Migrate to spring boot 4

build.gradle

@@ -79,7 +79,7 @@ subprojects {
             resolutionStrategy.eachDependency { DependencyResolveDetails details ->
                 if (details.requested.group == 'org.opensaml' && details.requested.name.startsWith("opensaml-")) {
                     details.useVersion "${versions.opensaml}"
-                    details.because 'Spring Security 5.8.x allows OpenSAML 3 or 4. OpenSAML 3 has reached its end-of-life. Spring Security 6 drops support for 3, using 4.'
+                    details.because 'Pinning all opensaml modules to the same version for OpenSAML 5 migration.'
                 }
             }
         }

dependencies.gradle

@@ -8,11 +8,12 @@ versions.apacheDsVersion = "2.0.0.AM27"
 versions.bouncyCastleFipsVersion = "2.1.2"
 versions.bouncyCastlePkixFipsVersion = "2.1.11"
 versions.bouncyCastleTlsFipsVersion = "2.1.23"
-versions.springBootVersion = "3.5.13"
+versions.springBootVersion = "4.0.4"
 versions.guavaVersion = "33.6.0-jre"
 versions.seleniumVersion = "4.43.0"
 versions.braveVersion = "6.3.1"
-versions.opensaml = "4.3.2"
+// OpenSAML 5.2.x pulls non-FIPS classes; stay on 5.1.x until resolved
+versions.opensaml = "5.1.6"
 
 // Versions we're overriding from the Spring Boot Bom (Dependabot does not issue PRs to bump these versions, so we need to manually bump them)
 ext["selenium.version"] = "${versions.seleniumVersion}" // Selenium for integration tests only
@@ -73,19 +74,37 @@ libraries.slf4jImpl = "org.apache.logging.log4j:log4j-slf4j2-impl"
 libraries.snakeyaml = "org.yaml:snakeyaml"
 libraries.springBeans = "org.springframework:spring-beans"
 libraries.springBootBom = "org.springframework.boot:spring-boot-dependencies:${versions.springBootVersion}"
+libraries.springBootJackson2 = "org.springframework.boot:spring-boot-jackson2"
 libraries.springBootStarter = "org.springframework.boot:spring-boot-starter"
+libraries.springBootStarterAspectj = "org.springframework.boot:spring-boot-starter-aspectj"
+libraries.springBootStarterFlyway = "org.springframework.boot:spring-boot-starter-flyway"
+libraries.springBootStarterFlywayTest = "org.springframework.boot:spring-boot-starter-flyway-test"
+libraries.springBootStarterLdap = "org.springframework.boot:spring-boot-starter-ldap"
+libraries.springBootStarterLdapTest = "org.springframework.boot:spring-boot-starter-ldap-test"
 libraries.springBootStarterLog4j2 = "org.springframework.boot:spring-boot-starter-log4j2"
+libraries.springBootStarterMail = "org.springframework.boot:spring-boot-starter-mail"
+libraries.springBootStarterMailTest = "org.springframework.boot:spring-boot-starter-mail-test"
+libraries.springBootStarterRestclient = "org.springframework.boot:spring-boot-starter-restclient"
+libraries.springBootStarterRestclientTest = "org.springframework.boot:spring-boot-starter-restclient-test"
+libraries.springBootStarterSecurity = "org.springframework.boot:spring-boot-starter-security"
+libraries.springBootStarterSecuritySaml2 = "org.springframework.boot:spring-boot-starter-security-saml2"
+libraries.springBootStarterSecuritySaml2Test = "org.springframework.boot:spring-boot-starter-security-saml2-test"
+libraries.springBootStarterSecurityTest = "org.springframework.boot:spring-boot-starter-security-test"
+libraries.springBootStarterSessionJdbc = "org.springframework.boot:spring-boot-starter-session-jdbc"
 libraries.springBootStarterTest = "org.springframework.boot:spring-boot-starter-test"
+libraries.springBootStarterThymeleaf = "org.springframework.boot:spring-boot-starter-thymeleaf"
+libraries.springBootStarterThymeleafTest = "org.springframework.boot:spring-boot-starter-thymeleaf-test"
 libraries.springBootStarterTomcat = "org.springframework.boot:spring-boot-starter-tomcat"
+libraries.springBootStarterValidation = "org.springframework.boot:spring-boot-starter-validation"
+libraries.springBootStarterValidationTest = "org.springframework.boot:spring-boot-starter-validation-test"
 libraries.springBootStarterWeb = "org.springframework.boot:spring-boot-starter-web"
-libraries.springBootStarterMail = "org.springframework.boot:spring-boot-starter-mail"
 libraries.springContext = "org.springframework:spring-context"
 libraries.springContextSupport = "org.springframework:spring-context-support"
 libraries.springJdbc = "org.springframework:spring-jdbc"
 libraries.springLdapCore = "org.springframework.ldap:spring-ldap-core"
 libraries.springRestdocs = "org.springframework.restdocs:spring-restdocs-mockmvc"
 libraries.springdocOpenapi = "org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.17"
-libraries.springRetry = "org.springframework.retry:spring-retry"
+libraries.springRetry = "org.springframework.retry:spring-retry:2.0.12"
 libraries.springSecurityConfig = "org.springframework.security:spring-security-config"
 libraries.springSecurityCore = "org.springframework.security:spring-security-core"
 libraries.springSecurityLdap = "org.springframework.security:spring-security-ldap"
@@ -98,7 +117,7 @@ libraries.springTx = "org.springframework:spring-tx"
 libraries.springWeb = "org.springframework:spring-web"
 libraries.springWebMvc = "org.springframework:spring-webmvc"
 libraries.statsdClient = "com.timgroup:java-statsd-client:3.1.0"
-libraries.thymeleafDialect = "nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect"
+libraries.thymeleafDialect = "nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:4.0.1"
 libraries.thymeleafExtrasSpringSecurity = "org.thymeleaf.extras:thymeleaf-extras-springsecurity6"
 libraries.thymeLeaf = "org.thymeleaf:thymeleaf"
 libraries.thymeleafSpring = "org.thymeleaf:thymeleaf-spring6"

metrics-data/build.gradle

@@ -10,3 +10,6 @@ processResources {
   //https://www.pivotaltracker.com/story/show/74344574
   filter { line -> line.contains('${project.artifactId}') ? line.replace('${project.artifactId}', 'cloudfoundry-identity-metrics-data') : line }
 }
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
+}

model/build.gradle

@@ -25,8 +25,19 @@ dependencies {
     testImplementation(libraries.junit5JupiterParams)
 
     testImplementation(libraries.jsonAssert)
+    testImplementation(libraries.springBootStarterRestclientTest) {
+        exclude(group: "org.springframework.boot", module: "spring-boot-starter-jackson")
+    }
+    testImplementation(libraries.springBootStarterSecurityTest)
 
     implementation(libraries.nimbusJwt)
+    implementation "org.jspecify:jspecify:1.0.0"
+    implementation(libraries.springBootStarterRestclient) {
+        exclude(group: "org.springframework.boot", module: "spring-boot-starter-jackson")
+    }
+    implementation(libraries.springBootStarterSecurity)
+    implementation(libraries.springBootStarterValidation)
+    implementation(libraries.springBootJackson2)
 }
 
 apply(from: file("build_properties.gradle"))
@@ -40,3 +51,6 @@ processResources {
 integrationTest {}.onlyIf { //disable since we don't have any
     false
 }
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
+}

model/src/main/java/org/cloudfoundry/identity/uaa/EntityWithAlias.java

@@ -2,9 +2,8 @@
 
 import java.util.Optional;
 
-import org.springframework.lang.Nullable;
-
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import org.jspecify.annotations.Nullable;
 
 /**
  * An entity that can have an alias in another identity zone.

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplate.java

@@ -129,12 +129,12 @@ protected ClientHttpRequest createRequest(URI uri, HttpMethod method) throws IOE
     }
 
     @Override
-    protected <T> T doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    protected <T> T doExecute(URI url, String uriTemplate, HttpMethod method, RequestCallback requestCallback,
             ResponseExtractor<T> responseExtractor) throws RestClientException {
         OAuth2AccessToken accessToken = context.getAccessToken();
         RuntimeException rethrow = null;
         try {
-            return super.doExecute(url, method, requestCallback, responseExtractor);
+            return super.doExecute(url, uriTemplate, method, requestCallback, responseExtractor);
         }
         catch (AccessTokenRequiredException | OAuth2AccessDeniedException e) {
             rethrow = e;
@@ -146,7 +146,7 @@ protected <T> T doExecute(URI url, HttpMethod method, RequestCallback requestCal
         if (accessToken != null && retryBadAccessTokens) {
             context.setAccessToken(null);
             try {
-                return super.doExecute(url, method, requestCallback, responseExtractor);
+                return super.doExecute(url, uriTemplate, method, requestCallback, responseExtractor);
             }
             catch (InvalidTokenException e) {
                 // Don't reveal the token value in case it is logged

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/grant/AuthorizationCodeAccessTokenProvider.java

@@ -80,7 +80,7 @@ public String obtainAuthorizationCode(OAuth2ProtectedResourceDetails details, Ac
         ResponseExtractor<ResponseEntity<Void>> extractor = new ResponseExtractor<>() {
             @Override
             public ResponseEntity<Void> extractData(ClientHttpResponse response) throws IOException {
-                if (response.getHeaders().containsKey("Set-Cookie")) {
+                if (response.getHeaders().containsHeader("Set-Cookie")) {
                     copy.setCookie(response.getHeaders().getFirst("Set-Cookie"));
                 }
                 return delegate.extractData(response);

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/http/OAuth2ErrorHandler.java

@@ -4,6 +4,7 @@
 import org.cloudfoundry.identity.uaa.oauth.client.resource.OAuth2ProtectedResourceDetails;
 import org.cloudfoundry.identity.uaa.oauth.common.OAuth2AccessToken;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.HttpMessageConversionException;
@@ -21,6 +22,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.URI;
 import java.util.List;
 import java.util.Map;
 
@@ -70,11 +72,12 @@ public boolean hasError(ClientHttpResponse response) throws IOException {
                 || this.errorHandler.hasError(response);
     }
 
-    public void handleError(final ClientHttpResponse response) throws IOException {
+    public void handleError(URI url, HttpMethod method, final ClientHttpResponse response) throws IOException {
         if (!HttpStatus.Series.CLIENT_ERROR.equals(HttpStatus.resolve(response.getStatusCode().value()).series())) {
             // We should only care about 400 level errors. Ex: A 500 server error shouldn't
             // be an oauth related error.
-            errorHandler.handleError(response);
+            // TODO: Replace (URI) null and (HttpMethod) null with actual values
+            errorHandler.handleError((URI) null, (HttpMethod) null, response);
         } else {
             // Need to use buffered response because input stream may need to be consumed multiple times.
             ClientHttpResponse bufferedResponse = new ClientHttpResponse() {
@@ -141,7 +144,8 @@ public int getRawStatusCode() throws IOException {
                 }
 
                 // then delegate to the custom handler
-                errorHandler.handleError(bufferedResponse);
+                // TODO: Replace (URI) null and (HttpMethod) null with actual values
+                errorHandler.handleError((URI) null, (HttpMethod) null, bufferedResponse);
             }
             catch (InvalidTokenException ex) {
                 // Special case: an invalid token can be renewed so tell the caller what to do
@@ -155,7 +159,8 @@ public int getRawStatusCode() throws IOException {
                 }
                 // This is not an exception that is really understood, so allow our delegate
                 // to handle it in a non-oauth way
-                errorHandler.handleError(bufferedResponse);
+                // TODO: Replace (URI) null and (HttpMethod) null with actual values
+                errorHandler.handleError((URI) null, (HttpMethod) null, bufferedResponse);
             }
         }
     }

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/OAuth2AccessTokenSupport.java

@@ -34,6 +34,7 @@
 
 import java.io.IOException;
 import java.net.HttpURLConnection;
+import java.net.URI;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Iterator;
@@ -132,7 +133,7 @@ protected OAuth2AccessToken retrieveToken(AccessTokenRequest request, OAuth2Prot
             ResponseExtractor<OAuth2AccessToken> extractor = new ResponseExtractor<>() {
                 @Override
                 public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException {
-                    if (response.getHeaders().containsKey("Set-Cookie")) {
+                    if (response.getHeaders().containsHeader("Set-Cookie")) {
                         copy.setCookie(response.getHeaders().getFirst("Set-Cookie"));
                     }
                     return delegate.extractData(response);
@@ -232,7 +233,7 @@ private class AccessTokenErrorHandler extends DefaultResponseErrorHandler {
 
         @SuppressWarnings("unchecked")
         @Override
-        public void handleError(ClientHttpResponse response) throws IOException {
+        public void handleError(URI url, HttpMethod method, ClientHttpResponse response) throws IOException {
             for (HttpMessageConverter<?> converter : messageConverters) {
                 if (converter.canRead(OAuth2Exception.class, response.getHeaders().getContentType())) {
                     OAuth2Exception ex;
@@ -246,7 +247,8 @@ public void handleError(ClientHttpResponse response) throws IOException {
                     throw ex;
                 }
             }
-            super.handleError(response);
+            // TODO: Replace (URI) null and (HttpMethod) null with actual values
+            super.handleError((URI) null, (HttpMethod) null, response);
         }
 
     }

model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java

@@ -28,7 +28,7 @@
 import org.cloudfoundry.identity.uaa.approval.Approval;
 import org.cloudfoundry.identity.uaa.impl.JsonDateSerializer;
 import org.cloudfoundry.identity.uaa.scim.impl.ScimUserJsonDeserializer;
-import org.springframework.lang.NonNull;
+import org.jspecify.annotations.NonNull;
 import org.springframework.util.Assert;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;

model/src/main/java/org/cloudfoundry/identity/uaa/zone/UserConfig.java

@@ -2,13 +2,12 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
+import org.jspecify.annotations.Nullable;
 
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
-import org.springframework.lang.Nullable;
-
 @JsonInclude(JsonInclude.Include.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class UserConfig {

model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/OAuth2RestTemplateTests.java

@@ -165,7 +165,7 @@ void noRetryAccessDeniedExceptionForNoExistingToken() {
             throw new AccessTokenRequiredException(resource);
         });
         assertThatExceptionOfType(AccessTokenRequiredException.class).isThrownBy(() ->
-                restTemplate.doExecute(new URI("https://foo"), HttpMethod.GET, new NullRequestCallback(),
+                restTemplate.doExecute(new URI("https://foo"), null, HttpMethod.GET, new NullRequestCallback(),
                         new SimpleResponseExtractor()));
     }
 
@@ -183,7 +183,7 @@ public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) {
                 return request;
             }
         });
-        Boolean result = restTemplate.doExecute(new URI("https://foo"), HttpMethod.GET, new NullRequestCallback(),
+        Boolean result = restTemplate.doExecute(new URI("https://foo"), null, HttpMethod.GET, new NullRequestCallback(),
                 new SimpleResponseExtractor());
         assertThat(result).isTrue();
     }