chore(samples/java): bump to Spring Boot 4.0.6, spring-dotenv 5.1.0, keytool 2.0.2 #145
Merged
…+ keytool 2.0.2

Brings all 3 Java samples to the latest GA versions of every dep:
- spring-boot-starter-parent 3.4.1 → 4.0.6 (latest GA — 4.1.x is RC)
- keytool-maven-plugin 1.7 → 2.0.2 (latest)
- me.paulschwarz:spring-dotenv 4.0.0 → springboot4-dotenv 5.1.0 (v5 split the artifact by Boot version; we now use the Boot 4 module)

Required code changes for the Spring Boot 4 / Spring Security 7 jump:
- AutoConfigureMockMvc moved from spring-boot-test-autoconfigure to a new spring-boot-webmvc-test module (added as test-scope dep) and changed package: org.springframework.boot.test.autoconfigure.web.servlet → org.springframework.boot.webmvc.test.autoconfigure.
- Spring Security 7 dropped OpenSAML 4: OpenSaml4AuthenticationProvider → OpenSaml5AuthenticationProvider (same API surface, just renamed).
- Spring Security 7 removed AntPathRequestMatcher from o.s.s.web.util.matcher: replaced with PathPatternRequestMatcher.withDefaults().matcher(path) at o.s.s.web.servlet.util.matcher (matches any HTTP method when no method is provided, matching the existing "GET on /logout" behavior).

snippets.json regenerated because line numbers in saml-sp-login's Application.java shifted due to the matcher comment update.

11/11 tests pass across all 3 samples on the new stack: login-auth-code: 3/3, token-refresh: 5/5, saml-sp-login: 3/3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Local Package.resolved had 2.0.0 cached from earlier AppAuth-iOS bump experiments, while project.yml on this branch is still 1.7.6. The extractor prefers Package.resolved over project.yml (more precise), so the locally-regenerated snippets.json carried 2.0.0 — but CI does a fresh checkout where Package.resolved (gitignored) doesn't exist, so it falls back to project.yml and reads 1.7.6. The drift check failed.

Re-ran the extractor against a clean workspace (no Package.resolved) so local output matches CI's view.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Pull request overview
Updates the Java Spring Boot samples to Spring Boot 4.0.6 (and corresponding Spring Framework/Security 7.x transitive upgrades), adjusting sample code and test dependencies to match module/package moves introduced in Boot/Security 7. Also updates snippet metadata versions to reflect the new dependency baseline.
Changes:
- Bump Spring Boot parent to 4.0.6 across Java samples; switch `spring-dotenv` to the Boot-4-specific `springboot4-dotenv` 5.1.0.
- Fix test compilation under Boot 4 by importing `AutoConfigureMockMvc` from its new package and adding `spring-boot-webmvc-test` as a test dependency.
- Update the SAML sample for Spring Security 7 by migrating `OpenSaml4AuthenticationProvider` → `OpenSaml5AuthenticationProvider` and replacing the removed `AntPathRequestMatcher` usage.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| snippets.json | Updates reported lib_version values for the Java snippets and also adjusts the iOS AppAuth-iOS version metadata. |
| samples/java/login-auth-code/pom.xml | Bumps Boot parent, swaps dotenv artifact, adds spring-boot-webmvc-test, bumps keytool plugin. |
| samples/java/login-auth-code/src/test/java/com/secureauth/quickstart/ApplicationTests.java | Updates AutoConfigureMockMvc import to Boot 4 location. |
| samples/java/token-refresh/pom.xml | Bumps Boot parent, swaps dotenv artifact, adds spring-boot-webmvc-test, bumps keytool plugin. |
| samples/java/token-refresh/src/test/java/com/secureauth/quickstart/ApplicationTests.java | Updates AutoConfigureMockMvc import to Boot 4 location. |
| samples/java/saml-sp-login/pom.xml | Bumps Boot parent, swaps dotenv artifact, adds spring-boot-webmvc-test, bumps keytool plugin. |
| samples/java/saml-sp-login/src/main/java/com/secureauth/quickstart/Application.java | Migrates to OpenSaml5AuthenticationProvider and replaces AntPathRequestMatcher with PathPatternRequestMatcher. |
| samples/java/saml-sp-login/src/test/java/com/secureauth/quickstart/ApplicationTests.java | Updates AutoConfigureMockMvc import to Boot 4 location. |
plandzwojczak-sa approved these changes on May 13, 2026
Summary

Brings the 3 Java samples (`login-auth-code`, `token-refresh`, `saml-sp-login`) onto the latest GA versions of every dep. The Spring Boot 3.4 → 4.0 jump pulls Spring Framework 6 → 7 and Spring Security 6 → 7 as transitive consequences; this PR includes the small code changes those needed.

Bumps

- `spring-boot-starter-parent`
- `org.codehaus.mojo:keytool-maven-plugin`
- `me.paulschwarz:spring-dotenv` → `springboot4-dotenv` 5.1.0 (v5 split by Boot version)

Code changes

All 3 samples (`ApplicationTests.java`): `AutoConfigureMockMvc` moved out of `spring-boot-test-autoconfigure` into a new dedicated module `spring-boot-webmvc-test` (added as test-scope dep) and its package changed: `org.springframework.boot.test.autoconfigure.web.servlet` → `org.springframework.boot.webmvc.test.autoconfigure`.

`saml-sp-login` (`Application.java`) — Spring Security 7 dropped two things we used:

- `OpenSaml4AuthenticationProvider` → `OpenSaml5AuthenticationProvider`. Same API surface (`createDefaultResponseValidator`, `createDefaultAssertionValidatorWithParameters`, `setResponseValidator`, `setAssertionValidator`), just renamed.
- `org.springframework.security.web.util.matcher.AntPathRequestMatcher` was removed. Replaced with `PathPatternRequestMatcher.withDefaults().matcher("/logout")` from `o.s.s.web.servlet.util.matcher`. `.matcher(path)` without an explicit HTTP method matches any method, preserving the existing "GET on /logout works" behavior.

🤖 Generated with Claude Code
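
The method-matching behavior described in the PR description above, as an added example that is not code from this PR or its samples: it compares the method-agnostic matcher with a POST-only one over a few constructed requests. The class `LogoutMatcherDemo` and its helper names are hypothetical, and the example assumes spring-security-web 7.x and spring-test are on the classpath.

```java
// Added illustration, not part of the PR. Class and helper names are hypothetical.
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class LogoutMatcherDemo {

    // Form used in the PR: no HTTP method supplied, so any method on /logout matches.
    static RequestMatcher anyMethod() {
        return PathPatternRequestMatcher.withDefaults().matcher("/logout");
    }

    // Stricter variant: the same path, restricted to POST.
    static RequestMatcher postOnly() {
        return PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, "/logout");
    }

    // Evaluates a matcher against a constructed servlet request (no server needed).
    static boolean matches(RequestMatcher matcher, String method, String uri) {
        return matcher.matches(new MockHttpServletRequest(method, uri));
    }

    public static void main(String[] args) {
        // Constructed sample requests: {method, URI}.
        String[][] requests = {
            {"GET", "/logout"},
            {"POST", "/logout"},
            {"DELETE", "/logout"},
            {"GET", "/logout/other"},
        };
        RequestMatcher any = anyMethod();
        RequestMatcher post = postOnly();
        for (String[] r : requests) {
            System.out.printf("%-6s %-14s anyMethod=%-5b postOnly=%b%n",
                    r[0], r[1], matches(any, r[0], r[1]), matches(post, r[0], r[1]));
        }
    }
}
```

Assuming the matcher is passed to `logoutRequestMatcher`, the method-agnostic form keeps logout reachable by a plain GET, which is not covered by Spring Security's CSRF check; the POST-only form keeps logout behind it.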