Upgrade to Spring Boot 4.0 #18

2026-05-21T14:55:30+02:00

ansv7779 commented

2026-05-21 14:55:30 +02:00

The new "modular design" required a few changes in the starter Maven dependencies. It also caused some minor Java import changes. The main problem that arose was that the spring-boot-web-server dependency got scoped to "runtime" in Maven. This broke the embedded Docker build since it was excluded from dependency lists. Therefore, it had to be manually added back in the correct "provided" scope.

spring-boot-starter-web, JTE, and Testcontainers had new artifact names. Jackson had to be added as an explicit dependency (for testing only) since it's no longer included by default in Spring Boot.

Spring Boot OAuth 2.0 Authorization Server

There were some internal changes that broke the "custom" developer authorization. The OAuth2AuthorizationEndpointFilter got split into two separate ones (for MFA purposes), and the split off one is executed much much earlier in the chain. Therefore, the old method of changing the HTTP method of the request to trick the regular filter from the custom one no longer works. Luckily an unrelated change had added POST support to the OAuth2AuthorizationEndpointFilter which meant we could stop changing the HTTP method and change the form to submit everything as form fields instead of query parameters. A lot of mechanical changes in the tests were required for this.

MFA support also meant that OIDC ID tokens require the authenticated principal to have a FactorGrantedAuthority which was added to the Shibboleth authentication.

The new ["modular design"](https://spring.io/blog/2025/10/28/modularizing-spring-boot/) required a few changes in the starter Maven dependencies. It also caused some minor Java import changes. The main problem that arose was that the spring-boot-web-server dependency got scoped to "runtime" in Maven. This broke the embedded Docker build since it was excluded from dependency lists. Therefore, it had to be manually added back in the correct "provided" scope. spring-boot-starter-web, JTE, and Testcontainers had new artifact names. Jackson had to be added as an explicit dependency (for testing only) since it's no longer included by default in Spring Boot. ## Spring Boot OAuth 2.0 Authorization Server There were some internal changes that broke the "custom" developer authorization. The `OAuth2AuthorizationEndpointFilter` got split into two separate ones (for MFA purposes), and the split off one is executed much much earlier in the chain. Therefore, the old method of changing the HTTP method of the request to trick the regular filter from the custom one no longer works. Luckily an unrelated change had added POST support to the `OAuth2AuthorizationEndpointFilter` which meant we could stop changing the HTTP method and change the form to submit everything as form fields instead of query parameters. A lot of mechanical changes in the tests were required for this. MFA support also meant that OIDC ID tokens require the authenticated principal to have a `FactorGrantedAuthority` which was added to the Shibboleth authentication.

ansv7779 added 1 commit 2026-05-21 14:55:32 +02:00

Upgrade to Spring Boot 4.0

/ build (push) Successful in 2m19s

Details

9e21586c90

The new ["modular design"](https://spring.io/blog/2025/10/28/modularizing-spring-boot/) required a few changes in the starter Maven dependencies. It also caused some minor Java import changes. The main problem that arose was that the spring-boot-web-server dependency got scoped to "runtime" in Maven. This broke the embedded Docker build since it was excluded from dependency lists. Therefore, it had to be manually added back in the correct "provided" scope.

spring-boot-starter-web, JTE, and Testcontainers had new artifact names. Jackson had to be added as an explicit dependency (for testing only) since it's no longer included by default in Spring Boot.

## Spring Boot OAuth 2.0 Authorization Server
There were some internal changes that broke the "custom" developer authorization. The `OAuth2AuthorizationEndpointFilter` got split into two separate ones (for MFA purposes), and the split off one is executed much much earlier in the chain. Therefore, the old method of changing the HTTP method of the request to trick the regular filter from the custom one no longer works. Luckily an unrelated change had added POST support to the `OAuth2AuthorizationEndpointFilter` which meant we could stop changing the HTTP method and change the form to submit everything as form fields instead of query parameters. A lot of mechanical changes in the tests were required for this.

MFA support also meant that OIDC ID tokens require the authenticated principal to have a `FactorGrantedAuthority` which was added to the Shibboleth authentication.

ansv7779 requested review from stne3960 2026-05-21 14:55:32 +02:00

stne3960 requested changes 2026-05-22 13:02:04 +02:00

Dismissed

pom.xml

						
				@@ -75,1 +81,4 @@

				        </dependency>

				        <dependency>

				            <groupId>org.springframework.boot</groupId>

				            <artifactId>spring-boot-starter-webmvc-test</artifactId>