Is Geode impacted by the last RCE vulnerability in the Spring Framework - spring

Is Geode impacted by the last RCE vulnerability in the Spring Framework?
Vulnerability details:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Geode 1.14.2 has the below dependencies - should the Spring Framework used by Geode be upgraded to 5.3.18?
[1]: https://i.stack.imgur.com/U6Hi6.png

Please have a look at GEODE-10201, it contains the information you're looking for.
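
One way to inventory the Spring Framework jars in a lib directory against the 5.3.18 version the question asks about, as an added example that is not part of the original posts or of Geode. The jar names in the sample are constructed, and the module list, function names and `minimum` parameter are this example's own assumptions.

```python
import re

# Artifact names of common Spring Framework modules. Other spring-* projects
# (spring-security, spring-shell, ...) use their own version lines and are skipped.
FRAMEWORK_MODULES = {
    "spring-aop", "spring-aspects", "spring-beans", "spring-context",
    "spring-context-support", "spring-core", "spring-expression",
    "spring-jcl", "spring-jdbc", "spring-jms", "spring-messaging",
    "spring-orm", "spring-oxm", "spring-tx", "spring-web",
    "spring-webflux", "spring-webmvc", "spring-websocket",
}

# <artifact>[-<numeric version>[<qualifier such as .RELEASE or -SNAPSHOT>]]
STEM_RE = re.compile(
    r"^(?P<name>spring-[a-z-]+?)"
    r"(?:-(?P<ver>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9.-]+)?)?$"
)

def parse_version(text):
    """'5.3.18' -> (5, 3, 18) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit(jar_names, minimum="5.3.18"):
    """Return (module, version, status); status is 'ok', 'below' or 'unknown'."""
    floor = parse_version(minimum)
    findings = []
    for jar in sorted(jar_names):
        match = STEM_RE.match(jar[:-4]) if jar.endswith(".jar") else None
        if not match or match.group("name") not in FRAMEWORK_MODULES:
            continue
        ver = match.group("ver")
        if ver is None:
            status = "unknown"  # no version in the file name: check the manifest
        else:
            status = "ok" if parse_version(ver) >= floor else "below"
        findings.append((match.group("name"), ver, status))
    return findings

# Constructed sample listing (not the real contents of a Geode 1.14.2 lib directory).
SAMPLE_LIB = [
    "geode-core-1.14.2.jar", "spring-core-5.3.13.jar", "spring-beans-5.3.18.jar",
    "spring-web-5.2.9.RELEASE.jar", "spring-shell-1.2.0.RELEASE.jar",
    "spring-security-core-5.4.6.jar", "spring-expression.jar",
]

if __name__ == "__main__":
    for module, version, status in audit(SAMPLE_LIB):
        print(f"{status:8} {module} {version or '?'}")
```

To run it against a real installation, pass `os.listdir()` of the product's lib directory to `audit()`.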

Related

How To update Spring version in spring microservice

I am trying to update my Spring version to 2.7.3 for my existing Spring microservice project but
Your project setup is incompatible with our requirements due to following reasons:
Spring Boot [2.7.3] is not compatible with this Spring Cloud release train
Action:
Consider applying the following actions:
Change Spring Boot version to one of the following versions [2.4.x, 2.5.x] .
You can find the latest Spring Boot versions here [https://spring.io/projects/spring-boot#learn].
If you want to learn more about the Spring Cloud Release train compatibility, you can visit this page [https://spring.io/projects/spring-cloud#overview] and check the [Release Trains] section.
If you want to disable this check, just set the property [spring.cloud.compatibility-verifier.enabled=false]
I updated the Spring Cloud version to the latest one, but then it throws a Cloud Hystrix version compatibility issue. Can someone explain how to update the Spring version for an existing Spring Boot microservice project?
Thanks.

When will "Spring for GraphQL" be integrated in "Spring Boot 3"?

I know that Spring Boot 2.7 has an integration with Spring for GraphQL 1.0. However, I cannot find any information at which milestone of Spring Boot 3 the integration with GraphQL is scheduled. Any hint is appreciated.
There is no concrete, official plan right now but our intent is to have something out in time for Spring Boot 3.0. Spring for GraphQL just got out, so we're missing critical feedback to better understand the community.
Since Spring Boot 3.0 is a major version, most projects are also releasing major versions. This might be a bit too soon for Spring for GraphQL and we could consider a 1.1.0 with a limited amount of new features and target a 2.0 later in the 3.x line.
The situation is unusual, but as always the team is listening to the community. When it's official, the plan will materialize as a new milestone and/or in a blog post.
Update: there is now a scheduled 1.1.0 version to be released in time for Spring Boot 3.0

BPMN for spring boot 2

We have started a new project on the Spring stack and are using the latest versions. But we have a workflow requirement, and I used Activiti in the past. But as I see, there is no Spring Boot 2 support for Activiti and Camunda. Can anybody suggest which BPM is best that can be integrated with Spring Boot 2?
You will find a bunch of Spring Boot 2 starters in the Flowable GitHub repo.
The documentation explains step-by-step how to create a BPM-enabled Spring Boot application. There is also the blog post "The road to Spring Boot 2.0" that describes the improved support for Flowable within Spring Boot as part of the Flowable 6.3.0 release.
You ask for suggestions on which BPM is best. Well, I cannot be objective since I am part of the Flowable Team, but I can say that our Spring Boot implementation is pretty neat:
All engines are supported (BPMN, CMMN, DMN), both embedded and exposing their respective REST APIs.
There is an automatic configuration of Spring Security to use the Flowable IDM engine (in case no other custom security is configured).
There is no "EE" version of the starter. Flowable provides Spring Boot 2 support 100% Open Source.
The Spring Actuator integration is quite powerful.
Did I mention Open Source? ;-)
In order to get all the engines you would need to use the flowable-spring-boot-starter(-rest) dependency. The (-rest) needs to be used if you want the Flowable REST APIs to be automatically configured.
There is also the option to run the BPMN, CMMN or DMN engines in standalone mode. For that you would need one of the following dependencies:
flowable-spring-boot-starter-process(-rest)
flowable-spring-boot-starter-cmmn(-rest)
flowable-spring-boot-starter-dmn(-rest)
So, compare for yourself, but for me, it's pretty clear and of course I am open to discussion.
Activiti is working on Activiti Cloud, fully based on Spring Boot 2 and Spring Cloud Finchley (targeting Kubernetes deployments, but it can be used outside Kubernetes if that is not your thing), if you are looking for a BPMN runtime for Cloud Native applications. We are working hard on releasing the first Beta1 release at the moment, and we will very much welcome feedback about it. Hope this helps.
If you use the camunda-bpm-spring-boot-starter you can write self-contained services running the Camunda process engine with Spring Boot 2.

Spring Boot 2.x Metrics classes

I have started using Spring Boot 2.0.0-Snapshot and I see that all metric-related classes and interfaces do not exist?
Example:
The jar spring-boot-actuator-2.0.0.BUILD-SNAPSHOT.jar does not have the package
org.springframework.boot.actuate.metrics.writer at all
Are they moved to somewhere else?
In Spring Boot 2 the previous metrics implementation has been replaced by integration with Micrometer. From the release notes:
Spring Boot’s own metrics have been replaced with support, including auto-configuration, for Micrometer and dimensional metrics. You can learn more about Micrometer in its user manual and Spring Boot’s reference guide
I can't find any guide for migrating from 1.x Spring Boot Metrics to 2.x Spring Boot Metrics but this change is quite recent so I suspect any such docs are a TODO. In the meantime, you could perhaps dig into the Pull Request or follow the Spring Boot 2 docs ...
Micrometer provides a separate module for each supported monitoring system. Depending on one (or more) of these modules is sufficient to get started with Micrometer in your Spring Boot application. To learn more about Micrometer’s capabilities, please refer to its reference documentation.

Compatibility - Spring Security 4.2.2 with Spring 3.2.14

Our application currently uses JBoss Portal with JAAS as the authentication/authorization mechanism. The version of Spring we are currently using is 3.2.14. For various reasons we are unable to upgrade Spring right now.
We are going to be migrating to Spring Security shortly and are wondering if Spring Security 4.2.2 will be compatible with Spring 3.2.14. My thoughts are that since Spring Security is a separate project it should be OK?
I can't seem to find any information on the compatibility issues between major versions of Spring and major versions of Spring Security.
For Spring Security 4.2.2, the minimum recommended Spring version is 4.3.5.
This is stated in the SpringSecurityCoreVersion class which is located in the org.springframework.security.core package.
