Migration notes 5.1

This page explains the changes required to migrate to the stated version of Atoti CVA Risk Capital.

Migrate to 5.1.1

No migration needed.

Breaking changes

None.

Summary

• Bug fixes: This release fixes some known issues.

Migrate to 5.1.0

Upgrading from version 5.0.0, see Atoti CVA Risk Capital 5.1.0 Release Notes.

Atoti CVA Risk Capital uses Atoti Server 6.0.9 and Atoti UI 5.1.x. For new features and fixes included in these releases, please see the Atoti UI documentation and Atoti UI Migration Notes, and the release notes for Atoti Server.

For clients licensed to use ActiveMonitor, a skeleton module based on version 6.0.9 is included with the Atoti CVA Risk Capital 5.1.0 release.

Headline announcement

• Spring Security upgrade : We have upgraded Spring Security to version 5.8.7 to resolve vulnerabilities and prepare for the upgrade to Spring Security 6.0 (via Spring Boot 3).
• Java 17 : Java 17 is now required to run Atoti CVA Risk Capital.
• Swagger UI : Swagger UI is available at {base.url}/swagger-ui/index.html. This will display some REST endpoints exposed by Atoti CVA Risk Capital. It can be enabled/disabled by setting property swagger.enable to true/false.
• Common Parent POM: The Atoti CVA Risk Capital module now inherits third-party plugin versions from the Common Parent POM version 1.2.0, in line with other solutions.
• Incremental Measures: Incremental measures have been added to Atoti CVA Risk Capital.

Spring Security Upgrade

We have upgraded to Spring Security 5.8.7. To do so, we override the version of Spring Security in Spring Boot by importing the common-dependencies-bom version 1.2.0 into the parent pom file. The common-dependencies-bom overrides the Spring Security version using Spring’s migration guide.

You will eventually need to migrate your own custom security configuration(s) in preparation for Spring Security 6.0. We have upgraded our out-of-the-box security configurations to help in this migration.

The default security users and roles have not changed, only the way we implement the security. We have done so by making the following changes:

Stop Using WebSecurityConfigurerAdapter

We have replaced instances of WebSecurityConfigurerAdapter with SecurityFilterChain beans.

Use the new requestMatchers methods

In Authorize Http Requests, we have replaced invocations of http.authorizeHttpRequests((authz) -> authz.antMatchers(...)) with http.authorizeHttpRequests((authz) -> authz.requestMatchers(...)).

Use the new securityMatchers methods

We have replaced invocations of http.antMatchers(...) with http.securityMatchers(...).

As an example of the previous changes, the configuration for accessing the endpoint which exposes the JWT token changed from:

    public static abstract class AJwtSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    protected ApplicationContext context;

    @Autowired
    @Qualifier(BASIC_AUTH_BEAN_NAME)
    protected AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")
                // As of Spring Security 4.0, CSRF protection is enabled by default.
                .csrf().disable()
                // Configure CORS
                .cors().and()
                .authorizeRequests()
                .antMatchers("/**").hasAnyAuthority(APP_ROLE__USER)
                .and()
                .httpBasic().authenticationEntryPoint(authenticationEntryPoint);
    }
}

to

@Bean
@Order(3)
protected SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        return http
        // CSRF and CORS
        .csrf(AbstractHttpConfigurer::disable)
        .cors(Customizer.withDefaults())

        .securityMatcher(mvc.pattern(url(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")))
        .authorizeHttpRequests(auth -> auth
        .requestMatchers(mvc.pattern(HttpMethod.OPTIONS, "**")).permitAll()
        .anyRequest().hasAnyAuthority(APP_ROLE__USER))
        .httpBasic(basic -> basic.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
        .build();
        }

Removed imports of ActivePivotRemotingServicesConfig

This class imports org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter, which may (if used) expose access to CVE-2016-1000027 in the Spring-web project.

Java 17

To run Atoti CVA Risk Capital using Java 17, the following needs to be added to the JVM options:

--add-opens java.base/java.util.concurrent=ALL-UNNAMED

See the Atoti Server documentation for more details.

Common Parent POM

The Common Parent POM version 1.2.0 is now a parent of Atoti CVA Risk Capital. This parent merely defines plugin management and is used by other solutions. The following dependency versions are now managed by this parent instead of by Atoti CVA Risk Capital:

Input file formats

No changes.

Configuration files

Files Modified

cvarc.properties

New properties:

Datastores

No changes.

Cube schema

No changes.

Measures

Incremental Measures

The following measures now have incremental variations: