Across standard module changes

In general most modules have breaking changes regarding Spring Data repositories, where single instance queries will now always return Optional.

Extension modules

Some modules are now considered "extension" modules and no longer start their own ApplicationContext. Instead they only extend the configuration of other modules.

This reduces some general overhead but will break existing code depending on these modules having been fully bootstrapped.

The following modules no longer start their own module ApplicationContext:


  • some properties (default-timeout) have been changed of type, a duration is now sometimes required (eg. 5s instead of 5)


Most security configurations that used Spring Boot 1.5 defaults (for example Actuator) will need to be reviewed.

  • SpringSecurityWebConfigurer and SpringSecurityWebConfigurerAdapter have been replaced by a single AcrossWebSecurityConfigurer interface

    • modules can still provide either AcrossWebSecurityConfigurer or directly WebSecurityConfigurerAdapter, with the former being the preferred option for simple security configurations

  • SecurityPrincipal infrastructure changes:

    • an Authentication no longer holds the actual SecurityPrincipal but only the SecurityPrincipalId

      • CurrentSecurityPrincipalProxy.getPrincipal(Class<? extends SecurityPrincipal>) will still correctly return the actual SecurityPrincipal

      • use of @AuthenticationPrincipal can be replaced with @CurrentSecurityPrincipal instead of @AuthenticationPrincipal

    • CurrentSecurityPrincipalProxy.isAuthenticated() now returns false with an anonymous authentication

  • Spring Boot no longer applies custom security to any endpoint, meaning that you will now have to manually apply the security you want by providing your own configurations

  • if there is no WebSecurityConfigurerAdapter (or AcrossWebSecurityConfigurer the default Spring security adapter will secure everything

    • if you have SpringSecurityModule but do not want to have security applied, you should manually add a configuration that ignores everything

  • Password encoding features have been modified, if you want to specify in memory users with a default password, you probably have to migrate your old code and prefix the password with {noop} to avoid a no PasswordEncoder exception

DebugWebModule has a new controller available under Across > Security > Security filters which lists the registered security filter chains.


Mostly Spring Data related changes. In previous version a Sort could be null whereas now a Sort.unsorted() is used in Spring Data. According changes in EntityModule have been done, passing null as a Sort should be avoided.


  • Renamed UserDetailsOAuth2AuthenticationSerializer to SecurityPrincipalIdOAuth2AuthenticationSerializer


Device specific Thymeleaf view resolving only works with the .html extension out of the box. The previous .thtml extension is no longer supported.

Spring Mobile is no longer part of Spring Platform Cairo, this indicates the project is probably not as much up-to-date as other Spring projects and its future might be uncertain.