Upgraded to java 21, spring-boot 4

Author: Bas de Vos

CHANGELOG.md

@@ -5,17 +5,6 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-- Instructions (for deployment instructions).
-- Added (for new features).
-- Changed (for changes in existing functionality
-- Deprecated (for soon-to-be removed features).
-- Removed (for now removed features).
-- Fixed (for any bug fixes).
-- Security (in case of vulnerabilities).
+## [3.0.0] 2025-12-03
+- Upgraded to Java 21, Spring Boot 4
 
-## [Unreleased]
-
-### Issues
-
-- Upgraded to java 17
-- Updated spring from 2.4 to 2.7

owasp-suppressions.xml

@@ -1,6 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <cve>CVE-2025-48924</cve>
-    </suppress>
 </suppressions>

pom.xml

@@ -51,8 +51,8 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <maven.compiler.release>21</maven.compiler.release>
 
-        <spring-boot.version>3.5.8</spring-boot.version>
-        <rest-secure-starter.version>14.1.0</rest-secure-starter.version>
+        <spring-boot.version>4.0.0</spring-boot.version>
+        <rest-secure-starter.version>15.0.0</rest-secure-starter.version>
         <commons-io.version>2.21.0</commons-io.version>
 
         <dependency-check-maven-plugin.version>12.1.9</dependency-check-maven-plugin.version>

src/main/java/nl/_42/max_login_attempts_spring_boot_starter/DefaultTooManyLoginAttemptsErrorHandler.java

@@ -7,10 +7,8 @@
 import java.util.Collections;
 
 import jakarta.servlet.http.HttpServletResponse;
-
 import nl._42.max_login_attempts_spring_boot_starter.error.TooManyLoginAttemptsErrorHandler;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
+import tools.jackson.databind.json.JsonMapper;
 
 /**
  * Default implementation of TooManyLoginAttemptsErrorHandler.
@@ -21,7 +19,7 @@ class DefaultTooManyLoginAttemptsErrorHandler implements TooManyLoginAttemptsErr
 
     @Override
     public void handle(HttpServletResponse response) throws IOException {
-        ObjectMapper objectMapper = new ObjectMapper();
+        JsonMapper objectMapper = JsonMapper.builder().build();
         response.setStatus(FORBIDDEN.value());
         response.setContentType(APPLICATION_JSON_VALUE);
         objectMapper.writeValue(response.getWriter(), Collections.singletonMap("errorCode", "TOO_MANY_LOGIN_ATTEMPTS"));

src/main/java/nl/_42/max_login_attempts_spring_boot_starter/filter/LoginAttemptFilter.java

@@ -11,6 +11,8 @@
 import nl._42.max_login_attempts_spring_boot_starter.error.TooManyLoginAttemptsErrorHandler;
 import nl._42.max_login_attempts_spring_boot_starter.listener.UsernameRemoteAddressBlockedException;
 import nl._42.max_login_attempts_spring_boot_starter.service.LoginAttemptService;
+import tools.jackson.databind.json.JsonMapper;
+import tools.jackson.databind.node.ObjectNode;
 
 import org.apache.commons.io.IOUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -19,9 +21,6 @@
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ObjectNode;
-
 /**
  * Filter which checks if the login request is executed while the user is already blocked
  * due to an excessive amount of login attempts. If so, a forbidden status with a specific
@@ -96,7 +95,7 @@ private void handleUsernameIpAddressBlocked(HttpServletResponse response) throws
 
     private String readUsername(HttpServletRequest request) throws IOException {
         String loginFormJson = IOUtils.toString(request.getReader());
-        ObjectNode node = new ObjectMapper().readValue(loginFormJson, ObjectNode.class);
-        return node.get("username").asText();
+        ObjectNode node = JsonMapper.builder().build().readValue(loginFormJson, ObjectNode.class);
+        return node.get("username").asString();
     }
 }

src/test/java/nl/_42/max_login_attempts_spring_boot_starter/AbstractWebIntegrationTest.java

@@ -7,13 +7,13 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.log;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup;
 
+import tools.jackson.databind.ObjectMapper;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.context.WebApplicationContext;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-
 public abstract class AbstractWebIntegrationTest extends AbstractSpringTest {
 
     @Autowired

src/test/java/nl/_42/max_login_attempts_spring_boot_starter/TestConfiguration.java

@@ -6,6 +6,7 @@
 import nl._42.restsecure.autoconfigure.HttpSecurityCustomizer;
 import nl._42.restsecure.autoconfigure.RestAuthenticationFilter;
 import nl._42.restsecure.autoconfigure.WebSecurityAutoConfig;
+import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -18,8 +19,6 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-
 @Configuration
 @ComponentScan(value = "nl._42.max_login_attempts_spring_boot_starter")
 @Import({ WebSecurityAutoConfig.class })
@@ -36,8 +35,8 @@ public Clock clock() {
     }
 
     @Bean
-    public ObjectMapper objectMapper() {
-        return new ObjectMapper();
+    public JsonMapper objectMapper() {
+        return JsonMapper.builder().build();
     }
 
     @Bean