
924 matches found

Spring Security Advisories
added 2026/04/20 12:0 a.m. | 7 views

Spring Office Hours Podcast: S5E13 - Community Potluck

Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this Potluck episode, Dan and DaShaun open up the floor to the community, answering your questions on Spring Boot, Spring AI, Spring Security, and whatever else is on your mind. Potluck episodes are shaped...

AI score: 5.8
Exploits: 0

Spring Security Advisories
added 2026/04/20 12:0 a.m. | 7 views

Unauthorized User Impersonation when Using X.509 Client Certificates

SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

CVSS: 6.8 | AI score: 5.8 | EPSS: 0.00227
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2026/04/20 12:0 a.m. | 7 views

Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules

If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00216
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2026/04/20 12:0 a.m. | 7 views

Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers

If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication,...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00248
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2026/04/17 12:0 a.m. | 7 views

Static resource cache poisoning in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: When all the conditions above are met, the attacker can send malicious requests and poison the resource cache wi...

CVSS: 3.1 | AI score: 5.8 | EPSS: 0.00236
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2026/04/16 12:0 a.m. | 7 views

A Bootiful Podcast: the legendary Craig Walls

Hi Spring fans! In this installment we talk to the legendary Craig Walls, author of Spring In Action, Spring AI in Action, and more!...

AI score: 5.8
Exploits: 0

Spring Security Advisories
added 2026/03/26 12:0 a.m. | 7 views

RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore

In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue inserts the value directly into the @field:VALUE RediSearch TAG block without escaping characters...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.0025
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2026/03/24 12:0 a.m. | 7 views

This Week in Spring - March 24th, 2026

Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! and of course, next week, 1 April 2026, marks 12 years since Spring Boot...

AI score: 5.8
Exploits: 0

Spring Security Advisories
added 2026/03/03 12:0 a.m. | 7 views

This Week in Spring - March 3rd, 2026

Hi Spring fans! Welcome to another rip-roaring installment of This Week in Spring! I'm writing this in an Uber en route to the airport to get to awesome Atlanta, GA, for Devnexus 2026! Who's goin'? You goin'? We - the Spring team - will be there in force! Come say hi at the booths or come see our...

AI score: 6
Exploits: 0

Spring Security Advisories
added 2026/02/27 12:0 a.m. | 7 views

Moving beyond Strings in Spring Data

If you've worked with data access in Java and especially with Spring Data for a while, then you are familiar with various Query and Update programming models. You write data access code. You refactor a property name. You run your tests. They fail. Your query strings? Still pointing to the old...

AI score: 6.1
Exploits: 0

Spring Security Advisories
added 2026/02/26 12:0 a.m. | 7 views

A Bootiful Podcast - John Willis, author of 'Rebels of Reason'

Hi Spring fans! In this installment I sit down with DevOps legend and industry analyst extraordinaire John Willis and talk about his new book Rebels of Reason: The Long Road from Aristotle to ChatGPT and AI's Heroes Who Kept the Faith, and talk about the nature of the ecosystem, AI, the role of...

AI score: 5.4
Exploits: 0

Spring Security Advisories
added 2026/02/24 12:0 a.m. | 7 views

This Week in Spring - February 24th, 2026

Hi, Spring fans! Welcome to another awesome and oh-so-agentic week in Spring! We've got a ton to look into, and I've got even more to prepare for next week's DevNexus event in Atlanta, GA, so let's dive right into it! Be sure to say "hi" if you're going to be there, though! You've heard of Agent...

AI score: 5.5
Exploits: 0

Spring Security Advisories
added 2026/01/29 12:0 a.m. | 7 views

Spring AI Agentic Patterns (Part 5): Building Interoperable Agents with the Agent2Agent (A2A) Protocol

The Agent2Agent (A2A) Protocol is an open standard for seamless AI agent communication. It enables agents to discover capabilities, exchange messages, and coordinate workflows across platforms—regardless of their implementation. Spring AI A2A integrates the A2A Java SDK with Spring AI through Sprin...

AI score: 6
Exploits: 0

Spring Security Advisories
added 2026/01/26 12:0 a.m. | 7 views

This Week in Spring - January 26th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this, I cannot believe we're nearly at the end of the month! Time sure flies. Spring AI 2.0.0-M2 is available now Spring Modulith 2.1 M1, 2.0.2, and 1.4.7 released In last week's installment of A Bootiful Podcast,...

AI score: 5.9
Exploits: 0

Spring Security Advisories
added 2026/01/13 12:0 a.m. | 7 views

Spring AI Agentic Patterns (Part 1): Agent Skills - Modular, Reusable Capabilities

Agent Skills are modular folders of instructions, scripts, and resources that AI agents can discover and load on demand. Instead of hardcoding knowledge into prompts or creating specialized tools for every task, skills provide a flexible way to extend agent capabilities. Spring AI's implementatio...

AI score: 7
Exploits: 0

Spring Security Advisories
added 2025/12/30 12:0 a.m. | 7 views

This Year in Spring – December 30th, 2025

Hi, Spring fans! Can you believe it? It's already the 30th of December! I celebrated Christmas with my family in Los Angeles, then we jumped on a flight headed for Southeast Asia to ring in the New Year with more friends and family. I'm sitting at a café in the sweltering city of Kuala Lumpur,...

AI score: 7.1
Exploits: 0

Spring Security Advisories
added 2025/12/26 12:0 a.m. | 7 views

Evolving Spring Vault: Introducing VaultClient

Back in September 2016, nearly a decade ago now, we introduced Spring Vault as an integration layer for HashiCorp Vault within Spring applications, complemented by Spring Cloud Vault for Spring Boot arrangements. The core idea has always been straightforward: Externalizing secrets to encrypted Vau...

AI score: 6.8
Exploits: 0

Spring Security Advisories
added 2025/12/11 12:0 a.m. | 7 views

Smart Tool Selection: Achieving 34-64% Token Savings with Spring AI's Dynamic Tool Discovery

As AI agents connect to more services—Slack, GitHub, Jira, MCP servers—tool libraries grow rapidly. A typical multi-server setup can easily have 50+ tools consuming 55,000+ tokens before any conversation starts. Worse, tool selection accuracy degrades when models face 30+ similarly-named tools. T...

AI score: 6.8
Exploits: 0

Spring Security Advisories
added 2025/11/20 12:0 a.m. | 7 views

A Bootiful Podcast: The legendary Sébastien Deleuze on all that's new and nice in Spring Framework 7

Hi, Spring fans! Happy Spring Boot 4.0 release day! Make sure to get the bits on the Spring Initializr you know - start.spring.io! This release is packed with new features, a lot of which comes from Spring Framework 7. To help break it down for us this week, we’re joined by none other than the...

AI score: 6.9
Exploits: 0

Spring Security Advisories
added 2025/11/18 12:0 a.m. | 7 views

OpenTelemetry with Spring Boot

This is a new blog post in the Road to GA series, and this time we're taking a look at OpenTelemetry with Spring Boot. Introduction In modern cloud native architectures, observability is no longer optional; it is a fundamental requirement. You want to understand what your application is doing via...

AI score: 6.9
Exploits: 0

Spring Security Advisories
added 2025/11/05 12:0 a.m. | 7 views

Spring gRPC Next Steps for 1.0.0

This is a new blog post in the Road to GA series, this time updating everyone on the plans to integrate Spring gRPC with Spring Boot 4. The original plan was to move the autoconfiguration from Spring gRPC into Spring Boot in time for the 4.0 release. Unfortunately we haven't been able to find the...

AI score: 7
Exploits: 0

Spring Security Advisories
added 2025/10/30 12:0 a.m. | 7 views

AWS Bedrock Prompt Caching Support in Spring AI

In our previous blog post about Anthropic prompt caching, we explored how prompt caching dramatically reduces API costs and latency by reusing previously processed prompt content. We introduced Spring AI's five strategic caching patterns for Anthropic Claude models and showed how they automatical...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/10/22 12:0 a.m. | 7 views

New Home for Spring Integration AWS

The Spring Integration for AWS was always an independent Spring Integration extension project with its own plans and release cycles. The consumption of this single jar library has always added a complexity from the dependency management perspective. It depends not only on Spring Integration modul...

AI score: 6.7
Exploits: 0

Spring Security Advisories
added 2025/09/08 12:0 a.m. | 7 views

Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true:...

CVSS: 10 | AI score: 5.8 | EPSS: 0.03311
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2025/08/14 12:0 a.m. | 7 views

Path traversal vulnerability on non-compliant Servlet containers

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not...

CVSS: 5.9 | AI score: 6.6 | EPSS: 0.01916
Exploits: 1 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2025/07/15 12:0 a.m. | 7 views

This Week in Spring - July 15th, 2025

Hi, Spring fans! It's already the 15th of July! We're closer to 2026 than we are to 2024. And time's sure flying. Like I will, tomorrow. I'll be flying to Denver for the amazing UBERCONF software show! I'll be doing a workshop and two talks, and if you're there, I hope you'll come say "hi"! Let's...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/07/10 12:0 a.m. | 7 views

A Bootiful Podcast: API oracle Arjen Poutsma

Hi, Spring fans! In this edition, I had the pleasure of chatting with the brilliant Arjen Poutsma, our go-to API oracle. If you’re curious about his fantastic insights, thoughts, and consultancy services, be sure to check out poutsma-principles.com...

AI score: 7.1
Exploits: 0

Spring Security Advisories
added 2025/07/08 12:0 a.m. | 7 views

This Week in Spring - July 8th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! I write this having spent a wonderful week in paradise Bora Bora, French Polynesia, to be precise with my partner Tam Mie. We were so very sad to have to say goodbye. But that means I'm officially back at my desk, with nary a...

AI score: 6.8
Exploits: 0

Spring Security Advisories
added 2025/07/01 12:0 a.m. | 7 views

This Week in Spring - July 1st, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's July!! This week, I'm on PTO, and as always, I'm looking for good reading material on the plane ride over for my holiday. Thank goodness for the ever-vibrant and awesome Spring community; there's tons of stuff to dive...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/06/26 12:0 a.m. | 7 views

A Bootiful Podcast: DevOps and AI luminary Patrick Debois

Hi, Spring, cloud native, and AI fans! In this installment, I had the opportunity to briefly sit down and talk with DevOps and AI luminary Patrick Debois, from the amazing Devoxx UK 2025 show...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/06/17 12:0 a.m. | 7 views

This Week in Spring - June 17th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! We're in the middle of June already! And you know what that means? Warm weather, fun, and of course: the amazing SpringOne event in lovely Las Vegas, NV! The content catalog went live today! I'll be there doing, among other...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.00521
Exploits: 0

Spring Security Advisories
added 2025/06/03 12:0 a.m. | 7 views

This Week in Spring - June 3rd, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! I just finished recording my session with IntelliJ IDEA project lead Aleksey Stukalov about all the amazing features coming to IntelliJ IDEA to better support Java, Kotlin, and Spring developers. It went off without a hitch...

CVSS: 8.6 | AI score: 7.2 | EPSS: 0.00276
Exploits: 0

Spring Security Advisories
added 2025/05/23 12:0 a.m. | 7 views

Repository Vector Search Methods

The emergence of Large Language Models (LLM) has propelled Generative AI and surfaced one of its key components to a broad audience: Embeddings. Embeddings are a vector representation of data in a high-dimensional space capturing their semantic meaning. Vector representations allow for more efficie...

AI score: 6.7
Exploits: 0

Spring Security Advisories
added 2025/03/27 12:0 a.m. | 7 views

A Bootiful Podcast: My friend Anthony Dahanne on Buildpacks, Production, Docker images, and more

Salut fans de Spring! In this installment I'm joined by the legendary Anthony Dahanne. If you've enjoyed success in production using Spring's built-in spring-boot:build-image capability, you've got today's guest Anthony to thank for it!...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/03/20 12:0 a.m. | 7 views

A Bootiful Podcast: Java Champion and legend Henri Tremblay

Hi, Spring fans! In this installment I talk to Henri Tremblay, head of TS Imagine Canada, Java Champion, Montreal JUG leader, EasyMock lead dev and all around legend!...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/03/19 12:0 a.m. | 7 views

Spring Security authorization bypass for method security annotations on parameterized types

Spring Security may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. Your application may be affected by this if the following are true: In that case, the target method may be able to be invoked without proper authorizatio...

CVSS: 5.3 | AI score: 6 | EPSS: 0.00485
Exploits: 0 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2025/03/13 12:0 a.m. | 7 views

A Bootiful Podcast: Jonatan Ivanov, observability legend on the Micrometer team

Hi, Spring fans! In this installment we talk to one of the Willy Wonkas of observability, the amazing Jonatan Ivanov! This episode was recorded at ConFoo 2025...

AI score: 7.1
Exploits: 0

Spring Security Advisories
added 2025/02/13 12:0 a.m. | 7 views

A Bootiful Podcast: Spring Boot and Spring Initializr legend Moritz Halbritter

Hi, Spring fans! In this installment I talk to Spring Boot and Spring Initializr legend Moritz Halbritter...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/02/13 12:0 a.m. | 7 views

A Bootiful Podcast: Spring Legend Glenn Renfro on Devnexus 2025, Cold brews, and More

Hi, Spring fans! In today's installment, I talk to Spring legend Glenn Renfro...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/02/06 12:0 a.m. | 7 views

A Bootiful Podcast: 'Just Use Postgres!' author Denis Magda

Hi, Spring fans! In this installment we talk to Java and distributed database ninja Denis Magda about his new book, "Just Use Postgres!", which looks at how to wield Postgres for a variety of use cases that an application developer should know...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/01/23 12:0 a.m. | 7 views

A Bootiful Podcast: Java Developer Advocate Billy Korando on JavaOne 2025, Java 24, and so much more

Hi, Spring fans! In this installment I talk to Java developer advocate Billy Korando about the latest and greatest in the amazing Java ecosystem! java JavaOne Oracle...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2025/01/21 12:0 a.m. | 7 views

Building Effective Agents with Spring AI (Part 1)

In a recent research publication: Building effective agents, Anthropic shared valuable insights about building effective Large Language Model (LLM) agents. What makes this research particularly interesting is its emphasis on simplicity and composability over complex frameworks. Let's explore how...

AI score: 7.5
Exploits: 0

Spring Security Advisories
added 2025/01/21 12:0 a.m. | 7 views

This Week in Spring - January 21st, 2025

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring! It's time to dive into this week's wondrous roundup! Good news, everybody! Spring Cloud AWS 3.3.0 is available! A neat video on stored procedures in Spring A very interesting article on the flow diagrams for Sprin...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2024/12/17 12:0 a.m. | 7 views

This Week in Spring - December 17th, 2024

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! It's the 17th of December, 2024! And you know what that means? The end of the year is nearly upon us! I can't believe it. It's been a very long year indeed, but I'm happy to get on board a...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2024/10/22 12:0 a.m. | 7 views

Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:...

CVSS: 9.1 | AI score: 6.7 | EPSS: 0.01726
Exploits: 2 | References: 1 | Affected Software: 1

Spring Security Advisories
added 2024/10/08 12:0 a.m. | 7 views

This Week in Spring - October 8th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Antwerp, Belgium, for the amazing Devoxx Belgium 2024 event! I am so happy to be back here, one of the best shows in the Java ecosystem! We've got a lot to get into so let's dive right in! From Spring Cloud Data Flow...

AI score: 7.2
Exploits: 0

Spring Security Advisories
added 2024/08/23 12:0 a.m. | 7 views

Signature Forgery Vulnerability in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

CVSS: 6.3 | AI score: 7.2 | EPSS: 0.00123
Exploits: 0 | References: 1

Spring Security Advisories
added 2024/07/11 12:0 a.m. | 7 views

A Bootiful Podcast: Cloud Native Cora Iberkleid on architecture, Spring Modulith, and more

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! In today’s episode, I talk to cloud native Cora Iberkleid about the awesome modular sensation that’s sweeping applications, Spring Modulith!...

AI score: 7.1
Exploits: 0

Spring Security Advisories
added 2024/06/19 12:0 a.m. | 7 views

Spring Cloud Function Web DOS Vulnerability

Description In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2, 4.0.x prior to 4.0.8 an application is vulnerable to a DOS attack when attempting to compose functions with non-existing functions. Specifically, an application is vulnerable when all of the following are true: User is...

CVSS: 8.2 | AI score: 7.1 | EPSS: 0.0127
Exploits: 0

Spring Security Advisories
added 2024/05/16 12:0 a.m. | 7 views

A Bootiful Podcast: Oleg Šelajev, Docker and Testcontainers legend

Hi, Spring and Testcontainers fans! In this interview, I talk to Oleg Šelajev...

AI score: 7.2
Exploits: 0

Total number of security vulnerabilities: 924