[ https://issues.apache.org/jira/browse/GEODE-10473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jinwoo Hwang updated GEODE-10473:
---------------------------------
Fix Version/s: 2.0.0
> Upgrade Spring Security from 5 to 6.x
> -------------------------------------
>
> Key: GEODE-10473
> URL: https://issues.apache.org/jira/browse/GEODE-10473
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 2.0.0
>
>
> Apache Geode currently uses Spring Security 5, which is based on the older
> Spring Framework 5.x and lacks modern security features and improvements.
> This task involves upgrading to Spring Security 6.x to take advantage of
> enhanced security capabilities, improved performance, and continued security
> updates.
> *Current Usage:*
> * Spring Security version: 5
> * Location: DependencyConstraints.groovy
> * Modules using Spring Security: geode-web-api, geode-web-management, geode-pulse, geode-assembly
> *Spring Security Artifacts Currently Used:*
> * spring-security-core (authentication and authorization core)
> * spring-security-web (web security features)
> * spring-security-config (configuration support)
> * spring-security-oauth2-core (OAuth2 support)
> * spring-security-oauth2-client (OAuth2 client features)
> * spring-security-oauth2-jose (JWT/JOSE support)
> * spring-security-ldap (LDAP authentication)
> * spring-security-test (testing utilities)
> *Key Components Using Spring Security:*
> * geode-web-management: REST API security configuration (RestSecurityConfiguration)
> * geode-pulse: Web console authentication (DefaultSecurityConfig, OAuth support)
> * geode-web-api: REST API endpoints security
> * OAuth2 integration for external identity providers
> * LDAP authentication support
> * Method-level security with EnableGlobalMethodSecurity
> *Benefits of Upgrading:*
> * Enhanced security features and modern authentication patterns
> * Improved OAuth2/OpenID Connect support
> * Better integration with Spring Framework 6.x (prerequisite)
> * Continued security patches and updates
> * Performance improvements in security processing
> * Modern security configuration patterns
> *Technical Considerations:*
> * WebSecurityConfigurerAdapter is deprecated in Spring Security 6.x - requires migration to SecurityFilterChain beans
> * OAuth2 configuration changes for client registration and authorization
> * Method security configuration updates
> * LDAP authentication configuration modernization
> * Authentication failure handler updates
> * Session management configuration changes
> *Breaking Changes Expected:*
> * WebSecurityConfigurerAdapter replacement with component-based configuration
> * OAuth2 client configuration API changes
> * Some authentication and authorization API modifications
> * LDAP configuration pattern updates
> * Test configuration updates for spring-security-test
> *Acceptance Criteria:*
> * All Spring Security artifacts upgraded to 6.x versions
> * Web management REST API security continues to function
> * Pulse web console authentication works correctly
> * OAuth2 integration remains functional
> * LDAP authentication continues to work
> * All security-related tests pass
> * No regression in authentication or authorization functionality
> * Documentation updated for any configuration changes
> *Testing Requirements:*
> * Comprehensive security testing across all web modules
> * OAuth2 flow validation
> * LDAP authentication testing
> * REST API security verification
> * Pulse console login/logout testing
> * Integration tests for all security configurations
> *Dependencies:*
> * Requires Spring Framework 6.x upgrade (prerequisite)
> * May require updates to related authentication libraries
> * Potential impact on servlet container compatibility
> The description now uses plain text file names without any special formatting
> that could trigger VS Code's automatic linking.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
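The migration the ticket's "Technical Considerations" calls out, from a WebSecurityConfigurerAdapter subclass to a SecurityFilterChain bean plus @EnableMethodSecurity, looks like the following. This is an added illustration written for this page, not code from the Geode project; the class name, the /management/** path and the permitted ping endpoint are assumptions chosen for the example, not Geode's actual configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Spring Security 5.x style (the shape being migrated away from):
 *
 *   @Configuration
 *   @EnableWebSecurity
 *   @EnableGlobalMethodSecurity(prePostEnabled = true)
 *   public class ExampleRestSecurityConfig extends WebSecurityConfigurerAdapter {
 *       @Override
 *       protected void configure(HttpSecurity http) throws Exception {
 *           http.antMatcher("/management/**")
 *               .authorizeRequests()
 *                   .antMatchers("/management/ping").permitAll()
 *                   .anyRequest().authenticated()
 *               .and().httpBasic()
 *               .and().sessionManagement()
 *                   .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 *       }
 *   }
 *
 * Spring Security 6.x style: no adapter subclass, one SecurityFilterChain bean
 * per logical API, and @EnableMethodSecurity (prePost is enabled by default).
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class ExampleRestSecurityConfig {   // hypothetical name for this example

    @Bean
    SecurityFilterChain managementApiFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the REST API; other chains can cover other paths.
            .securityMatcher("/management/**")            // assumed path
            // authorizeHttpRequests replaces authorizeRequests; deny-by-default for
            // anything not explicitly permitted.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/management/ping").permitAll()   // assumed endpoint
                .anyRequest().authenticated())
            // Customizer-based DSL replaces the .and() chaining of 5.x.
            .httpBasic(Customizer.withDefaults())
            // REST clients authenticate on every request; do not create sessions.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // CSRF protection is intentionally left at its default here; relax it only
        // after confirming the API is consumed exclusively by non-browser clients.
        return http.build();
    }
}
```

When porting, check each old antMatchers/mvcMatchers rule against the new requestMatchers rule one-for-one: an authorizeHttpRequests chain with a missing anyRequest().authenticated() terminal rule silently leaves unmatched paths unprotected, which is exactly the kind of regression the ticket's acceptance criteria are meant to catch.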