Migration notes 5.1
This page explains the changes required to migrate to the stated version of Atoti CVA Risk Capital.
Migrate to 5.1.2
No migration needed.
Migrate to 5.1.1
No migration needed.
Breaking changes
None.
Summary
- Bug fixes: This release fixes some known issues.
Migrate to 5.1.0
If you are upgrading from version 5.0.0, see the Atoti CVA Risk Capital 5.1.0 Release Notes.
Atoti CVA Risk Capital uses Atoti Server 6.0.9 and Atoti UI 5.1.x. For new features and fixes included in these releases, please see the Atoti UI documentation and Atoti UI Migration Notes, and the release notes for Atoti Server.
For clients licensed to use ActiveMonitor, a skeleton module based on version 6.0.9 is included with the Atoti CVA Risk Capital 5.1.0 release.
Headline announcement
- Spring Security upgrade: We have upgraded Spring Security to version 5.8.7 to resolve vulnerabilities and prepare for the upgrade to Spring Security 6.0 (via Spring Boot 3).
- Java 17: Java 17 is now required to run Atoti CVA Risk Capital.
- Swagger UI: Swagger UI is available at {base.url}/swagger-ui/index.html. This will display some REST endpoints exposed by Atoti CVA Risk Capital. It can be enabled/disabled by setting property swagger.enable to true/false.
- Common Parent POM: The Atoti CVA Risk Capital module now inherits third-party plugin versions from the Common Parent POM version 1.2.0, in line with other solutions.
- Incremental Measures: Incremental measures have been added to Atoti CVA Risk Capital.
Spring Security Upgrade
We have upgraded to Spring Security 5.8.7. To do so, we override the version of Spring Security in Spring Boot by importing the common-dependencies-bom version 1.2.0 into the parent pom file. The common-dependencies-bom overrides the Spring Security version using Spring’s migration guide.
You will eventually need to migrate your own custom security configuration(s) in preparation for Spring Security 6.0. We have upgraded our out-of-the-box security configurations to help in this migration.
Note: We recommend using your own custom security configuration(s) and referring to the out-of-the-box security configuration provided only as a sample.
The default security users and roles have not changed, only the way we implement the security. We have done so by making the following changes:
Stop Using WebSecurityConfigurerAdapter
We have replaced instances of WebSecurityConfigurerAdapter with SecurityFilterChain beans.
Use the new requestMatchers methods
In Authorize Http Requests, we have replaced invocations of http.authorizeHttpRequests((authz) -> authz.antMatchers(...)) with http.authorizeHttpRequests((authz) -> authz.requestMatchers(...)).
Use the new securityMatchers methods
We have replaced invocations of http.antMatchers(...) with http.securityMatchers(...).
As an example of the previous changes, the configuration for accessing the endpoint which exposes the JWT token changed from:
```java
public static abstract class AJwtSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    protected ApplicationContext context;

    @Autowired
    @Qualifier(BASIC_AUTH_BEAN_NAME)
    protected AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")
            // As of Spring Security 4.0, CSRF protection is enabled by default.
            .csrf().disable()
            // Configure CORS
            .cors().and()
            .authorizeRequests()
            .antMatchers("/**").hasAnyAuthority(APP_ROLE__USER)
            .and()
            .httpBasic().authenticationEntryPoint(authenticationEntryPoint);
    }
}
```
to:
```java
@Bean
@Order(3)
protected SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    return http
            // CSRF and CORS
            .csrf(AbstractHttpConfigurer::disable)
            .cors(Customizer.withDefaults())
            .securityMatcher(mvc.pattern(url(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")))
            .authorizeHttpRequests(auth -> auth
                    .requestMatchers(mvc.pattern(HttpMethod.OPTIONS, "**")).permitAll()
                    .anyRequest().hasAnyAuthority(APP_ROLE__USER))
            .httpBasic(basic -> basic.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .build();
}
```
Removed imports of ActivePivotRemotingServicesConfig
This class imports org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter, which may (if used) expose access to CVE-2016-1000027 in the Spring-web project.
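One way to find custom security code that still uses the constructs replaced or removed in this section, as an added example that is not part of Atoti CVA Risk Capital or its documentation. The class name MyJwtConfig, the "/jwt/**" path and the sample source are constructed, and the scanner is a text-level check rather than a Java parser.

```python
import re
from pathlib import Path
# Legacy construct (regex) -> replacement named in these migration notes.
LEGACY = {
    r"\bWebSecurityConfigurerAdapter\b": "declare a SecurityFilterChain bean",
    r"\.antMatchers?\s*\(": "use securityMatcher(...) / requestMatchers(...)",
    r"\.authorizeRequests\s*\(": "use authorizeHttpRequests(...)",
    r"\bActivePivotRemotingServicesConfig\b": "remove the import",
    r"\bHttpInvokerServiceExporter\b": "remove; may expose CVE-2016-1000027 if used",
}
# Strings are matched first so "//" inside a URL literal is not read as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)

def strip_comments(src):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    def blank(m):
        text = m.group()
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(blank, src)

def scan_source(src, name="<memory>"):
    """Return (file, line, matched text, advice) for each legacy construct in code."""
    found = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for pattern, advice in LEGACY.items():
            m = re.search(pattern, line)
            if m:
                found.append((name, no, m.group(), advice))
    return found

def scan_tree(root):
    """Scan every .java file under root, e.g. a custom security module."""
    out = []
    for path in sorted(Path(root).rglob("*.java")):
        out += scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return out

# Constructed sample: custom configuration still in the pre-5.1.0 style.
SAMPLE = '''\
// TODO: WebSecurityConfigurerAdapter is deprecated
public class MyJwtConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/jwt/**").cors().and()
            .authorizeRequests().antMatchers("/**").hasAnyAuthority("ROLE_USER");
    }
}
'''
if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "MyJwtConfig.java"):
        print("%s:%d: %s -> %s" % finding)
```

Run `scan_tree()` on the directory holding your own security configuration; an empty result means none of the listed constructs remain in code, although mentions in comments are deliberately ignored.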
Java 17
To run Atoti CVA Risk Capital using Java 17, the following needs to be added to the JVM options:
--add-opens java.base/java.util.concurrent=ALL-UNNAMED
See the Atoti Server documentation for more details.
Common Parent POM
The Common Parent POM version 1.2.0 is now a parent of Atoti CVA Risk Capital. This parent merely defines plugin management and is used by other solutions. The following dependency versions are now managed by this parent instead of by Atoti CVA Risk Capital:
Dependency | Version |
---|---|
exec-maven-plugin | 3.1.0 |
lifecycle-mapping | 1.0.0 |
maven-assembly-plugin | 3.6.0 |
maven-clean-plugin | 3.3.1 |
maven-compiler-plugin | 3.11.0 |
maven-dependency-plugin | 3.6.0 |
maven-deploy-plugin | 3.1.1 |
maven-enforcer-plugin | 3.3.0 |
maven-jar-plugin | 3.3.0 |
maven-javadoc-plugin | 3.5.0 |
maven-resources-plugin | 3.3.1 |
maven-source-plugin | 3.3.0 |
maven-surefire-plugin | 3.1.2 |
maven-war-plugin | 3.4.0 |
sonar-maven-plugin | 3.9.1.2184 |
spring-boot-maven-plugin | 2.7.16 |
Input file formats
No changes.
Configuration files
Files Modified
cvarc.properties
New properties:
Property Name | Comment | Value |
---|---|---|
springdoc.swagger-ui.enabled | Set value to true/false to enable/disable Swagger UI. The value is false by default. | false |
reference-levels.list | Sets the list of Levels for the Reference Level Context Value | `` |
Datastores
No changes.
Cube schema
No changes.
Measures
Incremental Measures
The following measures now have incremental variations:
Cube | Measure |
---|---|
BA | CVARC BA |
BA | K_full |
SA | CCS K Delta |
SA | COMM K Delta |
SA | COMM K Vega |
SA | CVARC SA |
SA | EQ K Delta |
SA | EQ K Vega |
SA | FX K Delta |
SA | FX K Vega |
SA | IR K Delta |
SA | IR K Vega |
SA | RCS K Delta |
SA | RCS K Vega |