
Cross Site Request Forgery and OAuth2
In this short article we look at Cross Site Request Forgery in the context of OAuth2, looking at possible attacks and how they can be countered when OAuth2 is being used to protect web resources. OAuth2 is a protocol enabling a Client application, often a web application, to act on behalf of a User, but Read more…

Spring Security Configuration with Scala
In a previous article, Behind the Spring Security Namespace, I talked about how the Spring Security namespace has been very successful in providing a simple alternative to plain Spring bean configuration, but how there is still a steep learning curve when you want to start customizing its behaviour. Behind the XML elements and attributes, various Read more…

Simplified Spring Security with Grails
Spring Security is a powerful library for securing your applications that comes with a bewildering number of options. Based on Spring, it can be readily integrated into a Grails application. But why not save the hassle and use the new improved Grails plugin? The plugin has gone through several evolutionary stages that started with the Read more…

Spring Security in Google App Engine
Spring Security is well-known for being highly customizable, so for my first attempt at working with Google App Engine, I decided to create a simple application which would explore the use of GAE features by implementing some core Spring Security interfaces. In this article we'll see how to: Authenticate using Google Accounts. Implement "on-demand" authentication Read more…

SpringSource dm Server 2.0.1 Released
SpringSource dm Server 2.0.1 is released today. The release fixes a few minor bugs and one security issue. The Admin Console's version of dojo is upgraded from 1.3.2 to 1.3.3 to prevent an open redirect attack. The release also includes the final Reference Implementation of the OSGi Web Container. The OSGi Web Container specification was Read more…

Behind the Spring Security Namespace
With the introduction of the security schema in Spring Security 2, it became much easier to get a simple secured application up and running. In older versions, users had to declare and wire-up all the implementation beans individually, resulting in large and complicated Spring application context files which were difficult to understand and maintain. There Read more…

Spring Security Kerberos/SPNEGO Extension
We're pleased to announce that the first milestone of the Spring Security Kerberos Extension is now available for download. The release is also available through the Maven milestone repository at http://maven.springframework.org/milestone. With the Spring Security Kerberos Extension, your users are authenticated against your web application just by opening the URL. There is no need to Read more…

Exploring Roo's Architecture
Last month we discovered how easy it is to build a fully-fledged enterprise application in just a few minutes using Spring Roo – our new productivity tool for Java developers. While many Java developers have already started evaluating Roo to help save time on their projects, I've received a lot of questions from people curious Read more…

Spring Security 3.0.0.M1 Released
We're pleased to announce that the first milestone of Spring Security 3.0 is now available for download. The release is also available through the Maven milestone repository at http://maven.springframework.org/milestone. As with Spring 3.0, this is the first release which requires a minimum of JDK 1.5 to run and also requires Spring 3.0, so you should get Read more…

Getting Started with Spring Roo
Update: The third installment of the "Introducing Spring Roo" blog series is now available and covers Roo's internal architecture in detail. I have a confession to make. While many of you would know I've been busily working away on Spring Roo in recent months, I also have a separate project that hasn't made it into Read more…





