Upgrade to Spring Boot 4.x Compatibility #868
Open: prachi-okta wants to merge 18 commits into master from spring-boot-4.0.0-compatibility
Update OAuth2 package imports and deprecated annotations for Spring Boot 4.x. Bump version to 3.1.0-SNAPSHOT.
- Update OAuth2 package paths to new Spring Boot 4.x locations
- Replace deprecated @EnableGlobalMethodSecurity with @EnableMethodSecurity
- Bump version to 3.1.0-SNAPSHOT for Spring Boot 3.5.x/4.x support
- Update spring-boot.version to 4.0.1 (latest GA)
BREAKING CHANGE: Requires Spring Boot 3.5.x or 4.x

- Add spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server dependencies
- Fix BearerTokenAuthenticationFilter import (moved to authentication subpackage)
- Fix BearerTokenAuthenticationToken import (moved to authentication subpackage)
- Replace ConditionalOnDefaultWebSecurity with ConditionalOnMissingBean (removed in Spring Boot 4.x)

…ependency
- Revert OAuth2 imports back to org.springframework.boot.autoconfigure.security.oauth2.*
- Add jackson-databind dependency for JSON processing
- Spring Boot 4.x appears to maintain the same package structure

- Add spring-boot-starter-classic for OAuth2 autoconfiguration
- Update OAuth2 package imports from org.springframework.boot.autoconfigure.security.oauth2.* to org.springframework.boot.security.oauth2.* (Spring Boot 4.x modular design)
- Replace DefaultAuthorizationCodeTokenResponseClient with RestClientAuthorizationCodeTokenResponseClient (Spring Security 7.x)
- Replace NimbusOpaqueTokenIntrospector with SpringOpaqueTokenIntrospector (Spring Security 7.x)

The spring-boot-starter-classic provides backward compatibility with the original org.springframework.boot.autoconfigure.security.oauth2.* packages. The new org.springframework.boot.security.oauth2.* packages don't exist.

- Replace spring-boot-starter-classic with:
  - spring-boot-starter-security-oauth2-client
  - spring-boot-starter-security-oauth2-resource-server
- Update OAuth2 package imports to org.springframework.boot.security.oauth2.*
- These are the correct module names for Spring Boot 4.x modular design

…ackages
Based on the Spring Boot 4.0 Migration Guide and Spring Boot source code:
OAuth2 Client:
- OAuth2ClientProperties: org.springframework.boot.security.oauth2.client.autoconfigure
- OAuth2ClientAutoConfiguration: org.springframework.boot.security.oauth2.client.autoconfigure
- ReactiveOAuth2ClientAutoConfiguration: org.springframework.boot.security.oauth2.client.autoconfigure.reactive
OAuth2 Resource Server:
- OAuth2ResourceServerProperties: org.springframework.boot.security.oauth2.server.resource.autoconfigure
- OAuth2ResourceServerAutoConfiguration: org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet
- ReactiveOAuth2ResourceServerAutoConfiguration: org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive
The Spring Boot 4.x modular design puts all auto-configuration in 'autoconfigure' sub-packages.

- Replace no-argument security methods with lambda DSL (exceptionHandling, oauth2Login, logout, oauth2Client, oauth2ResourceServer, authorizeExchange)
- Change authorizeRequests() to authorizeHttpRequests()
- Remove throws Exception from init() method signature
- Add commons-logging dependency for DeferredLog

Spring Boot uses jcl-over-slf4j bridge, so DeferredLog works without commons-logging directly.

- Wrap checked exceptions (MalformedURLException, IllegalAccessException) in try-catch in OktaOAuth2Configurer.init()
- Replace DeferredLog with SLF4J Logger in OktaOAuth2PropertiesMappingEnvironmentPostProcessor (DeferredLog requires commons-logging which is banned)

- Make OktaOAuth2PropertiesMappingEnvironmentPostProcessor public for test access
- Update ReactiveSecurityAutoConfiguration to ReactiveWebSecurityAutoConfiguration
- Update security autoconfigure imports to org.springframework.boot.security.autoconfigure
- Update reactive web context import to org.springframework.boot.web.context.reactive

- Convert all security configurations to use lambda DSL style (authorizeExchange, authorizeHttpRequests, oauth2ResourceServer, oauth2Client, oauth2Login, csrf)
- Update Java compiler target from 1.8 to 17 (required for Groovy 5.x)
- Remove Spring Security version overrides that caused version conflicts
- Add jcl-over-slf4j test dependency for Groovy compiler compatibility
- Update test expectations for Spring Security 7.x behavioral changes
Files updated:
- pom.xml: Java 17 target, removed spring-security version overrides
- oauth2/pom.xml: Added jcl-over-slf4j test dependency
- examples/*/: Lambda DSL for security configurations
- integration-tests/*/: Lambda DSL for security configurations
- oauth2/src/test/groovy/*/: Lambda DSL and test expectations

aniket-okta (Contributor) approved these changes on Jan 19, 2026 and left a comment:
LGTM 🚀
Summary
This PR upgrades okta-spring-boot to be compatible with Spring Boot 4.0.1 and Spring Security 7.0.2.
Breaking Changes
Changes
Dependency Updates
- spring-boot.version to 4.0.1
- spring-cloud.version to 4.2.0
- spring-boot-starter-security-oauth2-client
- spring-boot-starter-security-oauth2-resource-server
- spring-boot-security-oauth2-client
- spring-boot-security-oauth2-resource-server
- jcl-over-slf4j to replace banned commons-logging dependency
Package Path Updates
OAuth2 autoconfigure classes moved to new packages in Spring Boot 4.x:
- org.springframework.boot.autoconfigure.security.oauth2.* → org.springframework.boot.security.oauth2.*
Spring Security 7.x Migration
- HttpSecurity configuration methods:
  - .csrf().disable() → .csrf(csrf -> csrf.disable())
  - .authorizeHttpRequests().anyRequest().authenticated() → .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  - .exceptionHandling().authenticationEntryPoint() → .exceptionHandling(ex -> ex.authenticationEntryPoint())
- RestTemplate-based token response client with RestClientAuthorizationCodeTokenResponseClient
- BearerTokenResolver from DefaultBearerTokenResolver to HeaderBearerTokenResolver
Code Quality Fixes
- summary attribute with <caption> element)
- DeferredLog with SLF4J Logger (DeferredLog removed in Spring Boot 4.x)
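
The lambda DSL forms listed under the Spring Security 7.x migration, combined into one filter chain for a stateless JWT resource server. This is an added example, not code from this PR or from okta-spring-boot; the class name, the bean name and the /actuator/health path are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

// Hypothetical class name; illustrates the migrated DSL only.
@Configuration
@EnableMethodSecurity // replaces the deprecated @EnableGlobalMethodSecurity
public class ExampleResourceServerConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is only appropriate because this chain accepts
            // bearer tokens and keeps no session or cookie authentication.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm ->
                sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Rules are evaluated in order, so the catch-all stays last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll() // assumed path
                .anyRequest().authenticated())
            // Validate incoming bearer tokens as JWTs using the configured
            // issuer (assumes issuer settings are supplied via properties).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Unauthenticated requests get a plain 401 instead of a redirect.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        return http.build();
    }
}
```

When converting a chained configuration to this form, compare the resulting authorization rules against the old chain one by one, since a rule dropped during the rewrite changes which endpoints require authentication.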