Upgrade to Spring Security 6 Framework

    Starting from version 23.11.0, IJC uses the Spring Security 6 framework. Spring Security 6 brings a new schema version and a corresponding schema update. The system upgrades most security configurations automatically, but a security template with extensive customizations may require manual modification.

    If manual migration to the Spring Security 6 framework is needed, detailed instructions can be found in the Spring documentation, for example here.

    For those interested in understanding the core changes introduced with Spring Security 6, the following resources provide comprehensive insights:

    1. Official Spring Blog Post on the Spring website
    2. What's New in Spring Framework 6.x on GitHub.

    As a precautionary measure, it is highly recommended to create a backup of the current security configuration before proceeding with the upgrade. This backup will be crucial if you ever need to revert to the previous settings.

    Upgrading to Spring Security 5 framework

    From version 20.17.0, IJC uses the Spring Security 5 framework, upgrading from version 3.2.9. This change requires a new schema version and a schema upgrade. The security configurations are upgraded automatically, but a more heavily customized template might need to be modified manually. The automatic upgrade will do the following:

    • adjust the xsd schemas so that they are versionless;

    • remove the deprecated usage of "ref local" and replace it with "ref bean";

    • adjust org.springframework.security.access.vote.AffirmativeBased beans;

    • adjust org.springframework.security.authentication.AnonymousAuthenticationProvider bean;

    • adjust org.springframework.security.authentication.ProviderManager beans;

    • remove and upgrade org.springframework.security.authentication.encoding.ShaPasswordEncoder beans (in Spring Security 5 there were significant changes in password storage, which can be checked here);

    • remove and upgrade org.springframework.security.authentication.encoding.PlaintextPasswordEncoder beans (in Spring Security 5 there were significant changes in password storage, which can be checked here);

    • remove all references to the deprecated salt beans;

    • adjust the hardcoded passwords (if they exist) to be prefixed with {noop};

    • adjust org.springframework.security.core.userdetails.memory.InMemoryDaoImpl bean.

    If the template contains changes that are not covered in the above list, manual migration will be needed. Most of the incompatible changes are between versions 3 and 4, and the following guide should be followed.

    For the main changes in Spring Security 5, please review the following blog.
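
    The constructs in the list above can be located in a template before upgrading, to see how much of it the automatic upgrade will rewrite. The following Python script is an added example, not IJC or Spring code; the sample template, the audit function and the name=password,ROLE user format are assumptions. It also reports {noop} passwords, since that prefix marks a value that is stored in plaintext.

```python
import re
import xml.etree.ElementTree as ET

B = "{http://www.springframework.org/schema/beans}"
XSI_LOC = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
PKG = "org.springframework.security."
# Bean classes the page lists as removed or adjusted by the automatic upgrade.
LEGACY = {PKG + "authentication.encoding.ShaPasswordEncoder",
          PKG + "authentication.encoding.PlaintextPasswordEncoder",
          PKG + "core.userdetails.memory.InMemoryDaoImpl"}

# Constructed pre-upgrade template for illustration; not a real IJC file.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
  <bean id="encoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
  <bean id="provider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="passwordEncoder"><ref local="encoder"/></property>
  </bean>
  <bean id="users" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap"><value>admin=secret,ROLE_ADMIN</value></property>
  </bean>
</beans>"""

def audit(xml_text):
    """Return (kind, detail) findings for constructs the upgrade rewrites."""
    root = ET.fromstring(xml_text)
    found = []
    for url in root.get(XSI_LOC, "").split():
        if re.search(r"-\d+(\.\d+)*\.xsd$", url):  # e.g. spring-beans-3.0.xsd
            found.append(("versioned-xsd", url.rsplit("/", 1)[1]))
    for el in root.iter():
        if el.tag == B + "ref" and "local" in el.attrib:
            found.append(("ref-local", el.get("local")))
        if el.tag == B + "bean" and el.get("class") in LEGACY:
            found.append(("legacy-bean", el.get("class").rsplit(".", 1)[1]))
        if el.tag == B + "bean" and el.get("class", "").endswith("InMemoryDaoImpl"):
            # Assumed user entry format: name=password,ROLE_A[,ROLE_B]
            for m in re.finditer(r"(\S+?)=([^,\s]+),", "".join(el.itertext())):
                pw = m[2]
                if pw.startswith("{noop}"):        # prefixed, but still plaintext
                    found.append(("noop-plaintext", m[1]))
                elif not pw.startswith("{"):       # upgrade will prefix with {noop}
                    found.append(("unprefixed-password", m[1]))
    return found

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind:20} {detail}")
```

    Running the same check on the upgraded template shows which hardcoded passwords were carried over with {noop} and are candidates for replacement with a hashed value.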

    Before the upgrade, making a temporary copy of your security configuration is recommended in case you need to restore it later.