@devondragon
Owner

Summary

Upgrades the Demo Application to Spring Boot 4.0.0 and Spring User Framework 4.0.0, bringing compatibility with Spring Security 7 and Java 21.

Changes

Dependencies

  • Upgraded Spring Boot from 3.5.x to 4.0.0
  • Upgraded Spring User Framework from 3.5.x to 4.0.0
  • Added modular test starters:
    • spring-boot-data-jpa-test
    • spring-boot-webmvc-test
    • spring-boot-starter-security-test

Configuration Fixes

  • Fixed unprotectedURIs in application.yml - all URL patterns now start with / as required by Spring Security 7
    • Changed error.htmla → /error,/error.html

Test Updates

  • Updated test annotation imports to new Spring Boot 4.0 packages:
    • @AutoConfigureMockMvc → org.springframework.boot.webmvc.test.autoconfigure
    • @DataJpaTest → org.springframework.boot.data.jpa.test.autoconfigure

Build Configuration

  • Updated bootJar task (removed deprecated launchScript - use systemd or other init systems instead)

Breaking Changes

  • Java 21 required - Spring Boot 4.0 requires Java 21+
  • Spring Security 7 - URL patterns must start with /

Testing

  • Application starts successfully
  • User registration works
  • User login works
  • Profile update works
  • All existing tests pass

Related

  • Spring User Framework PR: #[PR_NUMBER]
  • Spring User Framework v4.0.0 release

Checklist

  • Dependencies updated
  • Configuration compatible with Spring Security 7
  • Tests updated for new package structure
  • Application manually tested

devondragon and others added 4 commits December 14, 2025 13:01
- Upgrade Spring Boot from 3.5.6 to 4.0.0
- Upgrade Java toolchain from 17 to 21 (required for Spring Boot 4)
- Add Spring Boot 4 modular test dependencies:
  - spring-boot-data-jpa-test
  - spring-boot-webmvc-test
  - spring-boot-starter-security-test
- Update ds-spring-user-framework to 4.0.0-SNAPSHOT
- Remove deprecated launchScript from bootJar (removed in Spring Boot 4)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Spring Security 7 strictly enforces that all URL patterns must start
with '/'. The unprotectedURIs property had 'error.htmla' at the end
which was:
1. Missing the leading '/'
2. Had a typo ('htmla' instead of 'html')

Changed to '/error,/error.html' to properly allow error pages.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Spring Boot 4 moved test annotations to separate modules with new
package locations. Updated all test files to use:
- @AutoConfigureMockMvc -> boot.webmvc.test.autoconfigure
- @WebMvcTest -> boot.webmvc.test.autoconfigure
- @DataJpaTest -> boot.data.jpa.test.autoconfigure
- @MockitoBean -> test.context.bean.override.mockito

Also updated ObjectMapper instantiation to manual creation since
Jackson 3 (used in Spring Boot 4) changed auto-configuration behavior.

Files updated across:
- demo/event tests
- user/api tests
- user/concurrent tests
- user/integration tests
- user/oauth2 tests
- user/security tests
- test annotations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings December 14, 2025 21:26
@devondragon devondragon self-assigned this Dec 14, 2025
@devondragon devondragon added the enhancement New feature or request label Dec 14, 2025
@claude

claude bot commented Dec 14, 2025

Pull Request Review: Spring Boot 4.0.0 Upgrade

I've completed a comprehensive review of this PR. Overall, this is a well-executed major version upgrade with clear documentation and systematic changes. Here's my detailed feedback:


Strengths

  1. Excellent PR Description: The summary clearly outlines all changes, breaking changes, and testing performed.

  2. Systematic Approach: The upgrade follows a logical progression:

    • Dependencies first
    • Configuration fixes
    • Test updates
    • Clean commit organization
  3. Good Security Fix: Fixing the error.htmla typo in application.yml:120 addresses both a typo and Spring Security 7 strict validation requirements.

  4. Proper Dependency Management: Using Spring Boot 4's managed versions for thymeleaf-extras-springsecurity6 (removed hardcoded version) follows best practices.

  5. Clear Documentation: Comments explain why changes were made (e.g., "launchScript removed in Spring Boot 4").


🔍 Code Quality & Best Practices

Dependencies (build.gradle)

  • ✅ Correctly upgraded Java 17 → 21 (required for Spring Boot 4)
  • ✅ Added modular test starters (spring-boot-data-jpa-test, spring-boot-webmvc-test)
  • ⚠️ Minor Issue: Line 42 shows version 4.0.0 but commit message mentions 4.0.0-SNAPSHOT. Ensure consistency.

Test Updates

  • ✅ All test annotation imports correctly updated to new Spring Boot 4 packages
  • ✅ ObjectMapper instantiation changed from @Autowired to manual creation with JavaTimeModule
  • ✅ Consistent pattern applied across all test files (17 test files updated)

Configuration

  • ✅ Fixed critical Spring Security 7 URL pattern requirement
  • ✅ All URLs in unprotectedURIs now properly start with /

⚠️ Potential Issues & Concerns

1. Inconsistent Test Assertions (Medium Priority)

  • Location: SecurityConfigurationTest.java:147 vs AuthenticationIntegrationTest.java:123,265
  • Issue: SecurityConfigurationTest was updated to use redirectedUrl() (exact match), but AuthenticationIntegrationTest still uses redirectedUrlPattern() (pattern match)
  • Impact: This inconsistency suggests incomplete migration. Spring Security 7 may have changed redirect URL behavior.
  • Recommendation: Review whether redirectedUrlPattern() is still supported in Spring Boot 4, or if all instances should use redirectedUrl() for consistency.

// SecurityConfigurationTest.java:147 (updated)
.andExpect(redirectedUrl("/login.html"));

// AuthenticationIntegrationTest.java:123 (not updated)
.andExpect(redirectedUrlPattern("**/user/login.html"));

2. Dependency Version Mismatch

  • Location: build.gradle:42
  • Issue: Current code shows 4.0.0, but one commit message mentions 4.0.0-SNAPSHOT
  • Recommendation: Verify the correct version. If using a SNAPSHOT, ensure it's intentional and the repository is configured to access snapshot artifacts.

3. Missing Migration Items

  • Jackson 3 Changes: Spring Boot 4 uses Jackson 3. While you manually create ObjectMapper with JavaTimeModule, consider:

    • Are there any custom Jackson configurations that need updating?
    • Have you verified all date/time serialization works as expected?
  • Spring Security 7 Changes: Beyond URL patterns, verify:

    • CSRF token handling changes
    • Session management updates
    • OAuth2 client configuration compatibility

🔒 Security Concerns

  1. URL Pattern Fix: Good catch on the error.htmla → /error,/error.html fix
  2. No Security Regressions: Test coverage appears comprehensive
  3. ⚠️ Recommendation: After merging, perform a security audit to verify:
    • All protected endpoints remain protected
    • CSRF protection still works correctly
    • OAuth2 flows work with Spring Security 7

🚀 Performance Considerations

  1. Modular Test Dependencies: Adding specific test starters (spring-boot-data-jpa-test, etc.) should improve test startup time
  2. Removed Deprecated Features: Removing launchScript is appropriate; modern deployments should use systemd or container orchestration

🧪 Test Coverage

  • ✅ PR description mentions all tests pass
  • ✅ Manual testing completed (registration, login, profile update)
  • ⚠️ Recommendation: Consider adding a test that specifically validates the error page URLs (/error, /error.html) are accessible without authentication

📋 Action Items

Before Merging:

  1. High Priority: Resolve the redirectedUrlPattern vs redirectedUrl inconsistency in test assertions
  2. Medium Priority: Verify the framework dependency version (4.0.0 vs 4.0.0-SNAPSHOT)
  3. Medium Priority: Run the full test suite including UI tests to verify compatibility
  4. Low Priority: Consider adding test coverage for the error page fix

After Merging:

  1. Update CI/CD pipelines to use Java 21
  2. Update documentation to reflect Java 21 requirement
  3. Monitor for any Jackson 3 serialization issues in production
  4. Perform a security audit to verify Spring Security 7 configuration

📝 Minor Suggestions

  1. Commit Message: Consider adding migration notes for future reference
  2. Documentation: Update README.md to reflect Java 21 requirement (if not already done)
  3. Changelog: Document breaking changes for downstream consumers

🎯 Overall Assessment

Grade: A-

This is a high-quality upgrade PR with:

  • ✅ Clear documentation
  • ✅ Systematic changes
  • ✅ Good test coverage
  • ⚠️ A few minor inconsistencies to address

Recommendation: Approve with minor changes requested. Address the test assertion inconsistency and version verification before merging.


Great work on this substantial upgrade! The systematic approach and thorough testing make this a strong foundation for Spring Boot 4 adoption.
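
The recommendation above to test that the error page URLs (/error, /error.html) stay reachable without authentication could look like the following. This is an added example, not code from the PR or the project; the class name ErrorPageAccessTest, the plain @SpringBootTest context, and the check for "login" in the redirect target are assumptions.

```java
package com.digitalsanctuary.spring.user.integration;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
// Spring Boot 4 package location, as listed in the PR description.
import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class (assumption): the project may prefer its own
// @IntegrationTest annotation and test profile over a bare @SpringBootTest.
@SpringBootTest
@AutoConfigureMockMvc
class ErrorPageAccessTest {

    @Autowired
    private MockMvc mockMvc;

    // The two entries that replaced the malformed "error.htmla" value.
    @ParameterizedTest
    @ValueSource(strings = {"/error", "/error.html"})
    void errorPagesAreNotBlockedBySecurity(String uri) throws Exception {
        // No user is attached to the request, so it is anonymous.
        MockHttpServletResponse response =
                mockMvc.perform(get(uri)).andReturn().getResponse();

        // The page's own status (for example 404 or 500) is not asserted here;
        // only that the security filter chain did not reject the request.
        assertNotEquals(401, response.getStatus(), uri + " demanded authentication");
        assertNotEquals(403, response.getStatus(), uri + " was forbidden");

        // Assumption: a protected URL sends anonymous users to a login page
        // whose path contains "login" (the review quotes /login.html and
        // /user/login.html as redirect targets).
        String redirect = response.getRedirectedUrl();
        assertFalse(redirect != null && redirect.contains("login"),
                uri + " redirected to " + redirect);
    }
}
```

Running the same assertions against a URL that is expected to be protected, and expecting them to fail, confirms that the allow-list entries, not a permissive default, are what let the error pages through.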

Contributor

Copilot AI left a comment

Pull request overview

This PR upgrades the Demo Application to Spring Boot 4.0.0 and Spring User Framework 4.0.0, bringing compatibility with Spring Security 7 and Java 21. The upgrade involves systematic updates to dependencies, test infrastructure, and configuration to align with the new framework versions' requirements.

Key Changes:

  • Upgraded core dependencies (Spring Boot 3.5.x → 4.0.0, Spring User Framework 3.5.x → 4.0.0, Java 17 → 21)
  • Migrated test annotations to new Spring Boot 4 package structure (webmvc, data.jpa, and persistence packages)
  • Fixed Spring Security 7 URL pattern requirements and configuration typo in application.yml
  • Standardized ObjectMapper instantiation in tests with explicit JavaTimeModule registration
  • Added modular test starters and updated build configuration

Reviewed changes

Copilot reviewed 29 out of 30 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| build.gradle | Upgraded Spring Boot to 4.0.0, Java to 21, added modular test dependencies, removed deprecated launchScript configuration |
| src/main/resources/application.yml | Fixed typo (error.htmla) and added leading slashes to error URIs for Spring Security 7 compliance |
| src/test/java/com/digitalsanctuary/spring/user/test/annotations/IntegrationTest.java | Updated test annotation imports to Spring Boot 4 package structure |
| src/test/java/com/digitalsanctuary/spring/user/test/annotations/IntegrationTestNoTx.java | Updated test annotation imports to Spring Boot 4 package structure |
| src/test/java/com/digitalsanctuary/spring/user/UserApplicationTests.java | Migrated EntityScan import to new persistence package |
| src/test/java/com/digitalsanctuary/spring/demo/DemoTests.java | Migrated EntityScan import to new persistence package |
| src/test/java/com/digitalsanctuary/spring/demo/event/EventRepositoryTest.java | Updated EntityScan and DataJpaTest imports to Spring Boot 4 packages |
| src/test/java/com/digitalsanctuary/spring/demo/event/EventControllerTest.java | Updated WebMvcTest import and changed ObjectMapper to manual instantiation with JavaTimeModule |
| src/test/java/com/digitalsanctuary/spring/demo/event/EventAPIControllerTest.java | Updated WebMvcTest import and changed ObjectMapper to manual instantiation with JavaTimeModule |
| src/test/java/com/digitalsanctuary/spring/user/security/*.java (4 files) | Updated AutoConfigureMockMvc imports to new webmvc.test package |
| src/test/java/com/digitalsanctuary/spring/user/oauth2/GoogleOAuth2IntegrationTest.java | Updated AutoConfigureMockMvc import to new webmvc.test package |
| src/test/java/com/digitalsanctuary/spring/user/integration/SecurityConfigurationTest.java | Updated AutoConfigureMockMvc import and changed redirectedUrlPattern to redirectedUrl for precise assertion |
| src/test/java/com/digitalsanctuary/spring/user/integration/AuthenticationIntegrationTest.java | Updated AutoConfigureMockMvc import to new webmvc.test package |
| src/test/java/com/digitalsanctuary/spring/user/concurrent/*.java (2 files) | Updated AutoConfigureMockMvc imports to new webmvc.test package |
| src/test/java/com/digitalsanctuary/spring/user/api/*.java (13 files) | Updated AutoConfigureMockMvc imports and standardized ObjectMapper instantiation with JavaTimeModule across all API test files |

@devondragon devondragon merged commit 07766de into main Dec 14, 2025
7 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in SpringUserFramework Dec 14, 2025
@devondragon devondragon deleted the issue-46-Upgrade-to-Spring-Boot-4 branch December 14, 2025 21:32