HttpSecurity and Spring Boot 3.0 incompatibility


I switched the Spring Boot version from 2.5.2 to 3.0.2 and did some refactoring, but I am stuck on this problem: the HttpSecurity addFilter() method requires javax.servlet.Filter, but Spring Boot 3.0 uses jakarta. How can I solve this? The code is from a YouTube tutorial, but for Spring Boot 2.5.2.

Maven dependencies:

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>2.0</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.mysql</groupId>
            <artifactId>mysql-connector-j</artifactId>
            <version>8.0.31</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.auth0</groupId>
            <artifactId>java-jwt</artifactId>
            <version>4.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>5.7.5</version>
        </dependency>
    </dependencies>

Due to a transitive dependency vulnerability, the snakeyaml version was changed to 2.0.



There is 1 answer

localhost-er On

If you intend to use Spring Boot 3.x, then you can use the latest spring-cloud BOM to manage the dependencies, as in the following pom.xml; it will fix the conflict between javax.xxx and jakarta.xxx.

    <parent>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-parent</artifactId>
        <!-- latest spring cloud version which supports spring boot3.x-->
        <version>2022.0.1</version>
    </parent>
    <groupId>your-groupId</groupId>
    <artifactId>your-artifactId</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>

        <!-- other dependencies go below -->
    </dependencies>

But now you may have to deal with the code compatibility problem of spring-security, since you upgraded the spring-security version to spring-security 6.x; see the spring-security 6.x migration doc, there are many changes.

If you don't want to deal with the spring-security code compatibility problem, then you should downgrade Spring Boot back to 2.x.
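
A check for the mismatch visible in the question's pom, added here as an example (it is not from the question, the answer, or the Spring project): Spring Security 5.x is compiled against javax.servlet and 6.x against jakarta.servlet, so an explicit 5.x `<version>` under Spring Boot 3 overrides the managed version and leaves HttpSecurity expecting javax.servlet.Filter. The sample pom is constructed from two of the question's dependencies; the spring-boot-starter-parent 3.0.2 `<parent>` and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two dependencies from the question's list, wrapped in an
# assumed spring-boot-starter-parent 3.0.2 <parent> (the page does not show one).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.2</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>2.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>5.7.5</version>
    </dependency>
  </dependencies>
</project>"""

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # strip the Maven XML namespace, if any

def _field(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c) == name), "")

def _major(version):
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else None  # None for "" or ${property}

def find_javax_era_pins(pom_xml):
    """(artifactId, version) of each Spring Security pin below 6.x in a Boot 3+ pom."""
    root = ET.fromstring(pom_xml)
    boot = [_major(_field(e, "version")) for e in root if _local(e) == "parent"
            and _field(e, "artifactId") == "spring-boot-starter-parent"]
    if not boot or boot[0] is None or boot[0] < 3:
        return []  # Boot version not visible in this pom, or Boot 2.x
    pins = []
    for dep in root.iter():
        group, version = _field(dep, "groupId"), _field(dep, "version")
        major = _major(version)
        if (_local(dep) == "dependency" and group == "org.springframework.security"
                and major is not None and major < 6):
            pins.append((_field(dep, "artifactId"), version))
    return pins
```

Removing the flagged `<version>` element lets the parent's dependency management choose the Spring Security release, which is what the answer's pom does for spring-security-config.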