-
Notifications
You must be signed in to change notification settings - Fork 40.7k
Spring Boot 2.0 Migration Guide
This document is meant to help you migrate your application to Spring Boot 2.0 by providing thematic sections that mirror the developer guide.
Before you start the upgrade, make sure to upgrade to the latest 1.5.x available version. This will make sure that you are building against the most recent dependencies of that line.
The move to Spring Boot 2 will upgrade a number of dependencies and might require work on your end. You can review dependency management for 1.5.x with dependency management for 2.0.x to asses how your project is affected.
You may also use dependencies that are not managed by Spring Boot (e.g. Spring Cloud). As your project defines an explicit version for those, you need first to identify the compatible version before upgrading.
Any user-configuration that your project defines might need to be reviewed on upgrade. If this can be replaced by use of standard auto-configuration, do it so before upgrading.
Spring Boot 2.0 requires Java 8 or later. Java 6 and 7 are no longer supported. It also requires Spring Framework 5.0.
Once you have reviewed the state of your project and its dependencies, upgrade to the latest maintenance release of Spring Boot 2.0. In particular, do not upgrade to Spring Boot 2.0.0.RELEASE as a number of issues have been reported and fixed.
We also recommend to upgrade in phases and not in one jump to the latest GA: first upgrade to 2.0, then 2.1, etc.
With Spring Boot 2.0, many configuration properties were renamed/removed and developers need to update their application.properties/application.yml accordingly.
To help you with that, Spring Boot ships a new spring-boot-properties-migrator module.
Once added as a dependency to your project, this will not only analyze your application’s environment and print diagnostics at startup, but also temporarily migrate properties at runtime for you.
This is a must have during your application migration:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-properties-migrator</artifactId>
<scope>runtime</scope>
</dependency>runtime("org.springframework.boot:spring-boot-properties-migrator")|
Note
|
Once you’re done with the migration, please make sure to remove this module from your project’s dependencies. |
If you wish to look into specifics, here’s a curated list of resources - otherwise, proceed to the next sections:
The plugin configuration attributes that are exposed as properties now all start with a spring-boot prefix for consistency and to avoid clashes with other plugins.
For instance, the following command enables the prod profile using the command line:
mvn spring-boot:run -Dspring-boot.run.profiles=prod
Custom include/exclude patterns have been aligned to latest Surefire’s defaults. If you were relying on ours, update your plugin configuration accordingly. They used to be as follows:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<includes>
<include>**/*Tests.java</include>
<include>**/*Test.java</include>
</includes>
<excludes>
<exclude>**/Abstract*.java</exclude>
</excludes>
</configuration>
</plugin>|
Tip
|
If you are using JUnit 5, you should upgrade Surefire to 2.22.0.
|
Spring Boot’s Gradle plugin has been largely rewritten to enable a number of significant improvements. You can read more about the plugin’s capabilities in its reference and api documentation.
Spring Boot’s Gradle plugin no longer automatically applies the dependency management plugin. Instead, Spring Boot’s plugin now reacts to the dependency management plugin being applied by importing the correct version of the spring-boot-dependencies BOM. This gives you more control over how and when dependency management is configured.
For most applications applying the dependency management plugin will be sufficient:
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management' // <-- add this to your build.gradle|
Note
|
The dependency management plugin remains a transitive dependency of spring-boot-gradle-plugin so there’s no need for it to be listed as a classpath dependency in your buildscript configuration. |
The bootRepackage task has been replaced with bootJar and bootWar tasks for building executable jars and wars respectively. The jar and war tasks are no longer involved.
Spring Boot now uses CGLIB proxying by default, including for the AOP support.
If you need interface-based proxy, you’ll need to set the spring.aop.proxy-target-class to false.
Spring Boot applications can now operate in more modes so spring.main.web-environment property is now deprecated in favor of spring.main.web-application-type that provides more control.
If you want to make sure an application doesn’t start a web server you’d have to change the property to:
spring.main.web-application-type=none|
Tip
|
there is also a setWebApplicationType on SpringApplication if you want to do that programmatically.
|
We’ve added a new event, ApplicationStartedEvent.
ApplicationStartedEvent is sent after the context has been refreshed but before any application and command-line runners have been called.
ApplicationReadyEvent is sent after any application and command-line runners have been called.
It indicates that the application is ready to service requests.
See the updated reference documentation.
The rules related to relaxed binding have been tightened
This new relaxed bindings as several advantages:
-
There is no need to worry about the structure of the key in
@ConditionalOnProperty: you must now use the canonical format (acme.my-propertyand notacme.myProperty), the supported relaxed variants will work transparently. If you were using theprefixattribute you can now simply put the full key using thenameorvalueattributes. -
RelaxedPropertyResolveris no longer available as theEnvironmenttakes care of that automatically:env.getProperty("com.foo.my-bar")will find acom.foo.myBarproperty.
The org.springframework.boot.bind package is no longer available and is replaced by the new relaxed binding infrastructure.
In particular, RelaxedDataBinder and friends have been replaced with a new Binder API.
The following samples binds MyProperties from the app.acme prefix.
MyProperties target = Binder.get(environment)
.bind("app.acme", MyProperties.class)
.orElse(null);As relaxed binding is now built-in, you can request any property without having to care about the case as long as it’s using one of the supported formats:
FlagType flagType = Binder.get(environment)
.bind("acme.app.my-flag", FlagType.class)
.orElse(FlagType.DEFAULT);While binding on static properties (using a static getter and setter pair) works in Spring Boot 1.x, we never really intended to provide such feature and it is no longer possible as of Spring Boot 2.
It is now mandatory that your @ConfigurationProperties object is annotated with @Validated if you want to turn on validation.
The behavior of the spring.config.location configuration has been fixed; it previously added a location to the list of default ones, now it replaces the default locations.
If you were relying on the way it was handled previously, you should now use spring.config.additional-location instead.
In order to support reactive use cases, the embedded containers package structure has been refactored quite extensively.
EmbeddedServletContainer has been renamed to WebServer and the org.springframework.boot.context.embedded package has been relocated to org.springframework.boot.web.server. Correspondingly, EmbeddedServletContainerCustomizer has been renamed to WebServerFactoryCustomizer.
For example, if you were customizing the embedded Tomcat container using the TomcatEmbeddedServletContainerFactory callback interface, you should now use TomcatServletWebServerFactory and if you were using an EmbeddedServletContainerCustomizer bean, you should now use a WebServerFactoryCustomizer<TomcatServletWebServerFactory> bean.
A number of server.* properties that are Servlet-specific have moved to server.servlet:
| Old property | New property |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Previously several Spring Boot starters were transitively depending on Spring MVC with spring-boot-starter-web.
With the new support of Spring WebFlux, spring-boot-starter-mustache, spring-boot-starter-freemarker and spring-boot-starter-thymeleaf are not depending on it anymore.
It is the developer’s responsibility to choose and add spring-boot-starter-web or spring-boot-starter-webflux.
Spring Boot 2 uses Thymeleaf 3 which has its own migration guide.
In previous version of Spring Boot, the Thymeleaf starter included the thymeleaf-layout-dialect dependency previously. Since Thymeleaf 3.0 now offers a native way to implement layouts, we removed that mandatory dependency and leave this choice up to you. If your application is relying on the layout-dialect project, please add it explicitly as a dependency.
In 2.0, we’ve flipped a Jackson configuration default to write JSR-310 dates as ISO-8601 strings.
If you wish to return to the previous behavior, you can add spring.jackson.serialization.write-dates-as-timestamps=true to your configuration.
A new spring-boot-starter-json starter gathers the necessary bits to read and write JSON.
It provides not only jackson-databind but also useful modules when working with Java8: jackson-datatype-jdk8, jackson-datatype-jsr310 and jackson-module-parameter-names.
If you were manually depending on those modules, you can now depend on this new starter instead.
We’ve decided to change the default for suffix path matching in Spring MVC applications (see #11105). This feature is not enabled by default anymore, following a best practice documented in Spring Framework.
If your application expects requests like "GET /projects/spring-boot.json" to be mapped to @GetMapping("/projects/spring-boot") mappings, this change is affecting you.
For more information about this and how to mitigate that change, check out the reference documentation about path matching and content negotiation in Spring Boot.
The default dispatcher types for a Servlet Filter are now DipatcherType.REQUEST; this aligns Spring Boot’s default with the Servlet specification’s default.
If you wish to map a filter to other dispatcher types, please register your Filter using a FilterRegistrationBean.
|
Note
|
Spring Security and Spring Session filters are configured for ASYNC, ERROR, and REQUEST dispatcher types.
|
The requestFactory(ClientHttpRequestFactory) method has been replaced by a new requestFactory(Supplier<ClientHttpRequestFactory> requestFactorySupplier) method.
The use of a Supplier allows every template produced by the builder to use its own request factory, thereby avoiding side-effects that can be caused by sharing a factory.
See #11255.
Spring Boot 1.x used and provided dependency management for org.webjars:webjars-locator. webjars-locator is a "poorly named library … that wraps the webjars-locator-core project".
Dependencies on org.webjars:webjars-locator should be updated to use org.webjars:webjars-locator-core instead.
If you have customized the registration of the DispatcherServlet, by providing a ServletRegistrationBean named dispatcherServletRegistration, you must also provide a DispatcherServletPath bean so that other components can be aware of the dispatcher servlet’s path. One way to do so is to provide a DispatcherServletRegistrationBean, which implements DispatcherServletPath rather than a ServletRegistrationBean when customizing the registration.
|
Tip
|
This section provides a summary of the changes to security in Spring Boot 2. If you want to know more, refer to the Security migration use cases wiki page. |
Spring Boot 2 greatly simplifies the default security configuration and makes adding custom security easy.
Rather than having several security-related auto-configurations, Spring Boot now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter.
You are affected if you were using any of the following properties:
security.basic.authorize-mode
security.basic.enabled
security.basic.path
security.basic.realm
security.enable-csrf
security.headers.cache
security.headers.content-security-policy
security.headers.content-security-policy-mode
security.headers.content-type
security.headers.frame
security.headers.hsts
security.headers.xss
security.ignored
security.require-ssl
security.sessionsTo learn about these changes in more detail, refer to the Security migration use cases wiki page.
The security auto-configuration no longer exposes options and uses Spring Security defaults as much as possible. One noticeable side effect of that is the use of Spring Security’s content negotiation for authorization (form login).
Spring Boot 2.0 doesn’t deviate too much from Spring Security’s defaults, as a result of which some of the endpoints that bypassed Spring Security in Spring Boot 1.5 are now secure by default. These include the error endpoint and paths to static resources such as /css/**, /js/**, /images/**, /webjars/**, /**/favicon.ico. If you want to open these up, you need to explicitly configure that.
Spring Boot configures a single user with a generated password, by default.
The user can be configured using properties under spring.security.user.*. To customize the user further or add other users, you will have to expose a UserDetailsService bean instead.
This sample demonstrates how to do it.
To disable default user creation, provide a bean of type AuthenticationManager, AuthenticationProvider or UserDetailsService.
|
Note
|
Autowiring an AuthenticationManagerBuilder into a method in a configuration class does not disable creation of the default user.
|
If you want to expose Spring Security’s AuthenticationManager as a bean, override the authenticationManagerBean method on your WebSecurityConfigurerAdapter and annotate it with @Bean.
Functionality from the Spring Security OAuth project is being migrated to core Spring Security. Dependency management is no longer provided for that dependency and Spring Boot 2 provides OAuth 2.0 client support via Spring Security 5.
If you depend on Spring Security OAuth features that have not yet been migrated, you will need to add a dependency on an additional jar, check the documentation for more details. We’re also continuing to support Spring Boot 1.5 so older applications can continue to use that until an upgrade path is provided.
There is no longer a separate security auto-configuration for the Actuator (management.security.* property are gone).
The sensitive flag of each endpoint is also gone to make things more explicit in the security configuration.
If you were relying to this behavior, you need to create or adapt your security configuration to secure endpoints with the role of your choice.
For instance, assuming the following config
endpoints.flyway.sensitive=false
endpoints.info.sensitive=true
management.security.roles=MY_ADMINhttp
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health", "flyway")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("MY_ADMIN")
...Note that in 2.x, health and info are enabled by default (with health details not shown by default).
To be consistent with those new defaults, health has been added to the first matcher.
Spring Data Kay renamed a number of its CRUD repository methods. Application code calling the renamed methods will have to be updated. To ease the migration, you may want to consider using a custom CrudRepository sub-interface that declares deprecated default methods that use the old names and delegate to the equivalent newly named method. Marking the default methods has deprecated will help to ensure that the migration is not forgotten.
The default connection pool has switched from Tomcat to HikariCP.
If you used spring.datasource.type to force the use of Hikari in a Tomcat-based application, you can now remove that override.
In particular, if you had such setup:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-jdbc</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
</dependency>you can now replace it with:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>From now on, applications that don’t explicitly enable spring.jpa.open-in-view will get a WARN message during startup.
While this behavior is a friendly default, this can lead to issues if you’re not fully aware of what’s that doing for you.
This message makes sure that you understand that database queries may be performed during view rendering.
If you’re fine with that, you can configure explicitly this property to silence the warning message.
In Spring Boot 1.x, some users were extending from HibernateJpaAutoConfiguration to apply advanced customizations to the auto-configured EntityManagerFactory.
To prevent such faulty use case from happening, it is no longer possible to extend from it in Spring Boot 2.
To support those use cases, you can now define a HibernatePropertiesCustomizer bean that gives you full control over Hibernate properties, including the ability to register Hibernate interceptor declared as beans in the context.
Flyway configuration keys were moved to the spring namespace (i.e. spring.flyway)
Upgrading to Spring Boot 2 will upgrade Flyway from 3.x to 5.x.
To make sure that the schema upgrade goes smoothly, please follow the following instructions:
If you experience a checksum error on upgrading the schema (i.e. FlywayException: Validate failed. Migration Checksum mismatch), invoking repair could help as show in the following example
@Bean
public FlywayMigrationStrategy repairStrategy() {
return flyway -> {
flyway.repair();
flyway.migrate();
};
}|
Tip
|
Alternatively, this blog post by @wimdeblauwe provides a different approach that saves the two step upgrade. |
Basic DataSource initialization is now only enabled for embedded data sources and will switch off as soon as you’re using a production database.
The new spring.datasource.initialization-mode (replacing spring.datasource.initialize) offers more control.
Lettuce is now used instead of Jedis as the Redis driver when you use spring-boot-starter-data-redis. If you are using higher level Spring Data constructs you should find that the change is transparent.
We still support Jedis. Switch dependencies if you prefer Jedis by excluding io.lettuce:lettuce-core and adding redis.clients:jedis instead.
Connection pooling is optional and, if you are using it, you now need to add commons-pool2 yourself as Lettuce, contrary to Jedis, does not bring it transitively.
Elasticsearch has been upgraded to 5.4+. In line with Elastic’s announcement that embedded Elasticsearch is no longer supported, auto-configuration of a NodeClient has been removed.
A TransportClient can be auto-configured by using spring.data.elasticsearch.cluster-nodes to provide the addresses of one or more nodes to connect to.
It is no longer possible to auto-configure both a general HazelcastInstance and a dedicated HazelcastInstance for caching. As a result, the spring.cache.hazelcast.config property is no longer available.
The Redis CacheManager implementation has been reworked significantly, make sure to review the reference documentation.
Mockito 1.x is no longer supported for @MockBean and @SpyBean.
If you don’t use spring-boot-starter-test to manage your dependencies you should upgrade to Mockito 2.x.
|
Note
|
See also What’s new in Mockito 2 |
ConditionalOnBean is now using a logical AND rather than an OR for candidate beans. If you need to keep a condition where any of the target beans are present, consider using a AnyNestedCondition as shown in the following example:
class ThisOrThatCondition extends AnyNestedCondition {
ThisOrThatCondition() {
super(ConfigurationPhase.REGISTER_BEAN);
}
@ConditionalOnBean(This.class)
static class ThisCondition {
}
@ConditionalOnBean(That.class)
static class ThatCondition {
}
}Spring Boot 2 brings important changes to the actuator, both internal and user-facing, please check the updated section in the reference guide and the new Actuator API documentation.
You should expect changes in the programming model, configuration keys and the response format of some endpoints. Actuator is now natively supported on Spring MVC, Spring WebFlux and Jersey.
The code of the Actuator has been split in two modules: the existing spring-boot-actuator and a new spring-boot-actuator-autoconfigure.
If you were importing the actuator using its original module (spring-boot-actuator), please consider using the spring-boot-starter-actuator starter instead.
Endpoints infrastructure key have been harmonized:
| Old property | New property |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
All endpoints have moved to /actuator by default.
We fixed the meaning of management.server.servlet.context-path: it is now the endpoint management equivalent of server.servlet.context-path (only active when management.server.port is set).
Additionally, you can also set the base path for the management endpoints with a new, separate property: management.endpoints.web.base-path.
For example, if you’ve set management.server.servlet.context-path=/management and management.endpoints.web.base-path=/application, you’ll be able to reach the health endpoint at the following path: /management/application/health.
If you want to restore the behavior of 1.x (i.e. having /health instead of /actuator/health), set the following property:
management.endpoints.web.base-path=/To make an actuator endpoint available via HTTP, it needs to be both enabled and exposed. By default:
-
Only the
/healthand/infoendpoints are exposed, regardless of Spring Security being present and configured in your application. -
All endpoints but
/shutdownare enabled.
You can expose all endpoints as follows:
management.endpoints.web.exposure.include=*You can explicitly enable the /shutdown endpoint with:
management.endpoint.shutdown.enabled=trueTo expose all (enabled) web endpoints but the env endpoint:
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=env| 1.x Endpoint | Changes |
|---|---|
|
No longer available. There is, however, a mapping available at the root of |
|
The |
|
Renamed to |
|
No longer available (the API documentation is part of the published documentation now) |
|
Rather than relying on the |
|
Renamed to |
Endpoint properties have changed as follows:
-
endpoints.<id>.enabledhas moved tomanagement.endpoint.<id>.enabled -
endpoints.<id>.idhas no replacement (the id of an endpoint is no longer configurable) -
endpoints.<id>.sensitivehas no replacement (See Actuator Security) -
endpoints.<id>.pathhas moved tomanagement.endpoints.web.path-mapping.<id>
The JSON format has changed to now properly include information about context hierarchies, multiple DispatcherServlets, deployed Servlets and Servlet filters.
See #9979 for more details.
The relevant section of the Actuator API documentation provides a sample document.
The structure of the response has been refined to reflect the endpoint’s focus on tracing HTTP request-response exchanges. More details about the endpoint and its response structure can be found in the relevant section of the Actuator API documentation.
If you have custom actuator endpoints, please check out the dedicated blog post. The team also wrote a wiki page that describes how to migrate your existing Actuator endpoints to the new infrastructure.
Spring Boot’s own metrics have been replaced with support, including auto-configuration, for Micrometer and dimensional metrics.
If your Spring Boot 2.0 application already depends on Actuator, Micrometer is already here and auto-configured.
If you wish to export metrics to an external registry like Prometheus, Atlas or Datadog, Micrometer provides dependencies for many registries; you can then configure your application with spring.metrics.* properties to export to a particular registry.
For more on this, check out the Micrometer documentation about Spring Boot 2.0.
Instead of injecting CounterService or GaugeService instances in your application code, you can create various metrics by:
-
Injecting a
MeterRegistryand calling methods on it. -
Directly calling static methods like
Counter featureCounter = Metrics.counter("feature");.
Micrometer brings many interesting features - check out the core concepts behind Micrometer and the specifics about Spring Boot integration.
You can plug existing Spring Boot 1.5 applications in the same metrics infrastructure by using the Micrometer Legacy support.
As the Spring Loaded project has been moved to the attic, its support in Spring Boot has been removed. We advise to use Devtools instead.
The support for tunnelling remote debugging over HTTP has been removed from Devtools.
The following features are no longer available:
-
CRaSH support
-
Auto-configuration and dependency management for Spring Mobile.
-
Auto-configuration and dependency management for Spring Social. Please check the Spring Social project for more details.
-
Dependency management for
commons-digester. -
Test support in the CLI (i.e.
spring test)
The minimum supported version of the following libraries has changed:
-
Elasticsearch 5.6
-
Gradle 4
-
Hibernate 5.2
-
Jetty 9.4
-
Spring Framework 5
-
Spring Security 5
-
Spring Integration 5 (see also their migration guide)
-
Tomcat 8.5