Upgrade to Spring Security 5 framework

    From version 20.17.0, IJC uses the Spring Security 5 framework, upgrading from version 3.2.9. This change introduces a new schema version, so a schema upgrade is necessary. The security configurations are upgraded automatically, but a heavily customized template might need to be modified manually. The automatic upgrade does the following:

    • adjust the xsd schemas so that they are versionless;

    • remove the deprecated usage of "ref local" and replace it with "ref bean";

    • adjust org.springframework.security.access.vote.AffirmativeBased beans;

    • adjust org.springframework.security.authentication.AnonymousAuthenticationProvider bean;

    • adjust org.springframework.security.authentication.ProviderManager beans;

    • remove and upgrade org.springframework.security.authentication.encoding.ShaPasswordEncoder beans (in Spring Security 5 there were significant changes in the password storage that can be checked here: https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released);

    • remove and upgrade org.springframework.security.authentication.encoding.PlaintextPasswordEncoder beans (in Spring Security 5 there were significant changes in the password storage that can be checked here: https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released);

    • remove all references to the deprecated salt beans;

    • adjust the hardcoded passwords (if they exist) to be prefixed with {noop};

    • adjust org.springframework.security.core.userdetails.memory.InMemoryDaoImpl bean.

    If there are changes that are not covered in the above list, manual migration will be needed. Most of the incompatible changes are between versions 3 and 4; for those, follow this guide: https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html.

    For the main changes in Spring Security 5, see: https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released.
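
    The script below is an added example, not part of IJC or of the original page. It scans a Spring Security XML configuration for the constructs in the list above and marks any other Spring Security bean for a manual check against the migration guide. The sample configuration is constructed, and treating "saltSource" properties and "*SaltSource" classes as the salt beans is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Bean classes the list above names as handled by the automatic upgrade.
AUTO = {
    "org.springframework.security.access.vote.AffirmativeBased",
    "org.springframework.security.authentication.AnonymousAuthenticationProvider",
    "org.springframework.security.authentication.ProviderManager",
    "org.springframework.security.authentication.encoding.ShaPasswordEncoder",
    "org.springframework.security.authentication.encoding.PlaintextPasswordEncoder",
    "org.springframework.security.core.userdetails.memory.InMemoryDaoImpl",
}

def audit(xml_text):
    """Return sorted (category, detail) pairs for a Spring Security XML config."""
    found = set()
    # Versioned schema locations such as spring-security-3.2.xsd
    for name in re.findall(r"[\w-]+-\d+\.\d+\.xsd", xml_text):
        found.add(("versioned-xsd", name))
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        cls = el.get("class", "")
        if tag == "ref" and el.get("local"):
            found.add(("ref-local", el.get("local")))
        elif tag == "property" and el.get("name") == "saltSource":
            found.add(("salt-reference", el.get("ref", "")))  # assumed salt wiring
        elif tag == "bean" and cls in AUTO:
            found.add(("auto-upgraded-bean", cls))
        elif tag == "bean" and "SaltSource" in cls:
            found.add(("salt-bean", cls))  # assumed meaning of "salt beans"
        elif tag == "bean" and cls.startswith("org.springframework.security."):
            found.add(("check-manually", cls))  # not named in the list above
    return sorted(found)

# Constructed sample configuration, not an IJC template.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
  <bean id="enc" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
  <bean id="salt" class="org.springframework.security.authentication.dao.SystemWideSaltSource"/>
  <bean id="dao" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="passwordEncoder"><ref local="enc"/></property>
    <property name="saltSource" ref="salt"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    for category, detail in audit(SAMPLE):
        print(f"{category:20} {detail}")
```

    Run it against the temporary copy of the configuration; a "check-manually" entry only means the class is not named in the list, not that it is known to be incompatible.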

    Before the upgrade, making a temporary copy of your security configuration is recommended in case you need to restore it later.