Core Migration — POM upgrade, javax→jakarta namespace, and Spring Security 6 refactor

[devin-ai-integration]

Summary

Migrates the UserFront module from Java 8 / Spring Boot 1.5.4 to Java 17 / Spring Boot 3.2.12. This is ticket COG-500 — the foundational migration that must land before COG-501 through COG-504.

Changes (14 files):

A) POM / Build Configuration (UserFront/pom.xml)

• spring-boot-starter-parent 1.5.4.RELEASE → 3.2.12
• java.version 1.8 → 17
• mysql-connector-java → mysql-connector-j (new artifact coordinates)

B) javax.persistence → jakarta.persistence (9 domain files)

• User.java, PrimaryAccount.java, SavingsAccount.java, PrimaryTransaction.java, SavingsTransaction.java, Appointment.java, Recipient.java, UserRole.java, Role.java
• Pure import replacement — no logic changes

C) javax.servlet → jakarta.servlet (RequestFilter.java)

• 7 servlet imports updated — no logic changes

D) Spring Security 6 Refactor (SecurityConfig.java)

• Removed extends WebSecurityConfigurerAdapter (removed in Spring Security 6)
• Converted configure(HttpSecurity) → @Bean SecurityFilterChain filterChain(HttpSecurity)
• Replaced configureGlobal(AuthenticationManagerBuilder) → @Bean DaoAuthenticationProvider
• antMatchers() → requestMatchers()
• authorizeRequests() → authorizeHttpRequests() with lambda DSL
• @EnableGlobalMethodSecurity → @EnableMethodSecurity
• Switched from field injection to constructor injection for UserSecurityService

E) Spring Data JPA compatibility (AppointmentServiceImpl.java)

• findOne(id) → findById(id).orElse(null) (API removed in Spring Data 2.x)

F) Test migration (UserFrontApplicationTests.java)

• JUnit 4 → JUnit 5 (@RunWith(SpringRunner.class) removed, org.junit.Test → org.junit.jupiter.api.Test)

Verified

• mvn compile passes with zero errors (37 source files)

Review & Testing Checklist for Human

• SecurityConfig behavior: Verify login/logout flow works correctly — the security config was fully rewritten from WebSecurityConfigurerAdapter to SecurityFilterChain bean pattern. Check that public matchers (/, /signup, /css/**, etc.) are accessible without auth, and protected routes redirect to login.
• DaoAuthenticationProvider wiring: Confirm the UserSecurityService + BCryptPasswordEncoder are correctly picked up by the authentication provider bean. Test login with existing credentials.
• application.properties compatibility: This PR does NOT update application.properties (deferred to COG-503). Before starting the app, verify that Hibernate dialect (MySQL5Dialect) and deprecated properties (testWhileIdle, validationQuery) don't cause startup failures.
• Run full test suite: mvn test in UserFront/ directory. The single contextLoads test requires a MySQL database connection — it may need application.properties updates (COG-503) to pass.

Notes

• The GenerationType.AUTO strategy is kept as-is. Hibernate 6 may change its behavior for MySQL (defaulting to sequence instead of identity). If ID generation issues appear during runtime testing (COG-504), switching to GenerationType.IDENTITY would be the fix.
• One additional file modified beyond the ticket scope: AppointmentServiceImpl.java — the findOne() API was removed in Spring Data JPA 2.x, so this was a required fix for compilation.

Link to Devin session: https://app.devin.ai/sessions/73857032729e415ca1fcf25a5b2af8c1
Requested by: @stephencornwell

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring