[Auto] Upgrade to Spring Boot 3.0

dependencies.gradle

@@ -4,23 +4,23 @@ ext {
 }
 
 // Versions shared between multiple dependencies
-versions.aspectJVersion = "1.9.4"
+versions.aspectJVersion = "1.9.20.1"
 versions.apacheDsVersion = "2.0.0.AM27"
 versions.bouncyCastleFipsVersion = "2.0.0"
 versions.bouncyCastlePkixFipsVersion = "2.0.7"
 versions.bouncyCastleTlsFipsVersion = "2.0.19"
 versions.hamcrestVersion = "3.0"
-versions.springBootVersion = "2.7.18"
-versions.springFrameworkVersion = "5.3.39"
-versions.springSecurityVersion = "5.8.16"
-versions.tomcatCargoVersion = "9.0.97"
+versions.springBootVersion = "3.0.13"
+versions.springFrameworkVersion = "6.0.14"
+versions.springSecurityVersion = "6.0.8"
+versions.tomcatCargoVersion = "11.0.1"
 versions.guavaVersion = "33.3.1-jre"
 versions.seleniumVersion = "4.27.0"
 versions.braveVersion = "6.0.3"
 versions.jacksonVersion = "2.18.2"
 versions.jsonPathVersion = "2.9.0"
 versions.awaitilityVersion = "4.2.2"
-versions.opensaml = "4.0.1" // Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.
+versions.opensaml = "5.1.2" // Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.
 
 // Versions we're overriding from the Spring Boot Bom (Dependabot does not issue PRs to bump these versions, so we need to manually bump them)
 ext["mariadb.version"] = "2.7.12" // Bumping to v3 breaks some pipeline jobs (and compatibility with Amazon Aurora MySQL), so pinning to v2 for now. v2 (current version) is stable and will be supported until about September 2025 (https://mariadb.com/kb/en/about-mariadb-connector-j/).
@@ -51,7 +51,7 @@ libraries.bouncyCastlePkixFips = "org.bouncycastle:bcpkix-fips:${versions.bouncy
 libraries.bouncyCastleFipsProv = "org.bouncycastle:bc-fips:${versions.bouncyCastleFipsVersion}"
 libraries.bouncyCastleTlsFips = "org.bouncycastle:bctls-fips:${versions.bouncyCastleTlsFipsVersion}"
 libraries.braveInstrumentationSpringWebmvc = "io.zipkin.brave:brave-instrumentation-spring-webmvc:${versions.braveVersion}"
-libraries.braveContextSlf4j = "io.zipkin.brave:brave-context-slf4j:${versions.braveVersion}"
+
 libraries.commonsCodec = "commons-codec:commons-codec:1.17.1"
 libraries.commonsIo = "commons-io:commons-io:2.18.0"
 libraries.dumbster = "dumbster:dumbster:1.6"
@@ -66,9 +66,9 @@ libraries.hsqldb = "org.hsqldb:hsqldb"
 libraries.jacksonAnnotations = "com.fasterxml.jackson.core:jackson-annotations:${versions.jacksonVersion}"
 libraries.jacksonDatabind = "com.fasterxml.jackson.core:jackson-databind:${versions.jacksonVersion}"
 libraries.jacksonDataformatYaml = "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:${versions.jacksonVersion}"
-libraries.javaxServlet = "javax.servlet:jstl"
-libraries.javaxValidationApi = "javax.validation:validation-api"
-libraries.javaxXmlBindApi = "javax.xml.bind:jaxb-api"
+libraries.javaxServlet = "jakarta.servlet:jakarta.servlet-api:6.1.0"
+libraries.javaxValidationApi = "jakarta.validation:jakarta.validation-api:3.1.0"
+libraries.javaxXmlBindApi = "jakarta.xml.bind:jakarta.xml.bind-api:4.0.2"
 libraries.glassfishJaxb = "org.glassfish.jaxb:jaxb-runtime"
 libraries.jsonAssert = "org.skyscreamer:jsonassert"
 libraries.jsonPath = "com.jayway.jsonpath:json-path:${versions.jsonPathVersion}"
@@ -81,9 +81,12 @@ libraries.junitVintageEngine = "org.junit.vintage:junit-vintage-engine"
 libraries.log4jCore = "org.apache.logging.log4j:log4j-core"
 libraries.lombok = "org.projectlombok:lombok"
 libraries.mariaJdbcDriver = "org.mariadb.jdbc:mariadb-java-client"
-libraries.mockito = "org.mockito:mockito-core"
+libraries.mockito = "org.mockito:mockito-inline"
 libraries.mockitoJunit5 = "org.mockito:mockito-junit-jupiter"
 libraries.openSamlApi = "org.opensaml:opensaml-saml-api:${versions.opensaml}"
+libraries.openSamlImpl = "org.opensaml:opensaml-saml-impl:${versions.opensaml}"
+libraries.openSamlCoreApi = "org.opensaml:opensaml-core-api:${versions.opensaml}"
+libraries.openSamlCoreImpl = "org.opensaml:opensaml-core-impl:${versions.opensaml}"
 libraries.passay = "org.passay:passay:1.6.6"
 libraries.postgresql = "org.postgresql:postgresql:42.7.4"
 libraries.selenium = "org.seleniumhq.selenium:selenium-java:${versions.seleniumVersion}"
@@ -120,9 +123,9 @@ libraries.springWeb = "org.springframework:spring-web:${versions.springFramework
 libraries.springWebMvc = "org.springframework:spring-webmvc:${versions.springFrameworkVersion}"
 libraries.statsdClient = "com.timgroup:java-statsd-client:3.1.0"
 libraries.thymeleafDialect = "nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect"
-libraries.thymeleafExtrasSpringSecurity5 = "org.thymeleaf.extras:thymeleaf-extras-springsecurity5"
+libraries.thymeleafExtrasSpringSecurity5 = "org.thymeleaf.extras:thymeleaf-extras-springsecurity6"
 libraries.thymeLeaf = "org.thymeleaf:thymeleaf"
-libraries.thymeleafSpring5 = "org.thymeleaf:thymeleaf-spring5"
+libraries.thymeleafSpring5 = "org.thymeleaf:thymeleaf-spring6"
 libraries.tomcatElApi = "org.apache.tomcat.embed:tomcat-embed-el:${versions.tomcatCargoVersion}"
 libraries.tomcatEmbed = "org.apache.tomcat.embed:tomcat-embed-core:${versions.tomcatCargoVersion}"
 libraries.tomcatJasperEl = "org.apache.tomcat.embed:tomcat-embed-jasper:${versions.tomcatCargoVersion}"
@@ -135,7 +138,7 @@ libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.3"
 libraries.xmlUnit = "org.xmlunit:xmlunit-assertj:2.10.0"
 libraries.orgJson = "org.json:json:20240303"
 libraries.jodaTime = "joda-time:joda-time:2.13.0"
-libraries.apacheHttpClient = "org.apache.httpcomponents:httpclient:4.5.14"
+libraries.apacheHttpClient = "org.apache.httpcomponents.client5:httpclient5:5.4.1"
 libraries.jacocoAgent = "org.jacoco:org.jacoco.agent:0.8.12"
 
 // gradle plugins

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/http/OAuth2ErrorHandler.java

@@ -5,6 +5,7 @@
 import org.cloudfoundry.identity.uaa.oauth.common.OAuth2AccessToken;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.HttpMessageConversionException;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -66,12 +67,12 @@ public OAuth2ErrorHandler(ResponseErrorHandler errorHandler, OAuth2ProtectedReso
 	}
 
 	public boolean hasError(ClientHttpResponse response) throws IOException {
-		return HttpStatus.Series.CLIENT_ERROR.equals(response.getStatusCode().series())
+		return HttpStatus.Series.CLIENT_ERROR.equals(HttpStatus.valueOf(response.getStatusCode().value()).series())
 				|| this.errorHandler.hasError(response);
 	}
 
 	public void handleError(final ClientHttpResponse response) throws IOException {
-		if (!HttpStatus.Series.CLIENT_ERROR.equals(response.getStatusCode().series())) {
+		if (!HttpStatus.Series.CLIENT_ERROR.equals(HttpStatus.valueOf(response.getStatusCode().value()).series())) {
 			// We should only care about 400 level errors. Ex: A 500 server error shouldn't
 			// be an oauth related error.
 			errorHandler.handleError(response);
@@ -81,30 +82,33 @@ public void handleError(final ClientHttpResponse response) throws IOException {
 			ClientHttpResponse bufferedResponse = new ClientHttpResponse() {
 				private byte[] lazyBody;
 
-				public HttpStatus getStatusCode() throws IOException {
+				@Override
+                public HttpStatusCode getStatusCode() throws IOException {
 					return response.getStatusCode();
 				}
-
-				public synchronized InputStream getBody() throws IOException {
+                @Override
+                public synchronized InputStream getBody() throws IOException {
 					if (lazyBody == null) {
 						InputStream bodyStream = response.getBody();
 						lazyBody = FileCopyUtils.copyToByteArray(bodyStream);
 					}
 					return new ByteArrayInputStream(lazyBody);
 				}
-
-				public HttpHeaders getHeaders() {
+				@Override
+                public HttpHeaders getHeaders() {
 					return response.getHeaders();
 				}
 
+                @Override
 				public String getStatusText() throws IOException {
 					return response.getStatusText();
 				}
-
+                @Override
 				public void close() {
 					response.close();
 				}
 
+                @Override
 				public int getRawStatusCode() throws IOException {
 					return this.getStatusCode().value();
 				}

model/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProvider.java

@@ -29,7 +29,7 @@
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.util.StringUtils;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.io.IOException;
 import java.util.Date;
 

model/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProvider.java

@@ -16,7 +16,7 @@
 import java.io.IOException;
 import java.util.Date;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.util.StringUtils;

model/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZone.java

@@ -8,7 +8,7 @@
 import lombok.EqualsAndHashCode;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.util.Calendar;
 import java.util.Date;
 

samples/api/src/main/java/org/cloudfoundry/identity/api/web/ApiController.java

@@ -12,8 +12,8 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.View;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.security.Principal;
@@ -52,7 +52,7 @@ public void setInfo(Resource info) {
         }
     }
 
-    @RequestMapping("/info")
+    @RequestMapping({"/info", "/info/"})
     public View info(Map<String, Object> model, Principal principal) {
         model.put("loginUrl", loginUrl);
         model.put("uaaUrl", uaaUrl);

samples/api/src/main/java/org/cloudfoundry/identity/api/web/ContentTypeFilter.java

@@ -17,13 +17,13 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 
 /**
  * A servlet filter that adds a content type header to any path that matches one

samples/api/src/main/webapp/WEB-INF/web.xml

@@ -3,8 +3,8 @@
     you under the Apache License, Version 2.0 (the "License"). You may not use this product except in compliance with the License.
     This product includes a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents
     is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. -->
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd" version="6.0">
 
     <filter>
         <filter-name>springSecurityFilterChain</filter-name>

samples/api/src/test/java/org/cloudfoundry/identity/api/web/OAuth2ContextSetup.java

@@ -2,11 +2,11 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.http.client.config.CookieSpecs;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.client.config.RequestConfig.Builder;
-import org.apache.http.client.protocol.HttpClientContext;
-import org.apache.http.protocol.HttpContext;
+import org.apache.hc.client5.http.config.RequestConfig;
+import org.apache.hc.client5.http.config.RequestConfig.Builder;
+import org.apache.hc.client5.http.cookie.StandardCookieSpec;
+import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.core5.http.protocol.HttpContext;
 import org.cloudfoundry.identity.uaa.oauth.client.DefaultOAuth2ClientContext;
 import org.cloudfoundry.identity.uaa.oauth.client.OAuth2ClientContext;
 import org.cloudfoundry.identity.uaa.oauth.client.OAuth2RestTemplate;
@@ -335,7 +335,7 @@ protected HttpContext createHttpContext(HttpMethod httpMethod, URI uri) {
 
 				protected RequestConfig getRequestConfig() {
 					Builder builder = RequestConfig.custom()
-							.setCookieSpec(CookieSpecs.IGNORE_COOKIES)
+							.setCookieSpec(StandardCookieSpec.IGNORE)
 							.setAuthenticationEnabled(false).setRedirectsEnabled(false);
 					return builder.build();
 				}

samples/app/src/main/java/org/cloudfoundry/identity/app/web/HomeController.java

@@ -16,7 +16,7 @@
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.Principal;
 
 @Controller
@@ -67,15 +67,15 @@ public void setClientId(String clientId) {
         this.clientId = clientId;
     }
 
-    @RequestMapping("/browse")
+    @RequestMapping({"/browse", "/browse/"})
     public String browse(Model model) {
         model.addAttribute("userAuthorizationUri", userAuthorizationUri);
         model.addAttribute("clientId", clientId);
         model.addAttribute("dataUri", dataUri);
         return "browse";
     }
 
-    @RequestMapping("/home")
+    @RequestMapping({"/home", "/home/"})
     public String home(Model model, Principal principal) {
         model.addAttribute("principal", principal);
         model.addAttribute("approvalsUri", approvalsUri);
@@ -84,13 +84,13 @@ public String home(Model model, Principal principal) {
 
     // Home page with just the user id - useful for testing simplest possible
     // use case
-    @RequestMapping("/id")
+    @RequestMapping({"/id", "/id/"})
     public String id(Model model, Principal principal) {
         model.addAttribute("principal", principal);
         return "home";
     }
 
-    @RequestMapping("/logout")
+    @RequestMapping({"/logout", "/logout/"})
     public String logout(Model model, HttpServletRequest request) {
         String redirect = request.getRequestURL().toString();
         model.addAttribute("cflogout", logoutUrl + "?client_id=app&redirect=" + redirect);

samples/app/src/main/java/org/cloudfoundry/identity/app/web/TreeController.java

@@ -39,7 +39,7 @@ public void setTreeUrlPattern(String treeUrlPattern) {
         this.treeUrlPattern = treeUrlPattern;
     }
 
-    @RequestMapping("/apps")
+    @RequestMapping({"/apps", "/apps/"})
     public String apps(Model model, Principal principal) throws Exception {
         loadItems(model, "apps");
         addUserInfo(model, principal);

samples/app/src/main/webapp/WEB-INF/web.xml

@@ -3,8 +3,8 @@
     you under the Apache License, Version 2.0 (the "License"). You may not use this product except in compliance with the License.
     This product includes a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents
     is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. -->
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd" version="6.0">
 
     <listener>
 		<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>

server/build.gradle

@@ -24,7 +24,13 @@ dependencies {
     implementation(libraries.springSecurityConfig)
     implementation(libraries.springBootStarterMail)
     implementation(libraries.openSamlApi)
-    implementation(libraries.springSecuritySamlServiceProvider)
+    implementation(libraries.openSamlImpl)
+    implementation(libraries.openSamlCoreApi)
+    implementation(libraries.openSamlCoreImpl)
+
+    implementation(libraries.springSecuritySamlServiceProvider) {
+        exclude group: "org.opensaml", module: "opensaml-core"
+    }
     implementation(libraries.jodaTime)
     implementation(libraries.xmlSecurity)
     implementation(libraries.springSessionJdbc)
@@ -70,7 +76,7 @@ dependencies {
     implementation(libraries.springWebMvc)
     implementation(libraries.springSecurityLdap)
     implementation(libraries.springLdapCore)
-    implementation(libraries.springLdapCoreTiger)
+    //implementation(libraries.springLdapCoreTiger)
     implementation(libraries.apacheLdapApi) {
         exclude(module: "slf4j-api")
         exclude(module: "mina-core")
@@ -82,6 +88,8 @@ dependencies {
     implementation(libraries.log4jCore)
 
     implementation(libraries.javaxXmlBindApi)
+    implementation(libraries.javaxServlet)
+
     implementation(libraries.glassfishJaxb)
 
     implementation(libraries.nimbusJwt)