Migrate to spring boot 4 #3805
Thanks for this PR, we need to solve OpenSAML first and therefore started with: #3811
@gdgenchev ok, with spring update you need opensaml5 and therefore rebase this and also pull changes from #3840 for testing. With this your SAML errors should disappear.
Current Progress: I picked saml 5 update. I did spring boot 4 migration without open rewrite from scratch, incrementally, so that I can isolate changes that are compatible with current Spring Boot 3. All such have been proposed as PRs. Maybe we can also try with open rewrite after those are merged. I reached a point where all unit tests pass and 35 ITs failed. But apidoc pipeline failed with Jackson issues, as I tried keeping Jackson 2... As effort was too high to make it work with Jackson 2, I just decided to try to migrate the whole project to Jackson 3 and it seems it worked nicely. Unit tests still pass, apidoc passes, but we have 90 failing ITs and I see some stacktraces related to jackson. Will check.
Current progress: Unit tests pass locally, but fail with OOM in pipeline. Seems to be an infrastructure issue maybe? Integration tests pass except 2 possibly flaky saml tests that I am not sure actually work locally. Not sure if this is an actual regression.
@gdgenchev I think all blockers are removed for you right now, and after a rebase from dev you should get closer to a final PR.
Current progress:
This is now ready for review.
This version supports BC FIPS. Higher versions pull classes directly from the non-FIPS package. At least a version that could work together with Spring Security 7.x and then Boot 4.x.
# Conflicts:
# build.gradle
# dependencies.gradle
# server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSamlDecryptionUtils.java
# server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSamlVerificationUtils.java
# server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2BearerGrantAuthenticationConverter.java
# server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpoint.java
# server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/UaaInResponseToHandlingResponseValidator.java
# server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpointKeyRotationTests.java
# server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/TestCustomOpenSamlObjects.java
Spring Boot 4 moved DependsOnDatabaseInitialization to a separate spring-boot-sql module. Added this dependency to the server module where it's needed. Related to Spring Boot 4 migration.
Spring Security 7 moved vote classes (AuthenticatedVoter, RoleVoter, UnanimousBased) to a separate spring-security-access module that is not automatically included. Added explicit dependency. Related to Spring Boot 4 migration.
Spring Boot 4 moved autoconfigure classes to technology-specific modules:
- org.springframework.boot.autoconfigure.jdbc → org.springframework.boot.jdbc.autoconfigure
- org.springframework.boot.autoconfigure.transaction → org.springframework.boot.transaction.autoconfigure
Updated DatabaseConfiguration imports. Related to Spring Boot 4 migration.
Spring Boot 4 reorganized autoconfigure packages.
- Removed unused WebMvcAutoConfiguration import from WebConfig
- Updated test annotation to use new autoconfigure package locations
Related to Spring Boot 4 migration.
# Conflicts:
# server/src/main/java/org/cloudfoundry/identity/uaa/web/WebConfig.java
Replace deprecated HttpComponentsClientHttpRequestFactory.setConnectTimeout() with ConnectionConfig.setConnectTimeout() on PoolingHttpClientConnectionManager. The connection timeout is now configured at the connection manager level using the recommended ConnectionConfig.Builder API.
Spring Framework 7 replaced HttpHeaders.containsKey() with containsHeader(). This updates all occurrences in OAuth2 token handling code and test utilities. Related to Spring Boot 4 migration.
…ng 7
Spring 7 removed MediaType.sortByQualityValue() and QUALITY_VALUE_COMPARATOR that were deprecated in Spring 6. Copy the sorting logic into a new MediaTypeComparators utility class to preserve content negotiation behavior that respects client quality value preferences from Accept headers.
https://github.com/spring-projects/spring-framework/blob/9f431e2eac1b6d8d5ca385d0cc367bac94dd37e7/spring-web/src/main/java/org/springframework/http/MediaType.java#L927-L965
# Conflicts:
# server/src/main/java/org/cloudfoundry/identity/uaa/oauth/provider/error/DefaultOAuth2ExceptionRenderer.java
# server/src/main/java/org/cloudfoundry/identity/uaa/web/ConvertingExceptionView.java
- Rename MediaTypeComparators to MediaTypeUtils for better semantics
- Add sortByQualityValue() utility method to handle immutable lists
- Fix usages to create mutable copies before sorting
- Remove unnecessary if-else in ConvertingExceptionView
- Add comprehensive unit tests including parameterized tests
# Conflicts:
# server/src/main/java/org/cloudfoundry/identity/uaa/util/MediaTypeUtils.java
# server/src/test/java/org/cloudfoundry/identity/uaa/util/MediaTypeUtilsTest.java
Replace getAssertingPartyDetails() with getAssertingPartyMetadata()
Replace withRelyingPartyRegistration() with mutate()
Replace assertingPartyDetails() with assertingPartyMetadata() in builder
Replace RelyingPartyRegistration.AssertingPartyMetadata with AssertingPartyMetadata
Replace check() method with authorize() in production code and tests
Update parameter and return types to use AuthorizationResult
Add jspecify nullable annotations
This method was removed in Spring Framework 6.0 without replacement. The default model is now always ignored on redirect. This requires changes to some controllers where model.addAttribute() was used that now won't be delegated. We need to use redirectAttributes.addAttribute().
# Conflicts:
# server/src/main/java/org/cloudfoundry/identity/uaa/web/WebConfig.java
# Conflicts:
# server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
# server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java
Spring Boot 4 reorganized web server factory classes into dedicated modules:
- ConfigurableServletWebServerFactory: org.springframework.boot.web.servlet.server → org.springframework.boot.web.server.servlet
- TomcatServletWebServerFactory: org.springframework.boot.web.embedded.tomcat → org.springframework.boot.tomcat.servlet
- ErrorPage: org.springframework.boot.web.server → org.springframework.boot.web.error
- addAdditionalTomcatConnectors() → addAdditionalConnectors()
Updated production code and tests in uaa module.
Pull request overview
This PR migrates UAA toward Spring Boot 4 / Spring Framework 7 / Spring Security 7 compatibility, including Jackson 3 API updates, OpenSAML 5 API updates, and related test expectation changes.
Changes:
- Updates dependency versions and Spring Boot package/API usages.
- Migrates many Jackson usages from com.fasterxml.jackson.databind/core to tools.jackson.*.
- Adjusts tests and helpers for Spring Security, MockMvc redirect behavior, HTTP headers, SAML APIs, and RestTemplate JSON conversion.
Reviewed changes
Copilot reviewed 196 out of 197 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| build.gradle | Adjusts global dependency excludes and test JVM settings. |
| gradle/libs.versions.toml | Updates Spring Boot/SpringDoc/Jackson/Spring dependency coordinates. |
| statsd/build.gradle | Updates Tomcat runtime dependency usage. |
| server/build.gradle | Adds Boot 4-related server dependencies. |
| server/src/main/resources/spring-mvc.properties | Removes legacy MVC/Jackson property file. |
| server/src/main/java/org/cloudfoundry/identity/uaa/impl/config/JacksonMapperCustomizer.java | Adds shared Jackson 3 mapper/message-converter configuration. |
| server/src/main/java/org/cloudfoundry/identity/uaa/web/WebConfig.java | Removes legacy property source wiring. |
| server/src/main/java/org/cloudfoundry/identity/uaa/web/AuthorizationManagersUtils.java | Updates authorization manager API usage. |
| server/src/main/java/org/cloudfoundry/identity/uaa/web/SelfCheckAuthorizationManager.java | Updates authorization manager method signatures. |
| server/src/main/java/org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor.java | Handles Tomcat invalid-parameter exceptions as JSON 400 responses. |
| server/src/main/java/org/cloudfoundry/identity/uaa/authentication/EmptyPasswordAwareEncoder.java | Adds empty-client-secret password matching wrapper. |
| server/src/main/java/org/cloudfoundry/identity/uaa/authentication/ClientDetailsAuthenticationProvider.java | Wraps client password encoder for empty secrets. |
| server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication*.java | Migrates custom Jackson serializer/deserializer annotations/APIs. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/* | Updates OpenSAML/Spring Security SAML registration APIs. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/* | Migrates Jackson imports and metadata parsing. |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/**/*.java | Updates Jackson imports, HTTP header APIs, and auth publisher wiring. |
| server/src/main/java/org/cloudfoundry/identity/uaa/ratelimiting/**/*.java | Migrates Jackson APIs in rate-limiting JSON handling. |
| server/src/main/java/org/cloudfoundry/identity/uaa/db/beans/DatabaseConfiguration.java | Updates Boot auto-configuration package names. |
| server/src/main/java/org/cloudfoundry/identity/uaa/account/*.java | Migrates Jackson TypeReference imports. |
| server/src/main/java/org/cloudfoundry/identity/uaa/invitations/*.java | Migrates Jackson TypeReference imports. |
| server/src/main/java/org/cloudfoundry/identity/uaa/client/*.java | Migrates Jackson annotation/import usage. |
| server/src/test/java/** | Updates unit tests for Spring Security/Jackson/SAML/HTTP API changes. |
| model/src/main/java/** | Migrates model serialization/deserialization to Jackson 3 APIs. |
| model/src/test/java/** | Updates model JSON tests for Jackson 3 behavior. |
| metrics-data/src/main/java/org/cloudfoundry/identity/uaa/util/JsonUtils.java | Migrates JSON utility to Jackson 3 mapper APIs. |
| metrics-data/src/test/java/** | Updates JSON utility and metrics tests for Jackson 3. |
| statsd-lib/src/test/java/org/cloudfoundry/identity/statsd/integration/IntegrationTestUtils.java | Updates HTTP header API usage. |
| uaa/src/test/java/** | Updates MockMvc/integration tests for Jackson 3, redirects, status codes, SAML/OIDC helpers, and Boot 4 test APIs. |
Comments suppressed due to low confidence (2)
uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java:1640
- This no-token client request should continue to return 401 Unauthorized. A 403 response is appropriate after authentication succeeds but authorization fails; for missing credentials the OAuth entry point should challenge the caller instead.
uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcZonePathTests.java:1648
- This no-token client request should continue to return 401 Unauthorized. A 403 response is appropriate after authentication succeeds but authorization fails; for missing credentials the OAuth entry point should challenge the caller instead.
The previous fall-through accepted any stored value whose contents after an optional {prefix} were empty, including a raw "" database value or unsupported prefixes like {plaintext} or a malformed {bcrypt} with no hash. Restrict the empty-password match to a valid bcrypt hash of the empty string and the explicit {noop} legacy marker.
Pull the {noop} legacy marker and the bcrypt hash prefixes into named constants so the allow-list is readable at a glance.
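The allow-list described in this commit message, modelled as an added standalone Python example (not the project's Java EmptyPasswordAwareEncoder): the pre-fix fall-through beside the restricted form. The bcrypt verification is delegated to a callable, by default the third-party `bcrypt` package, so the allow-list logic itself runs without it.

```python
import re
from typing import Callable

# Only these stored forms may match an empty client secret after the fix.
NOOP_EMPTY_MARKER = "{noop}"   # explicit legacy marker for "no secret"
BCRYPT_PREFIX = "{bcrypt}"
# Well-formed bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, 22-char salt plus 31-char digest.
BCRYPT_HASH_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
OPTIONAL_PREFIX_RE = re.compile(r"^\{[^}]*\}")


def vulnerable_empty_match(stored: str) -> bool:
    """Pre-fix behaviour as the commit message describes it (modelled, not the
    original code): strip an optional {prefix} and accept whatever is left empty."""
    remainder = OPTIONAL_PREFIX_RE.sub("", stored, count=1)
    return remainder == ""  # "", "{plaintext}" and a bare "{bcrypt}" all pass here


def hardened_empty_match(stored: str,
                         bcrypt_matches: Callable[[str, str], bool]) -> bool:
    """Post-fix behaviour: an explicit allow-list with no fall-through.

    Called only when the presented secret is empty. Returns True only for the
    {noop} marker or a well-formed bcrypt hash that verifies the empty string."""
    if stored == NOOP_EMPTY_MARKER:
        return True
    if stored.startswith(BCRYPT_PREFIX):
        hash_part = stored[len(BCRYPT_PREFIX):]
        if BCRYPT_HASH_RE.fullmatch(hash_part):
            return bcrypt_matches("", hash_part)
    return False  # raw "", unsupported {plaintext}, malformed {bcrypt}: all rejected


def bcrypt_checkpw(raw: str, encoded: str) -> bool:
    """Real verifier using the third-party 'bcrypt' package (assumed installed)."""
    import bcrypt
    return bcrypt.checkpw(raw.encode(), encoded.encode())


# Constructed samples: the stored values the commit message lists as wrongly accepted,
# plus a {bcrypt} value whose hash part is too short to be a real bcrypt hash.
SUSPECT_STORED_VALUES = ["", "{plaintext}", "{bcrypt}", "{bcrypt}$2a$10$tooshort"]
```

In production the verifier argument would be `bcrypt_checkpw`; the shape check in front of it means a truncated or garbage hash never reaches the bcrypt library at all.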
I have worked on researching the spring boot 4 migration of uaa.
Current State:
Conclusions:
Jackson:
spring-boot-jackson2. I was given a recipe that does the spring migration without Jackson and this is the one that I have used as a base. I was suggested to do Spring Boot 4 without Jackson, as it causes too many issues (though, as we can see the spring migration itself also does..). So, it turns out Jackson 2 -> 3 could be done in isolation after spring boot 4 migration.
OpenSAML 5:
Migration to boot 4 currently seems to be a dead end due to Open SAML 5 FIPS compliance.
#Bonus research:
Java 25:
bcgit/bc-java#1287 (comment) - from this it seems that FIPS certification can take up to 14 months, at least this is how long it has taken before. This is actually very good information, as previously we just didn't know and could not set any expectations.