feat(NE-30): upgrade to Spring Boot 4 and enhance security configurations

pom.xml

@@ -21,7 +21,7 @@
     <maven.compiler.source>${version.java}</maven.compiler.source>
     <maven.compiler.target>${version.java}</maven.compiler.target>
 
-    <spring-boot.version>3.5.8</spring-boot.version>
+    <spring-boot.version>4.0.1</spring-boot.version>
   </properties>
 
   <scm>
@@ -55,6 +55,7 @@
     <dependency>
       <groupId>io.rest-assured</groupId>
       <artifactId>rest-assured</artifactId>
+      <version>6.0.0</version>
       <scope>test</scope>
     </dependency>
 

src/main/java/com/neverpile/urlcrypto/config/UrlCryptoAutoConfiguration.java

@@ -1,7 +1,5 @@
 package com.neverpile.urlcrypto.config;
 
-import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
-
 import jakarta.servlet.RequestDispatcher;
 import jakarta.servlet.http.HttpServletRequest;
 
@@ -16,6 +14,7 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -71,13 +70,13 @@ SecurityFilterChain psuFilterChain(HttpSecurity http) throws Exception {
 
     context.getAutowireCapableBeanFactory().autowireBean(psuFilter);
     if(!config.getCsrfEnabled()){
-      http = http.csrf().disable();
+      http.csrf(AbstractHttpConfigurer::disable);
     }
     // @formatter:off
     http.securityMatcher(new PSURequestedMatcher())
             .addFilterBefore(psuFilter, BasicAuthenticationFilter.class)
             .authorizeHttpRequests(auth -> auth
-                    .requestMatchers(antMatcher(HttpMethod.OPTIONS, "/*")).permitAll()
+                    .requestMatchers(HttpMethod.OPTIONS, "/*").permitAll()
                     .anyRequest().authenticated()
             )
     ;

src/test/java/com/neverpile/urlcrypto/springsecurity/AutoConfigTest.java

@@ -5,12 +5,11 @@
 import org.junit.jupiter.api.Test;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
+import org.springframework.boot.webmvc.autoconfigure.WebMvcAutoConfiguration;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
 
 import com.neverpile.urlcrypto.UrlCryptoKit;
 import com.neverpile.urlcrypto.config.UrlCryptoAutoConfiguration;
@@ -19,8 +18,7 @@
 public class AutoConfigTest {
   private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner() //
       .withConfiguration(AutoConfigurations.of(UrlCryptoAutoConfiguration.class, //
-          // emulate @EnableWebSecurity annotation presence
-          WebSecurityConfiguration.class, AuthenticationConfiguration.class, SecurityAutoConfiguration.class, WebMvcAutoConfiguration.class)) //
+          SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class, WebMvcAutoConfiguration.class)) //
       .withInitializer(new ConditionEvaluationReportLoggingListener());
 
   @Test

src/test/java/com/neverpile/urlcrypto/springsecurity/PreSignedUrlTest.java

@@ -2,6 +2,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.not;
 import static org.springframework.web.util.UriUtils.decode;
@@ -137,7 +138,10 @@ public void testThat_PSUTransportsCredentials() {
         .get(psu.getPath())
       .then()
         .statusCode(200)
-        .body(equalTo("user/[ROLE_BAR, ROLE_FOO, ROLE_USER]"));
+        .body(containsString("user/"))
+        .body(containsString("ROLE_BAR"))
+        .body(containsString("ROLE_FOO"))
+        .body(containsString("ROLE_USER"));
     // @formatter:on
   }
 

src/test/java/com/neverpile/urlcrypto/springsecurity/TestConfiguration.java

@@ -2,20 +2,14 @@
 
 import org.springframework.boot.SpringBootConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Import;
-import org.springframework.core.annotation.Order;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;