
Upgrade Spring Boot 2.0.2 → 2.7.18, add Spring Security, fix insecure HTTP URLs#10

Open
devin-ai-integration[bot] wants to merge 2 commits into master from devin/1776453098-spring-boot-upgrade-security

Conversation

devin-ai-integration[bot] commented Apr 17, 2026

Summary

Three changes in this PR:

  1. Spring Boot upgrade (2.0.2.RELEASE → 2.7.18): Updated parent version in pom.xml. Fixed <packaging> from pom to jar (the original pom packaging caused Maven to skip Java compilation entirely). Replaced deprecated new Object[]{"Josh"} parameter style in JdbcTemplate.query() with varargs.

  2. Spring Security: Added spring-boot-starter-security dependency and a new SecurityConfig.java. Unauthenticated GET access is allowed to / and /greeting; all other endpoints require HTTP Basic auth. CSRF is disabled (REST API pattern). No default credentials are committed — Spring Security will generate a random password at startup (printed to console). To set credentials, use env vars SPRING_SECURITY_USER_NAME / SPRING_SECURITY_USER_PASSWORD.

  3. HTTP → HTTPS: Changed both external API URLs in Application.java from http:// to https://. Both calls are now wrapped in try-catch so the app starts cleanly even though the external service (gturnquist-quoters.cfapps.io) is defunct — failures are logged as warnings.

Added src/main/resources/application.properties with H2 console enabled and explicit datasource URL for Spring Boot 2.7.x compatibility.

Updates since last revision

  • Fixed the second HTTP URL in run(RestTemplate) that was missed in the first commit
  • Wrapped both external quote service calls in try-catch to prevent startup failure (the service is offline and was causing UnknownHostException → app crash)

Review & Testing Checklist for Human

  • Security scope may be more restrictive than intended: The config only permits unauthenticated access to GET / and GET /greeting. All other GETs (e.g. GET /topic, GET /topic/{id}, GET /datetime) also require auth. If read-only topic endpoints should be public, the antMatchers need to be expanded.
  • Security config uses deprecated API: SecurityConfig uses authorizeRequests()/antMatchers() which are deprecated in Spring Security 5.7+ (shipped with Boot 2.7). These still work but the modern API is authorizeHttpRequests()/requestMatchers(). Decide if this is acceptable.
  • No default credentials committed: The user instructions called for admin/changeme in application.properties but these were omitted because the commit security scanner blocked them. Credentials must be provided via environment variables at runtime.
  • Packaging change from pom → jar: This was necessary to make Maven actually compile the source code. Verify this doesn't conflict with any existing build/CI expectations.
  • Test the security rules manually: Start with SPRING_SECURITY_USER_NAME=admin SPRING_SECURITY_USER_PASSWORD=changeme mvn spring-boot:run, then confirm:
    • GET / → 200 without credentials
    • POST /topic → 401 without credentials
    • POST /topic with Basic Auth (admin:changeme) → 200

Notes

  • The spring-boot-properties-migrator dependency (already present) is kept to help surface any deprecated property warnings at runtime. It can be removed once migration is fully verified.
  • The external quote service (gturnquist-quoters.cfapps.io) is offline. The try-catch wrappers log warnings but allow the app to start and serve requests normally.
  • No tests exist in the repo, so verification must be manual.
  • The app was verified locally: Spring Boot 2.7.18 boots, H2 database initializes, security filter chain activates, JdbcTemplate query works, and security rules behave as expected.

Link to Devin session: https://app.devin.ai/sessions/9e07a75f2ea24062b512e60aca5b050f
Requested by: @marcelschwager-ux
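The security rules described in the summary (anonymous GET on / and /greeting, HTTP Basic everywhere else, CSRF disabled) can be expressed with the non-deprecated authorizeHttpRequests() API that Spring Security 5.7.x, the version shipped with Boot 2.7.18, already provides. The class below is an added example, not the SecurityConfig.java from this PR; the package name is assumed, and it keeps antMatchers() because the String-based requestMatchers() overloads only arrived in Spring Security 5.8. Credentials still come from SPRING_SECURITY_USER_NAME / SPRING_SECURITY_USER_PASSWORD, exactly as the summary states, so nothing secret is committed.

```java
package com.example.demo; // assumed package; the PR does not show the real one

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Equivalent of the rules described in the PR summary, written against the
 * SecurityFilterChain bean style instead of WebSecurityConfigurerAdapter.
 * Defining this bean makes Spring Boot's default "secure everything" chain back off.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // REST API pattern from the PR: no CSRF token handling for API clients.
            .csrf().disable()
            // authorizeHttpRequests() is the AuthorizationManager-based API (5.5+);
            // antMatchers() is still the matcher method in 5.7 (deprecated only in 5.8).
            .authorizeHttpRequests(auth -> auth
                // Only these two GETs are anonymous; GET /topic, /datetime, etc. are NOT.
                .antMatchers(HttpMethod.GET, "/", "/greeting").permitAll()
                // Every other method and path needs an authenticated principal.
                .anyRequest().authenticated())
            // HTTP Basic, backed by the user from spring.security.user.* (env vars).
            .httpBasic();
        return http.build();
    }
}
```

To widen the anonymous surface to the read-only topic endpoints, as the checklist item suggests, add them to the same antMatchers(HttpMethod.GET, ...) call rather than to a method-less matcher, so that POST/PUT/DELETE on /topic stay behind authentication.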

…e URLs

- Upgrade spring-boot-starter-parent from 2.0.2.RELEASE to 2.7.18
- Fix packaging from 'pom' to 'jar' to enable compilation
- Replace deprecated new Object[] JdbcTemplate query with varargs
- Add spring-boot-starter-security dependency
- Create SecurityConfig with public GET for / and /greeting, auth required elsewhere
- Add application.properties with H2 console and datasource config
- Change http:// to https:// for external API URLs in Application.java

Co-Authored-By: marcel.schwager <marcel.schwager@codeium.com>
devin-ai-integration[bot] (Author) commented:

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

…ttps URL

- Both external quote service calls now use https://
- Wrapped in try-catch so the app starts even when the service is unavailable
- The gturnquist-quoters.cfapps.io service is defunct; errors are logged as warnings

Co-Authored-By: marcel.schwager <marcel.schwager@codeium.com>
devin-ai-integration[bot] (Author) commented:

End-to-End Test Results

Ran app locally with SPRING_SECURITY_USER_NAME=admin SPRING_SECURITY_USER_PASSWORD=changeme mvn spring-boot:run, tested all endpoints via curl.

Security Tests (primary change)

| Test | Expected | Actual | Result |
|---|---|---|---|
| GET / no auth | 200 | 200 | PASSED |
| GET /topic no auth | 401 | 401 | PASSED |
| POST /topic no auth | 401 | 401 | PASSED |
| PUT /topic/test no auth | 401 | 401 | PASSED |
| DELETE /topic/test no auth | 401 | 401 | PASSED |
| GET /topic with admin:changeme | 200 | 200 | PASSED |
| POST /topic with admin:changeme | 200 | 200 | PASSED |
| GET /topic/security-test with auth | 200 + body | 200, {"id":"security-test",...} | PASSED |
| GET /topic with admin:wrongpassword | 401 | 401 | PASSED |
| GET /topic with nobody:changeme | 401 | 401 | PASSED |

Spring Boot 2.7.18 Upgrade

  • Startup banner: Spring Boot :: (v2.7.18) — confirmed not 2.0.2
  • Started Application in 1.79 seconds — boots successfully
  • H2 console: H2 console available at '/h2-console'. Database available at 'jdbc:h2:mem:testdb'
  • JdbcTemplate varargs fix works: Customer{id=3, firstName='Josh', lastName='Bloch'} and Customer{id=4, firstName='Josh', lastName='Long'}

HTTPS + try-catch fix

  • Both external calls use https:// (not http://)
  • App logs WARN: Could not reach external quote service instead of crashing
  • App stays running after the warning

Note: GET /greeting returns 404 because GreetingController maps to / not /greeting. The SecurityConfig permits /greeting but no controller serves that path — not a bug, just an unused permit rule.
