Upgrade to Spring Boot 3/Spring Security 6

Signed-off-by: Lauris Kaplinski <[email protected]>

Author: Lauris Kaplinski

example/.github/workflows/maven-build.yml

@@ -7,19 +7,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 17
 
       - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}
+          key: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}
 
       - name: Build
         run: mvn --batch-mode compile

example/README.md

@@ -49,7 +49,7 @@ You can specify the profile as a command-line argument to the Maven wrapper comm
 
 ### 5. Run the application
 
-Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 8 installed for building the application package and running the application.
+Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 17 installed for building the application package and running the application.
 
 Build and run the application with the following command in a terminal window:
 

example/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.15</version>
+		<version>3.1.9</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -17,10 +17,10 @@
 	</description>
 
 	<properties>
-		<java.version>11</java.version>
+		<java.version>17</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<webeid.version>3.0.0</webeid.version>
-		<digidoc4j.version>5.2.0</digidoc4j.version>
+		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -24,53 +24,52 @@
 
 import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
-public class ApplicationConfiguration extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
+@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
+public class ApplicationConfiguration implements WebMvcConfigurer {
     final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
+    final SecurityContextRepository securityContextRepository;
 
     public ApplicationConfiguration(AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider) {
         this.authTokenDTOAuthenticationProvider = authTokenDTOAuthenticationProvider;
+        this.securityContextRepository = new HttpSessionSecurityContextRepository();
     }
 
-    @Override
-    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
-        authenticationManagerBuilder.authenticationProvider(authTokenDTOAuthenticationProvider);
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
+        return authenticationConfiguration.getAuthenticationManager();
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        // @formatter:off
-        http
-            .addFilterBefore(
-                    new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager()),
-                    UsernamePasswordAuthenticationFilter.class)
-            .authorizeRequests()
-            .antMatchers("/auth/challenge", "/auth/login", "/")
-            .permitAll()
-            .antMatchers("/welcome")
-            .authenticated()
-         .and()
-            .logout()
-            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
-         .and()
-            .headers()
-                .frameOptions().sameOrigin();
-        // @formatter:on
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        AuthenticationManager manager = authenticationManager(http.getSharedObject(AuthenticationConfiguration.class));
+
+        return http
+                .authenticationProvider(authTokenDTOAuthenticationProvider)
+                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
+                        UsernamePasswordAuthenticationFilter.class)
+                .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
+                .headers(headers -> headers.frameOptions(options -> options.sameOrigin()))
+                .build();
     }
 
+    @Override
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");

example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java

@@ -26,7 +26,7 @@
 import eu.webeid.security.challenge.ChallengeNonce;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 
 public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
 

example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java

@@ -37,7 +37,7 @@
 import eu.webeid.security.validator.AuthTokenValidator;
 import eu.webeid.security.validator.AuthTokenValidatorBuilder;
 
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -24,35 +24,42 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import eu.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
 import eu.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
 import eu.webeid.example.security.dto.AuthTokenDTO;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.context.SecurityContextRepository;
 
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
+    private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
         String defaultFilterProcessesUrl,
-        AuthenticationManager authenticationManager
+        AuthenticationManager authenticationManager,
+        SecurityContextRepository securityContextRepository
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
         setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
+        this.securityContextRepository = securityContextRepository;
     }
 
     @Override
@@ -76,4 +83,10 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         LOG.info("attemptAuthentication(): Calling authentication manager");
         return getAuthenticationManager().authenticate(token);
     }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
+        super.successfulAuthentication(request, response, chain, authResult); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/OverriddenMethodBody
+        securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
+    }
 }

example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java

@@ -27,9 +27,9 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
 
 public class AjaxAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java

@@ -29,8 +29,8 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.stream.Collectors;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;

example/src/main/java/eu/webeid/example/service/SigningService.java

@@ -46,8 +46,8 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
 
-import javax.servlet.http.HttpSession;
-import javax.xml.bind.DatatypeConverter;
+import jakarta.servlet.http.HttpSession;
+import jakarta.xml.bind.DatatypeConverter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;