Upgrade to Spring Framework 6.2.0-M4

Closes gh-15266

config/spring-security-config.gradle

@@ -65,7 +65,7 @@ dependencies {
 	testImplementation 'jakarta.websocket:jakarta.websocket-api'
 	testImplementation 'jakarta.websocket:jakarta.websocket-client-api'
 	testImplementation 'ldapsdk:ldapsdk:4.1'
-	testImplementation('net.sourceforge.htmlunit:htmlunit') {
+	testImplementation('org.htmlunit:htmlunit') {
 		exclude group: 'commons-logging', module: 'commons-logging'
 		exclude group: 'xml-apis', module: 'xml-apis'
 	}
@@ -80,7 +80,7 @@ dependencies {
 	testImplementation "org.hibernate.orm:hibernate-core"
 	testImplementation 'org.hsqldb:hsqldb'
 	testImplementation 'org.mockito:mockito-core'
-	testImplementation('org.seleniumhq.selenium:htmlunit-driver') {
+	testImplementation('org.seleniumhq.selenium:htmlunit3-driver') {
 		exclude group: 'commons-logging', module: 'commons-logging'
 		exclude group: 'xml-apis', module: 'xml-apis'
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFirewallTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.web.configurers;
 
 import jakarta.servlet.http.HttpServletRequest;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -52,6 +53,7 @@ public class NamespaceHttpFirewallTests {
 	MockMvc mvc;
 
 	@Test
+	@Disabled("MockMvc uses UriComponentsBuilder::fromUriString which was changed in https://github.com/spring-projects/spring-framework/issues/32513")
 	public void requestWhenPathContainsDoubleDotsThenBehaviorMatchesNamespace() throws Exception {
 		this.rule.register(HttpFirewallConfig.class).autowire();
 		this.mvc.perform(get("/public/../private/")).andExpect(status().isBadRequest());

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java

@@ -25,7 +25,6 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import com.gargoylesoftware.htmlunit.util.UrlUtils;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@@ -41,6 +40,7 @@
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import okhttp3.mockwebserver.RecordedRequest;
+import org.htmlunit.util.UrlUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 

config/src/test/java/org/springframework/security/config/http/AccessDeniedConfigTests.java

@@ -18,13 +18,13 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.HttpStatus;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
@@ -71,7 +71,7 @@ public void configureWhenAccessDeniedHandlerIsMissingLeadingSlashThenException()
 	@WithMockUser
 	public void configureWhenAccessDeniedHandlerRefThenAutowire() throws Exception {
 		this.spring.configLocations(this.xml("AccessDeniedHandler")).autowire();
-		this.mvc.perform(get("/")).andExpect(status().is(HttpStatus.GONE_410));
+		this.mvc.perform(get("/")).andExpect(status().is(HttpStatus.GONE.value()));
 	}
 
 	@Test
@@ -90,7 +90,7 @@ public static class GoneAccessDeniedHandler implements AccessDeniedHandler {
 		@Override
 		public void handle(HttpServletRequest request, HttpServletResponse response,
 				AccessDeniedException accessDeniedException) {
-			response.setStatus(HttpStatus.GONE_410);
+			response.setStatus(HttpStatus.GONE.value());
 		}
 
 	}

config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java

@@ -22,12 +22,12 @@
 import jakarta.servlet.Filter;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.http.HttpStatus;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
@@ -566,7 +566,7 @@ private static class TeapotAccessDeniedHandler implements AccessDeniedHandler {
 		@Override
 		public void handle(HttpServletRequest request, HttpServletResponse response,
 				AccessDeniedException accessDeniedException) {
-			response.setStatus(HttpStatus.IM_A_TEAPOT_418);
+			response.setStatus(HttpStatus.I_AM_A_TEAPOT.value());
 		}
 
 	}

config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java

@@ -26,7 +26,6 @@
 import java.util.List;
 import java.util.Map;
 
-import com.gargoylesoftware.htmlunit.util.UrlUtils;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@@ -40,6 +39,7 @@
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import okhttp3.mockwebserver.RecordedRequest;
+import org.htmlunit.util.UrlUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import reactor.core.publisher.Mono;

config/src/test/java/org/springframework/security/htmlunit/server/HtmlUnitWebTestClient.java

@@ -24,10 +24,11 @@
 import java.util.Set;
 import java.util.StringTokenizer;
 
-import com.gargoylesoftware.htmlunit.FormEncodingType;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebRequest;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import org.htmlunit.FormEncodingType;
+import org.htmlunit.WebClient;
+import org.htmlunit.WebRequest;
+import org.htmlunit.util.Cookie;
+import org.htmlunit.util.NameValuePair;
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.HttpMethod;
@@ -117,8 +118,8 @@ private void cookies(WebTestClient.RequestBodySpec request, WebRequest webReques
 				request.cookie(cookieName, cookieValue);
 			}
 		}
-		Set<com.gargoylesoftware.htmlunit.util.Cookie> managedCookies = this.webClient.getCookies(webRequest.getUrl());
-		for (com.gargoylesoftware.htmlunit.util.Cookie cookie : managedCookies) {
+		Set<Cookie> managedCookies = this.webClient.getCookies(webRequest.getUrl());
+		for (Cookie cookie : managedCookies) {
 			request.cookie(cookie.getName(), cookie.getValue());
 		}
 	}

config/src/test/java/org/springframework/security/htmlunit/server/MockWebResponseBuilder.java

@@ -20,10 +20,10 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import com.gargoylesoftware.htmlunit.WebRequest;
-import com.gargoylesoftware.htmlunit.WebResponse;
-import com.gargoylesoftware.htmlunit.WebResponseData;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import org.htmlunit.WebRequest;
+import org.htmlunit.WebResponse;
+import org.htmlunit.WebResponseData;
+import org.htmlunit.util.NameValuePair;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;

config/src/test/java/org/springframework/security/htmlunit/server/WebTestClientHtmlUnitDriverBuilder.java

@@ -16,8 +16,8 @@
 
 package org.springframework.security.htmlunit.server;
 
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebConnection;
+import org.htmlunit.WebClient;
+import org.htmlunit.WebConnection;
 import org.openqa.selenium.WebDriver;
 
 import org.springframework.test.web.reactive.server.WebTestClient;

config/src/test/java/org/springframework/security/htmlunit/server/WebTestClientWebConnection.java

@@ -18,10 +18,10 @@
 
 import java.io.IOException;
 
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebConnection;
-import com.gargoylesoftware.htmlunit.WebRequest;
-import com.gargoylesoftware.htmlunit.WebResponse;
+import org.htmlunit.WebClient;
+import org.htmlunit.WebConnection;
+import org.htmlunit.WebRequest;
+import org.htmlunit.WebResponse;
 
 import org.springframework.lang.Nullable;
 import org.springframework.test.web.reactive.server.FluxExchangeResult;

dependencies/spring-security-dependencies.gradle

@@ -47,6 +47,7 @@ dependencies {
 		api libs.jakarta.websocket.jakarta.websocket.client.api
 		api libs.ldapsdk
 		api libs.net.sourceforge.htmlunit
+		api libs.org.htmlunit.htmlunit
 		api libs.org.apache.directory.server.apacheds.entry
 		api libs.org.apache.directory.server.apacheds.core
 		api libs.org.apache.directory.server.apacheds.protocol.ldap

gradle/libs.versions.toml

@@ -13,7 +13,7 @@ org-jetbrains-kotlin = "1.9.24"
 org-jetbrains-kotlinx = "1.8.1"
 org-mockito = "5.11.0"
 org-opensaml = "4.3.2"
-org-springframework = "6.1.9"
+org-springframework = "6.2.0-M4"
 
 [libraries]
 ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.6"
@@ -46,6 +46,7 @@ jakarta-websocket-jakarta-websocket-client-api = { module = "jakarta.websocket:j
 jakarta-xml-bind-jakarta-xml-bind-api = "jakarta.xml.bind:jakarta.xml.bind-api:4.0.2"
 ldapsdk = "ldapsdk:ldapsdk:4.1"
 net-sourceforge-htmlunit = "net.sourceforge.htmlunit:htmlunit:2.70.0"
+org-htmlunit-htmlunit = "org.htmlunit:htmlunit:4.1.0"
 org-apache-directory-server-apacheds-core = { module = "org.apache.directory.server:apacheds-core", version.ref = "org-apache-directory-server" }
 org-apache-directory-server-apacheds-entry = { module = "org.apache.directory.server:apacheds-core-entry", version.ref = "org-apache-directory-server" }
 org-apache-directory-server-apacheds-protocol-ldap = { module = "org.apache.directory.server:apacheds-protocol-ldap", version.ref = "org-apache-directory-server" }
@@ -78,8 +79,8 @@ org-opensaml-opensaml-core = { module = "org.opensaml:opensaml-core", version.re
 org-opensaml-opensaml-saml-api = { module = "org.opensaml:opensaml-saml-api", version.ref = "org-opensaml" }
 org-opensaml-opensaml-saml-impl = { module = "org.opensaml:opensaml-saml-impl", version.ref = "org-opensaml" }
 org-python-jython = { module = "org.python:jython", version = "2.5.3" }
-org-seleniumhq-selenium-htmlunit-driver = "org.seleniumhq.selenium:htmlunit-driver:2.70.0"
-org-seleniumhq-selenium-selenium-java = "org.seleniumhq.selenium:selenium-java:3.141.59"
+org-seleniumhq-selenium-htmlunit-driver = "org.seleniumhq.selenium:htmlunit3-driver:4.20.0"
+org-seleniumhq-selenium-selenium-java = "org.seleniumhq.selenium:selenium-java:4.20.0"
 org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-support:3.141.59"
 org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.1"
 org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorResponseErrorHandler.java

@@ -54,7 +54,7 @@ public boolean hasError(ClientHttpResponse response) throws IOException {
 
 	@Override
 	public void handleError(ClientHttpResponse response) throws IOException {
-		if (HttpStatus.BAD_REQUEST.value() != response.getRawStatusCode()) {
+		if (HttpStatus.BAD_REQUEST.value() != response.getStatusCode().value()) {
 			this.defaultErrorHandler.handleError(response);
 		}
 		// A Bearer Token Error may be in the WWW-Authenticate response header

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClientTests.java

@@ -120,7 +120,7 @@ public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAcce
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		assertThat(formParameters).contains("grant_type=password");
 		assertThat(formParameters).contains("username=user1");
@@ -155,7 +155,7 @@ public void getTokenResponseWhenSuccessResponseIncludesScopeThenReturnAccessToke
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		assertThat(formParameters).contains("grant_type=password");
 		assertThat(formParameters).contains("username=user1");

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveRefreshTokenTokenResponseClientTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -124,7 +124,7 @@ public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() t
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.AUTHORIZATION)).startsWith("Basic ");
 		String formParameters = recordedRequest.getBody().readUtf8();
 		assertThat(formParameters).contains("grant_type=refresh_token");

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveTokenExchangeTokenResponseClientTests.java

@@ -190,7 +190,7 @@ public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() t
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		// @formatter:off
 		assertThat(formParameters).contains(
@@ -230,7 +230,7 @@ public void getTokenResponseWhenSubjectTokenIsJwtThenSubjectTokenTypeIsJwt() thr
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		// @formatter:off
 		assertThat(formParameters).contains(
@@ -270,7 +270,7 @@ public void getTokenResponseWhenActorTokenIsNotNullThenActorParametersAreSent()
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		// @formatter:off
 		assertThat(formParameters).contains(
@@ -312,7 +312,7 @@ public void getTokenResponseWhenActorTokenIsJwtThenActorTokenTypeIsJwt() throws
 		assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
 		assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
 		assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
-			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+			.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 		String formParameters = recordedRequest.getBody().readUtf8();
 		// @formatter:off
 		assertThat(formParameters).contains(

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/http/OAuth2ErrorResponseErrorHandlerTests.java

@@ -118,17 +118,12 @@ private CustomMockClientHttpResponse(byte[] content, int statusCode) {
 
 		@Override
 		public HttpStatus getStatusCode() throws IOException {
-			return HttpStatus.valueOf(getRawStatusCode());
-		}
-
-		@Override
-		public int getRawStatusCode() {
-			return this.statusCode;
+			return HttpStatus.valueOf(this.statusCode);
 		}
 
 		@Override
 		public String getStatusText() throws IOException {
-			HttpStatus httpStatus = HttpStatus.resolve(this.statusCode);
+			HttpStatus httpStatus = HttpStatus.valueOf(this.statusCode);
 			return (httpStatus != null) ? httpStatus.getReasonPhrase() : "";
 		}
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java

@@ -38,8 +38,10 @@
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.web.util.InvalidUrlException;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.entry;
 
@@ -255,17 +257,14 @@ public void resolveWhenAuthorizationRequestIncludesPort443ThenExpandedRedirectUr
 	}
 
 	@Test
-	public void resolveWhenAuthorizationRequestHasNoPortThenExpandedRedirectUriWithExtraVarsExcludesPort() {
+	public void resolveWhenAuthorizationRequestHasNoPortThenInvalidUrlException() {
 		ClientRegistration clientRegistration = this.fineRedirectUriTemplateRegistration;
 		String requestUri = this.authorizationRequestBaseUri + "/" + clientRegistration.getRegistrationId();
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setScheme("https");
 		request.setServerPort(-1);
 		request.setServletPath(requestUri);
-		OAuth2AuthorizationRequest authorizationRequest = this.resolver.resolve(request);
-		assertThat(authorizationRequest.getRedirectUri()).isNotEqualTo(clientRegistration.getRedirectUri());
-		assertThat(authorizationRequest.getRedirectUri())
-			.isEqualTo("https://localhost/login/oauth2/code/" + clientRegistration.getRegistrationId());
+		assertThatExceptionOfType(InvalidUrlException.class).isThrownBy(() -> this.resolver.resolve(request));
 	}
 
 	// gh-5520