From 275b87d32bd2fb4941a5cf9b40c44b6808c86cd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dariusz=20Kaczy=C5=84ski?= <100694039+kaczynskid-sag@users.noreply.github.com> Date: Fri, 8 Nov 2024 10:34:25 +0100 Subject: [PATCH] MTM-58822 Prepares for Spring Security 6.0 in MS-SDK --- ...0-0-microservices-sdk-pre-spring-boot-3.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 content/change-logs/application-enablement/cumulocity-1020-140-0-microservices-sdk-pre-spring-boot-3.md diff --git a/content/change-logs/application-enablement/cumulocity-1020-140-0-microservices-sdk-pre-spring-boot-3.md b/content/change-logs/application-enablement/cumulocity-1020-140-0-microservices-sdk-pre-spring-boot-3.md new file mode 100644 index 0000000000..02c31f9850 --- /dev/null +++ b/content/change-logs/application-enablement/cumulocity-1020-140-0-microservices-sdk-pre-spring-boot-3.md 
@@ -0,0 +1,21 @@ +--- +date: 2024-10-31 +title: Prepare to update Microservice SDK to Spring Boot 3 +change_type: + - value: change-inv-3bw8e + label: Announcement +product_area: Application enablement & solutions +component: + - value: component-Sv2buFZ5l + label: Microservice SDK +build_artifact: + - value: tc-QHwMfWtBk7 + label: cumulocity +version: 10.20.140.0 +ticket: MTM-58822 +--- +This is a follow-up on a recent [announcement](https://cumulocity.com/docs/change-logs/?change-type=.change-type-announcement%2C.change-type-api-change#cumulocity-undefined-microservices-sdk-spring-boot3-announcement) about migrating the Microservice SDK to Spring Boot 3. + +As a second step of this process, starting from version **10.20.140.0**, the Microservice SDK is now using Spring Security 5.8. This change enabled a migration preparing for Spring Security 6.0 to be performed in the Microservice SDK following [this migration guide](https://docs.spring.io/spring-security/reference/5.8/migration/index.html). We recommend all users of the Microservice SDK to also follow that guide when updating their applications using the updated version of the SDK. + +Note that following the changes in the MethodSecurityExpressionHandler configuration [described here](https://docs.spring.io/spring-security/reference/5.8/migration/servlet/authorization.html#_use_a_custom_bean_instead_of_subclassing_defaultmethodsecurityexpressionhandler), the methods provided by com.cumulocity.microservice.security.service.SecurityExpressionService that were previously configured using a custom SecurityExpressionRoot extension, are now available via an independent bean definition named c8yAuthz. This means that, for example, the expression isCurrentTenantManagement() will no longer resolve and needs to be prefixed by the bean name instead @c8yAuthz.isCurrentTenantManagement(). This allows customers to easily add their own security expression extensions, if needed.
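Review bot: The last paragraph says the expression isCurrentTenantManagement() "will no longer resolve", which is a breaking change to authorization expressions in existing microservices, yet the entry is labelled only as an Announcement and does not say how an unmigrated expression behaves after the upgrade. Please state that explicitly (whether the call is rejected, errors out, or fails at startup) so that users know to search their code for unprefixed SecurityExpressionService methods before moving to 10.20.140.0. The example sentence is also hard to parse: "needs to be prefixed by the bean name instead @c8yAuthz.isCurrentTenantManagement()" is missing punctuation before the replacement, and the identifiers (MethodSecurityExpressionHandler, com.cumulocity.microservice.security.service.SecurityExpressionService, SecurityExpressionRoot, c8yAuthz and both expressions) should be in backticks so the before and after forms can be copied unambiguously. Separately, the announcement link in the first paragraph points at the anchor "#cumulocity-undefined-microservices-sdk-spring-boot3-announcement"; the "undefined" segment looks like a generated id from an entry without a version, so it is worth confirming that the anchor is stable before publishing.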