Migration guide - Atoti Hub

This page explains the changes required to migrate to the stated version of Atoti CVA Risk Capital.

Migrate to 5.1.3

No migration needed.

Migrate to 5.1.2

No migration needed.

Migrate to 5.1.1

No migration needed.

Breaking changes

None.

Summary

Bug fixes: This release fixes some known issues.

Migrate to 5.1.0

Upgrading from version 5.0.0, see Atoti CVA Risk Capital 5.1.0 Release Notes. Atoti CVA Risk Capital uses Atoti Server 6.0.9 and Atoti UI 5.1.x. For new features and fixes included in these releases, please see the Atoti UI documentation and Atoti UI Migration Notes, and the release notes for Atoti Server. For clients licensed to use ActiveMonitor, a skeleton module based on version 6.0.9 is included with the Atoti CVA Risk Capital 5.1.0 release.

Headline announcement

Spring Security upgrade : We have upgraded Spring Security to version 5.8.7 to resolve vulnerabilities and prepare for the upgrade to Spring Security 6.0 (via Spring Boot 3).
Java 17 : Java 17 is now required to run Atoti CVA Risk Capital.
Swagger UI : Swagger UI is available at {base.url}/swagger-ui/index.html. This will display some REST endpoints exposed by Atoti CVA Risk Capital. It can be enabled/disabled by setting property swagger.enable to true/false.
Common Parent POM: The Atoti CVA Risk Capital module now inherits third-party plugin versions from the Common Parent POM version 1.2.0, in line with other solutions.
Incremental Measures: Incremental measures have been added to Atoti CVA Risk Capital.

Spring security upgrade

We have upgraded to Spring Security 5.8.7. To do so, we override the version of Spring Security in Spring Boot by importing the common-dependencies-bom version 1.2.0 into the parent pom file. The common-dependencies-bom overrides the Spring Security version using Spring’s migration guide. You will eventually need to migrate your own custom security configuration(s) in preparation for Spring Security 6.0. We have upgraded our out-of-the-box security configurations to help in this migration.

We recommend using your own custom security configuration(s) and referring to the out-of-the-box security configuration provided only as a sample.

The default security users and roles have not changed, only the way we implement the security. We have done so by making the following changes:

Stop using `WebSecurityConfigurerAdapter`

We have replaced instances of WebSecurityConfigurerAdapter with SecurityFilterChain beans.

Use the new `requestMatchers` methods

In Authorize Http Requests, we have replaced invocations of http.authorizeHttpRequests((authz) -> authz.antMatchers(...)) with http.authorizeHttpRequests((authz) -> authz.requestMatchers(...)).

Use the new securityMatchers methods

We have replaced invocations of http.antMatchers(...) with http.securityMatchers(...). As an example of the previous changes, the configuration for accessing the endpoint which exposes the JWT token changed from:

    public static abstract class AJwtSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    protected ApplicationContext context;

    @Autowired
    @Qualifier(BASIC_AUTH_BEAN_NAME)
    protected AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")
                // As of Spring Security 4.0, CSRF protection is enabled by default.
                .csrf().disable()
                // Configure CORS
                .cors().and()
                .authorizeRequests()
                .antMatchers("/**").hasAnyAuthority(APP_ROLE__USER)
                .and()
                .httpBasic().authenticationEntryPoint(authenticationEntryPoint);
    }
}

@Bean
@Order(3)
protected SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        return http
        // CSRF and CORS
        .csrf(AbstractHttpConfigurer::disable)
        .cors(Customizer.withDefaults())

        .securityMatcher(mvc.pattern(url(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")))
        .authorizeHttpRequests(auth -> auth
        .requestMatchers(mvc.pattern(HttpMethod.OPTIONS, "**")).permitAll()
        .anyRequest().hasAnyAuthority(APP_ROLE__USER))
        .httpBasic(basic -> basic.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
        .build();
        }

Removed imports of `ActivePivotRemotingServicesConfig`

This class imports org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter, which may (if used) expose access to CVE-2016-1000027 in the Spring-web project.

Java 17

To run Atoti CVA Risk Capital using Java 17, the following needs to be added to the JVM options:

--add-opens java.base/java.util.concurrent=ALL-UNNAMED

See the Atoti Server documentation for more details.

Common parent POM

The Common Parent POM version 1.2.0 is now a parent of Atoti CVA Risk Capital. This parent merely defines plugin management and is used by other solutions. The following dependency versions are now managed by this parent instead of by Atoti CVA Risk Capital:

Dependency	Version
exec-maven-plugin	3.1.0
lifecycle-mapping	1.0.0
maven-assembly-plugin	3.6.0
maven-clean-plugin	3.3.1
maven-compiler-plugin	3.11.0
maven-dependency-plugin	3.6.0
maven-deploy-plugin	3.1.1
maven-enforcer-plugin	3.3.0
maven-jar-plugin	3.3.0
maven-javadoc-plugin	3.5.0
maven-resources-plugin	3.3.1
maven-source-plugin	3.3.0
maven-surefire-plugin	3.1.2
maven-war-plugin	3.4.0
sonar-maven-plugin	3.9.1.2184
spring-boot-maven-plugin	2.7.16

Input file formats

No changes.

Configuration files

Files modified

cvarc.properties

New properties:

Property Name	Comment	Value
springdoc.swagger-ui.enabled	Set value to `true`/`false` to enable/disable Swagger UI. The value is `false` by default.	false
reference-levels.list	Sets the list of Levels for the Reference Level Context Value	“

Datastores

No changes.

Cube schema

No changes.

Measures

Incremental measures

The following measures now have incremental variations:

Cube	Measure
BA	CVARC BA
BA	K_full
SA	CCS K Delta
SA	COMM K Delta
SA	COMM K Vega
SA	CVARC SA
SA	EQ K Delta
SA	EQ K Vega
SA	FX K Delta
SA	FX K Vega
SA	IR K Delta
SA	IR K Vega
SA	RCS K Delta
SA	RCS K Vega

Documentation Index

​Migrate to 5.1.3

​Migrate to 5.1.2

​Migrate to 5.1.1

​Breaking changes

​Summary

​Migrate to 5.1.0

​Headline announcement

​Spring security upgrade

Stop using WebSecurityConfigurerAdapter

Use the new requestMatchers methods

Use the new securityMatchers methods

Removed imports of ActivePivotRemotingServicesConfig

​Java 17

​Common parent POM

​Input file formats

​Configuration files

​Files modified

cvarc.properties

​Datastores

​Cube schema

​Measures

​Incremental measures

Migrate to 5.1.3

Migrate to 5.1.2

Migrate to 5.1.1

Breaking changes

Summary

Migrate to 5.1.0

Headline announcement

Spring security upgrade

Stop using `WebSecurityConfigurerAdapter`

Use the new `requestMatchers` methods

Removed imports of `ActivePivotRemotingServicesConfig`

Java 17

Common parent POM

Input file formats

Configuration files

Files modified

Datastores

Cube schema

Measures

Incremental measures