Spring blog

All Posts
Engineering
Releases
News and Events

Spring Security 3.2.0.RC1 Highlights: Security Headers

Engineering | Rob Winch | August 23, 2013 | ...

UPDATE

NOTE This blog post is no longer maintained. Refer to the Headers documentation for up to date information about Spring Security's Headers.

Original Article

This is my last post in a two part series on Spring Security 3.2.0.RC1. My previous post discussed Spring Security's CSRF protection. In this post we will discuss how to use Spring Security to add various response headers to help secure your application.

Security Headers

Many of the new Spring Security features in 3.2.0.RC1 are implemented by adding headers to the response. The foundation for these features came from hard work from Marten Deinum. If the name sounds familiar, it may because one of his 10K+ posts on the Spring Forums has helped you out.

If you are using XML configuration, you can add all of the default headers using Spring Security's element with no child elements to add all the default headers to the response:

<http ...>
    ...
    <headers />
</http>

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

```xml @EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Override protected void configure(HttpSecurity http) throws Exception { http .headers().disable() ...; } }


<p>The remainder of this post will discuss each of the default headers in more detail:</p>
<ul>
<li><a href="#cache-control">Cache Control</a></li>
<li><a href="#content-type-options">Content Type Options</a></li>
<li><a href="#hsts">HTTP Strict Transport Security</a…
Read more

Spring Data Redis 1.1 RC1 Released

Releases | Jennifer Hickey | August 23, 2013 | ...

Dear Spring Community,

I am pleased to announce the first release candidate of Spring Data Redis 1.1!

Downloads | JavaDocs | Reference Documentation | Changelog

Highlights include:

  • Support for millisecond precision in key expiration commands
  • Resubscription of message listeners on connection failure
  • Full implementation of ConcurrentMap contract in RedisMap and RedisProperties

For more information about Spring Data Redis please see the home page for a live sample and webinar recording.

We look forward to your feedback on the forum or in the issue tracker. We hope to see you at the upcoming SpringOne conference in Santa Clara, CA. Checkout the schedule and register!

Read more

Spring Framework 3.2 and the SpringSource EBR

News | Pieter Humphrey | August 23, 2013 | ...

Beginning with version 3.2, Spring Framework JAR files such as spring-core, spring-context, and spring-webmvc no longer contain MANIFEST.MF files with OSGi metadata. Likewise, builds are not automatically promoted to the SpringSource EBR. To ensure that OSGi users are able to upgrade to Spring Framework 3.2, SpringSource will create and publish bundles for Spring Framework 3.2 GA to the EBR in a separate process shortly following the GA release. At least one 3.2 milestone or release candidate will also be published such that the community can validate the OSGi metadata prior to going GA. Note that any future releases in the Spring Framework 3.1.x line will continue to contain OSGi metadata and will be published immediately to the EBR as per usual. Interested users may want to place a watch on SPR-8903 to be notified of further updates, e.g. when Spring Framework 3.2 bundles are published to the EBR.

Read more

Free Spring - Hadoop Conference in Singapore

News | Michael Isvy | August 22, 2013 | ...

We are glad to announce that we will host a FREE conference about Spring and Hadoop on Friday August 30th in downtown Singapore from 6 to 8 PM.

Spring best practices: from Spring Petclinic to Spring Data Hadoop

Michael Isvy joined SpringSource (the company behind Spring, now part of Pivotal) in 2008. He has, since then, taught Spring to more than 1000 students in 10 different countries. He has presented on Spring at numerous conferences and is an active technical blogger on the SpringSource blog. Michael holds the position of Education Manager for the Asia-Pacific region at SpringSource…

Read more

Spring Security 3.2.0.RC1 Highlights: CSRF Protection

Engineering | Rob Winch | August 21, 2013 | ...

[callout title=Update]

This blog post is no longer maintained. Refer to the CSRF documentation for up to date information about Spring Security and CSRF protection.

[/callout]

On Monday I announced the release of Spring Security 3.2.0.RC1. This is the first of a two part blog series going over the new features found in Spring Security 3.2.0.RC1.

In this first entry, I will go over Spring Security's CSRF support. In the next post, I will go over the various security headers that have been added.

CSRF Attacks

Spring Security has added protection against Cross Site Request Forgery (CSRF) attacks. Great, but what is a CSRF attack and how can Spring Security protect me against it? Let's take a look at a concrete example to get a better…

Read more

Spring Security 3.2.0.RC1 Released (08/2013)

Engineering | Rob Winch | August 19, 2013 | ...

Spring Security 3.2.0.RC1 is now available from the SpringSource repository at http://repo.springsource.org. See here for a quick tutorial on resolving these artifacts via Maven.

This release includes tons of updates and fixes. The highlights include:

  • Polishing of Spring Security Java Configuration
  • Uses content negotiation to determine how to prompt user for authentication when multiple authentication mechanisms (i.e. HTTP Basic and Form login) enabled
  • AbstractSecurityWebApplicationInitializer allows registering Java Configuration directly
  • A number of bugs fixed
  • CSRF protection and automatic integration with Spring Web MVC jsp tags
  • Automatic cache control support
  • Defence against Clickjacking attacks
  • HTTP Strict Transport Security support to reduce Man in the Middle attacks
  • Samples include pom.xml so they can be imported as Maven projects
  • MediaTypeRequestMatcher for matching on requests with content negotiation
  • Over ten java configuration samples have been integrated into the samples directory
  • Three new guides that walk users through samples and provide detailed instructions on how to do specific tasks. More of these guides will follow in coming releases

    • Refer to Spring Security 3.2.0.RC1 preview for more details about this release.

    SpringOne2GX

    To learn about all the new features within Spring Security 3.2 attend my Getting Started with Spring Security 3.2 presentation at SpringOne2GX September 9-12, 2013. If you haven't already gotten your tickets, do so now before its too late!

    Changelog | Download | Reference Manual | Guides | FAQ

    Read more

    This Week in Spring - Aug 13th, 2013

    Engineering | Josh Long | August 14, 2013 | ...

    Welcome back to another installment of This Week in Spring. As usual, we've got a lot to cover, so let's get to it!

    1. The How to do in Java blog has a nice post on how to setup Siteminder pre-authentication using Spring Security 3.
    2. Another great SpringOne2GX 2013 session's just been added to the SpringOne2GX 2013 lineup, Real Time Analytics with Spring. This talk introduces one use case for Project Reactor, a foundation for asynchronous applications on the JVM.
    3. Andy Clement has just cut a new release of AspectJ, 1.8.0.M1, which will be used in Spring 4 and support Java 8. It is available through the SpringSource Maven repository as 1.8.0.M1. It is also in today's release of AJDT for Eclipse 4.3.
    4. The GoPivotal blog has an in-depth look at Apache Tomcat 8. Definitely worth a look!
    5. Eberhard Wolff has put together a very nice video on using the recently announced Spring Boot. Nice job, Eberhard! (as usual)
    6. Our pal Petri Kainulainen has written a very cool post on unit testing Spring MVC REST APIs.
    7. The Being Java Guys blog has a code-heavy post on how to do file uploads with Spring MVC. Nice job!
    8. This post from the Matthew's Thoughts! blog explains a simple Spring REST starter project that demonstrates how to use regular Spring Security to add a username and password-based authentication with a Spring MVC-powered REST service.
    9. The Code with Zen Mind blog has a nice series on building and testing Spring MVC applications. The first post introduces how to setup a test-driven project. The second post demonstrates how to do refactoring and how to introduce new test cases. The third post demonstrates how to use the tests established in the first two posts to survice a major refactoring (the implementation of the service under test changes). Really insightful!
    10. This post from the public static void blog() blog introduces how Spring's logging layering works. The post is in what Google Translate insists is Slovak, however, the translation was pretty good and - if we're honest - the diagrams are quite explanatory by themselves! Good stuff. Take a look, and - if possible - a read.
    11. The 1.5 version of the Cloud Foundry integration for Eclipse, which supports pushing applications to Pivotal Cloud Foundry organizations and spaces, using new Cloud Foundry services, and incrementally updating applications from Spring Tool Suite. The new integration may be installed from the STS dashboard or using the update site in the Help > Install New Software menu.
    Read more

    Spring XD 1.0 Milestone 2 Released

    Releases | Mark Pollack | August 14, 2013 | ...

    Today we are pleased to announce the 1.0 M2 release of Spring XD (download)  Spring XD is a unified, distributed, and extensible system for data ingestion, real time analytics, batch processing, and data export.  The project’s goal is to simplify the development of big data applications.

    The second milestone release of Spring XD introduces several new features that make it even easier to ingest and process real-time streams of data as well as orchestrate Hadoop based batch jobs.  In this blog post we will cover

    • Shell
    • New sources, sinks and transports
    • DSL improvements
    • Batch Jobs

    Shell

    The most noticeable new feature is the introduction of the interactive shell.  The shell provides you an easy way to create new streams and jobs, view metrics, interact with Hadoop, and more.  As an introduction to the shell I will redo some of the examples from the M1 blog post.

    Start…

    Read more

    SpringSource Training Schedule: September 2013

    News | Mark Baars | August 09, 2013 | ...

    If you are a Java developer looking to increase your Spring knowledge, Spring Training by Pivotal is the place to start. We are providing several Spring trainings across the globe closely connected to your needs as a professional developer. This month we provide the new 4-day Groovy & Grails class in Boston, MA. SpringSource has also started offering new Hibernate with Spring Classes in the Bay Area, Germany, London (GB) and the United States (Online Courses)

    The complete Spring training schedule for September, 2013 can be found below:

    Step 1: Core Spring

    Americas

    Asia Pacific

    Europe, Middle East & Africa

    Step 2: Spring Web / Enterprise Integration with Spring / Hibernate with Spring

    Americas

    Asia Pacific

    Europe, Middle East & Africa

    If you cannot find a professional training near you, you can always request an onsite SpringSource training

    Read more

    Get the Spring newsletter

    Stay connected with the Spring newsletter

    Subscribe