|
| 1 | +## [4.0.0] - 2025-12-14 |
| 2 | +### Features |
| 3 | +- Spring Boot 4.0 and Spring Security 7 enablement |
| 4 | + - Updated security configuration to align with Spring Security 7: |
| 5 | + - Removed deprecated DefaultWebSecurityExpressionHandler and SecurityExpressionHandler<FilterInvocation> bean. |
| 6 | + - MethodSecurityExpressionHandler is now a static bean with RoleHierarchy parameter injection (recommended Spring Security 7 pattern), ensuring method-level security honors role hierarchy. |
| 7 | +- Profile update endpoint simplified |
| 8 | + - Added UserProfileUpdateDto with validation: |
| 9 | + - Fields: firstName and lastName only, both @NotBlank and @Size(max = 50). |
| 10 | + - Updated POST /user/updateUser to accept UserProfileUpdateDto (no longer requires email/password/matchingPassword), allowing users to update their names without password validation friction. |
| 11 | + |
| 12 | +### Fixes |
| 13 | +- Corrected test expectations for registration validation |
| 14 | + - Updated unit tests to expect 400 Bad Request (not 500) when required registration fields (email/password) are missing, aligning tests with validation behavior. |
| 15 | + |
| 16 | +### Breaking Changes |
| 17 | +- Minimum Java version is now 21 |
| 18 | + - Gradle toolchain updated from Java 17 to Java 21 to meet Spring Boot 4 requirements. Consumers must build and run with JDK 21+. |
| 19 | +- Spring Security 7 behavior changes |
| 20 | + - All security URL patterns must start with a leading slash (/) in configuration and custom security matchers (e.g., user.security.unprotectedURIs, requestMatchers()). |
| 21 | + - Deprecated methods removed in Security 7 (e.g., antMatchers(), authorizeRequests())—use authorizeHttpRequests() with requestMatchers(). |
| 22 | +- Security bean changes |
| 23 | + - Removed the webExpressionHandler bean (DefaultWebSecurityExpressionHandler). If downstream applications relied on this bean, they should migrate to the new pattern using RoleHierarchy with method security expressions. |
| 24 | +- Test package relocations (affects consumers’ test code on Spring Boot 4) |
| 25 | + - Test annotations moved to new modular packages: |
| 26 | + - @AutoConfigureMockMvc → org.springframework.boot.webmvc.test.autoconfigure |
| 27 | + - @WebMvcTest → org.springframework.boot.webmvc.test.autoconfigure |
| 28 | + - @DataJpaTest / @AutoConfigureDataJpa → org.springframework.boot.data.jpa.test.autoconfigure |
| 29 | + - @AutoConfigureTestDatabase → org.springframework.boot.jdbc.test.autoconfigure |
| 30 | + - @EntityScan → org.springframework.boot.persistence.autoconfigure |
| 31 | + |
| 32 | +### Refactoring |
| 33 | +- Security configuration cleanup for Spring Security 7 |
| 34 | + - Removed deprecated imports and beans, and updated MethodSecurityExpressionHandler bean declaration to static with RoleHierarchy injection, reducing bean wiring fragility and aligning with current best practices. |
| 35 | + |
| 36 | +### Documentation |
| 37 | +- Added a comprehensive Migration Guide (MIGRATION.md) |
| 38 | + - Covers Java 21 requirement, Spring Security 7 changes (URL patterns, API removals), test infrastructure modularization, Jackson 3 notes, API changes (profile update DTO), troubleshooting, and a compatibility matrix. |
| 39 | +- README refresh for Spring Boot 4.0 |
| 40 | + - New installation section for Boot 4.0 with Maven/Gradle snippets. |
| 41 | + - Version compatibility table (Spring Boot, framework version, Java, Spring Security). |
| 42 | + - Key changes section (Java 21, Security 7, Jackson 3, modular test infrastructure). |
| 43 | + - Required test dependencies listed for Boot 4. |
| 44 | + - Quick Start prerequisites updated, and links to Migration Guide added. |
| 45 | + |
| 46 | +### Testing |
| 47 | +- Test infrastructure updated for Spring Boot 4 |
| 48 | + - Switched imports to new modular test annotation packages. |
| 49 | + - Added Spring Boot 4 modular test starters: |
| 50 | + - spring-boot-starter-data-jpa-test |
| 51 | + - spring-boot-webmvc-test |
| 52 | + - spring-boot-jdbc-test |
| 53 | +- Expanded unit test coverage for profile updates |
| 54 | + - Updated UserAPIUnitTest to use UserProfileUpdateDto. |
| 55 | + - Added validation tests for blank/null fields and length constraints; verified acceptance at max valid length. |
| 56 | + - Added org.hibernate.validator:hibernate-validator to test scope to exercise bean validation. |
| 57 | + - Adjusted CSRF test expectations and commentary to reflect standalone MockMvc limitations (actual CSRF should be covered by integration tests). |
| 58 | +- Test dependency bump |
| 59 | + - GreenMail test dependency updated to 2.1.8 for SMTP testing. |
| 60 | + |
| 61 | +### Other Changes |
| 62 | +- Dependency and build updates |
| 63 | + - Spring Boot upgraded to 4.0.0. |
| 64 | + - org.apache.commons:commons-text bumped from 1.14.0 to 1.15.0. |
| 65 | + - spring-retry pinned to 2.0.12 (compileOnly and test) for compatibility. |
| 66 | + - com.vanniktech.maven.publish plugin upgraded from 0.34.0 to 0.35.0. |
| 67 | + - Clarified that thymeleaf-extras-springsecurity6 is compatible with Spring Security 7; no springsecurity7 artifact exists yet. |
| 68 | + - Project version bumped to 4.0.0-SNAPSHOT. |
| 69 | +- CI/Automation |
| 70 | + - GitHub Action for Claude Code Review now uses ANTHROPIC_API_KEY instead of CLAUDE_CODE_OAUTH_TOKEN and has proper write permissions to comment on PRs and issues. |
| 71 | + |
1 | 72 | ## [3.5.1] - 2025-10-26 |
2 | 73 | ### Features |
3 | 74 | - New password reset endpoint: /user/savePassword |
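Review bot: The Breaking Changes section omits the POST /user/updateUser contract change that Features describes (the endpoint now accepts UserProfileUpdateDto with firstName and lastName only), even though the Documentation section lists the profile update DTO among the API changes the Migration Guide covers; add it under Breaking Changes so clients still sending email/password/matchingPassword find it where they look first. In the same section, the leading-slash entry for user.security.unprotectedURIs and requestMatchers() should say what happens to a pattern that lacks the slash (a startup failure, or a matcher that no longer matches), since that decides whether a missed entry gets noticed during the upgrade. Under Other Changes, "Project version bumped to 4.0.0-SNAPSHOT" sits beneath a dated [4.0.0] release heading; confirm which version this entry describes.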
|