Merge branch 'release/5.0.0'

.github/workflows/build.yaml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/setup-java@v2
         with:
           distribution: 'adopt'
-          java-version: '11'
+          java-version: '17'
           cache: 'gradle'
       - uses: actions/cache@v2
         with:
@@ -32,18 +32,7 @@ jobs:
     strategy:
       matrix:
         springBootVersion:
-          - 2.0.9.RELEASE
-          - 2.1.18.RELEASE
-          - 2.2.13.RELEASE
-          - 2.3.12.RELEASE
-          - 2.4.13
-          - 2.5.14
-          - 2.6.14
-          - 2.7.6
-          # 3.0.0 will not be supported for now due to:
-          # * requires java 17
-          # * needs other imports for servlet classes (javax.servlet -> jakarta.servlet)
-          # * is not backwards compatible to 2.x
+          - 3.0.0
     runs-on: ubuntu-latest
     needs: build
     steps:
@@ -62,7 +51,7 @@ jobs:
       - uses: actions/setup-java@v2
         with:
           distribution: 'adopt'
-          java-version: '8'
+          java-version: '17'
           cache: 'gradle'
       - uses: niden/actions-memcached@v7
       - uses: supercharge/[email protected]

CHANGELOG.md

@@ -3,6 +3,10 @@
 ### [unreleased]
 * no changes yet
 
+### [5.0.0] (2022-11-24)
+* add support for spring boot 3 (breaking, _not_ backwards compatible)
+* require java 17 (as of spring boot 3)
+
 ### [4.6.3] (2022-11-24)
 * (all) upgrade jackson to 2.14.1
 * (all) upgrade nimbus-jose-jwt to 9.25.6
@@ -166,7 +170,8 @@
 * Initial release to github and maven central
 
 
-[unreleased]: https://github.com/bratkartoffel/security-jwt/compare/4.6.3...develop
+[unreleased]: https://github.com/bratkartoffel/security-jwt/compare/5.0.0...develop
+[5.0.0]: https://github.com/bratkartoffel/security-jwt/compare/4.6.3...5.0.0
 [4.6.3]: https://github.com/bratkartoffel/security-jwt/compare/4.6.2...4.6.3
 [4.6.2]: https://github.com/bratkartoffel/security-jwt/compare/4.6.1...4.6.2
 [4.6.1]: https://github.com/bratkartoffel/security-jwt/compare/4.6.0...4.6.1

base-spring-boot-starter/src/main/java/eu/fraho/spring/securityJwt/base/starter/SecurityJwtBaseAutoConfiguration.java

@@ -6,7 +6,6 @@
  */
 package eu.fraho.spring.securityJwt.base.starter;
 
-import eu.fraho.spring.securityJwt.base.config.JwtSecurityConfig;
 import eu.fraho.spring.securityJwt.base.config.RefreshCookieProperties;
 import eu.fraho.spring.securityJwt.base.config.RefreshProperties;
 import eu.fraho.spring.securityJwt.base.config.TokenCookieProperties;
@@ -25,7 +24,6 @@
 import eu.fraho.spring.securityJwt.base.service.TotpService;
 import eu.fraho.spring.securityJwt.base.service.TotpServiceImpl;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
@@ -35,17 +33,14 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Scope;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 @Configuration
 @AutoConfigureBefore(SecurityAutoConfiguration.class)
-@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+@EnableMethodSecurity(securedEnabled = true)
 @Slf4j
 public class SecurityJwtBaseAutoConfiguration {
     @Bean
@@ -74,11 +69,6 @@ public RefreshProperties refreshProperties() {
         return new RefreshProperties();
     }
 
-    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
-    public AuthenticationManager authenticationManagerBean(@Autowired JwtSecurityConfig config) throws Exception {
-        return config.authenticationManagerBean();
-    }
-
     @Bean
     public JwtTokenService jwtTokenService() {
         log.debug("Register JwtTokenService");
@@ -177,16 +167,4 @@ public LogoutRestController logoutRestController(final TokenCookieProperties tok
         controller.setRefreshCookieProperties(refreshCookieProperties);
         return controller;
     }
-
-    @Bean
-    public JwtSecurityConfig webSecurityConfig(final UserDetailsService userDetailsService,
-                                               final PasswordEncoder passwordEncoder,
-                                               final JwtTokenService jwtTokenService) {
-        log.debug("Register JwtSecurityConfig");
-        JwtSecurityConfig config = new JwtSecurityConfig();
-        config.setUserDetailsService(userDetailsService);
-        config.setPasswordEncoder(passwordEncoder);
-        config.setJwtTokenService(jwtTokenService);
-        return config;
-    }
 }

base-spring-boot-starter/src/main/resources/META-INF/spring.factories → base-spring-boot-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -1,5 +1,5 @@
-org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
-eu.fraho.spring.securityJwt.base.starter.SecurityJwtBaseAutoConfiguration,\
-eu.fraho.spring.securityJwt.base.starter.SecurityJwtNoRefreshStoreAutoConfiguration,\
-eu.fraho.spring.securityJwt.base.starter.InstallBouncyCastleConfiguration,\
-eu.fraho.spring.securityJwt.base.starter.SecurityJwtPasswordAutoConfiguration
+eu.fraho.spring.securityJwt.base.config.JwtSecurityConfig
+eu.fraho.spring.securityJwt.base.starter.SecurityJwtBaseAutoConfiguration
+eu.fraho.spring.securityJwt.base.starter.SecurityJwtNoRefreshStoreAutoConfiguration
+eu.fraho.spring.securityJwt.base.starter.InstallBouncyCastleConfiguration
+eu.fraho.spring.securityJwt.base.starter.SecurityJwtPasswordAutoConfiguration

base/src/main/java/eu/fraho/spring/securityJwt/base/JwtAuthenticationTokenFilter.java

@@ -8,6 +8,10 @@
 
 import eu.fraho.spring.securityJwt.base.dto.JwtUser;
 import eu.fraho.spring.securityJwt.base.service.JwtTokenService;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.AllArgsConstructor;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
@@ -18,10 +22,6 @@
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 @Slf4j

base/src/main/java/eu/fraho/spring/securityJwt/base/config/JwtSecurityConfig.java

@@ -18,37 +18,36 @@
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.BeanIds;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
-@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+@EnableMethodSecurity(securedEnabled = true)
 @Order(90)
 @Slf4j
 @NoArgsConstructor
 @AllArgsConstructor
-public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
+public class JwtSecurityConfig {
     private UserDetailsService userDetailsService;
     private PasswordEncoder passwordEncoder;
     private JwtTokenService jwtTokenService;
 
-    @NonNull
-    @Override
-    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
+    @Bean
+    public AuthenticationProvider authenticationProvider() {
         log.debug("Configuring AuthenticationManagerBuilder");
-        authenticationManagerBuilder
-                .userDetailsService(userDetailsService)
-                .passwordEncoder(passwordEncoder);
+        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
+        authProvider.setUserDetailsService(userDetailsService);
+        authProvider.setPasswordEncoder(passwordEncoder);
+        return authProvider;
     }
 
     @Bean
@@ -59,19 +58,13 @@ public JwtAuthenticationTokenFilter authenticationTokenFilterBean() {
         return filter;
     }
 
-    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
-    @Override
-    public AuthenticationManager authenticationManagerBean() throws Exception {
-        log.debug("Creating AuthenticationManager");
-        return super.authenticationManagerBean();
-    }
-
-    @Override
-    public void configure(HttpSecurity httpSecurity) throws Exception {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
         log.info("Loading fraho security-jwt version {}", JwtSecurityConfig.class.getPackage().getImplementationVersion());
         log.debug("Configuring HttpSecurity");
 
         httpSecurity
+                .authenticationProvider(authenticationProvider())
                 // we don't need CSRF because our token is invulnerable
                 .csrf().disable()
                 // use our unauthorized handler
@@ -82,6 +75,13 @@ public void configure(HttpSecurity httpSecurity) throws Exception {
                 .and()
                 // Custom JWT based security filter
                 .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
+
+        return httpSecurity.build();
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfiguration) throws Exception {
+        return authConfiguration.getAuthenticationManager();
     }
 
     @Autowired

base/src/main/java/eu/fraho/spring/securityJwt/base/config/RefreshCookieProperties.java

@@ -40,22 +40,22 @@ public class RefreshCookieProperties implements CookieProperties {
     /**
      * The cookie will only be sent to these domains.
      *
-     * @see javax.servlet.http.Cookie#setDomain(String)
+     * @see jakarta.servlet.http.Cookie#setDomain(String)
      */
 
     private String domain;
 
     /**
      * The cookie will not be accessible by client JavaScript if enabled (highly recommend)
      *
-     * @see javax.servlet.http.Cookie#setHttpOnly(boolean)
+     * @see jakarta.servlet.http.Cookie#setHttpOnly(boolean)
      */
     private boolean httpOnly = true;
 
     /**
      * The cookie will only be sent over an encrypted (https) connection (recommend)
      *
-     * @see javax.servlet.http.Cookie#setSecure(boolean)
+     * @see jakarta.servlet.http.Cookie#setSecure(boolean)
      */
     private boolean secure = true;
 
@@ -64,7 +64,7 @@ public class RefreshCookieProperties implements CookieProperties {
      * <p>
      * This path spec has to include the endpoint for refreshing tokens, otherwise this won't work!
      *
-     * @see javax.servlet.http.Cookie#setPath(String)
+     * @see jakarta.servlet.http.Cookie#setPath(String)
      */
 
     @NonNull

base/src/main/java/eu/fraho/spring/securityJwt/base/config/TokenCookieProperties.java

@@ -40,7 +40,7 @@ public class TokenCookieProperties implements CookieProperties {
     /**
      * The issued access token cookie will only be sent by the client to URIs matching this pattern.
      *
-     * @see javax.servlet.http.Cookie#setPath(String)
+     * @see jakarta.servlet.http.Cookie#setPath(String)
      */
 
     @NonNull
@@ -49,22 +49,22 @@ public class TokenCookieProperties implements CookieProperties {
     /**
      * The issued tokens will only be valid for the specified domain. Defaults to the issuing server domain.
      *
-     * @see javax.servlet.http.Cookie#setDomain(String)
+     * @see jakarta.servlet.http.Cookie#setDomain(String)
      */
 
     private String domain;
 
     /**
      * The cookie will not be accessible by client JavaScript if enabled (highly recommend)
      *
-     * @see javax.servlet.http.Cookie#setHttpOnly(boolean)
+     * @see jakarta.servlet.http.Cookie#setHttpOnly(boolean)
      */
     private boolean httpOnly = true;
 
     /**
      * The cookie will only be sent over an encrypted (https) connection (highly recommend)
      *
-     * @see javax.servlet.http.Cookie#setSecure(boolean)
+     * @see jakarta.servlet.http.Cookie#setSecure(boolean)
      */
     private boolean secure = true;
 

base/src/main/java/eu/fraho/spring/securityJwt/base/controller/CookieSupport.java

@@ -8,9 +8,9 @@
 
 import eu.fraho.spring.securityJwt.base.config.CookieProperties;
 import eu.fraho.spring.securityJwt.base.dto.AbstractToken;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
 import java.util.Optional;
 
 public interface CookieSupport {

base/src/main/java/eu/fraho/spring/securityJwt/base/controller/LoginRestController.java

@@ -15,6 +15,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
@@ -26,8 +27,6 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletResponse;
-
 @RestController
 @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
 @Slf4j

base/src/main/java/eu/fraho/spring/securityJwt/base/controller/LogoutRestController.java

@@ -14,6 +14,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
@@ -26,8 +27,6 @@
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletResponse;
-
 @RestController
 @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
 @Slf4j

base/src/main/java/eu/fraho/spring/securityJwt/base/controller/RefreshRestController.java

@@ -16,6 +16,8 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
@@ -28,8 +30,6 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.util.Optional;
 
 @RestController

base/src/main/java/eu/fraho/spring/securityJwt/base/service/JwtTokenService.java

@@ -12,8 +12,8 @@
 import eu.fraho.spring.securityJwt.base.dto.AccessToken;
 import eu.fraho.spring.securityJwt.base.dto.JwtUser;
 import eu.fraho.spring.securityJwt.base.dto.RefreshToken;
+import jakarta.servlet.http.HttpServletRequest;
 
-import javax.servlet.http.HttpServletRequest;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;