Modernize: Java 17 + Spring Boot 3.2 + Jakarta EE + Spring Security 6

[devin-ai-integration]

Summary

Upgrades the stack from Java 11 / Spring Boot 2.6 to Java 17 / Spring Boot 3.2. Completed across six committed phases:

1. Java 17 + Gradle 8.5 — bumped sourceCompatibility/targetCompatibility to 17, Gradle wrapper to 8.5, spotless to 6.25.0.
2. Joda-Time → java.time.Instant — replaced org.joda.time.DateTime across 21 files (domain entities, DTOs, DateTimeCursor, DateTimeHandler, Jackson serializer, GraphQL datafetchers, tests). Joda dependency removed.
3. Spring Boot 3.2 / Jakarta / Security 6:
   • build.gradle: Spring Boot 3.2.5, dependency-management 1.1.4, MyBatis 3.0.3, DGS 8.5.0 (+ codegen 6.2.1), Flyway pinned to 9.22.3 (last version with community SQLite support), JJWT 0.12.5, SQLite 3.45.1.0, rest-assured 5.4.0.
   • javax.servlet.* / javax.validation.* → jakarta.* (javax.crypto kept as-is, it's JDK).
   • WebSecurityConfig: full rewrite from WebSecurityConfigurerAdapter to SecurityFilterChain bean with the new lambda DSL. Route rules preserved 1:1.
   • CustomizeExceptionHandler.handleMethodArgumentNotValid: HttpStatus → HttpStatusCode.
   • DefaultJwtService: rewritten for JJWT 0.12.x (Keys.hmacShaKeyFor, .subject()/.expiration(), Jwts.parser().verifyWith(...).parseSignedClaims(...)).
   • ArticleDatafetcher/CommentDatafetcher: switched from graphql.relay.PageInfo/DefaultPageInfo to the DGS-generated io.spring.graphql.types.PageInfo.
   • GraphQLCustomizeExceptionHandler: onException → handleException returning CompletableFuture<DataFetcherExceptionHandlerResult>.
4. Test updates — DefaultJwtServiceTest secret extended to 64 chars; expired-token test rewritten to generate the token programmatically (the old hardcoded token was signed by the previous JJWT version and is no longer a valid expiry test in isolation).
5. New test coverage — DateTimeCursorTest, DateTimeHandlerTest, JacksonCustomizationsTest.
6. Spotless applied.

./gradlew clean test passes locally.

Review & Testing Checklist for Human

This is a wide-reaching upgrade — please do not rely on green CI alone.

• Boot the app end-to-end (./gradlew bootRun). I did not verify runtime startup, only compile + unit/integration tests. In particular, confirm Flyway migrations apply against SQLite and the schema is created.
• JWT secret length: Keys.hmacShaKeyFor throws WeakKeyException if jwt.secret is < 32 bytes (HS256) / 64 bytes (HS512). Check whatever application.properties is used in deployment has a long-enough secret, and note that all previously issued tokens become invalid because the old SignatureAlgorithm.HS512 + SecretKeySpec(bytes) path is gone.
• WebSecurityConfig route rules — compare old antMatchers chain vs. new requestMatchers chain; confirm no endpoint that was protected is now permitAll and vice-versa. Particular scrutiny on /articles/feed (authenticated) vs /articles/** GET (public) ordering.
• Timestamp serialization format change: old path used ISODateTimeFormat.dateTime().withZoneUTC() which always emits 3 fractional digits (e.g. 2024-01-15T12:34:56.789Z). New path uses DateTimeFormatter.ISO_INSTANT which omits fractional seconds when zero and uses variable precision otherwise. If any API consumer parses a strict format, this is a breaking change. ArticleApiTest was updated to the new format, but external clients weren't.
• GraphQL PageInfo: DGS 8 generates its own io.spring.graphql.types.PageInfo. Exercise /graphql queries that use articlesConnection/feed/comments pagination and confirm cursors still round-trip correctly.
• Flyway 9.22.3 pin: Spring Boot 3.2's BOM wants a newer Flyway that dropped community SQLite support. Verify the pin holds (./gradlew dependencies | grep flyway) and that migrations run on a fresh DB.

Notes

• No application.properties/application.yml is checked into the repo; I did not create one. If one is injected at deploy time, nothing here changes that contract, but jwt.secret length must be validated there (see checklist).
• MockBean imports were left on org.springframework.boot.test.mock.mockito.MockBean — still valid (deprecated but functional) in Boot 3.2.x; migrating to @MockitoBean is only required at 3.4+.
• Suppressed deprecation warnings from Gradle itself are unrelated to source and will surface again on a future Gradle 9 bump.

Link to Devin session: https://app.devin.ai/sessions/f95d9a0043c3470b930fb59f2e50b454
Requested by: @SachetCognition

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.