Development: Update server dependencies (#10061)

build.gradle

@@ -418,7 +418,7 @@ dependencies {
     implementation "org.springframework.security:spring-security-oauth2-core:${spring_security_version}"
     implementation "org.springframework.security:spring-security-oauth2-client:${spring_security_version}"
     // use newest version of nimbus-jose-jwt to avoid security issues through outdated dependencies
-    implementation "com.nimbusds:nimbus-jose-jwt:9.47"
+    implementation "com.nimbusds:nimbus-jose-jwt:9.48"
 
     implementation "org.springframework.security:spring-security-oauth2-jose:${spring_security_version}"
     implementation "org.springframework.security:spring-security-crypto:${spring_security_version}"
@@ -532,7 +532,7 @@ dependencies {
     testImplementation "io.github.classgraph:classgraph:4.8.179"
     testImplementation "org.awaitility:awaitility:4.2.2"
     testImplementation "org.apache.maven.shared:maven-invoker:3.3.0"
-    testImplementation "org.gradle:gradle-tooling-api:8.11.1"
+    testImplementation "org.gradle:gradle-tooling-api:8.12"
     testImplementation "org.apache.maven.surefire:surefire-report-parser:3.5.2"
     testImplementation "com.opencsv:opencsv:5.9"
     testImplementation("io.zonky.test:embedded-database-spring-test:2.6.0") {

docker/mysql.yml

@@ -5,7 +5,7 @@
 services:
     mysql:
         container_name: artemis-mysql
-        image: docker.io/library/mysql:9.0.1
+        image: docker.io/library/mysql:9.1.0
         pull_policy: if_not_present
         volumes:
             - artemis-mysql-data:/var/lib/mysql

docker/nginx.yml

@@ -6,7 +6,7 @@ services:
     nginx:
         # nginx setup based on artemis prod ansible repository
         container_name: artemis-nginx
-        image: docker.io/library/nginx:1.26
+        image: docker.io/library/nginx:1.27.3-alpine-slim
         pull_policy: if_not_present
         volumes:
             - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro

docker/nginx/nginx.conf

@@ -1,4 +1,4 @@
-# default config /etc/nginx/nginx.conf from the nginx:1.26 docker image
+# default config /etc/nginx/nginx.conf from the nginx:1.27.3-alpine-slim docker image
 # comment specific Artemis changes!
 
 user  nginx;

docker/postgres.yml

@@ -5,7 +5,7 @@
 services:
     postgres:
         container_name: artemis-postgres
-        image: docker.io/library/postgres:17.0-alpine
+        image: docker.io/library/postgres:17.2-alpine
         pull_policy: if_not_present
         user: postgres
         command: ["postgres", "-c", "max_connections=10000"]

docs/admin/database.rst

@@ -42,7 +42,7 @@ Migrating MySQL Data to PostgreSQL
         ---
         services:
             mysql:
-                image: docker.io/library/mysql:9.0.1
+                image: docker.io/library/mysql:9.1.0
                 environment:
                     - MYSQL_DATABASE=Artemis
                     - MYSQL_ALLOW_EMPTY_PASSWORD=yes
@@ -59,7 +59,7 @@ Migrating MySQL Data to PostgreSQL
                     - db-migration
 
             postgres:
-                image: docker.io/library/postgres:17.0
+                image: docker.io/library/postgres:17.2-alpine
                 environment:
                     - POSTGRES_USER=root
                     - POSTGRES_DB=Artemis

docs/dev/setup/docker-compose.rst

@@ -305,7 +305,7 @@ The ``docker-compose.yml`` file could look like this for an Artemis, Jenkins and
           - "traefik.http.services.artemis.loadbalancer.server.port=8080"
 
       artemis-db:
-        image: mysql:9
+        image: mysql:9.1.0
         container_name: "mysql"
         restart: unless-stopped
         volumes:

gradle.properties

@@ -7,7 +7,7 @@ npm_version=10.9.0
 
 # Dependency versions
 jhipster_dependencies_version=8.7.2
-spring_boot_version=3.4.0
+spring_boot_version=3.4.1
 spring_framework_version=6.2.1
 spring_cloud_version=4.2.0
 spring_security_version=6.4.2
@@ -31,7 +31,7 @@ slf4j_version=2.0.16
 sentry_version=7.19.0
 liquibase_version=4.30.0
 docker_java_version=3.4.1
-logback_version=1.5.14
+logback_version=1.5.15
 java_parser_version=3.26.2
 byte_buddy_version=1.15.11
 netty_version=4.1.115.Final
@@ -48,7 +48,7 @@ testcontainer_version=1.20.4
 # gradle plugin version
 gradle_node_plugin_version=7.1.0
 apt_plugin_version=0.21
-liquibase_plugin_version=2.1.1
+liquibase_plugin_version=2.2.2
 modernizer_plugin_version=1.10.0
 
 org.gradle.jvmargs=-Xmx2g -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8 -Duser.country=US -Duser.language=en \

src/main/java/de/tum/cit/aet/artemis/core/config/SecurityConfiguration.java

@@ -165,7 +165,7 @@ public RoleHierarchy roleHierarchy() {
      * @throws Exception If an error occurs during the configuration process.
      */
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http, SecurityProblemSupport securityProblemSupport) throws Exception {
+    public SecurityFilterChain securityFilterChain(HttpSecurity http, SecurityProblemSupport securityProblemSupport) throws Exception {
         // @formatter:off
         http
             // Disables CSRF (Cross-Site Request Forgery) protection; useful in stateless APIs where the token management is unnecessary.
@@ -187,7 +187,7 @@ public SecurityFilterChain filterChain(HttpSecurity http, SecurityProblemSupport
                 // Disables HTTP Strict Transport Security as it is managed at the reverse proxy level (typically nginx).
                 .httpStrictTransportSecurity((HeadersConfigurer.HstsConfig::disable))
                 // Defines Permissions Policy to restrict what features the browser is allowed to use.
-                .permissionsPolicy(permissions -> permissions.policy("camera=(), fullscreen=(*), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()")))
+                .permissionsPolicyHeader(permissions -> permissions.policy("camera=(), fullscreen=(*), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()")))
             // Configures sessions to be stateless; appropriate for REST APIs where no session is required.
             .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
             // Configures authorization for various URL patterns. The patterns are considered in order.

src/main/java/de/tum/cit/aet/artemis/core/config/websocket/WebsocketSecurityConfiguration.java

@@ -2,34 +2,41 @@
 
 import static de.tum.cit.aet.artemis.core.config.Constants.PROFILE_CORE;
 
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
-import org.springframework.messaging.Message;
 import org.springframework.messaging.simp.SimpMessageType;
-import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity;
-import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
+import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
+import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;
 
 import de.tum.cit.aet.artemis.core.security.Role;
 
 @Profile(PROFILE_CORE)
 @Configuration
-@EnableWebSocketSecurity
-public class WebsocketSecurityConfiguration {
+// NOTE: due to an issue in Spring Security, we had to use the old "deprecated" way with extending AbstractSecurityWebSocketMessageBrokerConfigurer
+// https://github.com/spring-projects/spring-security/issues/16299
+// As soon as this issue was addressed in a future Spring Framework / Spring Security, we can switch to the new way by using @EnableWebSocketSecurity again
+// @EnableWebSocketSecurity
+public class WebsocketSecurityConfiguration extends AbstractSecurityWebSocketMessageBrokerConfigurer {
 
-    @Bean
-    AuthorizationManager<Message<?>> authorizationManager(MessageMatcherDelegatingAuthorizationManager.Builder messages) {
-        messages.nullDestMatcher().authenticated().simpDestMatchers("/topic").hasAuthority(Role.ADMIN.getAuthority())
-                // matches any destination that starts with /topic/
-                // (i.e. cannot send messages directly to /topic/)
-                // (i.e. cannot subscribe to /topic/messages/* to get messages sent to
-                // /topic/messages-user<id>)
-                .simpDestMatchers("/topic/**").authenticated()
-                // message types other than MESSAGE and SUBSCRIBE
-                .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll()
-                // catch all
-                .anyMessage().denyAll();
-        return messages.build();
+    @Override
+    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
+        // @formatter:off
+        messages
+            .nullDestMatcher()
+            .authenticated()
+            // matches any destination that starts with /topic/
+            // (i.e. cannot send messages directly to /topic/)
+            // (i.e. cannot subscribe to /topic/messages/* to get messages sent to
+            // /topic/messages-user<id>)
+            .simpDestMatchers("/topic")
+                .hasAuthority(Role.ADMIN.getAuthority())
+            .simpDestMatchers("/topic/**")
+                .authenticated()
+            // message types other than MESSAGE and SUBSCRIBE
+            .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll()
+            // catch all
+                .anyMessage()
+                .denyAll();
+        // @formatter:on
     }
 }

src/main/kubernetes/artemis/statefulsets/artemis-mysql.yml

@@ -31,7 +31,7 @@ spec:
         envFrom:
         - configMapRef:
             name: artemis-mysql
-        image: mysql:9.0.1
+        image: mysql:9.1.0
         imagePullPolicy: IfNotPresent
         name: artemis-mysql
         ports:

src/test/resources/config/application.yml

@@ -192,7 +192,7 @@ zonky:
             type: H2  # Alternatives: H2 / MYSQL / POSTGRES
             postgres:
                 docker:
-                    image: "postgres:17.0-alpine"
+                    image: "postgres:17.2-alpine"
                     tmpfs:
                         enabled: true
                 server:
@@ -215,7 +215,7 @@ zonky:
                         max_parallel_maintenance_workers: 4
             mysql:
                 docker:
-                    image: "mysql:9.0.1"
+                    image: "mysql:9.1.0"
                     tmpfs:
                         enabled: true