Jinwoo Hwang created GEODE-10473:
------------------------------------
Summary: Upgrade Spring Security from 5 to 6.x
Key: GEODE-10473
URL: https://issues.apache.org/jira/browse/GEODE-10473
Project: Geode
Issue Type: Improvement
Reporter: Jinwoo Hwang
Apache Geode currently uses Spring Security 5, which is based on the older
Spring Framework 5.x and lacks modern security features and improvements. This
task involves upgrading to Spring Security 6.x to take advantage of enhanced
security capabilities, improved performance, and continued security updates.
*Current Usage:*
* Spring Security version: 5
* Location: DependencyConstraints.groovy
* Modules using Spring Security: geode-web-api, geode-web-management,
geode-pulse, geode-assembly
*Spring Security Artifacts Currently Used:*
* spring-security-core (authentication and authorization core)
* spring-security-web (web security features)
* spring-security-config (configuration support)
* spring-security-oauth2-core (OAuth2 support)
* spring-security-oauth2-client (OAuth2 client features)
* spring-security-oauth2-jose (JWT/JOSE support)
* spring-security-ldap (LDAP authentication)
* spring-security-test (testing utilities)
*Key Components Using Spring Security:*
* geode-web-management: REST API security configuration
(RestSecurityConfiguration)
* geode-pulse: Web console authentication (DefaultSecurityConfig, OAuth
support)
* geode-web-api: REST API endpoints security
* OAuth2 integration for external identity providers
* LDAP authentication support
* Method-level security with EnableGlobalMethodSecurity
*Benefits of Upgrading:*
* Enhanced security features and modern authentication patterns
* Improved OAuth2/OpenID Connect support
* Better integration with Spring Framework 6.x (prerequisite)
* Continued security patches and updates
* Performance improvements in security processing
* Modern security configuration patterns
*Technical Considerations:*
* WebSecurityConfigurerAdapter is deprecated in Spring Security 6.x - requires
migration to SecurityFilterChain beans
* OAuth2 configuration changes for client registration and authorization
* Method security configuration updates
* LDAP authentication configuration modernization
* Authentication failure handler updates
* Session management configuration changes
*Breaking Changes Expected:*
* WebSecurityConfigurerAdapter replacement with component-based configuration
* OAuth2 client configuration API changes
* Some authentication and authorization API modifications
* LDAP configuration pattern updates
* Test configuration updates for spring-security-test
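The migration called out in the two lists above, shown as an added side-by-side illustration that is not part of this ticket or of the Geode code base: the same HTTP Basic plus LDAP setup written in the Spring Security 5 inheritance style (WebSecurityConfigurerAdapter, EnableGlobalMethodSecurity, antMatchers) and in the Spring Security 6 component style (SecurityFilterChain bean, EnableMethodSecurity, requestMatchers, LdapBindAuthenticationManagerFactory). The request path, LDAP URL and DN pattern are placeholders chosen for the example. The two classes target different classpaths and are placed in one file only for comparison; they would not compile together, since WebSecurityConfigurerAdapter no longer exists in 6.x.

```java
// Added illustration, not Geode code. Placeholder values: "/management/**",
// "ldap://ldap.example.test:389", "dc=example,dc=test", "uid={0},ou=people".
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.ldap.LdapBindAuthenticationManagerFactory;
import org.springframework.security.web.SecurityFilterChain;

// ---- BEFORE (Spring Security 5): inheritance-based configuration ----
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class LegacySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // LDAP bind authentication wired through the adapter's builder callback
        auth.ldapAuthentication()
            .userDnPatterns("uid={0},ou=people")                 // placeholder
            .contextSource()
                .url("ldap://ldap.example.test:389/dc=example,dc=test"); // placeholder
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/management/**").authenticated()   // placeholder path
                .anyRequest().denyAll()                          // explicit fallback
            .and()
            .httpBasic();
    }
}

// ---- AFTER (Spring Security 6): component-based configuration ----
@Configuration
@EnableWebSecurity
@EnableMethodSecurity // @PreAuthorize/@PostAuthorize support is on by default
class ModernSecurityConfig {

    @Bean
    LdapContextSource contextSource() {
        // Placeholder directory; Spring calls afterPropertiesSet() on this bean.
        LdapContextSource source = new LdapContextSource();
        source.setUrl("ldap://ldap.example.test:389");
        source.setBase("dc=example,dc=test");
        return source;
    }

    @Bean
    AuthenticationManager authenticationManager(BaseLdapPathContextSource contextSource) {
        // Replaces configure(AuthenticationManagerBuilder): the manager is now a plain bean.
        LdapBindAuthenticationManagerFactory factory =
            new LdapBindAuthenticationManagerFactory(contextSource);
        factory.setUserDnPatterns("uid={0},ou=people");         // placeholder
        return factory.createAuthenticationManager();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Replaces configure(HttpSecurity): lambda DSL, requestMatchers instead of antMatchers.
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/management/**").authenticated() // placeholder path
                .anyRequest().denyAll())                           // explicit fallback
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Two points worth checking while reviewing such a migration: keep the `anyRequest()` fallback explicit in both versions rather than relying on either framework's default for unmatched requests, and remember that in 6.x `authorizeHttpRequests` applies to every dispatcher type (FORWARD, ERROR, ASYNC) by default, so error-page and forwarded requests that passed through unchallenged under 5.x may now need their own rule.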
*Acceptance Criteria:*
* All Spring Security artifacts upgraded to 6.x versions
* Web management REST API security continues to function
* Pulse web console authentication works correctly
* OAuth2 integration remains functional
* LDAP authentication continues to work
* All security-related tests pass
* No regression in authentication or authorization functionality
* Documentation updated for any configuration changes
*Testing Requirements:*
* Comprehensive security testing across all web modules
* OAuth2 flow validation
* LDAP authentication testing
* REST API security verification
* Pulse console login/logout testing
* Integration tests for all security configurations
*Dependencies:*
* Requires Spring Framework 6.x upgrade (prerequisite)
* May require updates to related authentication libraries
* Potential impact on servlet container compatibility
--
This message was sent by Atlassian Jira
(v8.20.10#820010)