Migration notes 5.1

This page explains the changes required to migrate to the stated version of Atoti CVA Risk Capital.

Migrate to 5.1.1

No migration needed.

Breaking changes



  • Bug fixes: This release fixes some known issues.

Migrate to 5.1.0

Upgrading from version 5.0.0, see Atoti CVA Risk Capital 5.1.0 Release Notes.

Atoti CVA Risk Capital uses Atoti Server 6.0.9 and Atoti UI 5.1.x. For new features and fixes included in these releases, please see the Atoti UI documentation and Atoti UI Migration Notes, and the release notes for Atoti Server.

For clients licensed to use ActiveMonitor, a skeleton module based on version 6.0.9 is included with the Atoti CVA Risk Capital 5.1.0 release.

Headline announcement

  • Spring Security upgrade : We have upgraded Spring Security to version 5.8.7 to resolve vulnerabilities and prepare for the upgrade to Spring Security 6.0 (via Spring Boot 3).
  • Java 17 : Java 17 is now required to run Atoti CVA Risk Capital.
  • Swagger UI : Swagger UI is available at {base.url}/swagger-ui/index.html. This will display some REST endpoints exposed by Atoti CVA Risk Capital. It can be enabled/disabled by setting property swagger.enable to true/false.
  • Common Parent POM: The Atoti CVA Risk Capital module now inherits third-party plugin versions from the Common Parent POM version 1.2.0, in line with other solutions.
  • Incremental Measures: Incremental measures have been added to Atoti CVA Risk Capital.

Spring Security Upgrade

We have upgraded to Spring Security 5.8.7. To do so, we override the version of Spring Security in Spring Boot by importing the common-dependencies-bom version 1.2.0 into the parent pom file. The common-dependencies-bom overrides the Spring Security version using Spring’s migration guide.

You will eventually need to migrate your own custom security configuration(s) in preparation for Spring Security 6.0. We have upgraded our out-of-the-box security configurations to help in this migration.


We recommend using your own custom security configuration(s) and referring to the out-of-the-box security configuration provided only as a sample.

The default security users and roles have not changed, only the way we implement the security. We have done so by making the following changes:

Stop Using WebSecurityConfigurerAdapter

We have replaced instances of WebSecurityConfigurerAdapter with SecurityFilterChain beans.

Use the new requestMatchers methods

In Authorize Http Requests, we have replaced invocations of http.authorizeHttpRequests((authz) -> authz.antMatchers(...)) with http.authorizeHttpRequests((authz) -> authz.requestMatchers(...)).

Use the new securityMatchers methods

We have replaced invocations of http.antMatchers(...) with http.securityMatchers(...).

As an example of the previous changes, the configuration for accessing the endpoint which exposes the JWT token changed from:

    public static abstract class AJwtSecurityConfigurer extends WebSecurityConfigurerAdapter {

    protected ApplicationContext context;

    protected AuthenticationEntryPoint authenticationEntryPoint;

    protected void configure(HttpSecurity http) throws Exception {
                .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")
                // As of Spring Security 4.0, CSRF protection is enabled by default.
                // Configure CORS


protected SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        return http
        // CSRF and CORS

        .securityMatcher(mvc.pattern(url(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")))
        .authorizeHttpRequests(auth -> auth
        .requestMatchers(mvc.pattern(HttpMethod.OPTIONS, "**")).permitAll()
        .httpBasic(basic -> basic.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
Removed imports of ActivePivotRemotingServicesConfig

This class imports org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter, which may (if used) expose access to CVE-2016-1000027 in the Spring-web project.

Java 17

To run Atoti CVA Risk Capital using Java 17, the following needs to be added to the JVM options:

--add-opens java.base/java.util.concurrent=ALL-UNNAMED

See the Atoti Server documentation for more details.

Common Parent POM

The Common Parent POM version 1.2.0 is now a parent of Atoti CVA Risk Capital. This parent merely defines plugin management and is used by other solutions. The following dependency versions are now managed by this parent instead of by Atoti CVA Risk Capital:

Dependency Version
exec-maven-plugin 3.1.0
lifecycle-mapping 1.0.0
maven-assembly-plugin 3.6.0
maven-clean-plugin 3.3.1
maven-compiler-plugin 3.11.0
maven-dependency-plugin 3.6.0
maven-deploy-plugin 3.1.1
maven-enforcer-plugin 3.3.0
maven-jar-plugin 3.3.0
maven-javadoc-plugin 3.5.0
maven-resources-plugin 3.3.1
maven-source-plugin 3.3.0
maven-surefire-plugin 3.1.2
maven-war-plugin 3.4.0
spring-boot-maven-plugin 2.7.16

Input file formats

No changes.

Configuration files

Files Modified


New properties:

Property Name Comment Value
springdoc.swagger-ui.enabled Set value to true/false to enable/disable Swagger UI. The value is false by default. false
reference-levels.list Sets the list of Levels for the Reference Level Context Value ``


No changes.

Cube schema

No changes.


Incremental Measures

The following measures now have incremental variations:

Cube Measure
BA K_full
SA CCS K Delta
SA EQ K Delta
SA EQ K Vega
SA FX K Delta
SA FX K Vega
SA IR K Delta
SA IR K Vega
SA RCS K Delta