OWASP · commjoen · Feb 23, 2026 · Feb 23, 2026 · Feb 26, 2026 · Feb 26, 2026
@@ -30,8 +30,8 @@ wrongsecrets/
 
 ## Technology Stack
 
-- **Framework**: Spring Boot 3.5.x
-- **Java Version**: 23 (configured in pom.xml)
+- **Framework**: Spring Boot 4.0.x
+- **Java Version**: 25 (configured in pom.xml)
 - **Build Tool**: Maven (use `./mvnw`)
 - **Testing**: JUnit 5, Spring Boot Test
 - **Container**: Docker + Kubernetes

@@ -6,5 +6,5 @@ Please consult the [readme](./README.md), [Contributing](./CONTRIBUTING.md), [Co
 For further reference, please consider the following sections:
 
 * [Official Apache Maven documentation](https://maven.apache.org/guides/index.html)
-* [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.3.4.RELEASE/maven-plugin/reference/html/)
-* [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.3.4.RELEASE/maven-plugin/reference/html/#build-image)
+* [Spring Boot Maven Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/4.0.3/maven-plugin/reference/html/)
+* [Create an OCI image](https://docs.spring.io/spring-boot/docs/4.0.3/maven-plugin/reference/html/#build-image)
@@ -63,7 +63,7 @@ src/test/java/org/owasp/wrongsecrets/
 ### Maven → Docker Workflow
 
 1. **Maven Build** (`pom.xml`)
-   - Spring Boot 3.x application
+   - Spring Boot 4.x application
    - Dependencies managed through Spring Boot parent POM
    - Plugins: AsciiDoctor, Checkstyle, PMD, SpotBugs
 
@@ -137,7 +137,7 @@ src/test/java/org/owasp/wrongsecrets/
 
 ### Prerequisites
 
-- Java 21+
+- Java 25+
 - Maven 3.8+
 - Docker
 - Node.js (for frontend dependencies)

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.5.10</version>
+    <version>4.0.3</version>
     <!-- lookup parent from repository -->
   </parent>
 
@@ -48,7 +48,7 @@
     <asciidoctorj.version>3.0.1</asciidoctorj.version>
     <aws.sdk.version>2.40.9</aws.sdk.version>
     <bootstrap.version>5.3.8</bootstrap.version>
-    <com.azure.spring.version>6.0.0</com.azure.spring.version>
+    <com.azure.spring.version>7.0.0</com.azure.spring.version>
     <cyclonedx.core.version>11.0.1</cyclonedx.core.version>
     <datatables.version>2.3.7</datatables.version>
     <dependency-check-maven.version>12.1.9</dependency-check-maven.version>
@@ -64,9 +64,9 @@
     <maven-compiler-plugin.version>3.15.0</maven-compiler-plugin.version>
     <maven.compiler.proc>full</maven.compiler.proc>
     <maven.compiler.target>25</maven.compiler.target>
-    <spring.cloud-version>2025.0.0</spring.cloud-version>
-    <spring.security.version>6.2.3</spring.security.version>
+    <spring.cloud-version>2025.1.1</spring.cloud-version>
     <system-stubs-jupiter.version>2.1.8</system-stubs-jupiter.version>
+    <testcontainers.version>1.21.4</testcontainers.version>
     <thymeleaf-extras-springsecurity6.version>3.1.3.RELEASE</thymeleaf-extras-springsecurity6.version>
     <thymeleaf.layout.version>3.4.0</thymeleaf.layout.version>
   </properties>
@@ -147,17 +147,14 @@
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-config</artifactId>
-      <version>${spring-security.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
-      <version>${spring-security.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>
-      <version>${spring-security.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -264,7 +261,7 @@
     <dependency>
       <groupId>org.springdoc</groupId>
       <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-      <version>2.8.15</version>
+      <version>3.0.1</version>
     </dependency>
     <dependency>
       <groupId>com.azure.spring</groupId>
@@ -277,6 +274,12 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-test-autoconfigure</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <dependency>
       <groupId>uk.org.webcompere</groupId>
       <artifactId>system-stubs-jupiter</artifactId>
@@ -323,7 +326,7 @@
     <dependency>
       <groupId>org.springframework.vault</groupId>
       <artifactId>spring-vault-core</artifactId>
-      <version>3.2.0</version>
+      <version>4.0.1</version>
     </dependency>
   </dependencies>
 
@@ -543,8 +546,8 @@
         <artifactId>maven-compiler-plugin</artifactId>
         <version>${maven-compiler-plugin.version}</version>
         <configuration>
-          <source>23</source>
-          <target>23</target>
+          <source>25</source>
+          <target>25</target>
         </configuration>
       </plugin>
       <plugin>

@@ -1,13 +1,12 @@
 package org.owasp.wrongsecrets;
 
 import io.swagger.v3.oas.annotations.Operation;
-import org.springframework.boot.web.servlet.error.ErrorController;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 
 /** Controller used to generate content for the error page. */
 @Controller
-public class SecretsErrorController implements ErrorController {
+public class SecretsErrorController {
 
   @GetMapping("/error")
   @Operation(summary = "Returns data for the error page")

@@ -59,11 +59,11 @@ <h5 class="alert-heading">🎯 Learning Objectives</h5>
                         <li>(The MIT License (MIT)) Microsoft Azure Java JSON Library (com.azure:azure-json:1.5.0 - https://github.com/Azure/azure-sdk-for-java)</li>
                         <li>(The MIT License (MIT)) Microsoft Azure client library for KeyVault Secrets (com.azure:azure-security-keyvault-secrets:4.10.2 - https://github.com/Azure/azure-sdk-for-java)</li>
                         <li>(The MIT License (MIT)) Microsoft Azure Java XML Library (com.azure:azure-xml:1.2.0 - https://github.com/Azure/azure-sdk-for-java)</li>
-                        <li>(The MIT License (MIT)) Spring Cloud Azure AutoConfigure (com.azure.spring:spring-cloud-azure-autoconfigure:6.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
-                        <li>(The MIT License (MIT)) Spring Cloud Azure Core (com.azure.spring:spring-cloud-azure-core:6.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
-                        <li>(The MIT License (MIT)) Spring Cloud Azure Service (com.azure.spring:spring-cloud-azure-service:6.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
-                        <li>(The MIT License (MIT)) Spring Cloud Azure Starter (com.azure.spring:spring-cloud-azure-starter:6.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
-                        <li>(The MIT License (MIT)) Spring Cloud Azure Starter Key Vault Secrets (com.azure.spring:spring-cloud-azure-starter-keyvault-secrets:6.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
+                        <li>(The MIT License (MIT)) Spring Cloud Azure AutoConfigure (com.azure.spring:spring-cloud-azure-autoconfigure:7.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
+                        <li>(The MIT License (MIT)) Spring Cloud Azure Core (com.azure.spring:spring-cloud-azure-core:7.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
+                        <li>(The MIT License (MIT)) Spring Cloud Azure Service (com.azure.spring:spring-cloud-azure-service:7.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
+                        <li>(The MIT License (MIT)) Spring Cloud Azure Starter (com.azure.spring:spring-cloud-azure-starter:7.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
+                        <li>(The MIT License (MIT)) Spring Cloud Azure Starter Key Vault Secrets (com.azure.spring:spring-cloud-azure-starter-keyvault-secrets:7.0.0 - https://microsoft.github.io/spring-cloud-azure)</li>
                         <li>(The Apache Software License, Version 2.0) Simple XML (safe) (com.carrotsearch.thirdparty:simple-xml-safe:2.7.1 - https://github.com/dweiss/simplexml)</li>
                         <li>(3-Clause BSD License) MinLog (com.esotericsoftware:minlog:1.3.1 - https://github.com/EsotericSoftware/minlog)</li>
                         <li>(Apache License, Version 2.0) Internet Time Utility (com.ethlo.time:itu:1.14.0 - https://github.com/ethlo/itu)</li>

@@ -6,15 +6,11 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import org.junit.jupiter.api.Test;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.test.web.servlet.MockMvc;
 
 @SpringBootTest
-@AutoConfigureMockMvc
-class AboutControllerTests {
-  @Autowired private MockMvc mvc;
+class AboutControllerTests extends MockMvcTestSupport {
 
   @Test
   void shouldGetAbout() throws Exception {

@@ -6,16 +6,11 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import org.junit.jupiter.api.Test;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.test.web.servlet.MockMvc;
 
 @SpringBootTest
-@AutoConfigureMockMvc
-class ChallengeAPiControllerTest {
-
-  @Autowired private MockMvc mvc;
+class ChallengeAPiControllerTest extends MockMvcTestSupport {
 
   public ChallengeAPiControllerTest() {}
 

@@ -8,18 +8,13 @@
 
 import org.junit.jupiter.api.Test;
 import org.owasp.wrongsecrets.challenges.Spoiler;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.test.web.servlet.MockMvc;
 
 @SpringBootTest(
     properties = {"K8S_ENV=DOCKER"},
     classes = WrongSecretsApplication.class)
-@AutoConfigureMockMvc
-class ChallengesControllerTest {
-
-  @Autowired private MockMvc mvc;
+class ChallengesControllerTest extends MockMvcTestSupport {
 
   @Test
   void startingChallengeShouldClearCorrectOrIncorrectMessage() throws Exception {

@@ -28,5 +28,5 @@ public class CodingRuleTest {
           .areNotDeclaredIn(CypressIntegrationTest.class)
           .should()
           .beAnnotatedWith(LocalServerPort.class)
-          .because("we use AutoConfigureMockMvc for testing");
+          .because("we use MockMvcTestSupport for testing");
 }
@@ -7,17 +7,12 @@
 
 import org.junit.jupiter.api.Test;
 import org.owasp.wrongsecrets.challenges.docker.WrongSecretsConstants;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 @SpringBootTest(properties = {"K8S_ENV=docker"})
-@AutoConfigureMockMvc
-class SecretLeakageControllerTest {
-
-  @Autowired private MockMvc mockMvc;
+class SecretLeakageControllerTest extends MockMvcTestSupport {
 
   @Test
   void spoil1() throws Exception {
@@ -30,7 +25,7 @@ void solveChallenge1() throws Exception {
   }
 
   private void solveChallenge(String endpoint, String solution) throws Exception {
-    this.mockMvc
+    this.mvc
         .perform(
             MockMvcRequestBuilders.post(endpoint)
                 .param("solution", solution)
@@ -41,7 +36,7 @@ private void solveChallenge(String endpoint, String solution) throws Exception {
   }
 
   private void testSpoil(String endpoint, String solution) throws Exception {
-    this.mockMvc
+    this.mvc
         .perform(MockMvcRequestBuilders.get(endpoint))
         .andExpect(status().isOk())
         .andExpect(content().string(containsString(solution)));

@@ -6,16 +6,11 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import org.junit.jupiter.api.Test;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.test.web.servlet.MockMvc;
 
 @SpringBootTest
-@AutoConfigureMockMvc
-class SecretsErrorControllerTest {
-
-  @Autowired private MockMvc mvc;
+class SecretsErrorControllerTest extends MockMvcTestSupport {
 
   @Test
   void shouldReturnErrorPage() throws Exception {

@@ -7,21 +7,18 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import org.junit.jupiter.api.Test;
+import org.owasp.wrongsecrets.testutil.MockMvcTestSupport;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.MockMvc;
 
 @SpringBootTest(
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
     properties = {"K8S_ENV=k8s"})
 @Import(ConventionPortMapper.class)
-@AutoConfigureMockMvc
-class SecurityConfigTest {
+class SecurityConfigTest extends MockMvcTestSupport {
 
-  @Autowired private MockMvc mvc;
   @Autowired private BasicAuthentication challenge37BasicAuth;
 
   @Test