upgrade (#2)

* Update GAE 1.9.63

Fixes: spring-projectsgh-5277

* Update Spring Boot 2.0.1.RELEASE

Fixes: spring-projectsgh-5278

# Conflicts:
#	gradle.properties

* Update to nimbus-jose-jwt:5.10

Fixes: spring-projectsgh-5279

* Update to oauth2-oidc-sdk:5.61

Fixes: spring-projectsgh-5280

* Update to javax.servlet-api:4.0.1

Fixes: spring-projectsgh-5281

* Update to aspectj 1.9.1

Fixes: spring-projectsgh-5282

* Update to htmlunit:2.30

Fixes: spring-projectsgh-5283

* Update to mockito-core:2.18.3

Fixes: spring-projectsgh-5284

* Update to selenium 3.11.0

Fixes: spring-projectsgh-5289

* Update to Spring Framework 5.0.6.BUILD-SNAPSHOT

Issue: spring-projectsgh-5290

# Conflicts:
#	gradle/dependency-management.gradle

* Add update-dependencies.sh

Fixes: spring-projectsgh-5276

* Improve PasswordEncoder deprecated notices

Fixes: spring-projectsgh-5296

* NimbusUserInfoResponseClient sets Accept header to JSON

Fixes spring-projectsgh-5294

* Add test NimbusUserInfoResponseClient sets Accept header to JSON

Issue spring-projectsgh-5294

* Improve ClaimAccessor getClaimAsInstant

Fixes spring-projectsgh-5250

* Fix incorrect explanation for customizing query on JdbcDaoImpl

Author: YuchangLi

core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -326,6 +326,8 @@ public static UserBuilder builder() {
 	 * @deprecated Using this method is not considered safe for production, but is
 	 * acceptable for demos and getting started. For production purposes, ensure the
 	 * password is encoded externally. See the method Javadoc for additional details.
+	 * There are no plans to remove this support. It is deprecated to indicate
+	 * that this is considered insecure for production purposes.
 	 */
 	@Deprecated
 	public static UserBuilder withDefaultPasswordEncoder() {

core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java

@@ -302,7 +302,7 @@ protected UserDetails createUserDetails(String username,
 	 * Allows the default query string used to retrieve authorities based on username to
 	 * be overridden, if default table or column names need to be changed. The default
 	 * query is {@link #DEF_AUTHORITIES_BY_USERNAME_QUERY}; when modifying this query,
-	 * ensure that all returned columns are mapped back to the same column names as in the
+	 * ensure that all returned columns are mapped back to the same column positions as in the
 	 * default query.
 	 *
 	 * @param queryString The SQL query string to set
@@ -320,7 +320,7 @@ protected String getAuthoritiesByUsernameQuery() {
 	 * username to be overridden, if default table or column names need to be changed. The
 	 * default query is {@link #DEF_GROUP_AUTHORITIES_BY_USERNAME_QUERY}; when modifying
 	 * this query, ensure that all returned columns are mapped back to the same column
-	 * names as in the default query.
+	 * positions as in the default query.
 	 *
 	 * @param queryString The SQL query string to set
 	 */
@@ -370,7 +370,7 @@ protected boolean isUsernameBasedPrimaryKey() {
 	 * Allows the default query string used to retrieve users based on username to be
 	 * overridden, if default table or column names need to be changed. The default query
 	 * is {@link #DEF_USERS_BY_USERNAME_QUERY}; when modifying this query, ensure that all
-	 * returned columns are mapped back to the same column names as in the default query.
+	 * returned columns are mapped back to the same column positions as in the default query.
 	 * If the 'enabled' column does not exist in the source database, a permanent true
 	 * value for this column may be returned by using a query similar to
 	 *

crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java

@@ -39,7 +39,8 @@
  * @deprecated Digest based password encoding is not considered secure. Instead use an
  * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
  * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
  */
 @Deprecated
 public class LdapShaPasswordEncoder implements PasswordEncoder {

crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java

@@ -73,7 +73,8 @@
  * @deprecated Digest based password encoding is not considered secure. Instead use an
  * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
  * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
  */
 @Deprecated
 public class Md4PasswordEncoder implements PasswordEncoder {

crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java

@@ -76,7 +76,8 @@
  * @deprecated Digest based password encoding is not considered secure. Instead use an
  * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
  * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
  */
 @Deprecated
 public class MessageDigestPasswordEncoder implements PasswordEncoder {

crypto/src/main/java/org/springframework/security/crypto/password/StandardPasswordEncoder.java

@@ -41,9 +41,10 @@
  * @author Keith Donald
  * @author Luke Taylor
  * @deprecated Digest based password encoding is not considered secure. Instead use an
- * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
+ * adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
  * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
  */
 @Deprecated
 public final class StandardPasswordEncoder implements PasswordEncoder {

gradle.properties

@@ -1,3 +1,3 @@
-gaeVersion=1.9.62
-springBootVersion=2.0.0.RELEASE
+gaeVersion=1.9.63
+springBootVersion=2.0.1.RELEASE
 version=5.1.0.BUILD-SNAPSHOT

gradle/dependency-management.gradle

@@ -3,7 +3,7 @@ if (!project.hasProperty('reactorVersion')) {
 }
 
 if (!project.hasProperty('springVersion')) {
-	ext.springVersion = '5.0.4.RELEASE'
+	ext.springVersion = '5.0.6.BUILD-SNAPSHOT'
 }
 
 if (!project.hasProperty('springDataVersion')) {
@@ -45,7 +45,7 @@ dependencyManagement {
 		dependency 'com.fasterxml.jackson.core:jackson-databind:2.9.5'
 		dependency 'com.fasterxml:classmate:1.3.4'
 		dependency 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
-		dependency 'com.google.appengine:appengine-api-1.0-sdk:1.9.62'
+		dependency 'com.google.appengine:appengine-api-1.0-sdk:1.9.63'
 		dependency 'com.google.appengine:appengine-api-labs:1.9.63'
 		dependency 'com.google.appengine:appengine-api-stubs:1.9.63'
 		dependency 'com.google.appengine:appengine-testing:1.9.63'
@@ -54,8 +54,8 @@ dependencyManagement {
 		dependency 'com.google.guava:guava:20.0'
 		dependency 'com.google.inject:guice:3.0'
 		dependency 'com.nimbusds:lang-tag:1.4.3'
-		dependency 'com.nimbusds:nimbus-jose-jwt:5.9'
-		dependency 'com.nimbusds:oauth2-oidc-sdk:5.57'
+		dependency 'com.nimbusds:nimbus-jose-jwt:5.10'
+		dependency 'com.nimbusds:oauth2-oidc-sdk:5.61'
 		dependency 'com.squareup.okhttp3:okhttp:3.9.0'
 		dependency 'com.squareup.okio:okio:1.13.0'
 		dependency 'com.sun.xml.bind:jaxb-core:2.3.0'
@@ -76,7 +76,7 @@ dependencyManagement {
 		dependency 'javax.mail:mail:1.4.7'
 		dependency 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api:1.2.1'
 		dependency 'javax.servlet.jsp:javax.servlet.jsp-api:2.3.2-b02'
-		dependency 'javax.servlet:javax.servlet-api:4.0.0'
+		dependency 'javax.servlet:javax.servlet-api:4.0.1'
 		dependency 'javax.validation:validation-api:2.0.1.Final'
 		dependency 'javax.xml.bind:jaxb-api:2.3.0'
 		dependency 'junit:junit:4.12'
@@ -89,7 +89,7 @@ dependencyManagement {
 		dependency 'net.sf.ehcache:ehcache:2.10.4'
 		dependency 'net.sourceforge.cssparser:cssparser:0.9.24'
 		dependency 'net.sourceforge.htmlunit:htmlunit-core-js:2.28'
-		dependency 'net.sourceforge.htmlunit:htmlunit:2.29'
+		dependency 'net.sourceforge.htmlunit:htmlunit:2.30'
 		dependency 'net.sourceforge.htmlunit:neko-htmlunit:2.28'
 		dependency 'net.sourceforge.nekohtml:nekohtml:1.9.22'
 		dependency 'nz.net.ultraq.thymeleaf:thymeleaf-expression-processor:1.1.3'
@@ -142,9 +142,9 @@ dependencyManagement {
 		dependency 'org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.0.44'
 		dependency 'org.apache.tomcat.embed:tomcat-embed-websocket:8.5.23'
 		dependency 'org.apache.tomcat:tomcat-annotations-api:8.5.23'
-		dependency 'org.aspectj:aspectjrt:1.9.0.RC2'
-		dependency 'org.aspectj:aspectjtools:1.9.0.RC2'
-		dependency 'org.aspectj:aspectjweaver:1.8.13'
+		dependency 'org.aspectj:aspectjrt:1.9.1'
+		dependency 'org.aspectj:aspectjtools:1.9.1'
+		dependency 'org.aspectj:aspectjweaver:1.9.1'
 		dependency 'org.assertj:assertj-core:3.9.1'
 		dependency 'org.attoparser:attoparser:2.0.4.RELEASE'
 		dependency 'org.bouncycastle:bcpkix-jdk15on:1.59'
@@ -181,15 +181,15 @@ dependencyManagement {
 		dependency 'org.jboss.logging:jboss-logging:3.3.1.Final'
 		dependency 'org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:1.0.1.Final'
 		dependency 'org.jboss:jandex:2.0.3.Final'
-		dependency 'org.mockito:mockito-core:2.17.0'
+		dependency 'org.mockito:mockito-core:2.18.3'
 		dependency 'org.objenesis:objenesis:2.6'
 		dependency 'org.openid4java:openid4java-nodeps:0.9.6'
 		dependency 'org.ow2.asm:asm:6.0'
 		dependency 'org.reactivestreams:reactive-streams:1.0.1'
-		dependency 'org.seleniumhq.selenium:htmlunit-driver:2.29.2'
+		dependency 'org.seleniumhq.selenium:htmlunit-driver:2.30.0'
 		dependency 'org.seleniumhq.selenium:selenium-api:3.8.1'
-		dependency 'org.seleniumhq.selenium:selenium-java:3.9.1'
-		dependency 'org.seleniumhq.selenium:selenium-support:3.9.1'
+		dependency 'org.seleniumhq.selenium:selenium-java:3.11.0'
+		dependency 'org.seleniumhq.selenium:selenium-support:3.11.0'
 		dependency 'org.skyscreamer:jsonassert:1.5.0'
 		dependency 'org.slf4j:jcl-over-slf4j:1.7.25'
 		dependency 'org.slf4j:jul-to-slf4j:1.7.25'

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/NimbusUserInfoResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import com.nimbusds.openid.connect.sdk.UserInfoRequest;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.http.client.AbstractClientHttpResponse;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.GenericHttpMessageConverter;
@@ -84,6 +85,7 @@ private ClientHttpResponse getUserInfoResponse(ClientRegistration clientRegistra
 
 		UserInfoRequest userInfoRequest = new UserInfoRequest(userInfoUri, accessToken);
 		HTTPRequest httpRequest = userInfoRequest.toHTTPRequest();
+		httpRequest.setAccept(MediaType.APPLICATION_JSON_VALUE);
 		httpRequest.setConnectTimeout(30000);
 		httpRequest.setReadTimeout(30000);
 		HTTPResponse httpResponse;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/NimbusUserInfoResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import com.nimbusds.openid.connect.sdk.UserInfoRequest;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.http.client.AbstractClientHttpResponse;
 import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.GenericHttpMessageConverter;
@@ -81,6 +82,7 @@ private ClientHttpResponse getUserInfoResponse(ClientRegistration clientRegistra
 
 		UserInfoRequest userInfoRequest = new UserInfoRequest(userInfoUri, accessToken);
 		HTTPRequest httpRequest = userInfoRequest.toHTTPRequest();
+		httpRequest.setAccept(MediaType.APPLICATION_JSON_VALUE);
 		httpRequest.setConnectTimeout(30000);
 		httpRequest.setReadTimeout(30000);
 		HTTPResponse httpResponse;