Dependency Upgrade in Policy Framework

Owned by Liam Fallon
Last updated: Feb 22, 2023
1 min read

We should move to:

  • Java 17

  • Spring 6

  • Springboot 3

This page captures the dependency upgrade situation in the Policy Framework during the London development

Version in Policy Framework

Current Version

latest Version

Version in Policy Framework

Current Version

latest Version

org.glassfish.jaxb:jaxb-runtime:2.3.8

org.glassfish.jaxb:jaxb-runtime:4.0.2

Needs Jakarta types/annotations

org.hibernate:hibernate-core:5.6.15.Final

org.hibernate:hibernate-core:6.1.7.Final

Needs Spring 6

jakarta.validation:jakarta.validation-api:2.0.2

jakarta.validation:jakarta.validation-api:3.0.2



javax.xml.bind:jaxb-api:2.3.1

jakarta.xml.bind:jakarta.xml.bind-api:4.0.0

Last update to javax was in 2018

javax.servlet:javax.servlet-api:4.0.1

jakarta.servlet:jakarta.servlet-api:6.0.0

Last update to javax was in 2018

javax.ws.rs:javax.ws.rs-api:2.1.1

jakarta.ws.rs:jakarta.ws.rs-api:3.1.0

Last update to javax was in 2018

org.glassfish.jersey.core:jersey-server:2.38

org.glassfish.jersey.core:jersey-server:3.1.1

Also other Jersey dependencies, needs Jakarta types/annotations

org.eclipse.jetty:jetty-http:10.0.13

org.eclipse.jetty:jetty-http:11.0.13

Also other Jetty dependencies, needs Jakarta types/annotations, no longer supports Swagger servlet, downgrade from oparent in Policy Framework

ch.qos.logback:logback-core:1.2.11

ch.qos.logback:logback-core:1.4.5

Needs Springboot 3, downgraded from oparent in Policy Framework

org.slf4j:slf4j-api:1.7.36

org.slf4j:slf4j-api:2.0.6

Needs Springboot 3

org.springframework:spring-core:5.3.25

org.springframework:spring-core:6.0.4

Also other Spring dependencies, needs Java 17, downgraded from oparent in Policy Framework

org.springframework.security:spring-security-test:5.8.1

org.springframework.security:spring-security-test:6.0.1

Needs Spring 6

org.springframework.boot:spring-boot-starter-web:2.7.8

org.springframework.boot:spring-boot-starter-web:3.0.2

Also other Springboot dependencies

org.apache.tomcat.embed:tomcat-embed-core:9.0.71

org.apache.tomcat.embed:tomcat-embed-core:10.1.5

Needs Spring 6 and Springboot 3, downgraded from oparent in Policy Framework

Issues

  • The main issue is the move from javax. to jakarta. for all the REST annotations and types. This causes widespread but trivial code changes in most components.

  • The removal of the Swagger servlet is not an issue from a functional point of view because we ahve switched to an OpenAPI first approach in London. However, there are some minor code changed in policy/common endpoints and in components that use policy/common endpoints to remove this functionality

  • We can't step the version of the logging dependencies because the new version of those dependencies does not work with Springboot 2

  • The new versions of hibernate and tomcat do not work with Spring 5 and Springboot 2

  • The main blocker is policy/xacml-pdp and the javax XML bind libraries. The com.att.research:xacml-pdp dependency uses javax XML binding. If this dependency was updated, then all the other work for updating can be done in the Policy Framework.