Upgrade to Java 17 and Spring Boot 3.2.0

[devin-ai-integration]

Upgrade to Java 17 and Spring Boot 3.2.0

Summary

Major version upgrade from Java 11 / Spring Boot 2.6.3 to Java 17 / Spring Boot 3.2.0 across the build system, runtime dependencies, and application code.

Build & tooling:

• Java 11 → 17 (sourceCompatibility, targetCompatibility, CI workflow)
• Spring Boot 2.6.3 → 3.2.0
• Gradle wrapper 7.4 → 8.5
• spring-dependency-management 1.0.11 → 1.1.4
• MyBatis Spring Boot Starter 2.2.2 → 3.0.3
• Netflix DGS 4.9.21 → 8.7.1 (via platform BOM)
• DGS codegen plugin 5.0.6 → 6.0.3
• rest-assured 4.5.1 → 5.4.0 (required to resolve Groovy version conflict with Spring Boot 3)

Code migration:

• javax.validation.* / javax.servlet.* → jakarta.validation.* / jakarta.servlet.* (21 files)
• WebSecurityConfigurerAdapter removed; replaced with SecurityFilterChain bean using lambda DSL
• antMatchers → requestMatchers, authorizeRequests → authorizeHttpRequests
• handleMethodArgumentNotValid signature: HttpStatus → HttpStatusCode
• DGS DataFetcherExceptionHandler.onException() → handleException() returning CompletableFuture
• graphql.relay.DefaultPageInfo → generated io.spring.graphql.types.PageInfo builder in GraphQL datafetchers

Verification: Full test suite (./gradlew clean test) passes locally. CI build jobs pass. Snyk security check fails on a pre-existing vulnerability (non-required check, not introduced by this PR).

Review & Testing Checklist for Human

• Verify Spring Security authorization rules — the migration from antMatchers/authorizeRequests to requestMatchers/authorizeHttpRequests can subtly change matching behavior (Spring Security 6 is stricter about trailing slashes and servlet path matching). Manually test authenticated vs. unauthenticated access to key endpoints (/users, /users/login, /articles/feed, /tags, /graphql).
• Verify DGS GraphQL runtime — the DGS version jump (4→8) is large. Test GraphQL queries, especially paginated article/comment connections, since PageInfo construction was rewritten from DefaultPageInfo to the generated builder type. Also verify the GraphQLCustomizeExceptionHandler still surfaces validation errors correctly now that handleException returns CompletableFuture.
• Check jjwt 0.11.2 compatibility — JWT library was not upgraded. Verify authentication works end-to-end (login, token generation, authenticated requests).
• Spot-check rest-assured 5.4.0 test behavior — while tests pass, rest-assured 5.x changed some defaults (e.g., content type handling). Skim test results for any assertions that pass vacuously or behave differently.

Suggested test plan:

1. Run ./gradlew clean test and confirm all tests pass
2. Start the app with ./gradlew bootRun, then manually hit: GET /tags (public), POST /users (register), POST /users/login (login), GET /articles/feed with auth token (authenticated), and a GraphQL query to /graphql
3. Verify JWT flow: register → login → use token on protected endpoint

Notes

• javax.crypto.* imports were intentionally left unchanged (JDK package, not Jakarta EE).
• CORS config comments in WebSecurityConfig were removed during refactor.
• sqlite-jdbc (3.36.0.3) and other transitive dependencies were not upgraded; consider updating in a follow-up if issues arise.
• Snyk security check failure is a pre-existing vulnerability, not introduced by this upgrade.

---

Link to Devin run: https://app.devin.ai/sessions/6489edd6323a4931bee45fb016dd96b6
Requested by: @iancmoritz

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.