ADR-004: Migrate to Spring Boot 3.x

Decision Analysis and Resolution: Spring Boot Version Migration

Created by: SW360 Architecture Team
Original Decision: 2024
Reformatted: April 2026
Status: Accepted
Estimated read time: 10 minutes

Table of Contents

  1. Background
  2. Goal
  3. Key Principles
  4. Key Inputs, Assumptions and Restrictions
  5. Options Analysis
  6. Criteria for Making a Decision
  7. Final Decision
  8. Migration Effort
  9. Contributors

Background

SW360’s REST API was built on Spring Boot 2.x with Spring Security 5.x. Several factors drove the need to evaluate migration:

  1. End of Life: Spring Boot 2.x reached end of commercial support in November 2024
  2. Security Updates: Spring Security 6.x includes important security improvements
  3. Java Evolution: Spring Boot 3.x fully supports Java 21 features (virtual threads, records)
  4. Jakarta EE: Industry migration from javax.* to jakarta.* namespace
  5. Dependency Ecosystem: Many libraries dropping Spring Boot 2.x support

Migration Scope:

  • Spring Boot 2.7.x → 3.5.x
  • Spring Security 5.x → 6.5.x
  • Java 11 → Java 21
  • javax.* → jakarta.*

Goal

The goal of this decision analysis is to:

  1. Determine whether to migrate SW360 REST API to Spring Boot 3.x
  2. Evaluate migration effort versus staying on unsupported version
  3. Identify risks and mitigation strategies
  4. Plan migration phases if proceeding

Key Principles

#PrincipleDescription
1Security FirstSupported platforms with active security patches
2Long-term ViabilityChoose the path with longest support horizon
3Developer ExperienceModern tooling, language features
4Minimal DisruptionMaintain API compatibility for clients
5Incremental MigrationPhased approach to reduce risk

Key Inputs, Assumptions and Restrictions

TypeDescription
InputSpring Boot 2.x end of support: November 2024
InputSpring Boot 3.x requires Java 17+ (Java 21 recommended)
InputJakarta EE namespace change (javax.*jakarta.*) is breaking
AssumptionClient applications can adapt to any API changes
AssumptionDevelopment team can allocate time for migration
RestrictionMust maintain backward compatibility for REST API contracts
RestrictionAll dependencies must support Spring Boot 3.x

Options Analysis

Option 1 - Stay on Spring Boot 2.7.x

Summary

Continue using Spring Boot 2.7.x indefinitely, accepting that security patches and updates will no longer be provided. Monitor for critical vulnerabilities and patch manually if necessary.

Conceptual View

graph TB
    subgraph SB2["Spring Boot 2.7.x (EOL)"]
        direction TB
        A1["+ Spring Security 5.x"]
        A2["+ Java 11/17"]
        A3["+ javax.* namespace"]
        A4["- No security patches after Nov 2024"]
        A5["- Shrinking dependency compatibility"]
    end

Impact / Changes Required

  • No code changes required
  • Monitor security advisories manually
  • Fork and patch dependencies if vulnerabilities discovered
  • Accept increasing technical debt

SWOT Analysis

CategoryAnalysis
Strengths1. Zero migration effort
2. No risk of regression
3. Stable, known platform
4. Development can focus on features
Weaknesses1. No security patches after Nov 2024
2. Growing technical debt
3. Dependencies dropping support
4. Java 11 becoming outdated
5. Developer experience degrading
Opportunities1. Delay costs until absolutely necessary
Threats1. Critical security vulnerability with no patch
2. Compliance failures in security audits
3. Increasing migration cost over time
4. Developer retention issues

Option 2 - Migrate to Spring Boot 3.x

Summary

Migrate SW360 REST API to Spring Boot 3.5.x with Java 21, including the namespace migration from javax.* to jakarta.* and Spring Security configuration updates.

Conceptual View

graph TB
    subgraph SB3["Spring Boot 3.5.x (Active)"]
        direction TB
        B1["+ Spring Security 6.5.x"]
        B2["+ Java 21 (virtual threads, records)"]
        B3["+ jakarta.* namespace"]
        B4["+ Active security patches"]
        B5["+ Modern ecosystem support"]
    end

Impact / Changes Required

  • Namespace migration: javax.*jakarta.*
  • Spring Security configuration rewrite
  • OpenAPI/SpringDoc version upgrade
  • Test updates for new APIs
  • Full regression testing

SWOT Analysis

CategoryAnalysis
Strengths1. Active security patches
2. Java 21 features (virtual threads, records)
3. Modern OAuth2 resource server
4. Ecosystem alignment
5. Long-term support horizon
Weaknesses1. Significant migration effort
2. Breaking changes require code updates
3. Testing overhead
4. Some dependencies may need replacement
5. Learning curve for new APIs
Opportunities1. Adopt Java 21 features for performance
2. Modernize security configuration
3. Clean up deprecated APIs
4. Attract developers with modern stack
Threats1. Regression bugs from migration
2. Dependency incompatibilities
3. Timeline pressure
4. Hidden breaking changes

Option 3 - Alternative Framework Migration

Summary

Instead of migrating Spring Boot versions, consider migrating to an alternative framework such as Quarkus, Micronaut, or Helidon that offers native compilation and modern features.

Conceptual View

graph TB
    subgraph QM["Quarkus / Micronaut"]
        direction TB
        C1["+ Native compilation (GraalVM)"]
        C2["+ Fast startup, low memory"]
        C3["+ Modern reactive programming"]
        C4["- Complete rewrite required"]
        C5["- Different programming model"]
    end

Impact / Changes Required

  • Complete REST API rewrite
  • New annotations, dependency injection
  • Different testing frameworks
  • Team retraining

SWOT Analysis

CategoryAnalysis
Strengths1. Native compilation option
2. Faster startup, lower memory
3. Cloud-native design
4. Modern reactive patterns
Weaknesses1. Complete rewrite required
2. Team unfamiliar with framework
3. Smaller ecosystem than Spring
4. Breaks all existing integrations
5. Massive timeline and cost
Opportunities1. Cloud/serverless optimization
2. Performance improvements
Threats1. Project timeline unacceptable
2. Risk of bugs in rewrite
3. Loss of Spring ecosystem
4. Team morale from massive change

Criteria for Making a Decision

T-Shirt Sizing Scale

T-Shirt SizeNumeric ValueMeaning
XS1.0Worst for this aspect
S2.5Poor
S-M3.75Below Average
M5.0Average
M-L6.25Above Average
L7.5Good
L-XL8.75Very Good
XL10.0Best for this aspect

Weighted Evaluation Matrix

CriteriaDescriptionWeightStay on 2.7Migrate to 3.xAlternative
RatingScoreRatingScoreRatingScore
Security PatchesActive vulnerability fixes10XS10.0XL100.0L-XL87.5
Long-term SupportYears of maintenance ahead9XS9.0L-XL78.75L67.5
Migration EffortDevelopment time required8XL80.0M40.0XS8.0
Risk of RegressionBreaking existing functionality8XL80.0M-L50.0XS8.0
Java 21 FeaturesVirtual threads, records, etc.7XS7.0XL70.0XL70.0
Ecosystem SupportLibrary compatibility8S-M30.0L-XL70.0M40.0
Developer ExperienceModern tooling, debugging7M35.0L-XL61.25L52.5
Team FamiliarityKnowledge of platform7XL70.0L52.5S17.5
ComplianceSecurity audit requirements8S20.0XL80.0L-XL70.0
PerformanceRuntime efficiency6M30.0L45.0XL60.0
TOTAL371.0647.5481.0

Score Summary

RankOptionTotal ScoreRecommendation
🥇 1Migrate to Spring Boot 3.x647.5SELECTED
🥈 2Alternative Framework481.0❌ Too risky, complete rewrite
🥉 3Stay on Spring Boot 2.7.x371.0❌ Security risk unacceptable

Final Decision

Selected Option: Migrate to Spring Boot 3.5.x with Java 21

Rationale

Migration to Spring Boot 3.x was selected based on:

  1. Highest Weighted Score (647.5) - Best balance of effort versus benefit

  2. Security Patches (XL) - Critical requirement:

    • Active vulnerability fixes
    • Compliance audit requirements
    • CVE response SLA

  3. Long-term Support (L-XL) - Spring Boot 3.x will be maintained for years

  4. Java 21 Features (XL) - Significant improvements:

    • Virtual threads for improved scalability
    • Records for cleaner data classes
    • Pattern matching for cleaner code
    • Better garbage collection

  5. Ecosystem Alignment (L-XL) - Libraries are migrating to Jakarta EE

Migration Effort

Effort Estimation by Area

AreaEffortNotes
Namespace migrationMediumjavax.*jakarta.* (largely automated)
Security configurationHighNew DSL, authorization changes
OpenAPI/SpringDocMediumVersion upgrade, annotation changes
Test updatesMediumMockMvc, security test changes
Dependency updatesMediumSome libraries need replacement
Regression testingHighFull API test cycle

Key Code Changes

1. Namespace Migration

// Before (Spring Boot 2.x)
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;

// After (Spring Boot 3.x)
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;

2. Security Configuration

// Before (Spring Boot 2.x)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}

// After (Spring Boot 3.x)
@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

3. OpenAPI/SpringDoc

<!-- Before -->
<artifactId>springdoc-openapi-ui</artifactId>
<version>1.x</version>

<!-- After -->
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.x</version>

Version Matrix

ComponentBeforeAfter
Spring Boot2.7.x3.5.x
Spring Security5.8.x6.5.x
Java11/1721
Tomcat9.x11.x
Servlet Spec4.0 (javax)6.0 (jakarta)
SpringDoc1.x2.x

Review Triggers

This decision should be revisited if:

  • Spring Boot 4.x is released with significant benefits
  • Critical dependency incompatibility is discovered
  • Performance regression is unacceptable

Contributors

NameRoleContribution
SW360 Architecture TeamDecision MakersTechnical analysis
Development TeamImplementersMigration effort, testing
Security TeamStakeholdersCompliance requirements

Consequences Summary

Positive

  • ✅ Supported platform—active security patches and updates
  • ✅ Java 21 features—records, virtual threads, better performance
  • ✅ Modern OAuth2—improved resource server configuration
  • ✅ Better tooling—latest IDE support and debugging
  • ✅ Dependency updates—access to latest library versions
  • ✅ Compliance—meets security audit requirements

Negative

  • ⚠️ Breaking changes—significant code modifications required
  • ⚠️ Testing effort—full regression testing needed
  • ⚠️ Learning curve—new security configuration patterns
  • ⚠️ Compatibility—some older libraries may not support Spring Boot 3

Technical Debt Addressed

  • Removed deprecated APIs
  • Modernized security configuration
  • Updated to supported Java LTS version

Revision History

VersionDateAuthorChanges
1.02024Architecture TeamInitial decision
2.0April 2026Bibhuti Bhusan DashReformatted to DAR/SWOT template
Last modified May 18, 2026: feat(authorization): support multi-issuers (01abdfe)