Upgrade tunnel-server to Spring Boot 3.5.11 to pull patched Spring Security/Tomcat dependencies

tunnel-server/pom.xml

@@ -12,9 +12,12 @@
 	<url>https://github.com/alibaba/arthas</url>
 
 	<properties>
-		<maven.compiler.target>1.8</maven.compiler.target>
-		<maven.compiler.source>1.8</maven.compiler.source>
-		<java.version>1.8</java.version>
+		<maven.compiler.target>17</maven.compiler.target>
+		<maven.compiler.source>17</maven.compiler.source>
+		<java.version>17</java.version>
+		<spring-boot.version>3.5.11</spring-boot.version>
+		<slf4j.version>2.0.17</slf4j.version>
+		<logback.version>1.5.32</logback.version>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 	</properties>
@@ -36,6 +39,21 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
+			<dependency>
+				<groupId>org.slf4j</groupId>
+				<artifactId>slf4j-api</artifactId>
+				<version>${slf4j.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 

tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java

@@ -2,9 +2,11 @@
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 
 import com.alibaba.arthas.tunnel.server.app.configuration.ArthasProperties;
 
@@ -14,17 +16,20 @@
  *
  */
 @Configuration
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
     @Autowired
     ArthasProperties arthasProperties;
-    @Override
-    protected void configure(HttpSecurity httpSecurity) throws Exception {
-        httpSecurity.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest()
-        .permitAll().and().formLogin();
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+        httpSecurity.authorizeHttpRequests((authorize) -> authorize
+                .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
+                .anyRequest().permitAll()).formLogin(Customizer.withDefaults());
         // allow iframe
         if (arthasProperties.isEnableIframeSupport()) {
-            httpSecurity.headers().frameOptions().disable();
+            httpSecurity.headers((headers) -> headers.frameOptions((frameOptions) -> frameOptions.disable()));
         }
+        return httpSecurity.build();
     }
-}
+}

tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/DetailAPIController.java

@@ -7,7 +7,7 @@
 import java.util.Map;
 import java.util.Set;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/web/ProxyController.java

@@ -7,7 +7,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.slf4j.Logger;