> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Migration guide

This page explains the changes required to migrate to the stated version of Atoti CVA Risk Capital.

## Migrate to 5.1.3

No migration needed.

## Migrate to 5.1.2

No migration needed.

## Migrate to 5.1.1

No migration needed.

### Breaking changes

None.

### Summary

* **Bug fixes**: This release fixes some known issues.

## Migrate to 5.1.0

Upgrading from version *5.0.0*, see [Atoti CVA Risk Capital 5.1.0 Release
Notes](./release-notes).

Atoti CVA Risk Capital uses Atoti Server 6.0.9 and Atoti UI 5.1.x.
For new features and fixes included in these releases, please see the [Atoti UI documentation](/data-visualization/atoti-ui/5.1/)
and [Atoti UI Migration Notes](/data-visualization/atoti-ui/5.1/docs/changelog), and the [release notes for Atoti Server](https://docs.activeviam.com/products/atoti/server/6.0.9/docs/release/changelog/index.).

For clients licensed to use ActiveMonitor, a skeleton module based on
version 6.0.9 is included with the Atoti CVA Risk Capital 5.1.0 release.

### Headline announcement

* **Spring Security upgrade** : We have upgraded Spring Security to version 5.8.7 to resolve vulnerabilities and prepare for the upgrade to Spring Security 6.0 (via Spring Boot 3).
* **Java 17** : Java 17 is now required to run Atoti CVA Risk Capital.
* **Swagger UI** : Swagger UI is available at \{base.url}/swagger-ui/index.html. This will display some REST endpoints exposed by Atoti CVA Risk Capital. It can be enabled/disabled by setting property swagger.enable to `true`/`false`.
* **Common Parent POM**: The Atoti CVA Risk Capital module now inherits third-party plugin versions from the Common Parent POM version 1.2.0, in line with other solutions.
* **Incremental Measures**: Incremental measures have been added to Atoti CVA Risk Capital.

#### Spring security upgrade

We have upgraded to Spring Security 5.8.7. To do so, we override the version of Spring Security in Spring Boot by importing the `common-dependencies-bom` version
1.2.0 into the parent pom file. The `common-dependencies-bom` overrides the Spring Security version using [Spring’s migration guide](https://docs.spring.io/spring-security/reference/5.8/migration/index.).

You will eventually need to migrate your own custom security configuration(s) in preparation for
Spring Security 6.0. We have upgraded our out-of-the-box security configurations to help in this migration.

<Note>
  We recommend using your own custom security configuration(s) and referring to the out-of-the-box security configuration
  provided only as a sample.
</Note>

The default security users and roles have not changed, only the way we implement the security. We have done so by making the following changes:

##### [Stop using `WebSecurityConfigurerAdapter`](https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter)

We have replaced instances of `WebSecurityConfigurerAdapter` with `SecurityFilterChain` beans.

##### [Use the new `requestMatchers` methods](https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-requestmatchers)

In [Authorize Http Requests](https://docs.spring.io/spring-security/reference/5.8/servlet/authorization/authorize-http-requests.), we have replaced invocations of `http.authorizeHttpRequests((authz) -> authz.antMatchers(...))` with `http.authorizeHttpRequests((authz) -> authz.requestMatchers(...))`.

##### [Use the new securityMatchers methods](https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-security-matchers)

We have replaced invocations of `http.antMatchers(...)` with `http.securityMatchers(...)`.

As an example of the previous changes, the configuration for accessing the endpoint which exposes the JWT token changed from:

```java theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
    public static abstract class AJwtSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    protected ApplicationContext context;

    @Autowired
    @Qualifier(BASIC_AUTH_BEAN_NAME)
    protected AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")
                // As of Spring Security 4.0, CSRF protection is enabled by default.
                .csrf().disable()
                // Configure CORS
                .cors().and()
                .authorizeRequests()
                .antMatchers("/**").hasAnyAuthority(APP_ROLE__USER)
                .and()
                .httpBasic().authenticationEntryPoint(authenticationEntryPoint);
    }
}
```

to

```java theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
@Bean
@Order(3)
protected SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        return http
        // CSRF and CORS
        .csrf(AbstractHttpConfigurer::disable)
        .cors(Customizer.withDefaults())

        .securityMatcher(mvc.pattern(url(JwtRestServiceConfig.REST_API_URL_PREFIX + "/**")))
        .authorizeHttpRequests(auth -> auth
        .requestMatchers(mvc.pattern(HttpMethod.OPTIONS, "**")).permitAll()
        .anyRequest().hasAnyAuthority(APP_ROLE__USER))
        .httpBasic(basic -> basic.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
        .build();
        }
```

##### Removed imports of `ActivePivotRemotingServicesConfig`

This class imports `org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter`, which may (if used) expose access to [CVE-2016-1000027 in the Spring-web project](https://github.com/spring-projects/spring-framework/issues/24434).

#### Java 17

To run Atoti CVA Risk Capital using Java 17, the following needs to be added to the JVM options:

```commandline theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
--add-opens java.base/java.util.concurrent=ALL-UNNAMED
```

See the [Atoti Server documentation](https://docs.activeviam.com/products/atoti/server/6.0.9/docs/configuration/java17/) for more details.

#### Common parent POM

The Common Parent POM version 1.2.0 is now a parent of Atoti CVA Risk Capital. This parent merely defines plugin management and is used by other solutions.
The following dependency versions are now managed by this parent instead of by Atoti CVA Risk Capital:

<table><thead><tr><th>Dependency</th><th>Version</th></tr></thead><tbody><tr><td>exec-maven-plugin</td><td>3.1.0</td></tr><tr><td>lifecycle-mapping</td><td>1.0.0</td></tr><tr><td>maven-assembly-plugin</td><td>3.6.0</td></tr><tr><td>maven-clean-plugin</td><td>3.3.1</td></tr><tr><td>maven-compiler-plugin</td><td>3.11.0</td></tr><tr><td>maven-dependency-plugin</td><td>3.6.0</td></tr><tr><td>maven-deploy-plugin</td><td>3.1.1</td></tr><tr><td>maven-enforcer-plugin</td><td>3.3.0</td></tr><tr><td>maven-jar-plugin</td><td>3.3.0</td></tr><tr><td>maven-javadoc-plugin</td><td>3.5.0</td></tr><tr><td>maven-resources-plugin</td><td>3.3.1</td></tr><tr><td>maven-source-plugin</td><td>3.3.0</td></tr><tr><td>maven-surefire-plugin</td><td>3.1.2</td></tr><tr><td>maven-war-plugin</td><td>3.4.0</td></tr><tr><td>sonar-maven-plugin</td><td>3.9.1.2184</td></tr><tr><td>spring-boot-maven-plugin</td><td>2.7.16</td></tr></tbody></table>

### Input file formats

No changes.

### Configuration files

#### Files modified

##### [cvarc.properties](../../../configuration/cvarc-properties)

New properties:

<table><thead><tr><th>Property Name</th><th>Comment</th><th>Value</th></tr></thead><tbody><tr><td>springdoc.swagger-ui.enabled</td><td>Set value to <code>true</code>/<code>false</code> to enable/disable Swagger UI. The value is <code>false</code> by default.</td><td>false</td></tr><tr><td>reference-levels.list</td><td>Sets the list of Levels for the Reference Level Context Value</td><td>\`\`</td></tr></tbody></table>

### Datastores

No changes.

### Cube schema

No changes.

### Measures

#### Incremental measures

The following measures now have incremental variations:

<table><thead><tr><th>Cube</th><th>Measure</th></tr></thead><tbody><tr><td>BA</td><td><a href="../../../cube/cvarc-ba">CVARC BA</a></td></tr><tr><td>BA</td><td><a href="../../../cube/k_full">K\_full</a></td></tr><tr><td>SA</td><td><a href="../../../cube/ccs-k-delta">CCS K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/comm-k-delta">COMM K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/comm-k-vega">COMM K Vega</a></td></tr><tr><td>SA</td><td><a href="../../../cube/cvarc-sa">CVARC SA</a></td></tr><tr><td>SA</td><td><a href="../../../cube/eq-k-delta">EQ K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/eq-k-vega">EQ K Vega</a></td></tr><tr><td>SA</td><td><a href="../../../cube/fx-k-delta">FX K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/fx-k-vega">FX K Vega</a></td></tr><tr><td>SA</td><td><a href="../../../cube/ir-k-delta">IR K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/ir-k-vega">IR K Vega</a></td></tr><tr><td>SA</td><td><a href="../../../cube/rcs-k-delta">RCS K Delta</a></td></tr><tr><td>SA</td><td><a href="../../../cube/rcs-k-vega">RCS K Vega</a></td></tr></tbody></table>
