A Bootiful Podcast: Java developer advocate Ana-Maria Mihalceanu
I had a wonderful chat with Java Developer Advocate Ana-Maria Mihalceanu about Java Flight Recorder, Project Babylon, Project Panama, and so many other exciting things in the Java ecosystem...
A Bootiful Podcast: Cay Horstmann, legendary Java professor, author, lecturer
Hi, Spring fans! In this installment, we talk to the legendary Java author, professor, and Java Champion Cay Horstmann, whom you might know from classics such as "Core Java." And of course even the most cursory search will land you at his books...
This Week in Spring - February 17th, 2026
Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring! It's Lunar New Year or Chinese New Year for billions of people around the world and to those who celebrate, Happy Chinese/Lunar New Year 新年快乐! Or Happy Spring Festival 春节快乐! My favorite kind of festival! In honor ...
This Week in Spring - February 3rd, 2026
Hi, Spring fans! This week I'm in northern Europe. I went on the Vaadin cruise from Finland to Sweden, gave a talk on a boat, then arrived in Stockholm in time for the amazing JFokus 2026 event where I had the privilege yesterday of doing a deep dive with my pal James Ward on Spring AI and agenti...
A Bootiful Podcast: Start Your Year with Java Right with Java Developer Advocate Billy Korando
Hi, Spring and Java fans! In this episode I am beyond delighted to talk Java developer advocate and longtime friend of the show Billy Korando about the latest-and-greatest in the Java ecosystem...
A Bootiful Podcast: Jonatan Ivanov on how to measure all the things with Micrometer
Hi, Spring fans! This week we catch up with the observably awesome Jonatan Ivanov on how to measure all the things with Micrometer...
This Week in Spring - January 6th, 2026
Hi, Spring fans, to the first installment of This Week in Spring in the new year and, roughly, the fifteenth anniversary edition of this series! I've been writing these blogs since the first week of January of 2011, and I am proud to say that I haven't so far missed a single week! I've always...
A Bootiful Podcast: Apache Tomcat legend Mark Thomas (Happy new year!)
In this episode, I talk with Mark Thomas, the legendary and highly prolific committer to Apache Tomcat. Happy New Year!...
This Week in Spring - December 2nd, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring. By mistake, I inadvertently published older content in this installment, then tried to fix it and ended up re-publishing the same content. And, what's worse, I somehow ended up deleting the draft I had written for this...
This Week in Spring - November 18th, 2025
Hi, Spring fans! I'm thrilled to be in New York City for an exciting week of joint presentations on Spring AI + Bedrock and Spring Boot with the legendary James Ward. First up: we'll present a workshop at the AI Native Dev Conf today, then speak at the...
LLM Response Evaluation with Spring AI: Building LLM-as-a-Judge Using Recursive Advisors
The challenge of evaluating Large Language Model (LLM) outputs is critical for notoriously non-deterministic AI applications, especially as they move into production. Traditional metrics like ROUGE and BLEU fall short when assessing the nuanced, contextual responses that modern LLMs produce. Human...
This Week in Spring - November 4th, 2025
Hi, Spring fans! Welcome to another all-out installment of This Week in Spring wherein we attempt to recap all that's new and novel in the wild, wacky, and wonderful world of Springdom. And this week, I'm doing so from an airport in Switzerland, en route to Malmo, Sweden, for the amazing Oredev...
Prompt Caching Support in Spring AI with Anthropic Claude
Large language model API costs can accumulate quickly when applications repeatedly send the same prompt content. A typical scenario: you're building a document analyzer that includes a 3,000-token document in every request. Five questions about that document means processing 15,000 tokens of...
A Bootiful Podcast: Oracle VP and GraalVM founder Thomas Wuerthinger
Hi, Spring fans! In this installment I talk to Oracle VP and GraalVM founder Thomas Wuerthinger, recorded at Devoxx 2025!...
Introducing Share Consumer Support (Kafka Queues) in Spring for Apache Kafka
Continuing our Road to GA series, this week we're exploring Share Groups in Apache Kafka 4.0.0 and their integration in Spring for Apache Kafka 4.0.0 - a feature that fundamentally expands how we can consume messages from Kafka topics. When we first start working with Kafka, the mental model is...
This Week in Spring - October 7th, 2025
Hi, Spring fans! How're you doing this fantastic October afternoon? I'm on a train returning from Frankfurt, Germany, where I spoke at the Cloud Foundry Day Frankfurt event about how awesome it is to build an application with Spring Boot and Cloud Foundry. Yesterday I was in Antwerp, Belgium, and...
The state of HTTP clients in Spring
This is a new blog post in the Road to GA series, this time exploring the new capabilities of our HTTP clients. This is also a good time to reflect on the state of HTTP clients in Spring, so we will use this opportunity to explain an important announcement: we are officially deprecating...
This Week in Spring: September 30th, 2025
Hi, Spring fans! As I write this I am about to board a flight for Colorado for the amazing Dev2Next conference! I'll be in Antwerp, Belgium for the amazing Devoxx event next week, and I'll be speaking at the Amsterdam JUG with James Ward on the Thursday after that, too! If you're around, be sure ...
This Week in Spring - September 23rd, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm preparing my talks for several amazing shows including: Commit Your Code conference in Plano, Texas starting tomorrow; Dev2Next in Colorado; Devoxx Belgium in Antwerp, Belgium; and CloudFoundry Days in Germany. So much go...
This Week in Spring - September 16th, 2025
Hi, Spring fans! Welcome to another extra special installment of This Week in Spring, wherein we celebrate a very auspicious day indeed: the release of Java 25 and GraalVM 25! That's right: an incredible new iteration of the JVM has just dropped and with it come a ton of features! Let's go throu...
A Bootiful Podcast: Spring Cloud guru Ryan Baxter
Hi, Spring fans! In this installment we talk to the amazing Spring Cloud contributor Ryan Baxter, live from SpringOne 2025!...
A Bootiful Podcast: Andrey Belyaev, product manager for IntelliJ IDEA
Hi, Spring fans! In this installment, we talk to Andrey Belyaev, a Product Manager at JetBrains working on the IntelliJ IDEA product, about the latest-and-greatest support for Spring in Jetbrains IntelliJ IDEA!...
This Week in Spring - August 5th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's August 5th! Which means we're only 20 days away until SpringOne 2025! Have you registered? There's so much to cover this week, so let's dive right into it! Spring Shell 3.4.1 is out! - the new release includes a number o...
A Bootiful Podcast: Spring legends Tasha Isenberg and Jason Konicki
Hi, Spring fans! In this edition, I had the pleasure of chatting with the brilliant Arjen Poutsma, our go-to API oracle. If you’re curious about his fantastic insights, thoughts, and consultancy services, be sure to check out poutsma-principles.com...
A Bootiful Podcast: This Week in Spring (AI) - May 20th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm in sunny Stockholm, Sweden for the JForum 123 installment. This is, apparently, the first time the meetup is completely full up since before the pandemic, with more than 150 people in attendance! Tak,...
This Week in Spring - April 15th, 2025
Spring AI M7 is here! This new release includes a bunch of awesome new features! And some refactorings. Notably that the Spring AI auto-configuration has changed from a single monolithic artifact to individual auto-configuration artifacts per model, vector store, and other components. This change...
A Bootiful Podcast: Wiremock's leaders Lee Turner and Tom Akehurst
Hi, Spring fans! In this installment we talk to Wiremock's leaders Lee Turner and Tom Akehurst...
This Week in Spring - March 25th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I’m in Portland, OR, then I'm off to Austin, TX for the Arc of AI show, and then I'm off to Amsterdam for Voxxed Days Amsterdam! If you're around, be sure to say hi! There's a ton of cool stuff to look at, so witho...
This Week in Spring - February 4th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's February 4th, 2025, as I write this. We are ten days away from Valentine's day, and about a month away from Devnexus. Lots to look forward to, in both the short term and the long term! Let's dive right into this week's...
A Bootiful Podcast: Intact's Luke Shannon
Hi, Spring fans, and happy holidays! In this installment I talk to Intact's Luke Shannon about their use of Spring, developer portals, and so much more...
This Week in Spring - December 10th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I am in the southern hemisphere (it's summer down here!), in Brisbane, waiting to board a plane for Sydney. It's been a ton of fun! I did a video looking at the latest-and-greatest in Spring Framework 6.2 - chec...
A Bootiful Podcast: Heroku's Terence Lee
Hi, Spring fans! Happy Spring Boot 3.4.0 release day to those who celebrate! Today I'm joined by both Terence Lee, from Heroku, and my friend DaShaun Carter, and we talk about platforms, buildpacks, and more...
A Bootiful Podcast: engineer, CTO, teacher, and pilot Ken Sipe
Hi, Spring fans, JVM enjoyers, and cloud natives! Have I got a treat for you today! We're going to be talking to my longtime pal Ken Sipe...
This Week in Spring - September 24th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in delightful Dallas, TX, at the amazing JConf.dev show. Then I'm off to Germany, and then back home to do some laundry before heading out to Denver, CO, for the amazing Dev2Next show, before then heading out to Belgium f...
local information disclosure via temporary directory created with unsafe permissions
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in...
Spring Framework server Web DoS Vulnerability
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: Typically, Spring Boot applications need the...
Reactor Netty HTTP Server Metrics DoS Vulnerability
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in...
Directory Traversal in Reactor Netty HTTP Server
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured t...
Exposure of data and identity to wrong session in Spring for GraphQL
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader...
This Week in Spring - May 9th, 2023
Hi, Spring fans! Welcome to another wonderful, fanciful installment of This Week in Spring! I was just at the first Devoxx GR, in the sunny Mediterranean city of Athens, Greece. Uh, yah, this was a good'un. If you can get to it, you should. Don't miss next year's installment if you missed this on...
Empty SecurityContext Is Not Properly Saved Upon Logout
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...
Spring Expression DoS Vulnerability
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition...
Spring Modulith 0.3 released
Hot on the heels of Spring Boot 3.0.2, I am excited to announce the 0.3 release of Spring Modulith. The release is packed with improvements. We have tweaked a couple of things that might require your attention and a couple of adapting changes to your code. The most notable changes are: GH-114 – W...
Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some...
Privilege Escalation in spring-security-oauth2-client
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client via the browser to the Authorization Server whi...
Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: An application is not vulnerable if any of the following i...
Reactor Netty HTTP Server may log request headers
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled...
A Bootiful Podcast: the good Dr. David Syer on the new and novel in Spring and Kubernetes
Hi, Spring fans! In this installment, Josh Long talks to Spring Boot and Spring Cloud luminary, the good Dr. @DavidSyer, about the latest and greatest on Spring and Kubernetes...
Spring Framework RCE via Data Binding on JDK 9+
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is...
Remote code execution in Spring Cloud Function by malicious Spring Expression
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...