. The release notes include relevant information about version compatibility with Spring Boot, Spring Cloud, Spring AMQP, and Spring for Apache Kafka.
Kafka Streams for Apache Kafka
This release targets the promotion of Kafka Streams for Apache Kafka support as a top-level project in the Apache Kafka binder implementation. With Kafka Streams for Apache Kafka positioned as a first-class citizen, developers can now build Spring Cloud Stream applications by…
Spring Integration 5.0 Milestone 7 and 4.3.12 Available
On behalf of the Spring Integration team I am pleased to announce that the Milestone 7 for the Spring Integration 5.0 version (5.0.0.M7) is now available.
It is available for download from the Milestone Repository:
repositories {
    maven { url 'http://repo.spring.io/libs-milestone' }
}
compile "org.springframework.integration:spring-integration-core:5.0.0.M7"
21 JIRAs (and some GitHub issues) made it into this release, including bug fixes and a number of new features. Some highlights of features in the M7, since the previously announced Milestone 6:
- Reactive WebFlux Channel Adapters have been extracted to the separate spring-integration-webflux module to distinguish Servlet-based MVC configuration from the Reactive foundation.
- The EmbeddedJsonHeadersMessageMapper is introduced to allow embedding message headers together with the payload into packages for target protocols that don’t support headers natively, for example TCP/IP, MQTT, AWS Kinesis and Apache Kafka before version 0.11.x.
- The java.util.function.Supplier can now act as a MessageSource: …
Spring AMQP 2.0 Release Candidate, 1.7.4 and 1.6.11 Are Available
I am pleased to announce that the 2.0.0.RC1 release candidate of Spring AMQP is now available in the Spring milestone repository.
This release adds some minor fixes/improvements since the final milestone Milestone 5.
Thanks to all the community members for their feedback and contributions!
The GA release will follow shortly after the Spring Framework 5.0 GA release in September.
For a complete list of changes in 2.0, see What’s New in the reference manual.
Maintenance releases 1.7.4 and 1.6.11 are also available now.
Spring For Apache Kafka 2.0 and 1.3 Release Candidates Available
We are pleased to announce the availability of the 2.0.0.RC1 release candidate of the Spring for Apache Kafka 2.0 version.
As discussed in the 1.3.0.M2 announcement, we are concurrently releasing 1.3 with 2.0, where 1.3 contains a subset of the 2.0 features, supporting the Kafka 0.11.x.x client, while still supporting Spring Framework 4.3. As such, the 1.3.0.RC1 release candidate is also available.
They are available for download from the Milestone Repository:
repositories {
    maven { url 'http://repo.spring.io/libs-milestone' }
}
compile "org.springframework.kafka:spring-kafka:2.0.0.RC1"
Since the previous announcement, the following is a summary…
Spring Boot 1.5.7 available now
On behalf of the team, I am pleased to announce that Spring Boot 1.5.7 has been released and is available now from repo.spring.io and Maven Central.
Spring Boot 1.5.7 includes 51 fixes, improvements and dependency updates. Thanks to all that have contributed with issue reports and pull requests.
What's next?
Spring Framework 5.0 RC4 has just been released and other Spring projects should follow. Spring Boot 2.0 M4 is just around the corner and this will be a nice way to test the last release candidate of Spring Framework before GA. If you want to take an early look at Spring Boot 2, and we’d love to hear your feedback if you do, please go to start.spring.io and select Spring Boot 2.0.0.BUILD-SNAPSHOT…