Architecture #22640
open
Upgrade to spring 6.x, jetty 11 and servlet 5.0
Description
We use spring for spring security.
Spring had a major version update in 2022 that has several impacts on us:
- it's the first release to use the jakarta.* namespace in place of the javax.* namespace for servlet.
- it looks like they want servlet 6 (jetty 11)
- they require Java 17.
https://spring.io/blog/2021/09/02/a-java-17-and-jakarta-ee-9-baseline-for-spring-framework-6
Liftweb 4.0 supports servlet 5: https://github.com/lift/framework/pull/2017
We need to update to that version and the last version of Spring.
For reference, Spring 6 also changed consequently the way it manages authentication persistence, and nothing is automated by default anymore, see:
- having filter declaration compatible with 5.x semantics: https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html#_require_explicit_invocation_of_sessionauthenticationstrategy
- setting the require persistence to false: https://docs.spring.io/spring-security/reference/servlet/authentication/persistence.html#securitycontextholderfilter
I.e., it means we need to have:
<http ... security-context-explicit-save="false">
  <session-management ... authentication-strategy-explicit-invocation="false">
  </session-management>
  ...
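For comparison, this is what code that authenticates outside Spring's built-in filters has to do itself when the two attributes are left at their 6.x defaults. It is an added example, not code from this ticket or from the project; the class name `ExplicitLogin` and the choice of `ChangeSessionIdAuthenticationStrategy` and `HttpSessionSecurityContextRepository` are assumptions.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

/** Hypothetical helper (name assumed) for a login performed outside Spring's own filters. */
public final class ExplicitLogin {
    private final AuthenticationManager authenticationManager;
    // Assumed strategy: rotates the session id on login (session fixation protection).
    private final SessionAuthenticationStrategy sessionStrategy = new ChangeSessionIdAuthenticationStrategy();
    // Assumed repository: keeps the SecurityContext in the HTTP session.
    private final SecurityContextRepository contextRepository = new HttpSessionSecurityContextRepository();

    public ExplicitLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Authentication login(HttpServletRequest request, HttpServletResponse response,
                                String username, String password) {
        // Throws AuthenticationException on bad credentials; nothing is persisted in that case.
        Authentication auth = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(username, password));

        // With explicit invocation required, no filter calls the session strategy for us.
        sessionStrategy.onAuthentication(auth, request, response);

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);

        // With explicit save required, the context is loaded per request but never saved
        // automatically; without this call the next request is anonymous again.
        contextRepository.saveContext(context, request, response);
        return auth;
    }
}
```

Omitting the `onAuthentication` call leaves the pre-login session id in place after authentication, and omitting `saveContext` loses the login on the next request.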