Rob Winch
rwinch.github.io
Open source enthusiast; Project Lead for Spring Security
I've done a lot of cleanup on #SpringSecurity MFA support this past week. The updates (along with improved docs) can be seen in the reference docs.spring.io/spring-secur...
docs.spring.io
October 10, 2025 at 9:34 PM
#SpringSecurity 7 added MFA support docs.spring.io/spring-secur...

tldr: Add the following to require both password and one-time token

```java
@EnableGlobalMultiFactorAuthentication(authorities = {
    GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
    GrantedAuthorities.FACTOR_OTT_AUTHORITY })
```
Adaptive Authentication :: Spring Security
docs.spring.io
September 30, 2025 at 9:38 PM
Exciting News! Spring Authorization Server is moving to #SpringSecurity 7.0

spring.io/blog/2025/09...
Spring Authorization Server moving to Spring Security 7.0
spring.io
September 11, 2025 at 5:11 PM
Ever wanted to be able to change how the built-in #SpringSecurity hasRole, hasAuthority, etc. methods work but continue to use the existing DSL? Enter AuthorizationManagerFactory.... docs.spring.io/spring-secur...

Thanks x.com/sjohnr for your PR github.com/spring-proje...
Authorization Architecture :: Spring Security
docs.spring.io
September 9, 2025 at 8:47 PM
Reposted by Rob Winch
Neat episode of a Bootiful Podcast from @starbuxman.joshlong.com with @rwinch.github.io, the lead of @spring.io Security. Great insights on how the design and product decisions are made in an OSS project, and the timeframes for these.

podcasts.apple.com/gb/podcast/s...
Spring Security lead Rob Winch on Spring Security 7.0, SpringOne 2025, and more
Podcast Episode · A Bootiful Podcast · 31/07/2025 · 44m
podcasts.apple.com
August 4, 2025 at 6:15 AM
Just pushed support for Spring Security OAuth + Interface REST Client integration docs.spring.io/spring-secur...

#SpringFramework #SpringSecurity
HTTP Interface Integration :: Spring Security
docs.spring.io
June 17, 2025 at 6:34 PM
I'll be presenting "Secure All The Things With Spring Security" with @starbuxman.joshlong.com at #SpringOne #VMwareExplore

I hope to see you there!

event.vmware.com/flow/vmware/...
Content Catalog | Las Vegas | VMware Explore
event.vmware.com
June 17, 2025 at 6:09 PM
Reposted by Rob Winch
Anyone have any realistic use of Java's Scoped Values they can share? Yes, I know it's still a preview feature, but I can hope there are some eager people out there.
April 25, 2025 at 2:34 AM
Interesting post infosec.exchange/@briankrebs/...

- AI bots are used to commit financial aid fraud at universities
- rise in bots enrolling prevents some students from registering for classes
- teachers worry when the bots drop (after bot gets aid) it might cause them to lose their job
April 18, 2025 at 5:08 PM
I'm glad to see that funding for the CVE program has been extended www.bleepingcomputer.com/news/securit...

I'm interested to see what happens with the foundation going forward.

tldr - CVE Program funding was going to expire, foundation was set up to preserve it, CVE Program funding was extended
April 16, 2025 at 2:17 PM
Trying macOS again. Key binding suggestions for moving window left/right/top/bottom half screen, full screen, to next/previous display, & to next/previous "spaces" (desktops or in Linux it was workspace)? Ideally bindings use arrows, are similar to each other, and don't collide with default bindings
March 21, 2025 at 3:23 PM
It's frustrating when authenticating to a website (e.g. website.com) to be redirected to an external domain (e.g. website.idp.com) & expect website.com's credentials. Shame on both the website & the IdPs that follow this practice which primes users to be phished.
March 3, 2025 at 7:41 PM
I'm not speaking @devnexus.bsky.social this year, but I'm going as an attendee. If you will be there, I'd love to meet up. Hope to see you there!
February 5, 2025 at 6:35 PM
Linux user trying to figure out macOS - How can I have the menu bar & Dock on all displays AND have "Displays have separate Spaces" unchecked?

NOTE: I do not want separate spaces per display because then I have to switch a space per display. I prefer that switching spaces updates all monitors at once.
January 13, 2025 at 4:52 AM
Reposted by Rob Winch
Why You Probably Don't Need A VPN To Stay Secure On Public Wi-Fi
You've probably heard advice about how hackers can steal all your sensitive information if you don't use a VPN on public Wi-Fi, but is that actually true? In...
www.youtube.com
January 9, 2025 at 4:56 AM
I'm very excited that @spring.io is switching from a Contributor License Agreement to a Developer Certificate of Origin!

We're looking forward to seeing more & simplified contributions from you! If you have any questions, reach out to us in our issue trackers.

spring.io/blog/2025/01...
Hello DCO, Goodbye CLA: Simplifying Contributions to Spring
spring.io
January 6, 2025 at 10:48 PM
Fantastic news to see the @antora.org collector has hit GA!
@spring.io you may be interested in upgrading to the final release. We've tested it extensively and are confident the upgrade should go smoothly.
More than 2 years after the initial alpha, Antora Collector 1.0.0 is finally available! A key reason the release was held up was to release with full docs.

This extension allows you to run external commands and import additional files into the content aggregate.

docs.antora.org/collector-ex...
December 5, 2024 at 3:45 PM
Good advice for protecting against / recovering Hijacked Gmail (& other) Accounts

www.forbes.com/sites/daveyw...

- Set up recovery phone & email for your account
- For Gmail, if attacker changes your recovery phone number, then you have 7 days to use that original number to regain control
Gmail Takeover Hack Attack—Google Warns You Have Just 7 Days To Act
As Gmail users complain hackers have compromised accounts, changing passwords and passkeys in the process, Google advises they have 7 days to regain control—here’s how.
www.forbes.com
December 5, 2024 at 3:41 PM
Reposted by Rob Winch
President Biden's deputy natsec advisor for cyber and emerging tech Anne Neuberger told reporters that Chinese hackers got into (at least) 8 U.S. telcos in a broad spying campaign that affected "dozens of countries" since it began.

The latest on All Things Considered: www.npr.org/2024/12/04/n...
www.npr.org
December 4, 2024 at 11:05 PM
I changed my username to rwinch.github.io so that I had a verified domain with a username that I'm well known by.

How did I do it?
How to verify your Bluesky account - Bluesky
Here's how to verify your Bluesky account by setting your website as your username.
bsky.social
December 4, 2024 at 8:08 PM
China is hacking US telcos, so stop using SMS

- Use 3rd party apps that do end-to-end encryption (e.g. WhatsApp)
- RCS iPhone <-> Android is not encrypted
- Use a phone that auto-updates in a timely fashion
- Use MFA

www.forbes.com/sites/zakdof...

HT @starbuxman.joshlong.com
FBI Warns iPhone And Android Users—Stop Sending Texts
US officials urge citizens to use encrypted messaging and calls wherever they can—here’s what you need to know.
www.forbes.com
December 4, 2024 at 6:40 PM
x.com
December 4, 2024 at 3:50 PM