From 102d5db75eb181ddd37eba2dc41e6ba270e44b85 Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Tue, 24 Mar 2026 15:48:59 +0100 Subject: [PATCH 1/5] Update Spring Boot demo to 3.5.12 and fix SDK 0.103.0 compatibility Upgrade from Spring Boot 2.6.4 (79 CVEs) to 3.5.12 (0 CVEs): - Java 1.8 -> 17, javax.servlet -> jakarta.servlet - Add jackson-bom and commons-lang3 version overrides for remaining CVEs - Remove unused jackson-datatype-jsr310 dependency and ObjectMapper bean - Add CSRF disable for Spring Security 6.x compatibility - Update customAppIntegration().create() to use request object - Add explicit OIDC endpoint discovery and scope configuration - Replace token display with authentication status indicator Co-authored-by: Isaac --- examples/spring-boot-oauth-u2m-demo/pom.xml | 14 +++++------ .../src/main/java/com/databricks/sdk/App.java | 15 ++++-------- .../com/databricks/sdk/RootController.java | 24 +++++++++++-------- .../src/main/resources/templates/index.html | 2 +- 4 files changed, 26 insertions(+), 29 deletions(-) diff --git a/examples/spring-boot-oauth-u2m-demo/pom.xml b/examples/spring-boot-oauth-u2m-demo/pom.xml index 79413706b..9bfcccc7a 100644 --- a/examples/spring-boot-oauth-u2m-demo/pom.xml +++ b/examples/spring-boot-oauth-u2m-demo/pom.xml @@ -4,7 +4,7 @@ org.springframework.boot spring-boot-starter-parent - 2.6.4 + 3.5.12 @@ -17,8 +17,12 @@ UTF-8 - 1.8 - 1.8 + 17 + 17 + + 2.21.2 + 3.18.0 @@ -39,9 +43,5 @@ databricks-sdk-java 0.103.0 - - com.fasterxml.jackson.datatype - jackson-datatype-jsr310 - diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java index beb33d487..73ccd48c3 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java +++ b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java 
@@ -2,8 +2,6 @@ import com.databricks.sdk.core.commons.CommonsHttpClient; import com.databricks.sdk.core.http.HttpClient; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; @@ -23,17 +21,12 @@ public HttpClient getHttpClient() { return new CommonsHttpClient.Builder().withTimeoutSeconds(30).build(); } - @Bean - public ObjectMapper getObjectMapper() { - ObjectMapper m = new ObjectMapper(); - m.registerModule(new JavaTimeModule()); - return m; - } - @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests((requests) -> requests - .anyRequest().permitAll()); + http + .csrf(csrf -> csrf.disable()) + .authorizeHttpRequests(requests -> requests + .anyRequest().permitAll()); return http.build(); } diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java index 4dc2fe994..fdadc04dc 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java +++ b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java 
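Review bot: `securityFilterChain` leaves every route open through `anyRequest().permitAll()`, and nothing in the hunk says this is acceptable only because the app is a local demo. The `initializeApp` hunk of this patch shows `client_id`, `client_secret` and `hostname` arriving as request parameters and being written to the controller's `client` field, so anyone who can reach the port can presumably reconfigure the OAuth client. I would add a comment above the bean such as `// Demo only: all routes are unauthenticated; bind to localhost and do not copy this chain into a real application.` The `.csrf(csrf -> csrf.disable())` line added here is removed again by patch 3/5, so it needs no separate change.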
@@ -4,12 +4,12 @@ import com.databricks.sdk.core.http.HttpClient; import com.databricks.sdk.core.oauth.Consent; import com.databricks.sdk.core.oauth.OAuthClient; +import com.databricks.sdk.core.oauth.OpenIDConnectEndpoints; import com.databricks.sdk.core.oauth.SessionCredentials; import com.databricks.sdk.service.compute.ClusterDetails; import com.databricks.sdk.service.compute.ListClustersRequest; +import com.databricks.sdk.service.oauth2.CreateCustomAppIntegration; import com.databricks.sdk.service.oauth2.CreateCustomAppIntegrationOutput; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Controller; @@ -18,10 +18,11 @@ import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; -import javax.servlet.http.HttpSession; +import jakarta.servlet.http.HttpSession; import java.io.IOException; import java.net.MalformedURLException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Map; @@ -31,9 +32,6 @@ public class RootController { @Autowired private HttpClient hc; - @Autowired - private ObjectMapper mapper; - // Initialized by initializeApp(). This should be initialized in a more Spring-friendly way. private OAuthClient client; // Initialized by callback(). This should be initialized in a more Spring-friendly way. @@ -47,7 +45,7 @@ private String getRedirectUrl() { } @GetMapping("/") - public String index(HttpSession session, Model model) throws JsonProcessingException { + public String index(HttpSession session, Model model) { if (client != null) { model.addAttribute("clientId", client.getClientId()); model.addAttribute("clientSecret", client.getClientSecret()); 
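Review bot: `index()` still copies `client.getClientSecret()` into the view model (context lines of the `@@ -47,7 +45,7 @@` hunk), which is at odds with this patch's goal of no longer displaying the token. Whether index.html renders that attribute is not visible here, because the template hunk changes only the status line. If it does, the OAuth client secret is sent to any browser that loads `/`, and since `client` is a controller field it is presumably shared by all sessions. I would drop the `clientSecret` attribute or replace it with a flag, e.g. `model.addAttribute("clientConfigured", true);`, and adjust the template to match. The body of `index()` continues in the next hunk, and the same context lines appear again in patch 2/5.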
@@ -55,7 +53,7 @@ public String index(HttpSession session, Model model) throws JsonProcessingExcep } SessionCredentials sessionCreds = (SessionCredentials) session.getAttribute("sessionCreds"); if (sessionCreds != null) { - model.addAttribute("sessionCreds", mapper.writeValueAsString(sessionCreds.getToken())); + model.addAttribute("authenticated", true); } return "index"; } @@ -70,12 +68,16 @@ public String initializeApp( @RequestParam(name="client_id") String clientId, @RequestParam(name="client_secret") String clientSecret, @RequestParam(name="hostname") String hostname) throws IOException { + DatabricksConfig config = new DatabricksConfig().setHost(hostname).setHttpClient(hc).resolve(); + OpenIDConnectEndpoints oidcEndpoints = config.getOidcEndpoints(); client = new OAuthClient.Builder() .withClientId(clientId) .withClientSecret(clientSecret) .withHost(hostname) .withRedirectUrl(getRedirectUrl()) .withHttpClient(hc) + .withOpenIDConnectEndpoints(oidcEndpoints) + .withScopes(Arrays.asList("all-apis", "offline_access")) .build(); return "redirect:/"; } @@ -104,13 +106,15 @@ public String makeNewApp( .setHttpClient(hc); AccountClient account = new AccountClient(c); CreateCustomAppIntegrationOutput result = account.customAppIntegration().create( - "java-sdk-demo", Collections.singletonList(getRedirectUrl())); + new CreateCustomAppIntegration() + .setName("java-sdk-demo") + .setRedirectUrls(Collections.singletonList(getRedirectUrl()))); return initializeApp(result.getClientId(), result.getClientSecret(), hostname); } @GetMapping("/authenticate") - public String authenticate(HttpSession session, Model model) throws MalformedURLException, JsonProcessingException { + public String authenticate(HttpSession session, Model model) throws MalformedURLException { if (client == null) { model.addAttribute("authError", "Client is not yet initialized. Please login first."); return index(session, model); 
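Review bot: The new `new DatabricksConfig().setHost(hostname).setHttpClient(hc).resolve()` and `config.getOidcEndpoints()` calls in `initializeApp` use a `hostname` taken straight from a request parameter, so the server presumably makes outbound discovery requests to whatever host the caller names. Because the filter chain permits all requests, I would validate the value before `resolve()`: parse it with `java.net.URI`, require the `https` scheme, and check the host against an allow-list of expected workspace domains held in configuration. Patch 2/5 switches the call to `getDatabricksOidcEndpoints()` but leaves the input unchecked. Separately, `withScopes(...)` requests `all-apis` plus `offline_access` while the demo only lists clusters; a comment such as `// Broad scopes for demo purposes; request the narrowest scopes your app needs.` would keep readers from copying them.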
diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/resources/templates/index.html b/examples/spring-boot-oauth-u2m-demo/src/main/resources/templates/index.html index 53db7e302..82c04705e 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/resources/templates/index.html +++ b/examples/spring-boot-oauth-u2m-demo/src/main/resources/templates/index.html @@ -15,7 +15,7 @@

Consent

-

session credentials: Not authenticated

+

status: AuthenticatedNot authenticated

APIs

List clusters From 5afa94ea2a2972d8f694b6ec04e4350cbcb7f83d Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Tue, 24 Mar 2026 15:51:06 +0100 Subject: [PATCH 2/5] Simplify: use non-deprecated OIDC method, List.of, explicit auth attribute Co-authored-by: Isaac --- .../main/java/com/databricks/sdk/RootController.java | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java index fdadc04dc..bb83f8466 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java +++ b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/RootController.java @@ -22,7 +22,6 @@ import java.io.IOException; import java.net.MalformedURLException; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Map; @@ -51,10 +50,7 @@ public String index(HttpSession session, Model model) { model.addAttribute("clientSecret", client.getClientSecret()); model.addAttribute("hostname", client.getHost()); } - SessionCredentials sessionCreds = (SessionCredentials) session.getAttribute("sessionCreds"); - if (sessionCreds != null) { - model.addAttribute("authenticated", true); - } + model.addAttribute("authenticated", session.getAttribute("sessionCreds") != null); return "index"; } @@ -69,7 +65,7 @@ public String initializeApp( @RequestParam(name="client_secret") String clientSecret, @RequestParam(name="hostname") String hostname) throws IOException { DatabricksConfig config = new DatabricksConfig().setHost(hostname).setHttpClient(hc).resolve(); - OpenIDConnectEndpoints oidcEndpoints = config.getOidcEndpoints(); + OpenIDConnectEndpoints oidcEndpoints = config.getDatabricksOidcEndpoints(); client = new OAuthClient.Builder() .withClientId(clientId) .withClientSecret(clientSecret) 
@@ -77,7 +73,7 @@ public String initializeApp( .withRedirectUrl(getRedirectUrl()) .withHttpClient(hc) .withOpenIDConnectEndpoints(oidcEndpoints) - .withScopes(Arrays.asList("all-apis", "offline_access")) + .withScopes(List.of("all-apis", "offline_access")) .build(); return "redirect:/"; } From 5179a19ac45c9a3b7c74f495b40aadcdbf429f78 Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Fri, 27 Mar 2026 15:20:26 +0100 Subject: [PATCH 3/5] Remove unnecessary CSRF disable; Thymeleaf handles tokens automatically Co-authored-by: Isaac --- .../src/main/java/com/databricks/sdk/App.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java index 73ccd48c3..dbb100529 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java +++ b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java @@ -23,9 +23,7 @@ public HttpClient getHttpClient() { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http - .csrf(csrf -> csrf.disable()) - .authorizeHttpRequests(requests -> requests + http.authorizeHttpRequests(requests -> requests .anyRequest().permitAll()); return http.build(); From 59e5d7c874cfac7b125645c8356c73f0c2ab8fd3 Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Fri, 27 Mar 2026 15:28:50 +0100 Subject: [PATCH 4/5] Revert securityFilterChain to match main branch Co-authored-by: Isaac --- .../src/main/java/com/databricks/sdk/App.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java index dbb100529..875de6e77 100644 --- a/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java 
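Review bot: Dropping `.csrf(csrf -> csrf.disable())` is safe only if every POST form in index.html is declared with `th:action`, because that is when Thymeleaf's Spring integration inserts the hidden `_csrf` field. The commit message's "handles tokens automatically" does not hold for a form with a plain `action` attribute. The template's forms are not shown in this series beyond the one status line, so this cannot be confirmed from the patch. Please check the forms that post to the `@PostMapping` handlers in RootController; otherwise those requests will be rejected with 403 once CSRF protection is active.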
+++ b/examples/spring-boot-oauth-u2m-demo/src/main/java/com/databricks/sdk/App.java @@ -23,8 +23,8 @@ public HttpClient getHttpClient() { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests(requests -> requests - .anyRequest().permitAll()); + http.authorizeHttpRequests((requests) -> requests + .anyRequest().permitAll()); return http.build(); } From ec5a9578339cc46fb3e05c732d403365d0acf23c Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Fri, 27 Mar 2026 15:31:47 +0100 Subject: [PATCH 5/5] Remove commons-lang3 version override; fixed by commons-configuration2 bump Co-authored-by: Isaac --- examples/spring-boot-oauth-u2m-demo/pom.xml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/spring-boot-oauth-u2m-demo/pom.xml b/examples/spring-boot-oauth-u2m-demo/pom.xml index 9bfcccc7a..cf8d1d347 100644 --- a/examples/spring-boot-oauth-u2m-demo/pom.xml +++ b/examples/spring-boot-oauth-u2m-demo/pom.xml @@ -19,10 +19,9 @@ UTF-8 17 17 - + 2.21.2 - 3.18.0