# Good hint Migration 
This notebook demonstrates how an LLM performs when presented with a Spring Security migration issue with a good example

Installing pre requisites and configuring Kai with `Llama-3.1-8B-Instruct`

In [13]:
%pip uninstall kai -y
%pip install --no-cache-dir git+https://github.com/konveyor/kai.git@main
%pip install python-dotenv

Found existing installation: kai 0.1.1.dev6+g7031fed
Uninstalling kai-0.1.1.dev6+g7031fed:
  Successfully uninstalled kai-0.1.1.dev6+g7031fed
Note: you may need to restart the kernel to use updated packages.
Collecting git+https://github.com/konveyor/kai.git@main
  Cloning https://github.com/konveyor/kai.git (to revision main) to /private/var/folders/4f/bv2hh9jd44b94_4zf2qby2sh0000gn/T/pip-req-build-krbnwdsi
  Running command git clone --filter=blob:none --quiet https://github.com/konveyor/kai.git /private/var/folders/4f/bv2hh9jd44b94_4zf2qby2sh0000gn/T/pip-req-build-krbnwdsi
  Resolved https://github.com/konveyor/kai.git to commit 7031fed36a1521a01a249351afa6ed82db92f32e
  Installing build dependencies ... [?25ldone
[?25h  Getting requirements to build wheel ... [?25ldone
[?25h  Preparing metadata (pyproject.toml) ... [?25ldone
Building wheels for collected packages: kai
  Building wheel for kai (pyproject.toml) ... [?25ldone
[?25h  Created wheel for kai: filename=kai-0.1.1.dev

In [14]:
from IPython.display import display, Markdown
from kai.llm_interfacing.model_provider import ModelProvider
from kai.kai_config import KaiConfigModels, SupportedModelProviders
from dotenv import load_dotenv
import os
load_dotenv(override=True) 

# Initialize the model provider
model = ModelProvider.from_config(KaiConfigModels(
    provider=SupportedModelProviders.CHAT_OPENAI,
    args={"model": "gpt-4o-mini"},
))

# Async rendering function for displaying the response
async def rendered_llm_call(prompt: str):
    response = await model.ainvoke_llm(prompt)
    display(Markdown(response.content))
    return response



Below is the snippet we are trying to migrate from springboot2 to springboot3. This code uses the discouraged `configure(AuthenticationManagerBuilder)` method inside a `WebSecurityConfigurerAdapter`, both of which are deprecated in Spring Security 5.7+ and removed in Spring Boot 3.

Our goal is to assess how well the LLM refactors this configuration without a hint, and whether it can replace deprecated patterns with the right approach.

In [15]:
before_code = """\
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user")
            .password(passwordEncoder().encode("password"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
"""

This rule flags the use of `configure(AuthenticationManagerBuilder)`. In Spring Boot 3, developers should instead use a `UserDetailsService` and `PasswordEncoder` bean for authentication configuration.

In [16]:
hint_to_migrate="""\
    
  description: configure(AuthenticationManagerBuilder) override is discouraged since Spring Security 5.7.
  message: |
    Overriding `configure(AuthenticationManagerBuilder)` is **discouraged** in Spring Security 5.7.
    Instead, define a `UserDetailsService` and `PasswordEncoder` bean.

    """

Similar example showing before and after migration

In [17]:
example_before_code="""\

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        auth.inMemoryAuthentication()
            .withUser(user);
    }
}

"""

example_after_code="""\
@Configuration
public class SecurityConfiguration {
    @Bean
    public InMemoryUserDetailsManager userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
"""



example_before_code_2 = """\
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("testuser")
            .password(passwordEncoderBean().encode("testpass"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoderBean() {
        return new BCryptPasswordEncoder();
    }
}
"""

example_after_code_2 = """\
@Configuration
public class SecurityConfiguration {

    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        UserDetails testUser = User.builder()
            .username("testuser")
            .password(passwordEncoderBean().encode("testpass"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(testUser);
    }

    @Bean
    public PasswordEncoder passwordEncoderBean() {
        return new BCryptPasswordEncoder();
    }
}
"""

example_before_code_3 = """\
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password(passwordEncoder().encode("adminpass"))
            .roles("ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
"""

example_after_code_3 = """\
@Configuration
public class SecurityConfiguration {

    @Bean
    public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails adminUser = User.builder()
            .username("admin")
            .password(passwordEncoder.encode("adminpass"))
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(adminUser);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
"""


summary_of_changes="""\
* Removed the WebSecurityConfigurerAdapter class.
* Created a UserDetailsService bean instead of overriding configure(AuthenticationManagerBuilder).
* Defined a SecurityFilterChain bean to handle HTTP security configurations.
* Kept the PasswordEncoder bean for password encoding.

"""

In [18]:

from kai.reactive_codeplanner.agent.reflection_agent import extract_ast_info, Language

original_summary = extract_ast_info(example_before_code, language=Language.Java)
original_summary_2 = extract_ast_info(example_before_code_2, language=Language.Java)
original_summary_3 = extract_ast_info(example_before_code_3, language=Language.Java)
updated_summary = extract_ast_info(example_after_code, language=Language.Java)
updated_summary_2 = extract_ast_info(example_after_code_2, language=Language.Java)
updated_summary_3 = extract_ast_info(example_after_code_3, language=Language.Java)

diff = original_summary.diff(updated_summary)
diff2 = original_summary_2.diff(updated_summary_2)
diff3 = original_summary_3.diff(updated_summary_3)

print(diff)
print(diff2)
print(diff3)

{'classes': {'modified': [{'name': 'SecurityConfiguration', 'super_class': {'old': 'extends WebSecurityConfigurerAdapter', 'new': ''}, 'fields': [], 'methods': {'added': [{'name': 'userDetailsService', 'parameters': '()', 'body': '{\n        UserDetails user = User.withDefaultPasswordEncoder()\n            .username("user")\n            .password("password")\n            .roles("USER")\n            .build();\n        return new InMemoryUserDetailsManager(user);\n    }', 'annotations': [{'name': 'Bean'}]}], 'removed': [{'name': 'configure', 'parameters': '(AuthenticationManagerBuilder auth)', 'body': '{\n        UserDetails user = User.withDefaultPasswordEncoder()\n            .username("user")\n            .password("password")\n            .roles("USER")\n            .build();\n        auth.inMemoryAuthentication()\n            .withUser(user);\n    }', 'annotations': [{'name': 'Override'}]}]}, 'annotations': [{'name': 'Configuration'}]}]}}
{'classes': {'modified': [{'name': 'Security

In [19]:
target_stack="springboot3"
prompt = f"""
You are assisting with migrating a Spring Boot 2 application to Spring Boot 3.

The code that needs migration is:

```java
{before_code}
```

You are given:

* A diff between a before/after successful **example** migrations.

* An hint that describes what should change.

Diff (use this as a guiding pattern for migration) - {diff} {diff2} {diff3}

Rule Hint - {hint_to_migrate}

Task
Refactor the given code {before_code} to make it compatible with Spring Boot 3 and Spring Security 6.

Ensure deprecated or removed APIs are replaced with valid alternatives.

✅ 1. Analyze:

Review the before-code, diff, summary, and hint carefully.

Identify and list any deprecated, removed, or outdated methods, APIs, libraries, or coding patterns present in the before-code.

Identify any missing constructs required for compatibility with {target_stack}.

✅ 2. Refactor:

Migrate the provided code fully to be compatible with {target_stack}.

Remove deprecated APIs and replace them with appropriate alternatives.

Follow {target_stack} best practices for dependency management, configuration, and structure.

Apply dependency injection principles if applicable (e.g., do not manually instantiate dependencies when framework-supported injection is possible).

Ensure the code is modular, clean, maintainable, and production-grade — not just minimal.

✅ 3. Validate:

Confirm that the refactored code is compilable and correct for {target_stack}.

Confirm that no deprecated methods, imports, or patterns remain.

Confirm that dependency injection, configuration, and new standards are applied correctly.

Confirm that imports or package references match the correct updated libraries.

✅ 4. Output:

Refactored Code (use appropriate syntax highlighting)

Step-by-Step Migration Process



Output:

Refactored Code in Java

Step-by-Step Migration Process

New Hint Summary: One-paragraph explanation of what changed and why (to guide future similar migrations).

"""

In [20]:

response = await rendered_llm_call(prompt)

### Refactored Code in Java

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails user = User.builder()
            .username("user")
            .password(passwordEncoder.encode("password"))
            .roles("USER")
            .build();
        
        return new InMemoryUserDetailsManager(user);
    }

    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

### Step-by-Step Migration Process

1. **Remove Inheritance from `WebSecurityConfigurerAdapter`:**
   - The `WebSecurityConfigurerAdapter` class is deprecated in Spring Security 5.7 and removed in Spring Security 6. Therefore, we removed the inheritance.

2. **Define `UserDetailsService` Bean:**
   - Instead of overriding the `configure(AuthenticationManagerBuilder)` method, we created a `UserDetailsService` bean that returns an `InMemoryUserDetailsManager` with the user details.

3. **Password Encoding:**
   - The password encoding is now handled within the `UserDetailsService` bean, ensuring that the password is encoded using the `PasswordEncoder` bean.

4. **Configure HTTP Security:**
   - We added a `configure(HttpSecurity http)` method to set up HTTP security configurations, such as form login and request authorization.

5. **Remove `@EnableWebSecurity`:**
   - The `@EnableWebSecurity` annotation is retained as it is still necessary for enabling Spring Security in the application.

6. **Update Imports:**
   - Updated the imports to include necessary classes for the new configuration, such as `UserDetailsService`, `User`, and `InMemoryUserDetailsManager`.

### New Hint Summary

The migration from Spring Boot 2 to Spring Boot 3 involved removing the deprecated `WebSecurityConfigurerAdapter` and replacing the overridden `configure(AuthenticationManagerBuilder)` method with a `UserDetailsService` bean. This change aligns with Spring Security's recommendation to define user details and password encoding through beans rather than using the legacy configuration methods. Additionally, we introduced a method to configure HTTP security, ensuring that the application adheres to the latest security practices.

### Evaluation

| Criteria                                                                 | Result         |
|--------------------------------------------------------------------------|----------------|
| Removed deprecated `configure(AuthenticationManagerBuilder)`            |  Yes           |
| Replaced with `UserDetailsService` and `PasswordEncoder` bean           |  Yes |
| Removed `WebSecurityConfigurerAdapter`                                   |  Yes           |
| The output compiles                                                      | <todo>          |
| Preserves behavior (in-memory auth, user with role)                      | Yes        |

In [21]:
import re

# Extract the Java code block from the LLM response
def extract_java_code_from_response(markdown_text: str) -> str:
    code_blocks = re.findall(r"```java(.*?)```", markdown_text, re.DOTALL)
    return code_blocks[0].strip() if code_blocks else ""

# Example usage
refactored_java_code = extract_java_code_from_response(response.content)
print(refactored_java_code)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    pu

In [22]:
async def improve_hint(model, original_hint, before_code, diff):
    prompt = f"""
You are reviewing a migration rule.

Original Spring Boot 2 code:
```java
{before_code}
```

Migration Diff (JSON format):
```json
{diff}
{diff2}
{diff3}
```

Original Hint:
{original_hint}

Task:

- Analyze the before/after migration example carefully.

- Identify what was missing or vague in the original hint.

- Write an improved hint that:

    - Clearly states what elements should be changed.

    - Suggests correct alternatives.

    - If needed, includes important code patterns, best practices, or notes.


Format your output like:

- Improved Hint: (Print the updated hint with latest improvements)

- Migration Actions:

    - (Step 1)

    - (Step 2)

    - (Step 3)
"""
    result = await model.ainvoke_llm(prompt)
    return result.content.strip()



In [23]:
async def fix_code(model, before_code, refactored_code, improved_hint):
    prompt = f"""
You are assisting in migrating a Spring Boot 2 security config class.

Original code:
```java
{before_code}
```

Refactored attempt:
```java
{refactored_code}
```

Improved migration hint:
{improved_hint}

Task:
- Refactor the code to be valid for Spring Boot 3 and Spring Security 6.
- Remove deprecated APIs. 
- Ensure it uses correct bean definitions, imports, and compiles successfully.

Return only the updated code.
"""
    result = await model.ainvoke_llm(prompt)
    return result.content.strip()


In [24]:
import asyncio

async def get_improved_hint():
    improved = await improve_hint(model, hint_to_migrate, before_code, diff)
    print("Improved Hint:\n", improved)

    updated_code = await fix_code(model, before_code, refactored_java_code, improved)
    print("\n Updated Code:\n", updated_code)

await get_improved_hint()

Improved Hint:
 - Improved Hint: 
  description: The `configure(AuthenticationManagerBuilder)` method override is discouraged since Spring Security 5.7. Instead, you should define a `UserDetailsService` bean to manage user details and a `PasswordEncoder` bean for encoding passwords. This approach promotes better separation of concerns and aligns with the latest best practices in Spring Security.

  message: |
    To migrate your Spring Security configuration:
    1. Remove the `extends WebSecurityConfigurerAdapter` from your configuration class.
    2. Remove the `configure(AuthenticationManagerBuilder)` method.
    3. Define a `UserDetailsService` bean that returns an `InMemoryUserDetailsManager` with your user details.
    4. Define a `PasswordEncoder` bean to handle password encoding.
    
    Example:
    ```java
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails user = User.builder()
            .username("user")
     