Issue
- There is a need to upgrade the application to Spring Framework 6 due to security vulnerabilities in Spring 5.x.
- Is Spring 6 compatible with Liferay DXP 7.4 or later patches?
- What is the exact version Liferay currently using for Spring?
- Can Spring 6 version be used on custom portlet which is running on top of the Liferay container?
- Confirm whether the upgrade of custom portlet with JDK 21 and Spring 6 is possible or not.
- Is it possible to upgrade to JDK21 with Liferay Q3 release? This is because javax.portlet.PortletRequest is being used in custom portlet and in JDK 21, javax.* is not present.
- Therefore, there will be a need to change this to jakarta* for all packages so in that case, the portletrequest is javax.portlet.PortletRequest that will be changed to jakarta.portlet.PortletRequest , which may throw class cast exception.
-
Confirm whether JDK21 can be used or not as per compatibility matrix 2024 q3, but it may break since the portletrequest class cast exception may occur.
Environment
- Liferay DXP [all versions]
Resolution
- As of now, usage of Spring 6 version would not be recommended since the Jakarta namespace is necessary for Spring 6.
- A spring 6 [portlet] war will require dependencies on jakartax.servlet.* that the Liferay runtime will not have, use, or be able to supply. The PortletMVC4Spring library that would need to create Spring portlet wars has not been updated to Spring 6 (because of the Jakarta namespace issues), so even Spring 6 portlet wars cannot be created.
- However at this time, Spring 6 can only be used in a Client Extension (CX) because those live outside of Liferay, so Spring 6 can work there.
- Moreover, if there is a need to upgrade the custom portlet with JDK 21 and Spring 6, currently this is not possible because the Liferay team is working to make the Jakarta namespaces, JDK 21, and Spring 6 compatible with Liferay. Upon successful completion of this process only, customers will be eligible to utilize Spring 6.
- Upgrading to JDK21 with Liferay Q3 release is possible wherein JDK 21 can be used and customers can still rely on the javax namespaces.
- JDK 21 requires Jakarta namespace but customers can still use Javax namespace.
- However, users cannot just change their code to jakartax.portlet.PortletRequest because it’s just an interface that is expected to receive an instance of, and the Liferay runtime is not possibly going to give an instance of this. Liferay will provide an instance of javax.portlet.PortletRequest.
- Moreover, if the users are connecting JDK 21 exclusively with the jakartax namespaces, it’s not like that at all.
- JDK21 can be used without incurring the jakartax namespace. For example, simply by targeting an earlier JDK while compiling, everything will work fine.
- Finally, as of now, the use of Spring 5, Java 21, and javax namespace is recommended for the current releases.
- Spring 6 and Jakarta both also require an application server major version upgrade as well (Tomcat 10.x, Jboss 8), which will come with DXP Jakarta upgrade next year.