Migrate from Java 11 + Spring Boot 2.6.3 to Java 21 + Spring Boot 3.2.5

[devin-ai-integration]

Summary

Full migration from Java 11 / Spring Boot 2.6.3 to Java 21 / Spring Boot 3.2.5. All 68 existing tests pass after migration.

Key changes:

• Build tooling: Gradle wrapper 7.4 → 8.7, Java source/target 11 → 21
• Spring Boot: 2.6.3 → 3.2.5 (includes Spring Security 6.x, Spring Framework 6.1)
• Jakarta EE: All javax.validation.* / javax.servlet.* imports → jakarta.* across 21 files
• Spring Security: Removed WebSecurityConfigurerAdapter (deleted in Security 6); replaced with SecurityFilterChain bean using lambda DSL and requestMatchers instead of antMatchers
• JJWT: 0.11.2 → 0.12.5 — migrated to new builder API (subject(), expiration(), parser().verifyWith(), parseSignedClaims(), getPayload()) and removed deprecated SignatureAlgorithm enum
• DGS GraphQL: Plugin 5.0.6 → 6.2.1, starter changed from graphql-dgs-spring-boot-starter:4.9.21 to graphql-dgs-spring-graphql-starter:8.5.0. Exception handler migrated from sync onException to async handleException (returns CompletableFuture)
• PageInfo: Replaced graphql.relay.DefaultPageInfo with DGS-generated io.spring.graphql.types.PageInfo in both datafetchers to fix type incompatibility
• Other deps: MyBatis starter 2.2.2 → 3.0.3, REST Assured 4.5.1 → 5.4.0, sqlite-jdbc 3.36 → 3.45, joda-time 2.10 → 2.12
• Config: Added spring.graphql.schema.inspection.enabled=false to work around Spring GraphQL's strict Relay Connection type validation
• Test fix: Lengthened JJWT test secret key to meet HS512's 64-byte minimum enforced by JJWT 0.12.x

Review & Testing Checklist for Human

• Verify WebSecurityConfig authorization rules are equivalent — the migration from antMatchers/authorizeRequests to requestMatchers/authorizeHttpRequests can have subtle path-matching differences. Confirm that /graphql, /graphiql, public GET endpoints, and auth-required endpoints behave identically to before.
• Assess spring.graphql.schema.inspection.enabled=false — this was needed because the custom ArticlesConnection/CommentsConnection types don't follow the standard Relay Connection spec that Spring GraphQL expects. Verify this is acceptable vs restructuring the schema.
• Verify production jwt.secret length — JJWT 0.12.x enforces a minimum 64-byte key for HS512. The secret in application.properties appears long enough (~88 chars) but any environment-specific override must also meet this requirement.
• Test the DGS starter swap (graphql-dgs-spring-boot-starter → graphql-dgs-spring-graphql-starter) — this changes the underlying GraphQL integration layer. Run the app and hit GraphQL endpoints to verify queries/mutations work end-to-end.
• Run ./gradlew bootRun and exercise the REST API and GraphQL endpoints to validate runtime behavior beyond unit tests.

Notes

• The gradlew script diff is large but is entirely auto-generated by ./gradlew wrapper --gradle-version 8.7 — no manual changes.
• joda-time is retained (upgraded to 2.12.7) rather than replaced with java.time to minimize scope of this migration.
• The generateJava task config changed from tasks.named('generateJava') to top-level generateJava {} block to match DGS codegen plugin 6.x API.

Link to Devin session: https://app.devin.ai/sessions/86a0b2d6068844588f2fff8a184c206f
Requested by: @choikh0423

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.