Across 5.5.0 Release notes
By Davy
Despite being a minor release, 5.5 is definitely not backward compatible. You will almost certainly have to make adaptations w.r.t. Spring Security, and thoroughly test that.
On the bright side, the upgrade to Spring Boot 2.7 means you can upgrade to Java 21 (at least in theory, it has not been tested yet).
Spring Security
By far the biggest impact in Across 5.5 is in the integration with
Spring Security in the
spring-security-module
. This also affects all
modules that do anything with Spring Security (configuration). It also
affects ALL applications, and at a very minimum, you will need to do
some serious testing whether authentication and authorization of HTTP
requests works correctly.
Creating SecurityFilterChain beans
The first major change is that the AcrossWebSecurityConfigurer
interface (introduced in SpringSecurityModule 4.0.0, with Across
Platform 5.0) and related classes have been deleted. Spring Security
must be configured by creating SecurityFilterChain
@Bean
s, using
the instructions from the documentation:
https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html
or from the original blog:
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
The manual is more recent, so I recommend that.
Of course there is also an Across gotcha: this only works when the
SecurityFilterChain
beans are all located in the Across
SpringSecurityModule. You need to ensure that everything which creates
a SecurityFilterChain
, UserDetailsService
, WebSecurityCustomizer
or basically any Spring Security related bean is in an
@ModuleConfiguration
-annotated class that extends the SpringSecurityModule
like this:
@ModuleConfiguration(SpringSecurityModule.NAME)
Keep in mind that such an @ModuleConfiguration
bean needs to be in a
module/application extensions
package to be picked up
automatically. Make
sure to do this, otherwise you’ll get into a very confusing situation!
For examples, you can check the following classes in Across:
DebugWebSecurityConfiguration
AdminWebSecurityConfiguration
SecurityFilterChain order
If you are defining your own SecurityFilterChain
s, you probably need
to control in which order the SecurityFilterChain
are tried. You
will need to put an @Order
on the SecurityFilterChain
bean (not on
the @ModuleConfiguration
annotated class!).
You can check the order of the SecurityFilterBean
s using the
debug-web-module
.
Spring Security 5.8 instead of 5.7
We went straight to Spring Security 5.8, whose main purpose is to provide a intermediate migration step to 6.0:
-
https://docs.spring.io/spring-security/reference/5.8/whats-new.html
-
https://docs.spring.io/spring-security/reference/5.8/migration/servlet/index.html
Note also that Spring Security 5.8 (and Spring Framework 5.3) will receive updates until the end of August 2024.
Spring Security Lambda DSL
Lastly, when adapting your security configuration, consider switching immediately to the Lambda DSL (which will be the only one supported in Spring Security 7):
-
https://spring.io/blog/2019/11/21/spring-security-lambda-dsl
-
https://docs.spring.io/spring-security/reference/migration-7/configuration.html
Lombok upgrade
Spring Boot 2.7 has upgraded to Lombok 1.18.30 from 1.18.26.
In one of the client projects, we gotten bitten by the “IMPROBABLE
BREAKING CHANGE” in Lombok
1.18.24. Note
that it’s not just “copy some of these new annotations”, but also
actually introduces null checks. This includes for instance
javax.annotation.Nonnull
.
What’s even weirder: Spring Boot 2.6 (Across 5.4) actually already
used
1.18.26
(e.g. a (newer) release). I’ve tracked that the behaviour change is
indeed in
1.18.28,
not in 1.18.24: so the release notes seem wrong. But it may be rather
that change that triggered it, despite that that ticket is about
jakarta.annotation.Nonnull
, not javax.annotation.Nonnull
.
Anyway, be advised: Lombok might now generate null-checks which you had not before.
Upgrades
With the upgrade to Spring Boot 2.7.18, Java 21 is supported according to the 2.7 System requirements, but we have not yet tested this.
Most important upgrades (compared to 5.4.2):
-
Spring Boot: from 2.6.15 to 2.7.18: 2.7 Release notes.
-
Spring Framework: from 5.3.32 to 5.3.34, including CVE fixes:
-
Spring Security: from 5.6.12 to 5.8.12:
-
Hibernate is still at 5.6.15, since that’s the very last 5.x release.
-
Jackson is still at 2.13.5.
-
Liquibase: from 4.17.0 to 4.27.0
Removed modules
Two security related modules have been removed, to avoid unnecessary effort adapting them to the Spring Security changes:
-
spring-security-acl-module
was removed because it is only used (very sparingly) in one project. Previouslyuser-module
integrated with Spring Security ACL module, but that integration is obviously also removed now. -
oauth2-module
: also used in only one project. This is also based on the old Spring Security OAuth project, which has been unsupported for almost two years already.
Next steps
The next release of Across will be 6.0, and will be based on Spring Boot 3.x. Here are a few things that you can do to prepare for that:
Once you’ve migrated to Across 5.5, your next steps should be:
-
Upgrade your application(s) to JDK17 (minimum version for Spring Boot 3) or JDK21.
-
Switch your Maven project setup from “Across as a platform” to “Across as just another library”, since that will be the only option left in Across 6. See the Across 5.2.2 release notes for details how to do this.
-
Take a look at the various migration guides, and check if there’s anything else that you can already do:
Thanks
Many thanks to:
-
Steven, for some suggestions on how we could solve the Spring Security changes (even though we took another approach).
-
Jesse, for providing valuable insights into how Across is used in our largest project, and what we could drop from this release.
-
Marlies, Arno and Branko for testing early versions of Across 5.5 with various client applications.