I’m pleased to announce the release of Spring Security 4.1.3.RELEASE which updates libraries & resolves some minor issues including fixes for the new MvcRequestMatcher.

For details refer to the changelog.

Contributions

Without the community we couldn’t be the successful project we are today. I’d like to thank everyone that created issues & provided feedback.

Feedback Please

If you have feedback on this release, I encourage you to reach out via StackOverflow, GitHub Issues, or via the comments section. You can also ping me @rob_winch or Joe @joe_grandja on Twitter.

Of course the best feedback comes in the form of contributions…

We are pleased to announce the 1.0.0.RC1 release of Spring Cloud Data Flow for Cloud Foundry.

As we near completion towards a GA release in the upcoming days, this milestone brings the following improvements:

• Builds upon the 1.0.0.RC1 release of Spring Cloud Deployer Cloud Foundry, which itself builds upon Project Reactor 3.0.0.RELEASE and of CF-Java-Client 2.0.0.RELEASE

• Adds the ability to orchestrate short-lived tasks including Spring Batch Jobs in Cloud Foundry, which can be enabled as an experimental feature toggle

• Adds support for command line arguments as a separate set of properties to be passed to a Task when it’s launched

• Adds support to separate stream and task specific service bindings. This allows pinning stream and tasks specific services to stream and task applications respectively

  …

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring Application’s process had access to.

The issue was a direct result of OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks. The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.

Note

We did not consider this a CVE because the exploit was only found in the sample application which is not considered production code. However, we expect that our users may have copied this code to create their own applications. For this reason, we wanted to be transparent and communicate the issue and…

Welcome to another installation of This Week in Spring! This week I'm in NYC (for the NYC Java SIG), Austin and San Francisco (for the Silicon Valley Spring User Group) talking to customers and doing meetups! We've got a lot to cover, as usual, so let's get to it!

• Spinnaker is a continuous delivery platform from Netflix built on Spring Boot. It supports a build-and-bake pipeline and works naturally with Spring Boot and various cloud platforms. It's enjoyed contributions from Microsoft, Google and Pivotal. In this post, Spring ninja Greg Turnquist introduces Spring Cloud Spinnaker 1.0.0.M1. Definitely worth a look!
• this seemed interesting - a code generator that supports Spring-based applications called Sifu
• JAX London just announced their top 20 social influencers for Java. Spring Data lead Oliver Gierke and I made the list…

I am pleased to announce that the Spring for Apache Kafka 1.1.0.M1 milestone release is available now.

As usual, thanks to the community for any feedback and contribution as always!

Highlights of this release:

• Support for the 0.10.x.x client (use 1.0.x for the 0.9.x.x client)

• Support for listeners that receive the entire batch of messages returned by the consumer.poll() operation

• Support for null payloads - used to delete keys when using log compaction

• Allow setting the initial offset to be relative to the current offset

Project Page | GitHub | Help | Documentation

On behalf of the team, I am pleased to announce that Service Release 5 of the Spring Cloud Brixton Release Train is available today. The release can be found in our Spring Release repository and Maven Central.

This release includes primarily bug fixes.

This release also deprecates Spring Cloud Cluster in favor of Spring Integration.

The following modules were updated as part of Brixton.SR5:

• Spring Cloud Bus 1.1.1.RELEASE
• Spring Cloud Config 1.1.3.RELEASE
• Spring Cloud AWS 1.1.1.RELEASE
• Spring Cloud Sleuth 1.0.6.RELEASE
• Spring Cloud Task 1.0.2.RELEASE

And, as always, we welcome feedback: either on GitHub, on gitter, on Stack Overflow, or on Twitter…

Greetings Spring community,

I am happy to release the first milestone for Spring Cloud Spinnaker. Spring Cloud Spinnaker bundles up the continuous delivery Spinnaker platform, and provides a 1-click installer to let you install it to any certified Cloud Foundry provider.

At this year’s SpringOne Platform 2016 conference, there were two talks about Spinnaker. If you have early release access and missed them, you can watch right now. Otherwise you can catch them on the SpringDeveloper YouTube Channel once they are published.

If your team/meetup/JUG is interested in hearing more about Spinnaker, check in with me and we can arrange a…

Welcome to another installment of This Week in Spring! Since we last spoke I've presented at conferences and to customers in London, Beijing, Shanghai and Singapore - where I am now. Tomorrow, Wednesday, I'll be speaking at the Singapore Spring Meetup - join me! It's been quite a few days!

• Spring Data ninja Mark Paluch has done another great post looking at Spring Cloud Vault
• Spring Security lead Rob Winch just announced Spring Security 4.1.2
• Spring Integration ninja Artem Bilan just announced Spring for Apache Kafka 1.0.3
• Check out this deck to learn about how Spring Boot is used at PayPal
• I liked my buddy Richard Seroter's review of our SpringOne Platform event a few weeks ago
• I loved Camille Fournier's post on some real-life architecture patterns of microservices and, particularly, her observations on the challenges of …

In my previous post about Managing Secrets with Vault, I introduced you to Vault and how to store arbitrary secrets using the generic secret backend. Vault can manage more than just secret data like API keys, passwords, and other sensitive string-like data. Today we’re taking a look at Vault’s integration with databases, services, and certificates.

Database credentials tend to be static

When it comes to databases, the regular workflow of getting credentials applying for a database is asking some operator or a self-service tool to give you credentials so your application can log into the…