A Bootiful Podcast: Spring Security lead Rob Winch on Spring Security 7.0, SpringOne 2025, and more
Hi, Spring fans! In this installment I'm joined by Spring Security lead Rob Winch to discuss the amazing new additions to Spring Security 7.0, coming in November of 2025, and the coverage you can expect when you see our talk at SpringOne 2025 (have you registered? https://springone.io)...
This Week in Spring - July 29th, 2025
It's the end of July! JULY! The seventh month of the year, done and dusted! AHHHHH! I've got memories of being on a tropical beach over the winter holidays, sipping rum and dodging mosquitoes like I was doing a rhythmic gymnastics routine just recently. It turns out that was seven months ago, not...
A Bootiful Podcast: José Paumard, Java developer advocate and professor
Hi, Spring fans! In this installment, recorded at Devoxx UK 2025, I talk to the legendary professor of computer science and legend José Paumard about Java, the ecosystem, and more...
Spring Data JDBC and R2DBC 4.0 will support Composite IDs
I'm happy to announce that Spring Data JDBC and R2DBC finally support Composite IDs starting with version 4.0.0-M4. Most of you probably know, but just to make sure everyone has the same understanding: From the database point of view a composite id or composite key is a primary key that consists...
This Week in Spring - July 22nd, 2025
Hi, Spring fans! It's almost SpringOne time!! AAAAH it's all moving so quickly! I can hardly stand it. SpringOne's next month, in lovely Las Vegas, and I'll be there. Will you? Have you registered? We'll be looking at the impending Spring Boot 4.0 and Spring Framework 7.0 releases! It's going to ...
A Bootiful Podcast: Spring legends Tasha Isenberg and Jason Konicki
Hi, Spring fans! In this edition, I had the pleasure of chatting with the brilliant Arjen Poutsma, our go-to API oracle. If you’re curious about his fantastic insights, thoughts, and consultancy services, be sure to check out poutsma-principles.com...
This Week in Spring - July 15th, 2025
Hi, Spring fans! It's already the 15th of July! We're closer to 2026 than we are to 2024. And time's sure flying. Like I will, tomorrow. I'll be flying to Denver for the amazing UBERCONF software show! I'll be doing a workshop and two talks, and if you're there, I hope you'll come say "hi"! Let's...
Authentication Leak On Redirect With Reactor Netty HTTP Client
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects...
A Bootiful Podcast: API oracle Arjen Poutsma
Hi, Spring fans! In this edition, I had the pleasure of chatting with the brilliant Arjen Poutsma, our go-to API oracle. If you’re curious about his fantastic insights, thoughts, and consultancy services, be sure to check out poutsma-principles.com...
This Week in Spring - July 8th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I write this having spent a wonderful week in paradise (Bora Bora, French Polynesia, to be precise) with my partner Tam Mie. We were so very sad to have to say goodbye. But that means I'm officially back at my desk, with nary a...
A Bootiful Podcast: Dr. Heinz Kabutz, a legendary Java Champion, teacher, and author of the Java Specialists newsletter!
Hi, Spring fans! In this installment, I talk to Dr. Heinz Kabutz, a legendary Java Champion, trainer, teacher, and author of the Java Specialists newsletter! This episode was recorded live at Devoxx UK 2025...
This Week in Spring - July 1st, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's July!! This week, I'm on PTO, and as always, I'm looking for good reading material on the plane ride over for my holiday. Thank goodness for the ever-vibrant and awesome Spring community; there's tons of stuff to dive...
A Bootiful Podcast: DevOps and AI luminary Patrick Debois
Hi, Spring, cloud native, and AI fans! In this installment, I had the opportunity to briefly sit down and talk with DevOps and AI luminary Patrick Debois, from the amazing Devoxx UK 2025 show...
This Week in Spring - June 24th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! We're in the middle of June already! And you know what that means? Warm weather, fun, and of course: the amazing SpringOne event in lovely Las Vegas, NV! The content catalog went live today! I'll be there doing, among other...
A Bootiful Podcast: Micrometer.io lead Tommy Ludwig on the latest-and-greatest in observability for the Spring developer
Hi, Spring fans! In this episode, I talk to Micrometer.io lead Tommy Ludwig on the latest-and-greatest in observability for the Spring developer...
This Week in Spring - June 17th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! We're in the middle of June already! And you know what that means? Warm weather, fun, and of course: the amazing SpringOne event in lovely Las Vegas, NV! The content catalog went live today! I'll be there doing, among other...
RFD Attack via “Content-Disposition” Header Sourced from Request
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an...
A Bootiful Podcast: The legendary Daniel Garnier-Moiroux on security, AI, MCP, and more
Hi, Spring fans! In this installment I talk to the legendary Daniel Garnier-Moiroux on security, AI, MCP, and more, recorded live at Devoxx UK 2025...
This Week in Spring - June 10th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's been a busy week indeed since we last spoke! Last week I was in Amsterdam for the IntelliJ IDEA conference and for the JSpring event in Utrecht. Now, I'm in Tokyo, Japan, for the JJUG Spring 2025 event. Importantly: both...
A Bootiful Podcast: IntelliJ IDEA lead Aleksey Stukalov
Hi, Spring fans! In this installment I talk to IntelliJ IDEA lead Aleksey Stukalov...
This Week in Spring - June 3rd, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I just finished recording my session with IntelliJ IDEA project lead Aleksey Stukalov about all the amazing features coming to IntelliJ IDEA to better support Java, Kotlin, and Spring developers. It went off without a hitch...
A Bootiful Podcast: Java community legend Victor Rentea
Hi, Spring fans! In this installment we talk to the legendary Victor Rentea. This episode was recorded live at Devoxx UK 2025...
This Week in Spring (AI) - May 27th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! This time, I'm talking to you after an insane week behind me. Last week I flew from San Francisco to Stockholm, Sweden where I was the speaker for the JForum event, a monthly meetup. Spring drew the largest audience to JForum...
Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies...
Repository Vector Search Methods
The emergence of Large Language Models (LLM) has propelled Generative AI and surfaced one of its key components to a broad audience: Embeddings. Embeddings are a vector representation of data in a high-dimensional space capturing their semantic meaning. Vector representations allow for more efficie...
Spring Data Ahead of Time Repositories
In the past couple of years we have seen heavy investment throughout the Java ecosystem to reduce application startup times. The main focus gravitates around Ahead-of-Time optimizations. May it be condensing code into a GraalVM native executable, capturing already optimized bytecode with...
A Bootiful Podcast: Spring IO founder Sergi Almar on Spring IO 2025
Hi, Spring and Spring I/O fans! In this installment we have the privilege of chatting with friend of the community and legend Sergi Almar about the amazing Spring IO 2025, where this episode was published, and a lot more...
Your First Spring AI 1.0 Application
By Dr. Mark Pollack, Christian Tsolov, and Josh Long. Hi, Spring fans! Spring AI is live on the Spring Initializr and everywhere fine bytes might be had. Ask your doctor if AI is right for you! It's an amazing time to be a Java and Spring developer. There's nev...
A Bootiful Podcast: This Week in Spring (AI) - May 20th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm in sunny Stockholm, Sweden for the JForum 123 installment. This is, apparently, the first time the meetup is completely full up since before the pandemic, with more than 150 people in attendance! Tak,...
MCP Authorization in practice with Spring AI and OAuth2
Last month, we explored how to secure Spring AI MCP Servers with the OAuth2 authorization framework. In the conclusion of that article, we mentioned we'd explore using standalone Authorization Servers for MCP Security and deviate from the then-current specification. Since we published the articl...
Spring Security authorization bypass for method security annotations on private methods
Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: In that case, the target method may be able to be invoked without proper authorization. You...
A Bootiful Podcast: Donald Raab on Eclipse Collections
Hi, Spring fans! In this edition, we talk to Eclipse Collections founder Donald Raab...
Spring Framework DataBinder Case Sensitive Match Exception (2nd update)
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks...
This Week in Spring - May 13th, 2025
Hi, Spring fans! As I write this, I'm at the amazing Code Remix event in Miami (well, technically Tampa, Florida). I'll also be speaking at the Tampa JUG while I'm there, so look out! After that, I'll be headed back to Europe—a wee bit further north this time—to Stockholm for the amazing JForum...
Spring gRPC Promoted!
It's a few months since we had a blog about Spring gRPC that wasn't just a release announcement. This one marks the first release since the project was promoted from experimental to a full member of the Spring Portfolio. This doesn't change the way you consume the project, but it has some...
A Bootiful Podcast: V Körbes on security from the platform on up
Hi, Spring fans! In today's extra special installment I talk to Broadcom's V Körbes who works on security above and below the application...
This Week in Spring - May 6th, 2025
Hi, Spring fans! As I write this, I'm winging my way to lovely London, UK, for the amazing Devoxx UK event! I'll be looking at the wide and wonderful world of Springdom. Then, from there, it's off to Code Remix in Miami. I'll also be speaking at the Tampa JUG while I'm there, so look out! After...
Dynamic Tool Updates in Spring AI's Model Context Protocol
The Model Context Protocol (MCP) is a powerful feature in Spring AI that enables AI models to access external tools and resources through a standardized interface. One interesting capability of MCP is its ability to dynamically update available tools at runtime. This blog post explores how Spring...
A Bootiful Podcast: Spring instructor Mary Ellen Bowman
Hi, Spring fans! In this installment I talk to Mary Ellen Bowman, a legendary Spring instructor!...
A Bootiful Podcast: Java Champion, Tessl Devrel head, friend, Virtual JUG co-founder Simon Maple
Hi, Spring fans! In this episode, we catch up with Java Champion, Tessl Devrel head, Virtual JUG co-founder, and friend Simon Maple! This episode was recorded at the amazing ArcOfAI conference held in amazing Austin, TX!...
Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
EndpointRequest.to() creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You are not affected if any of the following is true:...
Spring Security BCryptPasswordEncoder maximum password length breaks timing attack mitigation
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider...
This Week in Spring - April 22nd, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring, which I'm writing from magnificent Minneapolis, Minnesota, where I'm recording an amazing Frontend Masters course introducing Spring Boot. I love this article introducing Spring AI in JavaPro magazine Want to run an LLM...
A Bootiful Podcast: 'Mr. Apache' Jeff Genender
Hi, Spring fans! In this episode I'm joined by well-known member of the Java community Jeff Genender, whose contributions to Apache over the decades have driven several key projects with which you're no doubt familiar...
This Week in Spring - April 15th, 2025
Spring AI M7 is here! This new release includes a bunch of awesome new features! And some refactorings. Notably that the Spring AI auto-configuration has changed from a single monolithic artifact to individual auto-configuration artifacts per model, vector store, and other components. This change...
Prompt Engineering Techniques with Spring AI
This blog post demonstrates practical implementations of Prompt Engineering techniques using Spring AI. The examples and patterns in this article are based on the comprehensive Prompt Engineering Guide that covers the theory, principles, and patterns of effective prompt engineering. The blog show...
A Bootiful Podcast: Wiremock's leaders Lee Turner and Tom Akehurst
Hi, Spring fans! In this installment we talk to Wiremock's leaders Lee Turner and Tom Akehurst...
This Week in Spring - April 8th, 2025
Hi, Spring fans! How are ya? I'm doing fine. Excited, even. You see, Spring AI M7 is coming soon! In theory, it drops on Thursday. Don't hold us to that — these things can change :-) But soon, and it's turning out to be a whopper of a release! You should try upgrading your application to the new ...
Spring Cloud Config Server May Not Use Vault Token Sent By Clients
Spring Cloud Config Server may not use Vault token sent by clients using an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: In this case the SessionManager persists the first token it retrieves and will continue to use that...
Using Spring AI 1.0.0-SNAPSHOT: Part 2 - Important Changes and Updates
This blog post is a continuation of our previous article Using Spring AI 1.0.0-SNAPSHOT: Important Changes and Updates, where we introduced the significant changes to artifact IDs, dependency management, and autoconfiguration ...