Recipe to Migrate Acegi Security to Spring Security

[CodexRaunak]

Issue #792
Added a scanning recipe to Migrate Acegi Security to Spring Security. It checks if acegi security is used as a dependency, if yes then it migrates it to Spring Security by using 2 visitors.

1. Java visitor - Which changes the type and packages.
2. Maven visitor - Which removes the acegi sercurity and adds spring security core and spring security config dependencies.

We need to make it a scanning recipe as the maven visitor was adding the spring security even when no acegi security is used (i.e no migration required).
Therefore we check first if acegi security is used then perform the migration or it will unnecessary add certain dependencies.

Testing done

Added test cases for the recipe, visitor and UpgradeNextMajorParentVersion.

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[CodexRaunak]

Would like a review on this.
I don't think it should be a top level recipe, it just performs migration.
Should I add it in UpgradeToRecommendCoreVersion, UpgradeToLatestJava11CoreVersion and UpgradeToLatestJava8CoreVersion?

[CodexRaunak]

UpdateBomTest.shouldUpdateToLatestIncrementalsWithoutMavenConfig is failing :(

[jonesbusy]

This is due to incremental cleanup project: https://repo.jenkins-ci.org/artifactory/incrementals/io/jenkins/tools/bom/

I will see how to fix the test (or disable it)

[jonesbusy]

This looks ok for me. But my concern is when I see

<dependency>
    <groupId>org.acegisecurity</groupId>
    <artifactId>acegi-security</artifactId>
    <version>1.0.7</version>
</dependency>

No plugin should declarare such dependency (like spring security) since it's provided by core.

So normally we just need to change package name and not touch dependency

@gounthar By any chance did you follow this rather old migration?

[CodexRaunak]

So normally we just need to change package name and not touch dependency

Then it doesn't need to be a scanning recipe, I made the required changes.
Also when applying it to bitbucket-oauth.
java -jar plugin-modernizer-cli/target/jenkins-plugin-modernizer-999999-SNAPSHOT.jar dry-run --plugins bitbucket-oauth --recipe UpgradeNextMajorParentVersion

I think it needs some more migration, like loadUserByUsername should be migrated to loadUserByUsername2.
And this getAuthorities() is using the array as a return type which was used in acegi security, the newer return type of getAuthorities() in org.springframework.security.authentication.AbstractAuthenticationToken is Collection<GrantedAuthority>.

[gounthar]

Basil made a few of them recently if that can help.
jenkinsci/gitlab-oauth-plugin#169
jenkinsci/github-oauth-plugin#285

[gounthar]

Thanks for this recipe.
It's still failing for me, but we're progressing.

2025-02-28T08:31:58.911Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] -------------------------------------------------------------
2025-02-28T08:31:58.912Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] COMPILATION ERROR :
2025-02-28T08:31:58.913Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] -------------------------------------------------------------
2025-02-28T08:31:58.913Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[33,31] getAuthorities() in org.jenkinsci.plugins.BitbucketAuthenticationToken cannot implement getAuthorities() in org.springframework.security.core.Authentication
2025-02-28T08:31:58.914Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   return type org.springframework.security.core.GrantedAuthority[] is not compatible with java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.915Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[19,93] constructor AbstractAuthenticationToken in class org.springframework.security.authentication.AbstractAuthenticationToken cannot be applied to given types;
2025-02-28T08:31:58.915Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   required: java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.916Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   found:    no arguments
2025-02-28T08:31:58.916Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   reason: actual and formal argument lists differ in length
2025-02-28T08:31:58.916Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[32,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.917Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[11,8] org.jenkinsci.plugins.api.BitbucketUser is not abstract and does not override abstract method getAuthorities() in org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.917Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[22,31] getAuthorities() in org.jenkinsci.plugins.api.BitbucketUser cannot implement getAuthorities() in org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.918Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   return type org.springframework.security.core.GrantedAuthority[] is not compatible with java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.919Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[21,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.919Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[214,24] loadUserByUsername(java.lang.String) in org.jenkinsci.plugins.BitbucketSecurityRealm cannot override loadUserByUsername(java.lang.String) in hudson.security.SecurityRealm
2025-02-28T08:31:58.920Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #   return type org.springframework.security.core.userdetails.UserDetails is not compatible with org.acegisecurity.userdetails.UserDetails
2025-02-28T08:31:58.920Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[213,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.921Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[223,109] incompatible types: org.acegisecurity.userdetails.UserDetails cannot be converted to org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.921Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketApiService.java:[130,41] incompatible types: inference variable T has incompatible bounds
2025-02-28T08:31:58.922Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #     equality constraints: org.jenkinsci.plugins.api.BitbucketUser
2025-02-28T08:31:58.922Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker #     lower bounds: org.acegisecurity.userdetails.UserDetails,java.lang.Object
2025-02-28T08:31:58.923Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] 10 errors
2025-02-28T08:31:58.923Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] -------------------------------------------------------------
2025-02-28T08:31:58.923Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] ------------------------------------------------------------------------
2025-02-28T08:31:58.924Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] BUILD FAILURE
2025-02-28T08:31:58.924Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] ------------------------------------------------------------------------
2025-02-28T08:31:58.925Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] Total time:  4.516 s
2025-02-28T08:31:58.926Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] Finished at: 2025-02-28T09:31:58+01:00
2025-02-28T08:31:58.926Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [INFO] ------------------------------------------------------------------------
2025-02-28T08:31:58.927Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project bitbucket-oauth: Compilation failure: Compilation failure:
2025-02-28T08:31:58.927Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[33,31] getAuthorities() in org.jenkinsci.plugins.BitbucketAuthenticationToken cannot implement getAuthorities() in org.springframework.security.core.Authentication
2025-02-28T08:31:58.928Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   return type org.springframework.security.core.GrantedAuthority[] is not compatible with java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.928Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[19,93] constructor AbstractAuthenticationToken in class org.springframework.security.authentication.AbstractAuthenticationToken cannot be applied to given types;
2025-02-28T08:31:58.929Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   required: java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.929Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   found:    no arguments
2025-02-28T08:31:58.929Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   reason: actual and formal argument lists differ in length
2025-02-28T08:31:58.930Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketAuthenticationToken.java:[32,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.931Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[11,8] org.jenkinsci.plugins.api.BitbucketUser is not abstract and does not override abstract method getAuthorities() in org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.931Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[22,31] getAuthorities() in org.jenkinsci.plugins.api.BitbucketUser cannot implement getAuthorities() in org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.931Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   return type org.springframework.security.core.GrantedAuthority[] is not compatible with java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>
2025-02-28T08:31:58.932Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketUser.java:[21,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.932Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[214,24] loadUserByUsername(java.lang.String) in org.jenkinsci.plugins.BitbucketSecurityRealm cannot override loadUserByUsername(java.lang.String) in hudson.security.SecurityRealm
2025-02-28T08:31:58.933Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]   return type org.springframework.security.core.userdetails.UserDetails is not compatible with org.acegisecurity.userdetails.UserDetails
2025-02-28T08:31:58.933Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[213,5] method does not override or implement a method from a supertype
2025-02-28T08:31:58.933Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java:[223,109] incompatible types: org.acegisecurity.userdetails.UserDetails cannot be converted to org.springframework.security.core.userdetails.UserDetails
2025-02-28T08:31:58.934Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] /home/poddingue/.cache/jenkins-plugin-modernizer-cli/bitbucket-oauth/sources/src/main/java/org/jenkinsci/plugins/api/BitbucketApiService.java:[130,41] incompatible types: inference variable T has incompatible bounds
2025-02-28T08:31:58.934Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]     equality constraints: org.jenkinsci.plugins.api.BitbucketUser
2025-02-28T08:31:58.934Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]     lower bounds: org.acegisecurity.userdetails.UserDetails,java.lang.Object
2025-02-28T08:31:58.935Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] -> [Help 1]
2025-02-28T08:31:58.935Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]
2025-02-28T08:31:58.935Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
2025-02-28T08:31:58.936Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] Re-run Maven using the -X switch to enable full debug logging.
2025-02-28T08:31:58.936Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR]
2025-02-28T08:31:58.936Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] For more information about the errors and possible solutions, please read the following articles:
2025-02-28T08:31:58.937Z [INFO] [Thread=StreamPumper-systemOut] - i.j.t.p.core.impl.MavenInvoker # [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
2025-02-28T08:31:58.967Z [ERROR] [Thread=main] - i.j.t.p.core.impl.MavenInvoker # Build fail with code: 1