Upgrade to Spring Boot 4.0, Hibernate 7, Liquibase 5, Jackson 3

[krusche]

Summary

• Spring Boot: 3.5.x → 4.0.2 (includes Spring Framework 7, Tomcat 11, Spring Security 7)
• Hibernate ORM: 6.6.x → 7.2.1 (managed by Spring Boot BOM)
• Liquibase: 4.33.0 → 5.x (via new spring-boot-starter-liquibase)
• Jackson: 2.x → 3.x (tools.jackson packages)

Migration Details

Build changes

• Renamed starters: spring-boot-starter-web → spring-boot-starter-webmvc, oauth2-client → security-oauth2-client, oauth2-resource-server → security-oauth2-resource-server
• Replaced org.liquibase:liquibase-core with spring-boot-starter-liquibase
• Added spring-boot-starter-webmvc-test for MockMvc support in tests

Source code changes

• Migrated Jackson imports from com.fasterxml.jackson to tools.jackson namespace
• Migrated @Nullable/@NonNull from org.springframework.lang to org.jspecify.annotations
• Updated AutoConfigureMockMvc import for Spring Boot 4.0 modular package structure
• Fixed Hibernate 7 stricter schema validation (keywords column nullability in Thesis entity)
• Replaced deprecated JsonNode.asText() with asString()

Test plan

• All 149 server tests pass
• Checkstyle and Spotless checks pass
• Server starts successfully with local Docker (Keycloak + PostgreSQL)
• Health check endpoint returns 200
• Test on dev server with full Keycloak integration
• Verify client application works correctly with updated API responses

Summary by CodeRabbit

• Chores

  • Upgraded Spring Boot and Gradle wrapper; simplified build wrapper scripts.
  • Updated web, security, and database migration starters to align with the new platform.

• Bug Fixes

  • Improved error responses and handling for malformed requests.
  • Enforced non-nullable keywords to strengthen data integrity.

• Refactor

  • Strengthened ID/topic type handling and validation to reduce parsing errors.

• Tests

  • Aligned test JSON parsing/serialization with updated libraries.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Upgrade Spring Boot and Gradle, replace several starters, migrate Jackson usage to tools.jackson with corresponding test API changes, change topic/previous ID handling from String to UUID with validation, rename ErrorDto factory and widen its parameter, tighten an entity column nullability, and simplify Gradle wrapper scripts.

Changes

Cohort / File(s)	Summary
Build & Gradle configuration server/build.gradle, server/gradle/wrapper/gradle-wrapper.properties	Bump Spring Boot plugin 3.5.10 → 4.0.2; replace starters (web → spring-boot-starter-webmvc, OAuth2 starters → spring-boot-starter-security-oauth2-client & spring-boot-starter-security-oauth2-resource-server, liquibase-core → spring-boot-starter-liquibase); add spring-boot-starter-webmvc-test. Update Gradle wrapper distro 9.2.1 → 9.3.1.
Gradle wrapper scripts server/gradlew, server/gradlew.bat	Removed explicit CLASSPATH initialization and removed -classpath argument from Java invocation; wrapper relies on wrapper JAR for classpath handling.
Exception handling & error DTO server/src/main/java/.../exception/ResponseExceptionHandler.java, server/src/main/java/.../dto/ErrorDto.java	ResponseExceptionHandler: replace jackson exceptions with tools.jackson.core.JacksonException, widen handler parameter types, and switch to ErrorDto.fromException(Exception) (renamed from fromRuntimeException). ErrorDto: rename factory and accept Exception, guard message extraction when null.
Jackson package & tests API server/src/test/java/.../*, server/src/main/java/.../exception/...	Switch imports from com.fasterxml.jackson.* → tools.jackson.* across tests and handler; change JsonNode.asText() → JsonNode.asString() where used; update MockMvc test import to org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc.
ID type changes and validation server/src/main/java/de/tum/cit/aet/thesis/repository/ApplicationRepository.java, server/src/main/java/de/tum/cit/aet/thesis/service/ApplicationService.java	Change previousIds and topics parameter types from Set<String> → Set<UUID>; ApplicationService now parses incoming String IDs into UUID via UUID.fromString and throws ResourceInvalidParametersException on invalid values.
Entity nullability server/src/main/java/de/tum/cit/aet/thesis/entity/Thesis.java	Made keywords column non-nullable (nullable = false, retains columnDefinition = "text[]").
Nullability annotations server/src/main/java/de/tum/cit/aet/thesis/security/JwtAuthConverter.java	Replaced Spring @NonNull/@Nullable imports with JSpecify @NonNull/@Nullable; no behavior changes.
Tests — specific files updated server/src/test/java/de/tum/cit/aet/thesis/controller/ApplicationControllerTest.java, .../ThesisControllerTest.java, .../ThesisControllerAdditionalTest.java, .../UserControllerTest.java, .../keycloak/BaseKeycloakIntegrationTest.java, .../mock/BaseIntegrationTest.java	Multiple tests updated to use tools.jackson.databind.*, use JsonNode.asString() for value extraction, and adjust MockMvc config import. Minor parsing adjustments where UUIDs are read from responses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 1.49% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main objective—upgrading major dependencies (Spring Boot 4.0, Hibernate 7, Liquibase 5, Jackson 3)—and aligns with the extensive build and source migrations detailed in the PR.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/major-dependency-updates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

server/src/main/java/de/tum/cit/aet/thesis/security/JwtAuthConverter.java (1)

33-35: ⚠️ Potential issue | 🟡 Minor

Potential NPE: Converter.convert() is @Nullable.

jwtGrantedAuthoritiesConverter.convert(jwt) can return null per the Converter contract. Calling .stream() directly on line 34 would throw an NPE. In practice JwtGrantedAuthoritiesConverter always returns a non-null collection, but it's safer to guard against the contract.

Proposed fix

 	public AbstractAuthenticationToken convert(`@NonNull` Jwt jwt) {
+		var jwtAuthorities = jwtGrantedAuthoritiesConverter.convert(jwt);
 		Collection<GrantedAuthority> authorities = Stream.concat(
-				jwtGrantedAuthoritiesConverter.convert(jwt).stream(),
+				jwtAuthorities != null ? jwtAuthorities.stream() : Stream.empty(),
 				extractResourceRoles(jwt).stream()).collect(Collectors.toSet());

🤖 Fix all issues with AI agents

In `@server/src/main/java/de/tum/cit/aet/thesis/service/ApplicationService.java`:
- Line 134: topicsFilter creation uses UUID::fromString which will throw
IllegalArgumentException for malformed values; update the logic in
ApplicationService where topicsFilter is built to validate or catch parsing
errors (wrap the stream mapping in a try/catch or validate each topic before
mapping) and on invalid UUIDs convert the error to a controlled domain/HTTP
error (e.g., throw a BadRequestException or a custom InvalidRequestException)
instead of allowing a 500; reference the topicsFilter variable and the
UUID::fromString mapping when making the change.

🧹 Nitpick comments (5)

server/src/test/java/de/tum/cit/aet/thesis/mock/BaseIntegrationTest.java (1)

271-271: Inconsistent UUID parsing pattern compared to other test files.

These two lines use .asString().transform(UUID::fromString) while every other file in this PR uses UUID.fromString(node.asString()). Consider aligning for consistency.

Suggested diff

-		return objectMapper.readTree(response).get("topicId").asString().transform(UUID::fromString);
+		return UUID.fromString(objectMapper.readTree(response).get("topicId").asString());

-		return objectMapper.readTree(response).get("thesisId").asString().transform(UUID::fromString);
+		return UUID.fromString(objectMapper.readTree(response).get("thesisId").asString());

Also applies to: 297-297

server/src/main/java/de/tum/cit/aet/thesis/entity/Thesis.java (1)

112-137: Pre-existing: seven EAGER @OneToMany collections on a single entity.

Not introduced by this PR, but worth noting: every Thesis load fetches roles, proposals, assessments, presentations, feedback, files, and states eagerly. This can cause significant N+1 / Cartesian product issues, especially with Hibernate 7's stricter fetch semantics. Consider migrating to LAZY with entity graphs or fetch joins in a follow-up.

server/build.gradle (1)

69-70: Empty version strings on logback dependencies.

These resolve via the Spring Boot BOM, which is fine, but the trailing colon with no version is an unusual pattern. The more conventional approach when relying on the BOM is to omit the version segment entirely.

Suggested cleanup

-	implementation "ch.qos.logback:logback-classic:"
-	implementation "ch.qos.logback:logback-core:"
+	implementation "ch.qos.logback:logback-classic"
+	implementation "ch.qos.logback:logback-core"

server/src/main/java/de/tum/cit/aet/thesis/service/ApplicationService.java (1)

41-41: Collectors import can be avoided with Stream.toList() pattern (Java 16+).

Since you're on Java 25, you could use Collectors.toUnmodifiableSet() or keep as-is. Minor nit — no action required.

server/src/main/java/de/tum/cit/aet/thesis/exception/ResponseExceptionHandler.java (1)

32-37: StreamReadException is redundant — it's a subclass of JacksonException.

In Jackson 3.x, StreamReadException extends JacksonException. Catching both means StreamReadException.class is already covered by JacksonException.class. You can simplify:

Remove redundant exception type

 	`@ExceptionHandler`({
 			ParseException.class,
 			ResourceInvalidParametersException.class,
-			StreamReadException.class,
 			JacksonException.class,
 	})

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

server/build.gradle (1)

78-83: ⚠️ Potential issue | 🟡 Minor

Remove the redundant spring-boot-starter-test declaration and migrate the still-needed xmlunit-core exclusion.

Spring Boot 4.0.2 no longer includes junit-vintage-engine or android-json in spring-boot-starter-test, making those exclusions obsolete. However, xmlunit-core (2.10.4) is still present. Since spring-boot-starter-webmvc-test already brings spring-boot-starter-test transitively, the explicit declaration at line 78 is redundant. Move the xmlunit-core exclusion to the remaining dependency:

Recommended fix

-	testImplementation("org.springframework.boot:spring-boot-starter-test") {
-		exclude group: "org.junit.vintage", module: "junit-vintage-engine"
-		exclude group: "com.vaadin.external.google", module: "android-json"
-		exclude group: "org.xmlunit", module: "xmlunit-core"
-	}
-	testImplementation "org.springframework.boot:spring-boot-starter-webmvc-test"
+	testImplementation("org.springframework.boot:spring-boot-starter-webmvc-test") {
+		exclude group: "org.xmlunit", module: "xmlunit-core"
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/build.gradle` around lines 78 - 83, Remove the redundant explicit
testImplementation("org.springframework.boot:spring-boot-starter-test")
declaration and migrate the xmlunit-core exclusion onto the remaining
testImplementation "org.springframework.boot:spring-boot-starter-webmvc-test"
dependency; specifically delete the explicit spring-boot-starter-test block and
add an exclude group: "org.xmlunit", module: "xmlunit-core" to the
spring-boot-starter-webmvc-test dependency so xmlunit-core is still excluded
while relying on the transitive starter.

🧹 Nitpick comments (2)

server/build.gradle (2)

9-9: Consider replacing io.spring.dependency-management with Gradle's native BOM support.

A Spring Boot 4.0.2-focused best-practices guide marks id("io.spring.dependency-management") as no longer necessary and recommends replacing it with implementation(platform(SpringBootPlugin.BOM_COORDINATES)). Gradle has had native BOM platform support since 5.0, and the Spring Boot Gradle plugin exposes a BOM_COORDINATES constant that removes the need for the dependency-management shim entirely. This isn't a blocker for 4.0.2, but it removes one layer of dependency resolution magic and aligns with current Spring Boot guidance.

♻️ Proposed migration to native BOM platform

 plugins {
     // ...
     id "org.springframework.boot" version "4.0.2"
-    id "io.spring.dependency-management" version "1.1.7"
     // ...
 }

+import org.springframework.boot.gradle.plugin.SpringBootPlugin
+
 dependencies {
+    implementation platform(SpringBootPlugin.BOM_COORDINATES)
     implementation "org.springframework.boot:spring-boot-starter-data-jpa"
     // ... rest unchanged
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/build.gradle` at line 9, Replace the io.spring.dependency-management
plugin usage by switching to Gradle's native BOM platform: remove the id
"io.spring.dependency-management" plugin declaration and instead add the Spring
Boot BOM as a platform dependency using
implementation(platform(SpringBootPlugin.BOM_COORDINATES)); update the
buildscript/plugins block to rely on the Spring Boot Gradle plugin (referencing
SpringBootPlugin.BOM_COORDINATES) for BOM management and remove any
dependency-management-specific configuration remnants.

---

22-24: Merge the two springBoot {} blocks.

springBoot is configured in two separate closures: lines 22–24 set mainClass and lines 107–109 call buildInfo(). While Groovy DSL merges these at runtime today, keeping them split is an easy source of confusion during future edits (e.g., someone adds a property to one block unaware the other exists).

♻️ Proposed consolidation

-springBoot {
-	mainClass = "de.tum.cit.aet.thesis.ThesisManagementApplication"
-}
+springBoot {
+	mainClass = "de.tum.cit.aet.thesis.ThesisManagementApplication"
+	buildInfo()
+}

 // ... (remove the second block at lines 107-109)
-springBoot {
-	buildInfo()
-}

Also applies to: 107-109

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/build.gradle` around lines 22 - 24, The build uses two separate
springBoot { } closures; consolidate them into a single springBoot block that
sets mainClass = "de.tum.cit.aet.thesis.ThesisManagementApplication" and calls
buildInfo() so both configurations live together (remove the duplicate
springBoot closure). Locate the existing springBoot closures (the one
configuring mainClass and the one invoking buildInfo()) and merge their contents
into one closure to avoid split configuration.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/build.gradle`:
- Around line 38-44: The build declares a non-existent dependency
"spring-boot-starter-security-oauth2-client" which will break the build; replace
that artifact with the correct starter coordinate
"spring-boot-starter-oauth2-client" in the dependencies list (the line currently
containing spring-boot-starter-security-oauth2-client) and verify the project’s
Spring Boot version supports that starter (or adjust to the correct coordinate
for Spring Boot 4.0.x if different) so the dependency resolves from Maven
Central.

---

Outside diff comments:
In `@server/build.gradle`:
- Around line 78-83: Remove the redundant explicit
testImplementation("org.springframework.boot:spring-boot-starter-test")
declaration and migrate the xmlunit-core exclusion onto the remaining
testImplementation "org.springframework.boot:spring-boot-starter-webmvc-test"
dependency; specifically delete the explicit spring-boot-starter-test block and
add an exclude group: "org.xmlunit", module: "xmlunit-core" to the
spring-boot-starter-webmvc-test dependency so xmlunit-core is still excluded
while relying on the transitive starter.

---

Nitpick comments:
In `@server/build.gradle`:
- Line 9: Replace the io.spring.dependency-management plugin usage by switching
to Gradle's native BOM platform: remove the id "io.spring.dependency-management"
plugin declaration and instead add the Spring Boot BOM as a platform dependency
using implementation(platform(SpringBootPlugin.BOM_COORDINATES)); update the
buildscript/plugins block to rely on the Spring Boot Gradle plugin (referencing
SpringBootPlugin.BOM_COORDINATES) for BOM management and remove any
dependency-management-specific configuration remnants.
- Around line 22-24: The build uses two separate springBoot { } closures;
consolidate them into a single springBoot block that sets mainClass =
"de.tum.cit.aet.thesis.ThesisManagementApplication" and calls buildInfo() so
both configurations live together (remove the duplicate springBoot closure).
Locate the existing springBoot closures (the one configuring mainClass and the
one invoking buildInfo()) and merge their contents into one closure to avoid
split configuration.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java (1)

5-9: Add @JsonInclude(JsonInclude.Include.NON_EMPTY) to this DTO.

All DTOs in the project should carry this annotation to minimize payload size. Without it, a null message (which Exception.getMessage() can return) serialises as "message": null in the error response. Given the Jackson 3 migration in this PR, use the tools.jackson package.

♻️ Proposed fix

 package de.tum.cit.aet.thesis.dto;

 import java.time.Instant;
+import tools.jackson.annotation.JsonInclude;

+@JsonInclude(JsonInclude.Include.NON_EMPTY)
 public record ErrorDto(
 	Instant timestamp,
 	String message,
 	String exception
 ) {

Based on learnings: "Apply JsonInclude(JsonInclude.Include.NON_EMPTY) to all DTOs to minimize payload size by excluding null or empty values from JSON. Ensure consistent DTO design across the project."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java` around lines 5
- 9, Add the Jackson 3 JsonInclude annotation to the ErrorDto record to omit
null/empty fields from JSON: annotate the ErrorDto record declaration (the
record named ErrorDto) with `@JsonInclude`(JsonInclude.Include.NON_EMPTY) using
the Jackson 3 package import (tools.jackson.annotation.JsonInclude) so that null
message/exception fields are not serialized; add the corresponding import and
ensure the annotation sits directly above the ErrorDto record declaration.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java`:
- Line 13: The code calls error.getMessage() which may return null; update the
ErrorDto construction (where error.getMessage() is passed) to guard against null
by substituting a fallback (e.g. Objects.toString(error.getMessage(),
error.toString()) or
Optional.ofNullable(error.getMessage()).orElse(error.getClass().getName())) so
the DTO always carries a useful, non-null message; locate the usage in
ErrorDto.java (the ErrorDto constructor/initialiser that currently passes
error.getMessage()) and replace with the null-safe expression.

---

Nitpick comments:
In `@server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java`:
- Around line 5-9: Add the Jackson 3 JsonInclude annotation to the ErrorDto
record to omit null/empty fields from JSON: annotate the ErrorDto record
declaration (the record named ErrorDto) with
`@JsonInclude`(JsonInclude.Include.NON_EMPTY) using the Jackson 3 package import
(tools.jackson.annotation.JsonInclude) so that null message/exception fields are
not serialized; add the corresponding import and ensure the annotation sits
directly above the ErrorDto record declaration.

[coderabbitai]

🧹 Nitpick comments (1)

server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java (1)

5-9: Add @JsonInclude(JsonInclude.Include.NON_EMPTY) to this record.

Per project convention, all DTOs should carry this annotation to minimize payload size.

♻️ Proposed fix

+import tools.jackson.annotation.JsonInclude;
 import java.time.Instant;
 
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
 public record ErrorDto(
 	Instant timestamp,
 	String message,
 	String exception
 ) {

Based on learnings: "Apply JsonInclude(JsonInclude.Include.NON_EMPTY) to all DTOs to minimize payload size by excluding null or empty values from JSON."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java` around lines 5
- 9, The ErrorDto record is missing the Jackson annotation to exclude null/empty
fields; add the `@JsonInclude`(JsonInclude.Include.NON_EMPTY) annotation above the
ErrorDto record declaration and import
com.fasterxml.jackson.annotation.JsonInclude so that Instant timestamp, message,
and exception fields are omitted from JSON when empty, following the DTO
convention used across the project.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/src/main/java/de/tum/cit/aet/thesis/dto/ErrorDto.java`:
- Around line 5-9: The ErrorDto record is missing the Jackson annotation to
exclude null/empty fields; add the `@JsonInclude`(JsonInclude.Include.NON_EMPTY)
annotation above the ErrorDto record declaration and import
com.fasterxml.jackson.annotation.JsonInclude so that Instant timestamp, message,
and exception fields are omitted from JSON when empty, following the DTO
convention used across the project.