Architecture #22640
Updated by François ARMAND 3 months ago
We use spring for spring security. Spring had a major version update in 2022 that has several impact on us: - it's the first release to use the @jakarta.*@ namespace in place of @javax.*@ namespace for servlet. - it looks like they want servlet 6 (jetty 11) - they require Java 17. https://spring.io/blog/2021/09/02/a-java-17-and-jakarta-ee-9-baseline-for-spring-framework-6 Liftweb 4.0 Since liftwev does not support servlet 5: https://github.com/lift/framework/pull/2017 We 6, we will need to update to that version and last version of Spring. For reference, Spring 6 also changed consequently the way it manages authentication persistence, and nothing is automated be default anymore, see: - having filter declaration compatible with remain on spring 5.x semantic: https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html#_require_explicit_invocation_of_sessionauthenticationstrategy - setting for the require persistence to false: https://docs.spring.io/spring-security/reference/servlet/authentication/persistence.html#securitycontextholderfilter IE it means we need to have: <pre> <http ... security-context-explicit-save="false"> <session-management ... authentication-strategy-explicit-invocation="false"> </session-management> ... </pre> time beeing.