Update spring-boot version to 3.1.2 (jhipster#22933)

* Use MvcRequestMatcher in SecurityFilterChain

See https://spring.io/security/cve-2023-34035

* Update spring-boot version to 3.1.2

* Update hibernate version to 6.2.6.Final

* replace mariadb with mysql at reactive samples

* fix to swagger-ui

* fix jdlSamples variable

---------

Co-authored-by: Marcelo Shima <[email protected]>

.blueprint/generate-sample/support/generate-sample.js

@@ -71,8 +71,7 @@ export const generateSample = async (
   }
 
   if (jdlSamples) {
-    const jdlSamples = jdlSamples.split(',');
-    for (const jdlSample of jdlSamples) {
+    for (const jdlSample of jdlSamples.split(',')) {
       if (existsSync(join(jdlSamplesFolder, jdlSample))) {
         cpSync(join(jdlSamplesFolder, jdlSample), destProjectFolder, { recursive: true });
       } else {

generators/client/templates/src/main/webapp/swagger-ui/index.html.ejs

@@ -78,7 +78,7 @@
         };
 <%_ } _%>
 
-        const baseUrl = serverBaseUri + 'v3/api-docs';
+        const baseUrl = 'v3/api-docs';
         let urls;
 <%_ if (!applicationTypeMonolith && serviceDiscoveryAny) { _%>
 
@@ -121,9 +121,9 @@
         if (!urls || urls.length === 0) {
           const response = await axios.get('/management/jhiopenapigroups', axiosConfig);
           if (Array.isArray(response.data)) {
-            urls = response.data.map(({ group, description }) => ({ name: description, url: `${baseUrl}/${group}` }));
+            urls = response.data.map(({ group, description }) => ({ name: description, url: `${serverBaseUri}${baseUrl}/${group}` }));
           } else {
-            urls = [{ name: 'default', url: baseUrl }];
+            urls = [{ name: 'default', url: `${serverBaseUri}${baseUrl}` }];
           }
         }
         console.log(`Swagger urls`, urls);

generators/generator-constants.mts

@@ -32,13 +32,12 @@ export const javaDependencies: Record<string, string> = {
   /**
    * spring-boot version should match the one managed by https://mvnrepository.com/artifact/tech.jhipster/jhipster-dependencies/JHIPSTER_DEPENDENCIES_VERSION
    */
-  'spring-boot': '3.1.1',
+  'spring-boot': '3.1.2',
   /*
    * hibernate version should match the one managed by https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/SPRING_BOOT_VERSION
    * Required due to hibernate-jpamodelgen annotation processor.
    */
-  // TODO update to spring-boot provided version. Refer to https://github.com/jhipster/generator-jhipster/issues/22579
-  hibernate: '6.2.5.Final', // Should be 6.2.5.Final
+  hibernate: '6.2.6.Final',
   /*
    * cassandra driver version should match the one managed by https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/SPRING_BOOT_VERSION
    * Required due to java-driver-mapper-processor annotation processor.

generators/server/templates/src/main/java/package/config/SecurityConfiguration_imperative.java.ejs

@@ -21,6 +21,10 @@ package <%= packageName %>.config;
 import <%= packageName %>.security.*;
 import tech.jhipster.config.JHipsterProperties;
 
+<%_ if (authenticationTypeSession || devDatabaseTypeH2Any) { _%>
+import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
+
+<%_ } _%>
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 <%_ if (authenticationTypeOauth2) { _%>
@@ -81,9 +85,6 @@ import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.authentication.RememberMeServices;
   <%_ } _%>
 <%_ } _%>
-<%_ if (authenticationTypeSession || devDatabaseTypeH2Any) { _%>
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-<%_ } _%>
 <%_ if (authenticationUsesCsrf && !applicationTypeMicroservice) { _%>
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
@@ -103,6 +104,8 @@ import <%= packageName %>.security.oauth2.CustomClaimConverter;
 <%_ if(!skipClient) { _%>
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 <%_ } _%>
+import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
+import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
 <%_ if (authenticationTypeOauth2 || !applicationTypeMicroservice) { _%>
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -145,7 +148,7 @@ public class SecurityConfiguration {
 <%_ } _%>
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
         http
 <%_ if (!applicationTypeMicroservice) { _%>
             .cors(withDefaults())
@@ -178,39 +181,39 @@ public class SecurityConfiguration {
                 // prettier-ignore
                 authz
 <%_ if (!skipClient) { _%>
-                    .requestMatchers("/", "/index.html", "/*.js", "/*.map", "/*.css").permitAll()
-                    .requestMatchers("/*.ico", "/*.png", "/*.svg", "/*.webapp").permitAll()
-                    .requestMatchers("/app/**").permitAll()
-                    .requestMatchers("/i18n/**").permitAll()
-                    .requestMatchers("/content/**").permitAll()
-                    .requestMatchers("/swagger-ui/**").permitAll()
+                    .requestMatchers(mvc.pattern("/index.html"), mvc.pattern("/*.js"), mvc.pattern("/*.map"), mvc.pattern("/*.css")).permitAll()
+                    .requestMatchers(mvc.pattern("/*.ico"), mvc.pattern("/*.png"), mvc.pattern("/*.svg"), mvc.pattern("/*.webapp")).permitAll()
+                    .requestMatchers(mvc.pattern("/app/**")).permitAll()
+                    .requestMatchers(mvc.pattern("/i18n/**")).permitAll()
+                    .requestMatchers(mvc.pattern("/content/**")).permitAll()
+                    .requestMatchers(mvc.pattern("/swagger-ui/**")).permitAll()
 <%_ } _%>
 <%_ if (authenticationTypeJwt) { _%>
-                    .requestMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
-                    .requestMatchers(HttpMethod.GET, "/api/authenticate").permitAll()
+                    .requestMatchers(mvc.pattern(HttpMethod.POST, "/api/authenticate")).permitAll()
+                    .requestMatchers(mvc.pattern(HttpMethod.GET, "/api/authenticate")).permitAll()
 <%_ } else { _%>
-                    .requestMatchers("/api/authenticate").permitAll()
+                    .requestMatchers(mvc.pattern("/api/authenticate")).permitAll()
 <%_ } _%>
 <%_ if (generateUserManagement) { _%>
-                    .requestMatchers("/api/register").permitAll()
-                    .requestMatchers("/api/activate").permitAll()
-                    .requestMatchers("/api/account/reset-password/init").permitAll()
-                    .requestMatchers("/api/account/reset-password/finish").permitAll()
+                    .requestMatchers(mvc.pattern("/api/register")).permitAll()
+                    .requestMatchers(mvc.pattern("/api/activate")).permitAll()
+                    .requestMatchers(mvc.pattern("/api/account/reset-password/init")).permitAll()
+                    .requestMatchers(mvc.pattern("/api/account/reset-password/finish")).permitAll()
 <%_ } _%>
 <%_ if (authenticationTypeOauth2) { _%>
-                    .requestMatchers("/api/auth-info").permitAll()
+                    .requestMatchers(mvc.pattern("/api/auth-info")).permitAll()
 <%_ } _%>
-                    .requestMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                    .requestMatchers("/api/**").authenticated()
+                    .requestMatchers(mvc.pattern("/api/admin/**")).hasAuthority(AuthoritiesConstants.ADMIN)
+                    .requestMatchers(mvc.pattern("/api/**")).authenticated()
 <%_ if (communicationSpringWebsocket) { _%>
-                    .requestMatchers("/websocket/**").authenticated()
-<%_ } _%>
-                    .requestMatchers("/v3/api-docs/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                    .requestMatchers("/management/health").permitAll()
-                    .requestMatchers("/management/health/**").permitAll()
-                    .requestMatchers("/management/info").permitAll()
-                    .requestMatchers("/management/prometheus").permitAll()
-                    .requestMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN))
+                    .requestMatchers(mvc.pattern("/websocket/**")).authenticated()
+<%_ } _%>
+                    .requestMatchers(mvc.pattern("/v3/api-docs/**")).hasAuthority(AuthoritiesConstants.ADMIN)
+                    .requestMatchers(mvc.pattern("/management/health")).permitAll()
+                    .requestMatchers(mvc.pattern("/management/health/**")).permitAll()
+                    .requestMatchers(mvc.pattern("/management/info")).permitAll()
+                    .requestMatchers(mvc.pattern("/management/prometheus")).permitAll()
+                    .requestMatchers(mvc.pattern("/management/**")).hasAuthority(AuthoritiesConstants.ADMIN))
 <%_ if (authenticationTypeSession) { _%>
   <%_ if (generateUserManagement) { _%>
             .rememberMe(rememberMe ->
@@ -225,9 +228,9 @@ public class SecurityConfiguration {
                     new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                     new OrRequestMatcher(
   <%_ if (communicationSpringWebsocket) { _%>
-                        new AntPathRequestMatcher("/websocket/**"),
+                        antMatcher("/websocket/**"),
   <%_ } _%>
-                        new AntPathRequestMatcher("/api/**")
+                        antMatcher("/api/**")
                     )
                 )
             )
@@ -261,13 +264,18 @@ public class SecurityConfiguration {
         if (env.acceptsProfiles(Profiles.of(JHipsterConstants.SPRING_PROFILE_DEVELOPMENT))) {
             http
   <%_ if (authenticationUsesCsrf && !applicationTypeMicroservice) { _%>
-                .csrf(csrf -> csrf.ignoringRequestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")))
+                .csrf(csrf -> csrf.ignoringRequestMatchers(antMatcher("/h2-console/**")))
   <%_ } _%>
-                .authorizeHttpRequests(authz -> authz.requestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")).permitAll());
+                .authorizeHttpRequests(authz -> authz.requestMatchers(antMatcher("/h2-console/**")).permitAll());
         }
 <%_ } _%>
         return http.build();
     }
+
+    @Bean
+    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
+        return new MvcRequestMatcher.Builder(introspector);
+    }
 <%_ if (authenticationTypeOauth2) { _%>
 
     Converter<Jwt, AbstractAuthenticationToken> authenticationConverter() {

generators/server/templates/src/main/java/package/config/SecurityJwtConfiguration.java.ejs

@@ -60,6 +60,8 @@ public class SecurityJwtConfiguration {
                     .doOnError(e -> {
                         if (e.getMessage().contains("Jwt expired at")) {
                             metersService.trackTokenExpired();
+                        } else if (e.getMessage().contains("Failed to validate the token")) {
+                            metersService.trackTokenInvalidSignature();        
                         }
                     });
             } catch (Exception e) {

generators/server/templates/src/main/resources/config/application.yml.ejs

@@ -378,8 +378,8 @@ jhipster:
   mail:
     from: <%= baseName %>@localhost
   api-docs:
-    default-include-pattern: ${server.servlet.context-path:}/api/**
-    management-include-pattern: ${server.servlet.context-path:}/management/**
+    default-include-pattern: /api/**
+    management-include-pattern: /management/**
     title: <%= humanizedBaseName %> API
     description: <%= humanizedBaseName %> API documentation
     version: 0.0.1

generators/server/templates/src/test/java/package/config/JHipsterBlockHoundIntegration.java.ejs

@@ -32,11 +32,12 @@ public class JHipsterBlockHoundIntegration implements BlockHoundIntegration {
         builder.allowBlockingCallsInside("com.github.couchmove.repository.CouchbaseRepositoryImpl", "lambda$query$2");
         builder.allowBlockingCallsInside("com.github.couchmove.repository.CouchbaseRepositoryImpl", "lambda$importFtsIndex$1");
 <%_ } _%>
-<%_ if (prodDatabaseTypeMysql || prodDatabaseTypeMariadb) { _%>
+<%_ if (prodDatabaseTypeMariadb) { _%>
         builder.allowBlockingCallsInside("org.mariadb.r2dbc.message.client.HandshakeResponse", "writeConnectAttributes");
         builder.allowBlockingCallsInside("org.mariadb.r2dbc.client.MariadbPacketDecoder", "decode");
+        builder.allowBlockingCallsInside("org.mariadb.r2dbc.client.SimpleClient", "lambda$receive$18");
 <%_ } _%>
-<%_ if (devDatabaseTypeMssql || prodDatabaseTypeMssql) { _%>
+<%_ if (prodDatabaseTypeMssql) { _%>
         builder.allowBlockingCallsInside("io.r2dbc.mssql.client.ssl.TdsSslHandler", "createSslHandler");
 <%_ } _%>
 <%_ if (searchEngineElasticsearch) { _%>

test-integration/jdl-samples/ms-mf-react-eureka-oauth2-mariadb-infinispan/blog-store.jdl

@@ -27,7 +27,8 @@ application {
     creationTimestamp 1617901618886
     jwtSecretKey "ZjY4MTM4YjI5YzMwZjhjYjI2OTNkNTRjMWQ5Y2Q0Y2YwOWNmZTE2NzRmYzU3NTMwM2NjOTE3MTllOTM3MWRkMzcyYTljMjVmNmQ0Y2MxOTUzODc0MDhhMTlkMDIxMzI2YzQzZDM2ZDE3MmQ3NjVkODk3OTVmYzljYTQyZDNmMTQ="
     packageName com.okta.developer.gateway
-    prodDatabaseType mariadb
+    // TODO switch to mariadb
+    prodDatabaseType mysql
     serviceDiscoveryType eureka
     testFrameworks [cypress]
     microfrontends [blog, notification]
@@ -89,7 +90,8 @@ application {
     entitySuffix Entity
     jwtSecretKey "ZjY4MTM4YjI5YzMwZjhjYjI2OTNkNTRjMWQ5Y2Q0Y2YwOWNmZTE2NzRmYzU3NTMwM2NjOTE3MTllOTM3MWRkMzcyYTljMjVmNmQ0Y2MxOTUzODc0MDhhMTlkMDIxMzI2YzQzZDM2ZDE3MmQ3NjVkODk3OTVmYzljYTQyZDNmMTQ="
     packageName com.okta.developer.notification
-    prodDatabaseType mariadb
+    // TODO switch to mariadb
+    prodDatabaseType mysql
     reactive true
     serverPort 8083
     serviceDiscoveryType eureka