Upgrade from Java 11/Spring Boot 2.6 to Java 17/Spring Boot 3.2

[devin-ai-integration]

Upgrade Java 11/Spring Boot 2.6 to Java 17/Spring Boot 3.2

Summary

Complete migration of the RealWorld example app from Java 11 / Spring Boot 2.6.3 to Java 17 / Spring Boot 3.2.5. This is a major version upgrade touching build tooling, namespace changes, security configuration, JWT handling, and GraphQL integration.

Build & tooling:

• Gradle 7.4 → 8.5, Spring Boot 2.6.3 → 3.2.5, Java 11 → 17
• DGS codegen plugin 5.0.6 → 6.2.1, Spotless 6.2.1 → 6.25.0
• CI workflow updated to JDK 17

Dependency upgrades:

• MyBatis Spring Boot 2.2.2 → 3.0.3
• DGS GraphQL 4.9.21 → 7.6.0
• jjwt 0.11.2 → 0.12.5
• rest-assured 4.5.1 → 5.4.0
• SQLite JDBC 3.36.0.3 → 3.45.1.0

Code changes:

• javax.validation.* / javax.servlet.* → jakarta.validation.* / jakarta.servlet.* (21 files)
• WebSecurityConfigurerAdapter → SecurityFilterChain bean with lambda DSL
• antMatchers → requestMatchers (Spring Security 6)
• handleMethodArgumentNotValid signature: HttpStatus → HttpStatusCode
• jjwt: setSubject/setExpiration/parserBuilder/parseClaimsJws/getBody → subject/expiration/parser/parseSignedClaims/getPayload
• jjwt: SignatureAlgorithm.HS512 + SecretKeySpec → Keys.hmacShaKeyFor() (auto-selects HMAC algorithm from key size)
• GraphQL: onException → handleException returning CompletableFuture
• GraphQL: graphql.relay.DefaultPageInfo → generated io.spring.graphql.types.PageInfo

All 68 existing tests pass locally.

Review & Testing Checklist for Human

• JWT algorithm change (HIGH RISK): The old code hardcoded HS512 via SignatureAlgorithm. The new code uses Keys.hmacShaKeyFor() which auto-selects algorithm by key length (≥64 bytes → HS512, 48-63 → HS384, 32-47 → HS256). The production secret in application.properties is 86 bytes so it stays HS512, but any existing tokens from a deployment using a shorter secret would break. Verify the production secret length is ≥64 bytes, or consider pinning Jwts.SIG.HS512 explicitly.
• Security config rewrite: The WebSecurityConfig was rewritten from the imperative WebSecurityConfigurerAdapter style to the SecurityFilterChain bean + lambda DSL. Verify all endpoint authorization rules match the original (OPTIONS, GraphQL, articles feed, user registration/login, public GETs, etc.) by testing the API manually.
• GraphQL integration: DGS jumped from 4.x → 7.x. Test GraphQL queries/mutations (especially pagination with PageInfo, error handling with ConstraintViolationException) to ensure no behavioral regressions.
• End-to-end smoke test: Run the app locally with Java 17, hit REST endpoints (POST /users, POST /users/login, GET /articles, POST /articles, etc.) and GraphQL endpoints to verify authentication, validation, and CRUD operations work.

Notes

• The javax.crypto.* imports in DefaultJwtService were intentionally NOT migrated to jakarta.* — these are JDK classes (java.base module), not Jakarta EE.
• Removed explanatory comments from WebSecurityConfig.corsConfigurationSource() — functionality unchanged.
• Link to Devin run: https://app.devin.ai/sessions/d20b94f8ca2f4dc1935b76fec1859532
• Requested by: @abj453demo

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.