Kerfuffle

Spring Boot 3: Upgrading Javax to Jakarta wasn't hard. Upgrading Spring Security on the other hand...man what a pain.

@kerfuffle Which aspect? Any pointers to documentation you used?

@codesmell Managing transitive dependencies that I didn't know depend on old stuff was one challenge.

The biggest challenge was making build & runtime work, only to find that any request I did resulted in a 403. That was the start of a journey through an elusive filterchain into the depths of and how it's (not) set up in this particular case.

Just reading github.com/spring-projects/spr and github.com/spring-projects/spr helped, but also docs.spring.io/spring-security and docs.spring.io/spring-security


@kerfuffle thx for the warning. Not looking forward to a similar exercise. 😑

@codesmell Also I can recommend not shying away from debug-stepping through the entire filter chain and putting breakpoints at every doFilter call you come across.

I ended up in the RequestMatcherDelegatingAuthorizationManager, which was using the matchers I set up but coming to different conclusions than previously. Something to do with how default session management has changed (see docs.spring.io/spring-security).

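The "every request is a 403" symptom and the session-management change behind it, shown as an added example written for this page (it is not code from the thread's author or from the Spring project). It assumes Spring Boot 3 / Spring Security 6 with `jakarta.*` servlet imports; the class name `SecurityConfig`, the `ApiKeyFilter`, the `X-Api-Key` header and the demo key are hypothetical, while the Spring Security types and methods used are the real 6.x API. The `@EnableWebSecurity(debug = true)` flag logs the filter chain applied to each request, which complements the breakpoint-on-every-doFilter advice above.

```java
// Added example, not from the thread or the Spring project. Hypothetical names:
// SecurityConfig, ApiKeyFilter, X-Api-Key, the demo key. Assumes Boot 3 / Security 6.
package example.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity(debug = true) // logs the filter chain for every request; remove in production
public class SecurityConfig {

    @Bean
    SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repo) throws Exception {
        http
            // Security 6: authorizeHttpRequests + requestMatchers replace the 5.x
            // authorizeRequests + antMatchers. The rules are evaluated in the order
            // given by RequestMatcherDelegatingAuthorizationManager.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Security 6 default (requireExplicitSave = true): the SecurityContext is
            // no longer written to the session automatically at the end of a request.
            // Code that only called SecurityContextHolder.setContext(...) under 5.x
            // now authenticates exactly one request; the next one is anonymous and
            // is rejected. Either restore the 5.x behaviour ...
            //   .securityContext(ctx -> ctx.requireExplicitSave(false))
            // ... or save explicitly, as ApiKeyFilter does below.
            .securityContext(ctx -> ctx.securityContextRepository(repo))
            .addFilterBefore(new ApiKeyFilter(repo), UsernamePasswordAuthenticationFilter.class)
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    /** Hypothetical filter: authenticates a request that carries a valid X-Api-Key header. */
    static final class ApiKeyFilter extends OncePerRequestFilter {
        // Demo constant; a real deployment would look up a hashed key per client.
        private static final byte[] EXPECTED_KEY = "demo-key-change-me".getBytes(StandardCharsets.UTF_8);
        private final SecurityContextRepository repo;

        ApiKeyFilter(SecurityContextRepository repo) { this.repo = repo; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String key = req.getHeader("X-Api-Key");
            // Constant-time comparison so key length/prefix is not leaked via timing.
            if (key != null && MessageDigest.isEqual(EXPECTED_KEY, key.getBytes(StandardCharsets.UTF_8))) {
                Authentication auth = UsernamePasswordAuthenticationToken.authenticated(
                        "api-client", null, List.of(new SimpleGrantedAuthority("ROLE_API")));
                SecurityContext ctx = SecurityContextHolder.createEmptyContext();
                ctx.setAuthentication(auth);
                SecurityContextHolder.setContext(ctx);
                // The step 5.x performed for you and 6.x does not:
                repo.saveContext(ctx, req, res);
            }
            chain.doFilter(req, res); // breakpoint here shows what reaches the next filter
        }
    }
}
```

Saving the context to the HTTP session is what makes the second request succeed under the 6.x default; for purely stateless API clients the alternative is `sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))` and re-authenticating every request instead of saving at all. Which of the two applies is exactly the decision the migration guide asks you to make per filter chain.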

@kerfuffle I just went from "not excited" to "somewhat afraid".

Again, thanks for the warning. This seems like something we'd have to do pretty carefully.

@codesmell You could look at OpenRewrite or Spring Boot Migrator to help you out.

I used IntelliJ Refactor -> Migrate Packages & Classes -> Java EE to Jakarta EE, which did a lot of heavy lifting, and also IntelliJ's Gradle Dependency Analyzer helped find some hidden Javax dependencies.

Stuff like that might mean you can take smaller steps before you take on the task of migrating Spring Security.

@kerfuffle yep, the OpenRewrite route would be interesting for the boring stuff.

@codesmell Yup. It's pretty smooth sailing until you bump into an ancient little library that takes care of some obscure concern that turns out to not have a compatible upgrade and thus needs to be replaced, requiring you to first understand why it's there. Fun times.

@kerfuffle security is always a pain. On any platform. Any time