Migrate to Spring Boot 3.0.0

Author: rwinch

README.adoc

@@ -106,14 +106,13 @@ the classpath, Spring Boot {SpringBootSecurity}[automatically secures all HTTP e
 with "`basic`" authentication. However, you can further customize the security settings.
 The first thing you need to do is add Spring Security to the classpath.
 
-With Gradle, you need to add two lines (one for the application and one for testing) in
+With Gradle, you need to add three lines (one for the application, one for Thymeleaf & Spring Security integration, and one for testing) in
 the `dependencies` closure in `build.gradle`, as the following listing shows:
 
 ====
 [source,java]
 ----
-implementation 'org.springframework.boot:spring-boot-starter-security'
-implementation 'org.springframework.security:spring-security-test'
+include::complete/build.gradle[tags=security-dependencies,indent=0]
 ----
 ====
 
@@ -122,7 +121,7 @@ The following listing shows the finished `build.gradle` file:
 ====
 [source,text]
 ----
-include::complete/build.gradle[]
+include::complete/build.gradle[tags=**]
 ----
 ====
 
@@ -132,15 +131,7 @@ testing) to the `<dependencies>` element in `pom.xml`, as the following listing
 ====
 [source,zml]
 ----
-<dependency>
-  <groupId>org.springframework.boot</groupId>
-  <artifactId>spring-boot-starter-security</artifactId>
-</dependency>
-<dependency>
-  <groupId>org.springframework.security</groupId>
-  <artifactId>spring-security-test</artifactId>
-  <scope>test</scope>
-</dependency>
+include::complete/pom.xml[tags=security-dependencies,indent=0]
 ----
 ====
 
@@ -149,7 +140,7 @@ The following listing shows the finished `pom.xml` file:
 ====
 [source,text]
 ----
-include::complete/pom.xml[]
+include::complete/pom.xml[tags=**]
 ----
 ====
 
@@ -210,10 +201,12 @@ include::complete/src/main/resources/templates/hello.html[]
 ----
 ====
 
-We display the username by using Spring Security's integration with
-`HttpServletRequest#getRemoteUser()`. The "`Sign Out`" form submits a POST to `/logout`.
+We display the username by using Thymeleaf's integration with Spring Security. The "`Sign Out`" form submits a POST to `/logout`.
 Upon successfully logging out, it redirects the user to `/login?logout`.
 
+NOTE: Thymeleaf 3.1 no longer provides access to `HttpServletRequest` so `HttpServletRequest#getRemoteUser()` cannot be used to access the currently authenticated user.
+
+
 [[run_the_app]]
 == Run the Application
 

complete/build.gradle

@@ -1,23 +1,27 @@
 plugins {
-	id 'org.springframework.boot' version '2.7.1'
-	id 'io.spring.dependency-management' version '1.0.11.RELEASE'
 	id 'java'
+	id 'org.springframework.boot' version '3.0.0'
+	id 'io.spring.dependency-management' version '1.1.0'
 }
 
 group = 'com.example'
 version = '0.0.1-SNAPSHOT'
-sourceCompatibility = '1.8'
+sourceCompatibility = '17'
 
 repositories {
 	mavenCentral()
 }
 
 dependencies {
-	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	// tag::security-dependencies[]
 	implementation 'org.springframework.boot:spring-boot-starter-security'
+	//  Temporary explicit version to fix Thymeleaf bug
+	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.1.RELEASE'
 	implementation 'org.springframework.security:spring-security-test'
-	testImplementation('org.springframework.boot:spring-boot-starter-test')
+	// end::security-dependencies[]
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 test {

complete/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.1</version>
+		<version>3.0.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.example</groupId>
@@ -15,7 +15,7 @@
 	<description>Demo project for Spring Boot</description>
 
 	<properties>
-		<java.version>1.8</java.version>
+		<java.version>17</java.version>
 	</properties>
 
 	<dependencies>
@@ -27,15 +27,23 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<!-- tag::security-dependencies[] -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.thymeleaf.extras</groupId>
+			<artifactId>thymeleaf-extras-springsecurity6</artifactId>
+			<!-- Temporary explicit version to fix Thymeleaf bug -->
+			<version>3.1.1.RELEASE</version>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<!-- end::security-dependencies[] -->
 
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -44,13 +52,4 @@
 		</dependency>
 	</dependencies>
 
-	<build>
-		<plugins>
-			<plugin>
-				<groupId>org.springframework.boot</groupId>
-				<artifactId>spring-boot-maven-plugin</artifactId>
-			</plugin>
-		</plugins>
-	</build>
-
 </project>

complete/src/main/java/com/example/securingweb/WebSecurityConfig.java

@@ -18,7 +18,7 @@ public class WebSecurityConfig {
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		http
 			.authorizeHttpRequests((requests) -> requests
-				.antMatchers("/", "/home").permitAll()
+				.requestMatchers("/", "/home").permitAll()
 				.anyRequest().authenticated()
 			)
 			.formLogin((form) -> form

complete/src/main/resources/templates/hello.html

@@ -1,11 +1,11 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
-      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
+      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity6">
     <head>
         <title>Hello World!</title>
     </head>
     <body>
-        <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
+        <h1 th:inline="text">Hello <span th:remove="tag" sec:authentication="name">thymeleaf</span>!</h1>
         <form th:action="@{/logout}" method="post">
             <input type="submit" value="Sign Out"/>
         </form>

complete/src/main/resources/templates/login.html

@@ -1,6 +1,5 @@
 <!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
-      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
     <head>
         <title>Spring Security Example </title>
     </head>

complete/src/test/java/com/example/securingweb/SecuringWebApplicationTests.java

@@ -8,7 +8,9 @@
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
 import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
@@ -58,7 +60,10 @@ public void accessSecuredResourceUnauthenticatedThenRedirectsToLogin() throws Ex
 	@Test
 	@WithMockUser
 	public void accessSecuredResourceAuthenticatedThenOk() throws Exception {
-		mockMvc.perform(get("/hello"))
-				.andExpect(status().isOk());
+		MvcResult mvcResult = mockMvc.perform(get("/hello"))
+				.andExpect(status().isOk())
+				.andReturn();
+
+		assertThat(mvcResult.getResponse().getContentAsString()).contains("Hello user!");
 	}
 }

initial/build.gradle

@@ -1,12 +1,12 @@
 plugins {
-	id 'org.springframework.boot' version '2.7.1'
-	id 'io.spring.dependency-management' version '1.0.11.RELEASE'
 	id 'java'
+	id 'org.springframework.boot' version '3.0.0'
+	id 'io.spring.dependency-management' version '1.1.0'
 }
 
 group = 'com.example'
 version = '0.0.1-SNAPSHOT'
-sourceCompatibility = '1.8'
+sourceCompatibility = '17'
 
 repositories {
 	mavenCentral()
@@ -15,7 +15,7 @@ repositories {
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
-	testImplementation('org.springframework.boot:spring-boot-starter-test')
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 test {

initial/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.1</version>
+		<version>3.0.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>com.example</groupId>
@@ -15,7 +15,7 @@
 	<description>Demo project for Spring Boot</description>
 
 	<properties>
-		<java.version>1.8</java.version>
+		<java.version>17</java.version>
 	</properties>
 
 	<dependencies>

initial/src/main/resources/templates/hello.html

@@ -1,6 +1,5 @@
 <!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
-      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
     <head>
         <title>Hello World!</title>
     </head>