Spring Boot 3

The steps below will describe most relevant changes to Valtimo. However, please also check the following guides when running into issues:

• Spring Boot 3 Migration Guide.

• Preparing for Spring Security 6.

• Migrating to Spring Security 6.

As a consequence of the Spring Boot 3 upgrade, some other frameworks / dependencies were also upgraded. Each chapter below describes the changes for the relevant framework or dependency.

Spring Boot 3 / Spring 6

• Java 8 is no longer supported. Please use Java 17.

• spring.factories have been replaced by META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports.

  • Listed configuration classes need to be annotated with @AutoConfiguration. More info can be found here

• @Controller or @RestController annotations are now mandatory.

  • When declaring the controller beans via autoconfiguration, please also annotate the controller with com.ritense.valtimo.contract.annotation.@SkipComponentScan to prevent duplicated beans.

• javax packages changed to jakarta.

• @ConstructingBinding on no longer supported/needed for @ConfigurationProperties classes.

Spring Security 6

• HttpSecurity.authorizeRequests has been deprecated.

  • When implementing the HttpSecurityConfigurer, this cannot be mixed with the replacement (authorizeHttpRequests).

Before:

http.authorizeRequests()
    .antMatchers(GET, "/api/v1/ping").permitAll()

New:

http.authorizeHttpRequests { requests ->
    requests.requestMatchers(antMatcher(GET, "/api/v1/ping")).permitAll()
}

• WebSecurityConfigurerAdapter has been removed.

  • Removed CoreHttpSecurityConfigurerAdapter. This has been replaced by ValtimoCoreSecurityFactory.

• AuthorizedUrl.acccess(..) no longer supports expressions as an argument.

  • WhitelistIpRequest has been replaced by WhitelistIpRequestMatcher. An example can be found in CamundaCockpitHttpSecurityConfigurer.

• Removed AuthenticationSecurityConfigurer. No replacement other than implementing a SecurityFilterChain directly.

• OpenAPI endpoint /v3/api-docs is now only available to ROLE_DEVELOPER.

Hibernate 6

• Overriding entity properties is no longer supported.

  As a result, ProcessLink implementations can no longer be a data class and cannot override the base properties of ProcessLink.

  Methods previously generated by the data type like equals(other: Any?), hashCode() and copy(...) should be migrated accordingly.

• SimpleJpaRepository.deleteById never followed spec to ignore not-found entities. This has been fixed in Hibernate 6. The existing endpoints will follow the new JPA behaviour to make the action idempotent:

  • DELETE /api/v1/choice-fields/{non-existent-id} -> 200

  • DELETE /api/v1/choice-field-values/{non-existent-id} -> 200

  • DELETE /api/management/v1/dashboard/{non-existent-id} -> 204

  • DELETE /api/v1/form-management/{non-existent-id} -> 204

• Changes to application.yaml:

  • Removal of spring.jpa.hibernate.naming.physical-strategy. No replacement needed.

  • Removal of spring.jpa.hibernate.naming.implicit-strategy. No replacement needed.

  • Removal of spring.jpa.hibernate.use-new-id-generator-mappings. No replacement needed.

• AuditRecordRepository.findByEventAndDocumentId(List<Class<? extends AuditEvent>> eventTypes, UUID documentId, Pageable pageable); changed to AuditRecordRepository.findByEventAndDocumentId(List<String> eventTypes, UUID documentId, Pageable pageable);

• If exists, change dependency com.fasterxml.jackson.datatype:jackson-datatype-hibernate5 to com.fasterxml.jackson.datatype:jackson-datatype-hibernate6

• If exists, change dependency org.liquibase.ext:liquibase-hibernate5 to org.liquibase.ext:liquibase-hibernate6

Other

• Camunda History TTL is now required by default. Either:

  • Set the camunda:historyTimeToLive via the modeler or XML.

  • Set the application property camunda.bpm.generic-properties.properties.enforceHistoryTimeToLive to false if you don't want to enforce a TTL.

• Mockito 5 vararg matching has changed.