Across 5.5.0 Release notes

By Davy

May 7, 2024

Despite being a minor release, 5.5 is definitely not backward compatible. You will almost certainly have to make adaptations w.r.t. Spring Security, and thoroughly test that.

On the bright side, the upgrade to Spring Boot 2.7 means you can upgrade to Java 21 (at least in theory, it has not been tested yet).

Spring Security

By far the biggest impact in Across 5.5 is in the integration with Spring Security in the spring-security-module . This also affects all modules that do anything with Spring Security (configuration). It also affects ALL applications, and at a very minimum, you will need to do some serious testing whether authentication and authorization of HTTP requests works correctly.

Creating SecurityFilterChain beans

The first major change is that the AcrossWebSecurityConfigurer interface (introduced in SpringSecurityModule 4.0.0, with Across Platform 5.0) and related classes have been deleted. Spring Security must be configured by creating SecurityFilterChain @Beans, using the instructions from the documentation:

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html

or from the original blog:

https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

The manual is more recent, so I recommend that.

Of course there is also an Across gotcha: this only works when the SecurityFilterChain beans are all located in the Across SpringSecurityModule. You need to ensure that everything which creates a SecurityFilterChain, UserDetailsService, WebSecurityCustomizer or basically any Spring Security related bean is in an @ModuleConfiguration-annotated class that extends the SpringSecurityModule like this:

@ModuleConfiguration(SpringSecurityModule.NAME)

Keep in mind that such an @ModuleConfiguration bean needs to be in a module/application extensions package to be picked up automatically. Make sure to do this, otherwise you’ll get into a very confusing situation!

For examples, you can check the following classes in Across:

DebugWebSecurityConfiguration
AdminWebSecurityConfiguration

SecurityFilterChain order

If you are defining your own SecurityFilterChains, you probably need to control in which order the SecurityFilterChain are tried. You will need to put an @Order on the SecurityFilterChain bean (not on the @ModuleConfiguration annotated class!).

You can check the order of the SecurityFilterBeans using the debug-web-module .

Spring Security 5.8 instead of 5.7

We went straight to Spring Security 5.8, whose main purpose is to provide a intermediate migration step to 6.0:

Note also that Spring Security 5.8 (and Spring Framework 5.3) will receive updates until the end of August 2024.

Spring Security Lambda DSL

Lastly, when adapting your security configuration, consider switching immediately to the Lambda DSL (which will be the only one supported in Spring Security 7):

Lombok upgrade

Spring Boot 2.7 has upgraded to Lombok 1.18.30 from 1.18.26.

In one of the client projects, we gotten bitten by the “IMPROBABLE BREAKING CHANGE” in Lombok 1.18.24. Note that it’s not just “copy some of these new annotations”, but also actually introduces null checks. This includes for instance javax.annotation.Nonnull.

What’s even weirder: Spring Boot 2.6 (Across 5.4) actually already used 1.18.26 (e.g. a (newer) release). I’ve tracked that the behaviour change is indeed in 1.18.28, not in 1.18.24: so the release notes seem wrong. But it may be rather that change that triggered it, despite that that ticket is about jakarta.annotation.Nonnull, not javax.annotation.Nonnull.

Anyway, be advised: Lombok might now generate null-checks which you had not before.

Upgrades

With the upgrade to Spring Boot 2.7.18, Java 21 is supported according to the 2.7 System requirements, but we have not yet tested this.

Most important upgrades (compared to 5.4.2):

Spring Boot: from 2.6.15 to 2.7.18: 2.7 Release notes.
Spring Framework: from 5.3.32 to 5.3.34, including CVE fixes:
- 5.3.33 Announcement
- 5.3.34 Announcement
Spring Security: from 5.6.12 to 5.8.12:
- 5.7 What’s new
- 5.8 What’s new
Hibernate is still at 5.6.15, since that’s the very last 5.x release.
Jackson is still at 2.13.5.
Liquibase: from 4.17.0 to 4.27.0

Removed modules

Two security related modules have been removed, to avoid unnecessary effort adapting them to the Spring Security changes:

spring-security-acl-module was removed because it is only used (very sparingly) in one project. Previously user-module integrated with Spring Security ACL module, but that integration is obviously also removed now.
oauth2-module : also used in only one project. This is also based on the old Spring Security OAuth project, which has been unsupported for almost two years already.

Next steps

The next release of Across will be 6.0, and will be based on Spring Boot 3.x. Here are a few things that you can do to prepare for that:

Once you’ve migrated to Across 5.5, your next steps should be:

Upgrade your application(s) to JDK17 (minimum version for Spring Boot 3) or JDK21.
Switch your Maven project setup from “Across as a platform” to “Across as just another library”, since that will be the only option left in Across 6. See the Across 5.2.2 release notes for details how to do this.
Take a look at the various migration guides, and check if there’s anything else that you can already do:
- Spring Boot 3 Migration Guide
- Spring Framework 6 Upgrade instructions
  - Spring Security 6.0 Migration Guide

Thanks

Many thanks to:

Steven, for some suggestions on how we could solve the Spring Security changes (even though we took another approach).
Jesse, for providing valuable insights into how Across is used in our largest project, and what we could drop from this release.
Marlies, Arno and Branko for testing early versions of Across 5.5 with various client applications.