
Test Spring 7 pull requests #26346

Draft
MarkEWaite wants to merge 5 commits into jenkinsci:master from MarkEWaite:spring-7

@MarkEWaite MarkEWaite commented Feb 21, 2026

Test Spring v7 updates

Testing changes for pull requests:

Includes my attempt to adapt to the encode() method becoming final when we extended it to provide a better error message.

Testing done

  • Ran automated tests and confirmed that two tests fail in my environment, though one of the two tests does not fail when running in the debugger
  • Performed minor interactive testing with the simplest security realm and found no issues

Screenshots (UI changes only)

Before

After

Proposed changelog entries

  • N/A

Proposed changelog category

/label skip-changelog

Proposed upgrade guidelines

N/A

Submitter checklist

  • The issue, if it exists, is well-described.
  • The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  • There is automated testing or an explanation as to why this change has no tests.
  • New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  • New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  • UI changes do not introduce regressions when enforcing the current default rules of Content Security Policy Plugin. In particular, new or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  • For dependency updates, there are links to external changelogs and, if possible, full differentials.
  • For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

N/A

Before the changes are marked as ready-for-merge:

Maintainer checklist

  • There are at least two (2) approvals for the pull request and no outstanding requests for change.
  • Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  • Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  • Proper changelog labels are set so that the changelog can be generated automatically.
  • If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
  • If it would make sense to backport the change to LTS, be a Bug or Improvement, and either the issue or pull request must be labeled as lts-candidate to be considered.

@MarkEWaite added the work-in-progress label (The PR is under active development, not ready to the final review) Feb 21, 2026
@comment-ops-bot added the skip-changelog label (Should not be shown in the changelog) Feb 21, 2026
@MarkEWaite (Contributor Author)

The two failing tests are related to the multi-factor authentication support that has been added to Spring Security v7. The change introduces the progressive authorization concept and notes that multi-factor authentication now returns an additional authority, FactorGrantedAuthority.PASSWORD_AUTHORITY (javadoc).

I assume that one solution might be to remove any FactorGrantedAuthority from the returned list of authorities. Needs more investigation in case we could use Spring Security v7 to more easily allow multi-factor authentication in Jenkins.

@MarkEWaite (Contributor Author)

I've removed the new FactorGrantedAuthority.PASSWORD_AUTHORITY entry from the list of authorities in the failing tests so that the build can proceed and be used for further testing with plugin BOM and the acceptance test harness.

The addition of multi-factor authentication support in Spring Security v7 needs more evaluation, but that can be one step at a time with the help of the plugin BOM and the acceptance test harness.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates Jenkins to use Spring Framework 7.0.5 and Spring Security 7.0.3, upgrading from version 6.x of both frameworks. The changes adapt to breaking changes in Spring Security 7, particularly where the BCryptPasswordEncoder.encode() method became final, preventing the previous approach of overriding it to provide custom error messages. The solution introduces an encode2() method in the internal PasswordHashEncoder interface that wraps the final encode() method, allowing custom error handling for password validation. Additionally, tests are updated to filter out the new PASSWORD_AUTHORITY that Spring Security 7 automatically adds to indicate password-based authentication factors.

Changes:

  • Updated Spring Framework BOM from 6.2.16 to 7.0.5 and Spring Security BOM from 6.5.8 to 7.0.3
  • Added encode2() method to work around BCryptPasswordEncoder.encode() becoming final in Spring Security 7
  • Updated authentication tests to filter out PASSWORD_AUTHORITY automatically added by Spring Security 7

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| bom/pom.xml | Updated Spring Framework and Spring Security dependency versions to 7.x |
| core/src/main/java/hudson/security/PasswordHashEncoder.java | Added encode2() default method to enable custom error handling despite encode() being final |
| core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java | Updated JBCryptEncoder to override encode2() for custom error messages; updated validation paths to call encode2() |
| core/src/test/java/hudson/security/HudsonPrivateSecurityRealmTest.java | Updated existing tests to use encode2() and added test documenting encode() behavior |
| test/src/test/java/jenkins/security/LastGrantedAuthoritiesPropertyTest.java | Added filtering of PASSWORD_AUTHORITY in authority assertions |
| test/src/test/java/hudson/security/TokenBasedRememberMeServices2Test.java | Added filtering of PASSWORD_AUTHORITY in authority assertions |

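The encode2() workaround summarized in the review overview above, as an added sketch that is not code from this pull request, Jenkins, or Spring Security. LibraryEncoder, HashEncoder, FriendlyEncoder and the 8-byte limit are hypothetical stand-ins chosen so the pattern runs without any dependency.

```java
// Added illustration; every type here is a hypothetical stand-in, not Spring or Jenkins code.
public class Encode2Demo {
    static final int MAX_BYTES = 8; // constructed limit so the failure is easy to trigger

    // Stand-in for a library encoder whose encode() is final and cannot be overridden.
    static class LibraryEncoder {
        public final String encode(CharSequence raw) {
            int n = raw.toString().getBytes(java.nio.charset.StandardCharsets.UTF_8).length;
            if (n > MAX_BYTES) {
                throw new IllegalArgumentException("input too long"); // terse library message
            }
            return "hash(" + n + " bytes)"; // placeholder, not a real hash
        }
    }

    // Stand-in for the internal interface: encode2() defaults to the final encode().
    interface HashEncoder {
        String encode(CharSequence raw);

        default String encode2(CharSequence raw) {
            return encode(raw);
        }
    }

    // The subclass cannot override encode(), so it customises encode2() instead.
    static class FriendlyEncoder extends LibraryEncoder implements HashEncoder {
        @Override
        public String encode2(CharSequence raw) {
            try {
                return encode(raw);
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException(
                    "Password must be at most " + MAX_BYTES + " bytes when UTF-8 encoded", e);
            }
        }
    }

    // Runs a call and reports either its result or the exception message it raised.
    static String messageOf(java.util.function.Supplier<String> call) {
        try {
            return "ok: " + call.get();
        } catch (IllegalArgumentException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        HashEncoder enc = new FriendlyEncoder();
        System.out.println(messageOf(() -> enc.encode2("short")));
        System.out.println(messageOf(() -> enc.encode2("much-too-long-secret")));
        // A caller that still uses encode() bypasses the friendlier message.
        System.out.println(messageOf(() -> enc.encode("much-too-long-secret")));
    }
}
```

Callers left on encode() still receive the library's own message, which is why the per-file summary notes that the validation paths were updated to call encode2().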

MarkEWaite added a commit to MarkEWaite/bom that referenced this pull request Feb 22, 2026
Pull requests:

* jenkinsci/jenkins#26346
* jenkinsci/jenkins#11304
* jenkinsci/jenkins#11292

Testing done

* `PLUGINS=google-oauth-plugin,gitlab-oauth,github-oauth,oic-auth LINE=weekly TEST=InjectedTest bash ./local-test.sh`
@MarkEWaite MarkEWaite mentioned this pull request Feb 22, 2026
5 tasks
MarkEWaite added a commit to MarkEWaite/acceptance-test-harness that referenced this pull request Feb 22, 2026
Pull requests:

* jenkinsci/jenkins#26346
* jenkinsci/jenkins#11304
* jenkinsci/jenkins#11292
* jenkinsci/bom#6392

Testing done

* None.  Rely on ci.jenkins.io for the testing
@MarkEWaite (Contributor Author)

The Spring Framework Wiki describes supported versions as:

  • 7.0.x is the start of a new framework generation and the current production line (November 2025), to be followed up by the 7.1.x feature branch (November 2026).
  • 6.2.x is the final feature branch of the 6th generation. Open source support ends in June 2026; commercial long-term support options are available.
  • 5.3.x was the final feature branch of the 5th generation. Open source support ended in August 2024; commercial long-term support options remain available.

Since open source support for Spring Framework 6.2.x ends in June 2026, we should move to Spring Framework 7.x as soon as we can do it safely and confidently.

@MarkEWaite (Contributor Author)

I've summarized the choices for the release of Spring v7 support in Jenkins to the Jenkins developer mailing list. Discussions are probably best held there with the details included in that email message.
