[3.3] Add dubbo-spring6-security plugin by splitting dubbo-spring-security

[zrlw]

What is the purpose of the change?

#15491
split dubbo-spring-security to two plugins, the original one for spring5, the new one - dubbo-spring6-security - for spring6.

Checklist

• Make sure there is a GitHub_issue field for the change.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Write necessary unit-test to verify your logic correction. If the new feature or significant change is committed, please remember to add sample in dubbo samples project.
• Make sure gitHub actions can pass. Why the workflow is failing and how to fix it?

[Copilot]

Pull Request Overview

This PR splits the existing Spring 5 security plugin into two modules by introducing a dedicated Spring 6 security plugin (dubbo-spring6-security), relocates Spring 6–specific Jackson registrations into SPI-based customizers, and refactors mixins and POMs accordingly.

• Introduce dubbo-spring6-security module with its own Maven setup, dependencies, and tests
• Move Spring 6 Jackson module registrations out of the Spring 5 plugin into a new OAuth2ObjectMapperCodecCustomer SPI
• Update RegisteredClientMixin to use concrete ClientSettings/TokenSettings and adjust parent and child POMs

Reviewed Changes

Copilot reviewed 11 out of 20 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pom.xml	Add new dubbo-spring6-security module and spring-security-6.version property
dubbo-plugin/dubbo-spring6-security/src/test/resources/log4j2-test.xml	Add log4j2 test configuration for the Spring 6 plugin
dubbo-plugin/dubbo-spring6-security/src/test/resources/dubbo-test.xml	Add Spring XML test config for the Spring 6 plugin
dubbo-plugin/dubbo-spring6-security/src/test/java/.../DeserializationTest.java	Add deserialization tests for Spring 6 security types
dubbo-plugin/dubbo-spring6-security/src/main/resources/.../ObjectMapperCodecCustomer	Register the Spring 6 SPI customizer for Jackson via Dubbo internal metadata
dubbo-plugin/dubbo-spring6-security/src/main/java/.../OAuth2ObjectMapperCodecCustomer.java	Implement ObjectMapperCodecCustomer to register Spring 6 security Jackson modules
dubbo-plugin/dubbo-spring6-security/src/main/java/.../RegisteredClientMixin.java	Update mixin constructor to accept ClientSettings and TokenSettings instead of raw Object types
dubbo-plugin/dubbo-spring6-security/pom.xml	Define Maven coordinates and dependencies for the new Spring 6 security plugin
dubbo-plugin/dubbo-spring-security/src/test/java/.../ObjectMapperCodecTest.java	Mark test mapper field final in the Spring 5 plugin
dubbo-plugin/dubbo-spring-security/src/main/java/.../ObjectMapperCodec.java	Remove direct registration of Spring 6 Jackson modules from the Spring 5 plugin
dubbo-plugin/dubbo-spring-security/pom.xml	Remove Spring 6 OAuth2 server deps and related properties from the Spring 5 plugin POM

Comments suppressed due to low confidence (2)

dubbo-plugin/dubbo-spring6-security/src/test/java/org/apache/dubbo/spring/security/oauth2/DeserializationTest.java:79

• Consider asserting specific properties of the deserialized object (e.g., token value or principal name) for stronger test validation instead of only checking not-null.

        Assertions.assertNotNull(deserialize);

dubbo-plugin/dubbo-spring-security/src/main/java/org/apache/dubbo/spring/security/jackson/ObjectMapperCodec.java:101

• Removing the registration of OAuth2SecurityModule and SecurityJackson2Modules here disables support for serializing Spring Security types in the Spring 5 plugin (and will break existing tests such as ObjectMapperCodecTest). Consider conditionally registering these modules only for Spring 6 or preserving legacy registration for Spring 5.

    private void registerDefaultModule() {

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Project coverage is 60.91%. Comparing base (a0b6e47) to head (37139d5).
Report is 2 commits behind head on 3.3.

Files with missing lines	Patch %	Lines
.../spring/security/oauth2/RegisteredClientMixin.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##                3.3   #15494      +/-   ##
============================================
  Coverage     60.91%   60.91%              
- Complexity       12    11458   +11446     
============================================
  Files          1898     1908      +10     
  Lines         86477    86665     +188     
  Branches      12965    12987      +22     
============================================
+ Hits          52678    52793     +115     
- Misses        28358    28414      +56     
- Partials       5441     5458      +17     

Flag	Coverage Δ
integration-tests-java17	32.96% <0.00%> (-0.08%)	⬇️
integration-tests-java8	33.05% <0.00%> (-0.08%)	⬇️
samples-tests-java17	31.27% <88.88%> (-0.18%)	⬇️
samples-tests-java8	29.29% <0.00%> (+0.04%)	⬆️
unit-tests	58.87% <88.88%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zrlw]

@wzkris