  • Spring Security OAuth 1.0.5.RELEASE available

    Just a quick note to tell everyone that 1.0.5 is out (has been for a couple of weeks actually). It had some bug fixes for 1.0.3 and 1.0.4, so upgrade if you can, but there's nothing new. The main change to be aware of is that a potential attack is avoided where a bad guy spoofs a client by using a URL with a different host but whose URL starts with the registered URL (the attack is only possible if redirect URIs are formed of only protocol and host name, and also if the bad guy has the client secret).
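
Added example, not part of the original post and not the project's own code: the redirect URI check described in the announcement, with a plain prefix comparison beside a component-wise comparison. The class and method names and the `client.example` URLs are constructed for illustration.

```java
import java.net.*;

public class RedirectMatchDemo {
    // Weak form: plain string prefix test against the registered value.
    static boolean prefixMatch(String requested, String registered) {
        return requested.startsWith(registered);
    }

    // Stricter form: parse both URIs and compare scheme, host and port as
    // components; the requested path may only extend the registered path.
    static boolean componentMatch(String requested, String registered) {
        URI req, reg;
        try {
            req = new URI(requested).normalize();
            reg = new URI(registered).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (req.getScheme() == null || reg.getScheme() == null || req.getHost() == null
                || reg.getHost() == null || req.getUserInfo() != null) {
            return false; // relative, opaque, or carrying user-info
        }
        return req.getScheme().equalsIgnoreCase(reg.getScheme())
                && req.getHost().equalsIgnoreCase(reg.getHost())
                && port(req) == port(reg)
                && pathWithin(req.getRawPath(), reg.getRawPath());
    }

    // Explicit port if present, otherwise the scheme default.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443
             : "http".equalsIgnoreCase(u.getScheme()) ? 80 : -1;
    }

    // A registration with no path (protocol and host only) accepts any path.
    static boolean pathWithin(String path, String base) {
        if (base == null || base.isEmpty() || base.equals("/")) return true;
        if (path == null) return false;
        String prefix = base.endsWith("/") ? base : base + "/";
        return path.equals(base) || path.startsWith(prefix);
    }

    public static void main(String[] args) {
        String registered = "https://client.example"; // constructed sample
        for (String r : new String[] {"https://client.example/callback",
                "https://client.example.other.test/callback"}) { // second: different host
            System.out.println(r + " prefix=" + prefixMatch(r, registered)
                    + " component=" + componentMatch(r, registered));
        }
    }
}
```

With a registration made of only protocol and host name, the prefix test accepts both sample URLs, while the component-wise test accepts only the one whose parsed host equals the registered host.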

  • #2
    Could you publish the new version on Maven Central?



    • #3
      Originally posted by Dave Syer
      Just a quick note to tell everyone that 1.0.5 is out (has been for a couple of weeks actually).
      The maven repo referred to by the project's github page (https://github.com/SpringSource/spri...wiki/downloads) looks way out of date. Not even a 1.0.0 release, just RCs.



      • #4
        Seems like this is still not available in Maven Central. This renders us unable to upgrade.



        • #5
          Oops. Technically you could have used the SpringSource repo, so it has been publicly available all this time. I just pushed it to Central too.



          • #6
            Thank you. Much appreciated. I will look into how I can get our local Nexus instance into using the SpringSource repo reliably.



            • #7
              If it took a month for someone to notice, and another month for the fix, should the documentation be updated to reflect that the SpringSource repo is really the one we should use? I'd read the docs on the download page as "Go to Maven central, unless you want snapshots and [other non-release builds]".

              But please don't think I'm not grateful that it's fixed, and that it even exists! Thanks!
              Last edited by bkuker; Jul 19th, 2013, 08:03 AM.



              • #8
                I don't know why you would think the SpringSource repo has junk in it. I don't really want to insist that people use it either - Central is really the best place for Spring artifacts. So thanks for the suggestion, but I think we just need to be more disciplined and remember to push to the right repo when there is a release.



                • #9
                  Sorry! I meant "junk" as "other stuff" not "bad stuff".



                  • #10
                    What version of OAuth 2.0 is currently supported?
                    According to the wiki it is draft-31, but the standard has already been approved.
                    When is standard support planned?



                    • #11
                      Spring OAuth should meet or be close enough to the approved standard to be used as such (draft 31 was pretty late and the docs obviously need to be updated to reflect the current status). If you find any non-compliant behaviour we are open to patching to get as close as possible to the spec, but as you know it isn't a particularly strict specification and there's no standard test kit or anything, so sometimes there are issues that are open to interpretation.
