Merge pull request #16 from mo0mw/feature/spring-boot-3

Add Spring Boot 3.x support (breaking changes)
movewp3 · Dec 22, 2022 · 40673f4 · 40673f4
2 parents 5fb052f + 2e8a79c
commit 40673f4
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 72 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Set up Java
         uses: actions/setup-java@v2
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'adopt'
 
       - name: Maven build

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Set up Maven Central repository
         uses: actions/setup-java@v2
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'adopt'
           server-id: ossrh
           server-username: MAVEN_USERNAME

diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>io.dwpbank.movewp3</groupId>
     <artifactId>microservice-security-autoconfiguration</artifactId>
-    <version>0.7.2-SNAPSHOT</version>
+    <version>3.0.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <name>MoveWP3 Microservice Security Autoconfiguration</name>
@@ -19,14 +19,14 @@
     </licenses>
 
     <developers>
-        <developer>
-            <name>Thilo-Alexander Ginkel</name>
-            <email>tg@tgbyte.de</email>
-        </developer>
         <developer>
             <name>Jörn Gersdorf</name>
             <email>Joern.Gersdorf@dwpbank.de</email>
         </developer>
+        <developer>
+            <name>Nils Eckert</name>
+            <email>nils.eckert@eckert-partner.it</email>
+        </developer>
     </developers>
 
     <scm>
@@ -47,29 +47,29 @@
     </distributionManagement>
 
     <properties>
-        <java.version>11</java.version>
+        <java.version>17</java.version>
 
         <project.build.outputTimestamp>${git.commit.timestamp.datetime}</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
         <!-- Dependencies -->
-        <fabric8-mockwebserver.version>0.1.8</fabric8-mockwebserver.version>
-        <jackson.version>2.12.5</jackson.version>
-        <junit-jupiter.version>5.8.0</junit-jupiter.version>
-        <okhttp3.version>4.9.1</okhttp3.version>
-        <spring-boot.version>[2.3.0.RELEASE,2.6.0.M0)</spring-boot.version>
-        <spring-security.version>[5.3.0.RELEASE,5.6.0.M0)</spring-security.version>
+        <fabric8-mockwebserver.version>0.2.2</fabric8-mockwebserver.version>
+        <jackson.version>2.14.1</jackson.version>
+        <okhttp3.version>4.10.0</okhttp3.version>
+        <spring-boot.version>[3.0.0,3.1.0)</spring-boot.version>
+        <spring-security.version>[6.0.0,6.1.0)</spring-security.version>
+        <junit-4.version>4.13.2</junit-4.version>
 
         <!-- Plugins -->
-        <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
+        <maven-compiler-plugin.version>3.10.1</maven-compiler-plugin.version>
         <maven-gpg-plugin.version>3.0.1</maven-gpg-plugin.version>
-        <maven-javadoc-plugin.version>3.3.1</maven-javadoc-plugin.version>
-        <maven-site-plugin.version>3.9.1</maven-site-plugin.version>
+        <maven-javadoc-plugin.version>3.4.1</maven-javadoc-plugin.version>
+        <maven-site-plugin.version>3.12.1</maven-site-plugin.version>
         <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
         <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
-        <nexus-staging-maven-plugin.version>1.6.8</nexus-staging-maven-plugin.version>
-        <sortpom-maven-plugin.version>3.0.0</sortpom-maven-plugin.version>
-        <versions-maven-plugin.version>2.8.1</versions-maven-plugin.version>
+        <nexus-staging-maven-plugin.version>1.6.13</nexus-staging-maven-plugin.version>
+        <sortpom-maven-plugin.version>3.2.0</sortpom-maven-plugin.version>
+        <versions-maven-plugin.version>2.14.1</versions-maven-plugin.version>
     </properties>
 
     <dependencies>
@@ -116,6 +116,14 @@
             <version>${okhttp3.version}</version>
             <scope>test</scope>
         </dependency>
+        <!-- Patch for CVE-2020-15250 junit 4 transitive dependency via com.squareup.okhttp3:mockwebserver -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit-4.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <!-- End Patch -->
         <dependency>
             <groupId>io.fabric8</groupId>
             <artifactId>mockwebserver</artifactId>
@@ -128,12 +136,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter</artifactId>
-            <version>${junit-jupiter.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
@@ -144,6 +146,10 @@
                     <artifactId>junit-vintage-engine</artifactId>
                     <groupId>org.junit.vintage</groupId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>

diff --git a/...ewp3/microservice/security/autoconfiguration/client/WebClientOauth2AutoConfiguration.java b/...ewp3/microservice/security/autoconfiguration/client/WebClientOauth2AutoConfiguration.java
@@ -26,6 +26,7 @@
  * As a prerequisite the OAuth2 client registration needs to be configured using standard Spring Security means, such as:
  * </p>
  * <pre>
+ *   {@code
  *   spring:
  *    security:
  *      oauth2:
@@ -39,6 +40,7 @@
  *          provider:
  *           example-provider:
  *             token-uri: https://oauth2.example.com/oauth2/token
+ *  }
  * </pre>
  *
  * <p>
@@ -73,7 +75,6 @@ public WebClient.Builder oauth2AwareWebClientBuilder(
     return oauth2WebClientBuilder;
   }
 
-  @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
   @Bean
   public OAuth2AuthorizedClientManager authorizedClientManager(
       ClientRegistrationRepository clientRegistrationRepository,
@@ -91,7 +92,6 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
     return authorizedClientManager;
   }
 
-  @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
   @Bean
   public static ServletOAuth2AuthorizedClientExchangeFilterFunction oAuth2ExchangeFilterFunction(
       @Value("${io.dwpbank.microservice-security-autoconfiguration.default-client-registration-id:default}") String defaultClientRegistrationId,

diff --git a/...ice/security/autoconfiguration/server/OidcResourceServerWebSecurityConfigurerAdapter.java b/...ice/security/autoconfiguration/server/OidcResourceServerWebSecurityConfigurerAdapter.java
diff --git a/.../movewp3/microservice/security/autoconfiguration/server/WebSecurityAutoConfiguration.java b/.../movewp3/microservice/security/autoconfiguration/server/WebSecurityAutoConfiguration.java
@@ -1,22 +1,25 @@
 package io.dwpbank.movewp3.microservice.security.autoconfiguration.server;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * An autoconfiguration that enables OIDC-based authentication for all HTTP endpoints (except for <code>/actuator/*</code> as soon as the
  * property <code>microservice.security.oauth2.resourceserver.jwt.jwk-set-uri</code> is set to the JWK Set URI of an OpenID Connect
  * provider.
  * <p>
  * In case both {@link OAuth2ClientAutoConfiguration} and this auto-configuration are applied onto an application, both would try and add a
- * {@link WebSecurityConfigurerAdapter}. To avoid such a conflict, the one defined in this class will take precedence over the one provided
- * via {@link OAuth2ClientAutoConfiguration}.
+ * {@link SecurityFilterChain}. To avoid such a conflict, the one defined in this class will take precedence over the one provided via
+ * {@link OAuth2ClientAutoConfiguration}.
  */
 @Configuration
 @EnableWebSecurity
@@ -25,9 +28,28 @@
 @ConditionalOnWebApplication
 public class WebSecurityAutoConfiguration {
 
+  @Value("${io.dwpbank.movewp3.microservice.security.allowlist:/actuator/**}")
+  private String[] allowlist;
+
   @Bean
-  WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
-    return new OidcResourceServerWebSecurityConfigurerAdapter();
+  SecurityFilterChain oidcResourceServerSecurityFilterChain(HttpSecurity http) throws Exception {
+    // @formatter:off
+    http
+        .authorizeHttpRequests()
+        .requestMatchers(allowlist)
+        .permitAll()
+        .anyRequest()
+        .authenticated()
+        .and()
+        .oauth2ResourceServer().jwt();
+    // @formatter:on
+
+    http.sessionManagement()
+        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+    http.csrf().disable();
+
+    return http.build();
   }
 }
 
diff --git a/src/main/resources/META-INF/spring.factories b/src/main/resources/META-INF/spring.factories
diff --git a/...esources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/...esources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
@@ -0,0 +1,2 @@
+io.dwpbank.movewp3.microservice.security.autoconfiguration.server.WebSecurityAutoConfiguration
+io.dwpbank.movewp3.microservice.security.autoconfiguration.client.WebClientOauth2AutoConfiguration
diff --git a/.../io/dwpbank/movewp3/microservice/security/autoconfiguration/client/TestConfiguration.java b/.../io/dwpbank/movewp3/microservice/security/autoconfiguration/client/TestConfiguration.java
@@ -25,7 +25,7 @@ public ClientRegistration clientRegistration(DefaultMockServer defaultMockServer
     return ClientRegistration.withRegistrationId("default")
         .clientId("client-1")
         .clientSecret("secret")
-        .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
         .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
         .scope("read", "write")
         .tokenUri(defaultMockServer.url("/oauth2/token"))