This Week in Spring - Aug 27th, 2013

Engineering | Josh Long | August 27, 2013 | ...

Welcome back to another installment of This Week in Spring. We have a lot to cover, as usual! Spring Security and lead Rob Winch feature heavily in this week's roundup! So, cheers to Rob Winch!

  1. Spring Security lead Rob Winch put together a post introducing some of the new, smart and convenient protection in Spring Security against cross-site request forgery (or CSRF).
  2. Rob also put together another epic blog post that demonstrates some of Spring Security's new support for security headers.
  3. Rob was also kind enough to integrate these new features into the Spring REST stack codebase where you can see them in action in the context of a full-stack, integrated Spring REST service. To see these changes, along with Spring Security and Spring Security OAuth, all integrated using Java Configuration, check out the oauth module.
  4. Reactor lead Jonathan Brisbin has announced Reactor 1.0.0.M2 is now available. The new release looks very exciting! From Jon's writeup: "This 2nd milestone includes a number of bugfixes and some really exciting new features. Reactor now includes a Processor abstraction, which is a highly-optimized task processor based on the LMAX Disruptor RingBuffer… Anecdotal benchmarks on a MacBook Pro show the Processor can pump around 100,000,000 events per second through the pipeline. Yes, you read that right: 100 million per second!"
  5. Hyperic, Cloud Foundry, Spring and Spring Data ninja Jennifer Hickey has announced the latest cut of the Spring Data Redis project. The new release includes support for millisecond precision in key expiration commands, resubscription of message listeners on connection failure, and a full implementation of the ConcurrentMap contract in RedisMap and RedisProperties.
  6. Spring Batch lead Michael Minella has announced Spring Batch 3.0M1 has been released! This release marks the first steps towards implementing the JSR-352 Java Batch specification, among other things.
  7. Register now for the Aug 29th Webinar: Taming Coupling & Cohesive Beasts with Modularity Patterns and Spring with Param Rengaiah.
  8. Join our friends from Pivotal Labs as David Frank shows you How to Get Agile with Pivotal Tracker, on September 5th.
  9. Spring Security lead Rob Winch tweeted, "#Gradle made it dead simple to build #SpringSecurity with #SpringFramework 3 and run tests with both #Spring 3/4," and linked to this epic example. This isn't, strictly speaking, a Spring-related post, but it's a nice example of a really elegant Gradle build, for those who also work with it, as we do at SpringSource.
  10. Spring Security lead Rob Winch (boy, that guy sure gets around!) also announced the latest release of Spring Security LDAP.
  11. Our pal Xavier Padró is back, this time with a post introducing how to use resource-local JMS transactions on message receipt with Spring's JmsTemplate.
  12. Patrick Grimard's put together a nice post on integrating Yeoman Backbone with a Spring web application, as well as a way to sidestep some issues he was having with resource resolution by using Tuckey’s UrlRewriteFilter. Now, I like the UrlRewriteFilter. That said, I think (but haven't tested..) that Patrick could've accomplished the same thing using Spring MVC resource handling support, as he starts to do in an example in the code when overriding the public void addResourceHandlers(ResourceHandlerRegistry registry) configuration method. Perhaps I'm mistaken, and either way, cool post!
  13. SpringSource has released new trainings to the Q3 schedule, check out the training schedules for: Core Spring, Enterprise Integration with Spring and Spring Web.

Reactor 1.0.0.M2 – a foundation for reactive fast-data applications on the JVM

Engineering | Jon Brisbin | August 27, 2013 | ...

I'm excited to announce the 2nd milestone release of Reactor on our way toward 1.0! Maven artifacts for Reactor 1.0.0.M2 are available in the usual milestone repository.

What is Reactor?

Reactor is a foundational framework for building high-throughput, asynchronous, reactive applications on the JVM. It provides Selector-style topic matching for event routing, dynamic Consumer assignment, an uber-fast task processor, and reactive Stream and Promise APIs for working with data asynchronously and coordinating asynchronous tasks. It comes with comprehensive Groovy language support by providing language extensions to make writing Reactor applications in Groovy pretty darned Groovy! It also has easy-to-use Spring support that automagically wires annotated POJOs to Reactors.

What's in this Release?

This 2nd milestone includes a number of bugfixes and some really exciting new features. Reactor now includes a Processor abstraction, which is a highly-optimized task processor based on the LMAX Disruptor RingBuffer. It uses the common abstractions from Reactor to configure a RingBuffer and allows you to use Reactor's common API instead of the Disruptor-specific API. It also by design skips the Selector matching and dynamic Consumer assignment provided by a Reactor in order to wring every last drop of throughput it can. Anecdotal benchmarks on a MacBook Pro show the Processor can pump around 100,000,000 events per second through the pipeline. Yes, you read that right: 100 million per second!

1.0.0.M2 also includes a small, but significant new feature in the Reactor API which optimizes event publishing in a Reactor to get about 30-50% higher throughput. It won't suit every situation since it prepares an optimized list of Consumers from the Reactor, but for an extra 10 million events per second in throughput, it's a great new feature.

Optimized Publish

One of the powerful aspects of Reactor is the Selector matching topic(ish) pub/sub. It allows you to easily assign handlers to events using topics, anonymous objects, assignable type hierarchies, URI path matching, or regular expressions (or any other type of Selector matching if you implement your own, domain-specific Selectors). But many applications can assign their handlers at startup, which means the path to those Consumers can be optimized for efficient event publication. The new Reactor method prepare(Object) allows you to pre-select the Consumers for a key. It returns a Consumer itself that event publishers can use to efficiently notify about new events.

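// Create the Environment in which Reactors operate
Environment env = new Environment();
Reactor reactor = Reactors.reactor().env(env).get();

// Register a handler for the "say.hello" key
reactor.on($("say.hello"), new Consumer<Event<String>>() {
	public void accept(Event<String> ev) {
		System.out.println("Hello " + ev.getData() + "!");
	}
});

// Pre-select the Consumers for the key once, then publish through the returned Consumer
Consumer<Event<String>> sayHello = reactor.prepare("say.hello");
for(String name : listOfNames) {
	// The prepared Consumer accepts Event<String>, so wrap each name
	sayHello.accept(Event.wrap(name));
}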

RingBuffer Task Processor

Reactor 1.0.0.M2 includes the Processor abstraction. It is a simple task processor backed by the LMAX Disruptor RingBuffer and is designed to integrate seamlessly into the reactive APIs used in Reactor, so it uses common abstractions like Supplier and Consumer. A fully-configured Processor can be created in a single expression, and using Java 8 lambdas it is more succinct yet:

Processor<Message> proc = new ProcessorSpec<Message>()
	.dataSupplier({ return new Message(); })
	.consume({ msg -> // handle the updated Message object…

Spring LDAP 1.3.2 Released

Releases | Rob Winch | August 26, 2013 | ...

It is with great pleasure that I am announcing the release of Spring LDAP 1.3.2. This release contains lots of bug fixes and will provide a solid foundation for a Spring LDAP 2.0 release.

I'd like to thank Mattias Arthursson from 261 Consulting for all his hard work on this release.

Spring Batch 3.0 Milestone 1 Released

Engineering | Michael Minella | August 23, 2013 | ...

Today we are pleased to announce the first milestone release towards Spring Batch 3.0 (download). With this release we take our first steps towards implementing the JSR-352 Java Batch specification. Spring Batch is a lightweight, comprehensive framework for the development of robust batch applications.

JSR-352

JSR-352 is billed as the standardization of batch processing for the Java platform. As part of that standardization, this JSR has included three main pieces:

  • An XML-based DSL for configuring jobs
  • An API for creating job-related components (readers/writers/etc)
  • An API and description of behavior for supporting classes and concepts

Spring has invested a large amount of time and resources in our contribution to this spec. Our collaboration with the other industry experts via the JCP on JSR-352 validates that the batch patterns that Spring Batch has implemented and battle-tested over the past five years in countless production environments are the best approach for building mission-critical batch applications.

Features in Milestone 1

This release is the first step towards Spring Batch being compliant with the JSR. Out of the 155 SE tests in the JSR-352 TCK, this release passes 70. The specific features implemented within this release are:

  • JobOperator implementation
  • Basic Job configuration via XML
  • batch.xml support

JobOperator

The JSR defines a JobOperator interface that is a combination of Spring Batch's JobOperator and JobExplorer interfaces. For the spec, this interface serves as the entry point for a batch application to both interact with the job itself (start/stop/restart/etc) as well as the job repository (providing the ability to query for previously run JobExecutions for example). Because of this, the JobOperator needs to provide a level of services out of the box. The JsrJobOperator (the Spring implementation of javax.batch.operations.JobOperator) bootstraps a Spring context similar to that of @EnableBatchProcessing. Out of the box, it includes a JobRepository, JobLauncher, JobOperator, JobExplorer, DataSource, TransactionManager, ParametersConverter, JobRegistry, and a PlaceholderPropertiesConfigurer. All of these can be overridden at runtime by overriding the default beans via the context provided when starting or restarting a job. By default, the JobRepository utilizes HSQLDB in an in-memory configuration.

Per the JSR, to launch a job is actually very easy:

JobOperator jobOperator = BatchRuntime.getJobOperator();
JobExecution jobExecution = jobOperator.start("jsrJob", new Properties());

The above two lines will bootstrap the previously defined base context (this occurs only once), then load the batch.xml file from /META-INF (if it exists) and the context as defined at jsrJob.xml in /META-INF/batch-jobs. jsrJob.xml can be one of two configurations. It can be a standard Spring context configuration that defines any batch artifacts as Spring Beans and the job via the JSR-352 DSL, or it can be just the job definition as defined by the JSR. Per JSR-352, only one job can be defined within the jsrJob.xml context. The rest of the JsrJobOperator's functionality is virtually a direct wrapping of the existing JobOperator and JobExplorer's functionality (hence their inclusion in the base application context).

Basic Job configuration via XML

JSR-352 defines an XML based DSL that any Spring Batch user will immediately find familiar. Consisting of jobs, steps, readers and writers, most of the concepts that are found in the Spring Batch namespace are accounted for within JSR-352. As part of this release, developers will be able to configure basic jobs using the JSR defined DSL. Basic jobs include the following:

  • <job>
  • <step>
  • <chunk>
  • <batchlet>
  • <reader>
  • <processor>
  • <writer>
  • <decision>
  • <listeners>/<listener>
  • <properties>/<property>
  • <skippable-exception-classes> and related children
  • <retryable-exception-classes> and related children
  • <checkpoint-algorithm>
  • <next>/<end>/<fail>

With the JSR, a batch job that looks like this via the Spring Batch DSL:


<job id="data" xmlns="http://www.springframework.org/schema/batch">
    <step id="import" next="report">
        <tasklet>
            <chunk commit-interval="100"
                   reader="itemReader"
                   writer="dataWriter" />
        </tasklet>
    </step>
    <step id="report…

Spring Security 3.2.0.RC1 Highlights: Security Headers

Engineering | Rob Winch | August 23, 2013 | ...

UPDATE

NOTE This blog post is no longer maintained. Refer to the Headers documentation for up to date information about Spring Security's Headers.

Original Article

This is my last post in a two part series on Spring Security 3.2.0.RC1. My previous post discussed Spring Security's CSRF protection. In this post we will discuss how to use Spring Security to add various response headers to help secure your application.

Security Headers

Many of the new Spring Security features in 3.2.0.RC1 are implemented by adding headers to the response. The foundation for these features came from hard work from Marten Deinum. If the name sounds familiar, it may be because one of his 10K+ posts on the Spring Forums has helped you out.

If you are using XML configuration, you can add all of the default headers to the response by using Spring Security's <headers> element with no child elements:

<http ...>
    ...
    <headers />
</http>

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

```java
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().disable()
            ...;
    }
}
```

The remainder of this post will discuss each of the default headers in more detail:

  • Cache Control
  • Content Type Options
  • HTTP Strict Transport Security…
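
One way to confirm from the outside that the defaults have not been switched off with headers().disable(), as an added example that is not code from the post or from Spring Security: it parses a raw response and reports missing or weak values for the three headers named above. The class name, the expected substrings and both sample responses are assumptions constructed for illustration.

```java
import java.util.*;

public class DefaultHeaderAudit {

    // Headers behind the three defaults the post names. The expected substrings
    // are standard values assumed for this example, not quoted from the post.
    static final Map<String, String> EXPECTED = new LinkedHashMap<>();
    static {
        EXPECTED.put("cache-control", "no-store");
        EXPECTED.put("x-content-type-options", "nosniff");
        EXPECTED.put("strict-transport-security", "max-age=");
    }

    /** Parse the header block of a raw HTTP response, lower-casing header names. */
    static Map<String, String> parseHeaders(String rawResponse) {
        Map<String, String> headers = new HashMap<>();
        String head = rawResponse.split("\r\n\r\n", 2)[0];
        String[] lines = head.split("\r\n");
        for (int i = 1; i < lines.length; i++) {        // line 0 is the status line
            int colon = lines[i].indexOf(':');
            if (colon <= 0) continue;                    // skip malformed lines
            String name = lines[i].substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = lines[i].substring(colon + 1).trim();
            headers.merge(name, value, (a, b) -> a + ", " + b);  // join repeated headers
        }
        return headers;
    }

    /** Return findings. Browsers ignore HSTS sent over plain HTTP, so it is only required for HTTPS. */
    static List<String> audit(String rawResponse, boolean overHttps) {
        Map<String, String> headers = parseHeaders(rawResponse);
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, String> e : EXPECTED.entrySet()) {
            if (e.getKey().equals("strict-transport-security") && !overHttps) continue;
            String value = headers.get(e.getKey());
            if (value == null) {
                findings.add("missing: " + e.getKey());
            } else if (!value.toLowerCase(Locale.ROOT).contains(e.getValue())) {
                findings.add("weak: " + e.getKey() + ": " + value);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real application.
        String hardened = "HTTP/1.1 200 OK\r\n"
            + "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
            + "X-Content-Type-Options: nosniff\r\n"
            + "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n\r\n<html/>";
        String disabled = "HTTP/1.1 200 OK\r\n"
            + "Cache-Control: public, max-age=3600\r\n"
            + "Content-Type: text/html\r\n\r\n<html/>";
        System.out.println("hardened: " + audit(hardened, true));
        System.out.println("disabled: " + audit(disabled, true));
    }
}
```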

Spring Data Redis 1.1 RC1 Released

Releases | Jennifer Hickey | August 23, 2013 | ...

Dear Spring Community,

I am pleased to announce the first release candidate of Spring Data Redis 1.1!

Downloads | JavaDocs | Reference Documentation | Changelog

Highlights include:

  • Support for millisecond precision in key expiration commands
  • Resubscription of message listeners on connection failure
  • Full implementation of ConcurrentMap contract in RedisMap and RedisProperties

For more information about Spring Data Redis please see the home page for a live sample and webinar recording.

We look forward to your feedback on the forum or in the issue tracker. We hope to see you at the upcoming SpringOne conference in Santa Clara, CA. Check out the schedule and register!

Spring Framework 3.2 and the SpringSource EBR

News | Pieter Humphrey | August 23, 2013 | ...

Beginning with version 3.2, Spring Framework JAR files such as spring-core, spring-context, and spring-webmvc no longer contain MANIFEST.MF files with OSGi metadata. Likewise, builds are not automatically promoted to the SpringSource EBR. To ensure that OSGi users are able to upgrade to Spring Framework 3.2, SpringSource will create and publish bundles for Spring Framework 3.2 GA to the EBR in a separate process shortly following the GA release. At least one 3.2 milestone or release candidate will also be published such that the community can validate the OSGi metadata prior to going GA. Note that any future releases in the Spring Framework 3.1.x line will continue to contain OSGi metadata and will be published immediately to the EBR as per usual. Interested users may want to place a watch on SPR-8903 to be notified of further updates, e.g. when Spring Framework 3.2 bundles are published to the EBR.

Free Spring - Hadoop Conference in Singapore

News | Michael Isvy | August 22, 2013 | ...

We are glad to announce that we will host a FREE conference about Spring and Hadoop on Friday August 30th in downtown Singapore from 6 to 8 PM.

Spring best practices: from Spring Petclinic to Spring Data Hadoop

Michael Isvy joined SpringSource (the company behind Spring, now part of Pivotal) in 2008. He has, since then, taught Spring to more than 1000 students in 10 different countries. He has presented on Spring at numerous conferences and is an active technical blogger on the SpringSource blog. Michael holds the position of Education Manager for the Asia-Pacific region at SpringSource…

Spring Security 3.2.0.RC1 Highlights: CSRF Protection

Engineering | Rob Winch | August 21, 2013 | ...

UPDATE

This blog post is no longer maintained. Refer to the CSRF documentation for up to date information about Spring Security and CSRF protection.

On Monday I announced the release of Spring Security 3.2.0.RC1. This is the first of a two part blog series going over the new features found in Spring Security 3.2.0.RC1.

In this first entry, I will go over Spring Security's CSRF support. In the next post, I will go over the various security headers that have been added.

CSRF Attacks

Spring Security has added protection against Cross Site Request Forgery (CSRF) attacks. Great, but what is a CSRF attack and how can Spring Security protect me against it? Let's take a look at a concrete example to get a better…

Spring Security 3.2.0.RC1 Released (08/2013)

Engineering | Rob Winch | August 19, 2013 | ...

Spring Security 3.2.0.RC1 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.

This release includes tons of updates and fixes. The highlights include:

  • Polishing of Spring Security Java Configuration
  • Uses content negotiation to determine how to prompt the user for authentication when multiple authentication mechanisms (i.e. HTTP Basic and Form login) are enabled
  • AbstractSecurityWebApplicationInitializer allows registering Java Configuration directly
  • A number of bugs fixed
  • CSRF protection and automatic integration with Spring Web MVC jsp tags
  • Automatic cache control support
  • Defence against Clickjacking attacks
  • HTTP Strict Transport Security support to reduce Man in the Middle attacks
  • Samples include pom.xml so they can be imported as Maven projects
  • MediaTypeRequestMatcher for matching on requests with content negotiation
  • Over ten java configuration samples have been integrated into the samples directory
  • Three new guides that walk users through samples and provide detailed instructions on how to do specific tasks. More of these guides will follow in coming releases
  • Refer to Spring Security 3.2.0.RC1 preview for more details about this release.

SpringOne2GX

To learn about all the new features within Spring Security 3.2 attend my Getting Started with Spring Security 3.2 presentation at SpringOne2GX September 9-12, 2013. If you haven't already gotten your tickets, do so now before it's too late!

Changelog | Download | Reference Manual | Guides | FAQ