From 74b93a19f62fbf5c317dae60ff22576127cbaa7c Mon Sep 17 00:00:00 2001
From: Robert Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 16 Jan 2026 16:53:53 -0600
Subject: [PATCH] Externalize java-toolchain configuration

We should not use subprojects to perform configuration becaause it
does not allow for lazy loading and it can cause ordering problems.
In this case, the toolchain was not being used but instead it was
using the JAVA_HOME.

By splitting the configuration into a plugin and applying it to each
project it fixes the toolchain configuration
---
 build.gradle                                  | 25 -------------
 .../convention/SpringModulePlugin.groovy      |  1 +
 .../src/main/groovy/java-toolchain.gradle     | 36 +++++++++++++++++++
 docs/spring-security-docs.gradle              |  1 +
 .../spring-security-itest-context.gradle      |  1 +
 web/spring-security-web.gradle                |  3 +-
 6 files changed, 40 insertions(+), 27 deletions(-)
 create mode 100644 buildSrc/src/main/groovy/java-toolchain.gradle

diff --git a/build.gradle b/build.gradle
index 33a1ae068e..227fc50f9c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -46,31 +46,6 @@ springRelease {
 	replaceSnapshotVersionInReferenceDocUrl = true
 }
 
-def toolchainVersion() {
-	if (project.hasProperty('testToolchain')) {
-		return project.property('testToolchain').toString().toInteger()
-	}
-	return 17
-}
-
-subprojects {
-	java {
-		toolchain {
-			languageVersion = JavaLanguageVersion.of(toolchainVersion())
-		}
-	}
-	kotlin {
-		jvmToolchain {
-			languageVersion = JavaLanguageVersion.of(17)
-		}
-	}
-	tasks.withType(JavaCompile).configureEach {
-		options.encoding = "UTF-8"
-		options.compilerArgs.add("-parameters")
-		options.release.set(17)
-	}
-}
-
 allprojects {
 	if (!['spring-security-bom', 'spring-security-docs'].contains(project.name)) {
 		apply plugin: 'io.spring.javaformat'
diff --git a/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy b/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
index f7fb5ce2f2..190250810f 100644
--- a/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
@@ -35,6 +35,7 @@ class SpringModulePlugin extends AbstractSpringJavaPlugin {
 		pluginManager.apply(SpringMavenPlugin.class);
 		pluginManager.apply(CheckClasspathForProhibitedDependenciesPlugin.class);
 		pluginManager.apply("io.spring.convention.jacoco");
+		pluginManager.apply("java-toolchain");
 
 		def deployArtifacts = project.task("deployArtifacts")
 		deployArtifacts.group = 'Deploy tasks'
diff --git a/buildSrc/src/main/groovy/java-toolchain.gradle b/buildSrc/src/main/groovy/java-toolchain.gradle
new file mode 100644
index 0000000000..ae50ef8379
--- /dev/null
+++ b/buildSrc/src/main/groovy/java-toolchain.gradle
@@ -0,0 +1,36 @@
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+
+def toolchainVersion() {
+	if (project.hasProperty('testToolchain')) {
+		return project.property('testToolchain').toString().toInteger()
+	}
+	return 17
+}
+
+java {
+	toolchain {
+		languageVersion = JavaLanguageVersion.of(toolchainVersion())
+	}
+}
+
+tasks.withType(JavaCompile).configureEach {
+	options.encoding = "UTF-8"
+	options.compilerArgs.add("-parameters")
+	options.release = 17
+}
+
+pluginManager.withPlugin("org.jetbrains.kotlin.jvm") {
+	kotlin {
+		jvmToolchain {
+			languageVersion = JavaLanguageVersion.of(toolchainVersion())
+		}
+	}
+
+	tasks.withType(KotlinCompile).configureEach {
+		compilerOptions {
+			javaParameters = true
+			jvmTarget.set(JvmTarget.JVM_17)
+		}
+	}
+}
diff --git a/docs/spring-security-docs.gradle b/docs/spring-security-docs.gradle
index db88c19fdc..4b5ca50153 100644
--- a/docs/spring-security-docs.gradle
+++ b/docs/spring-security-docs.gradle
@@ -3,6 +3,7 @@ plugins {
 	id 'io.spring.antora.generate-antora-yml' version '0.0.1'
 	id 'io.spring.convention.repository'
 	id 'security-kotlin'
+	id 'java-toolchain'
 }
 
 apply plugin: 'io.spring.convention.docs'
diff --git a/itest/context/spring-security-itest-context.gradle b/itest/context/spring-security-itest-context.gradle
index 23064eaf72..7ff02d8388 100644
--- a/itest/context/spring-security-itest-context.gradle
+++ b/itest/context/spring-security-itest-context.gradle
@@ -1,4 +1,5 @@
 apply plugin: 'io.spring.convention.spring-test'
+apply plugin: 'java-toolchain'
 
 dependencies {
 	implementation platform(project(":spring-security-dependencies"))
diff --git a/web/spring-security-web.gradle b/web/spring-security-web.gradle
index 40604b1a30..f481abad67 100644
--- a/web/spring-security-web.gradle
+++ b/web/spring-security-web.gradle
@@ -1,9 +1,8 @@
 plugins {
+	id 'io.spring.convention.spring-module'
 	id 'security-nullability'
 }
 
-apply plugin: 'io.spring.convention.spring-module'
-
 configurations {
 	javascript {
 		canBeConsumed = false