Blog archive

Spring Authorization Server Set for November GA

The Spring Security team says it will release version 1.0 of its long-in-the-works Spring Authorization Server in November of this year.

The new authorization framework, which was announced in April 2020, provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specs. It's built on top of Spring Security, which is a highly customizable authentication and access-control framework. The result, say the project's leaders, is a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

This version of the framework will come with a full feature set (it's a long list), and the APIs have stabilized and matured since the project was launched, said Joe Grandja, Spring Security senior engineer, in a blog post. " A lot of effort and care was put into this project to ensure that it can grow and adapt over the next few years," he wrote.

Spring Authorization Server 1.0 will be based on Spring Security 6.0, which will be based on Spring Framework 6.0 (it takes a village). It will require a minimum of Java 17 at runtime, as well as a minimum of Tomcat 10 or Jetty 11 (for Jakarta EE 9 compatibility). Also, this release will inherit the VMware Tanzu OSS support policy Commercial support, which offers an extended support period, is also available from VMware.

When the project was first announced, the team was careful to give credit where credit was due regarding the projects Spring Authorization Server would effectively be replacing:

"Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects," Rob Winch, Spring Security project lead, wrote in a blog post at the time. "Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry installations. The Spring Security OAuth project has become a model project and is a testament to what our wonderful community can accomplish."

The need for the new framework emerged gradually. As Winch explained, the original support for OAuth open-standard authorization protocol was provided very early, and the team could not have anticipated the myriad ways in which it would need to be used. With the new framework, the team was able to address the needs of the entire Spring portfolio and provide a single cohesive OAuth library, Winch explained

The Spring Security team has posted the release schedule for the Spring Authorization Server on GitHub.

"Over the next couple of months, we will focus on fine-tuning the public APIs and enhancing the configuration model to allow for easier configuration and greater extensibility," Grandja said. "We will also make some minor API changes, resulting in breaking changes, which may require updates to consuming applications."

The Spring Framework continues to be one of the most popular programming and configuration models for building modern Java-based enterprise applications on any type of deployment platform. It's an open-source, layered Java/J2EE framework based on code published in SpringSource founder Rod Johnson's book Expert One-on-One Java EE Design and Development (Wrox Press, October 2002).

Posted by John K. Waters on August 22, 2022