SecureAuthCorp · ksroda-sa · May 13, 2026 · May 6, 2026 · May 6, 2026 · May 13, 2026
@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.1</version>
+        <version>4.0.6</version>
         <relativePath/>
     </parent>
 
@@ -35,15 +35,22 @@
         </dependency>
         <dependency>
             <groupId>me.paulschwarz</groupId>
-            <artifactId>spring-dotenv</artifactId>
-            <version>4.0.0</version>
+            <artifactId>springboot4-dotenv</artifactId>
+            <version>5.1.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <!-- Spring Boot 4.0 split AutoConfigureMockMvc into a separate module
+             (spring-boot-webmvc-test) that's not pulled by spring-boot-starter-test. -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-webmvc-test</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
@@ -60,7 +67,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>keytool-maven-plugin</artifactId>
-                <version>1.7</version>
+                <version>2.0.2</version>
                 <executions>
                     <execution>
                         <id>generate-dev-keystore</id>

@@ -6,7 +6,7 @@
 
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.1</version>
+        <version>4.0.6</version>
         <relativePath/>
     </parent>
 
@@ -44,15 +44,22 @@
         </dependency>
         <dependency>
             <groupId>me.paulschwarz</groupId>
-            <artifactId>spring-dotenv</artifactId>
-            <version>4.0.0</version>
+            <artifactId>springboot4-dotenv</artifactId>
+            <version>5.1.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <!-- Spring Boot 4.0 split AutoConfigureMockMvc into a separate module
+             (spring-boot-webmvc-test) that's not pulled by spring-boot-starter-test. -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-webmvc-test</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
@@ -69,7 +76,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>keytool-maven-plugin</artifactId>
-                <version>1.7</version>
+                <version>2.0.2</version>
                 <executions>
                     <execution>
                         <id>generate-dev-keystore</id>

@@ -23,7 +23,7 @@
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
 import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
 import org.springframework.security.saml2.core.Saml2X509Credential;
-import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -101,9 +101,9 @@ static class SecurityConfig {
 
         @Bean
         SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-            OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
-            Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> defaultValidator =
-                    OpenSaml4AuthenticationProvider.createDefaultResponseValidator();
+            OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
+            Converter<OpenSaml5AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> defaultValidator =
+                    OpenSaml5AuthenticationProvider.createDefaultResponseValidator();
             provider.setResponseValidator(token -> {
                 Saml2ResponseValidatorResult result = defaultValidator.convert(token);
                 List<Saml2Error> filtered = result.getErrors().stream()
@@ -138,7 +138,7 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     }
                 }
                 final String expectedInResponseTo = assertionInResponseTo;
-                return OpenSaml4AuthenticationProvider.createDefaultAssertionValidatorWithParameters(
+                return OpenSaml5AuthenticationProvider.createDefaultAssertionValidatorWithParameters(
                         params -> {
                             params.put(
                                     org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters.SC_CHECK_ADDRESS,
@@ -162,7 +162,9 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     // requires POST + CSRF; for a quickstart we let a simple <a href="/logout">
                     // link work directly).
                     .logout(l -> l
-                            .logoutRequestMatcher(new org.springframework.security.web.util.matcher.AntPathRequestMatcher("/logout"))
+                            // Spring Security 7 dropped AntPathRequestMatcher; PathPatternRequestMatcher
+                            // is the replacement. `.matcher(path)` (no HTTP method) matches any method.
+                            .logoutRequestMatcher(org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.withDefaults().matcher("/logout"))
                             .logoutSuccessUrl("/"))
                     // Disable CSRF for the demo. SAML2 ACS endpoint is already exempt by the
                     // framework; this just removes the requirement on /logout. Production apps

@@ -10,7 +10,7 @@
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.1</version>
+        <version>4.0.6</version>
         <relativePath/>
     </parent>
 
@@ -35,15 +35,22 @@
         </dependency>
         <dependency>
             <groupId>me.paulschwarz</groupId>
-            <artifactId>spring-dotenv</artifactId>
-            <version>4.0.0</version>
+            <artifactId>springboot4-dotenv</artifactId>
+            <version>5.1.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <!-- Spring Boot 4.0 split AutoConfigureMockMvc into a separate module
+             (spring-boot-webmvc-test) that's not pulled by spring-boot-starter-test. -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-webmvc-test</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
@@ -60,7 +67,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>keytool-maven-plugin</artifactId>
-                <version>1.7</version>
+                <version>2.0.2</version>
                 <executions>
                     <execution>
                         <id>generate-dev-keystore</id>

@@ -10,7 +10,7 @@
 import org.mockito.ArgumentMatchers;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;