Architecture #22640
openUpgrade to spring 6.x, jetty 11 and servlet 5.0
Description
We use spring for spring security.
Spring had a major version update in 2022 that has several impact on us:
- it's the first release to use the jakarta.*
namespace in place of javax.*
namespace for servlet.
- it looks like they want servlet 6 (jetty 11)
- they require Java 17.
https://spring.io/blog/2021/09/02/a-java-17-and-jakarta-ee-9-baseline-for-spring-framework-6
Liftweb 4.0 support servlet 5: https://github.com/lift/framework/pull/2017
We need to update to that version and last version of Spring.
For reference, Spring 6 also changed consequently the way it manages authentication persistence, and nothing is automated be default anymore, see:
- having filter declaration compatible with 5.x semantic: https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html#_require_explicit_invocation_of_sessionauthenticationstrategy
- setting the require persistence to false: https://docs.spring.io/spring-security/reference/servlet/authentication/persistence.html#securitycontextholderfilter
IE it means we need to have:
<http ... security-context-explicit-save="false"> <session-management ... authentication-strategy-explicit-invocation="false"> </session-management> ...
Updated by François ARMAND 4 months ago
- Subject changed from Upgrade to spring 6.x impossible with liftweb to Upgrade to spring 6.x, jetty 11 and servlet 5.0
- Description updated (diff)
Updated by François ARMAND 4 months ago
- Target version set to 8.2.0~beta1
This task will need several aspects:
- publish a version of Lift 4 locally so that we can use it before the real release is done
- upgrade to jetty 11 in packaging, and hopefully our patches from jetty 10 will mostly work (see #23710)
- upgrade rudder core to Lift4, last spring 6.x (6.1.12 as of today) and last spring-security (6.3.3 as of today)
- upgrade at least authentication-backend to work with these new version.
Updated by François ARMAND 4 months ago
- Related to Architecture #23710: Update to jetty 10.0.18 added
Updated by Vincent MEMBRÉ 4 months ago
- Target version changed from 8.2.0~beta1 to 8.2.0~rc1
Updated by François ARMAND 2 months ago
- Status changed from New to Pending release
This is completed in Rudder 8.2.0 beta1.
Updated by Vincent MEMBRÉ 2 months ago
This bug has been fixed in Rudder 8.2.0~rc1 which was released today.