Migrate to Spring Boot 3.3.6 with Java 21

[devin-ai-integration]

Summary

Migrates the UserFront/ module from Spring Boot 1.5.4 (Java 8) to Spring Boot 3.3.6 (Java 21). This is a major version jump spanning two major Spring Boot generations.

Key changes:

• pom.xml: Spring Boot 1.5.4 → 3.3.6, Java 1.8 → 21, removed redundant spring-boot-starter-jdbc, replaced mysql:mysql-connector-java with com.mysql:mysql-connector-j
• javax → jakarta: All 9 domain entities, Role, UserRole, and RequestFilter migrated from javax.persistence.* / javax.servlet.* to jakarta.persistence.* / jakarta.servlet.*
• SecurityConfig: Full rewrite — removed deprecated WebSecurityConfigurerAdapter, switched to SecurityFilterChain bean with lambda DSL, @EnableGlobalMethodSecurity → @EnableMethodSecurity, uses DaoAuthenticationProvider bean instead of configureGlobal
• application.properties: MySQL5Dialect → MySQLDialect, deprecated pool config replaced with Hikari equivalent, added ?serverTimezone=UTC
• AppointmentServiceImpl: findOne(id) → findById(id).orElse(null) (Spring Data JPA 3.x API)
• Test migration: UserFrontApplicationTests migrated from JUnit 4 (org.junit.Test, @RunWith(SpringRunner.class)) to JUnit 5 Jupiter (org.junit.jupiter.api.Test, no runner needed)

Compilation verified with mvn clean compile — passes cleanly on Java 21. No runtime testing was performed — the app requires a MySQL database which was not available in the build environment.

Review & Testing Checklist for Human

• SecurityConfig behavioral parity (highest risk): The rewrite fundamentally changes how auth is wired (DaoAuthenticationProvider bean + SecurityFilterChain vs. WebSecurityConfigurerAdapter.configureGlobal). Verify login, logout, remember-me, and public URL access all work as before.
• rememberMe now explicitly uses userSecurityService: The old config called .rememberMe() with no explicit UserDetailsService. The new config passes it explicitly. Verify remember-me cookies still work correctly — this is a behavioral change, not just a syntactic one.
• Runtime compatibility across the 1.5 → 3.3 jump: This skips Spring Boot 2.x entirely. Compile-time checks passed, but there may be runtime behavioral differences in auto-configuration, property binding, or Hibernate 6.x schema generation (ddl-auto=update) that only surface with a live database.
• findById().orElse(null) in AppointmentServiceImpl: confirmAppointment() does not null-check the result before calling setConfirmed(). Pre-existing issue, but now more visible — consider whether this should throw instead.

Recommended test plan: Stand up a local MySQL onlinebanking database, run mvn spring-boot:run with Java 21, and walk through: user signup → login → deposit → transfer → view statements → schedule appointment → admin confirm appointment → logout. Verify remember-me works by closing and reopening the browser.

Notes

• The spring-boot-starter-jdbc removal is safe since spring-boot-starter-data-jpa transitively includes it.
• Hardcoded DB credentials in application.properties are pre-existing and not introduced by this PR.
• No CI checks are configured on this repo, so there are no automated gates beyond the local compile verification.

Link to Devin session: https://app.devin.ai/sessions/d17b25b94f7842f3b59493f194ed2e0d
Requested by: @davidmitev-eng

---

Devin Review

Status	Commit
⚪ Not started	—

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring