From 35d103843b864b0a8113a0d21dc1b4ddea199d9a Mon Sep 17 00:00:00 2001
From: Robert Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 16 Jan 2026 16:53:53 -0600
Subject: [PATCH] Externalize java-toolchain configuration

We should not use subprojects to perform configuration becaause it
does not allow for lazy loading and it can cause ordering problems.
In this case, the toolchain was not being used but instead it was
using the JAVA_HOME.

By splitting the configuration into a plugin and applying it to each
project it fixes the toolchain configuration
---
 build.gradle                                  | 31 ----------------
 .../convention/SpringModulePlugin.groovy      |  1 +
 .../src/main/groovy/java-toolchain.gradle     | 36 +++++++++++++++++++
 docs/spring-security-docs.gradle              |  2 ++
 .../spring-security-itest-context.gradle      |  2 ++
 web/spring-security-web.gradle                |  3 +-
 6 files changed, 42 insertions(+), 33 deletions(-)
 create mode 100644 buildSrc/src/main/groovy/java-toolchain.gradle

diff --git a/build.gradle b/build.gradle
index acf92f6d59..daae9b0503 100644
--- a/build.gradle
+++ b/build.gradle
@@ -48,37 +48,6 @@ springRelease {
 	replaceSnapshotVersionInReferenceDocUrl = true
 }
 
-def toolchainVersion() {
-	if (project.hasProperty('testToolchain')) {
-		return project.property('testToolchain').toString().toInteger()
-	}
-	return 25
-}
-
-subprojects {
-	java {
-		toolchain {
-			languageVersion = JavaLanguageVersion.of(toolchainVersion())
-		}
-	}
-	kotlin {
-		jvmToolchain {
-			languageVersion = JavaLanguageVersion.of(toolchainVersion())
-		}
-	}
-	tasks.withType(JavaCompile).configureEach {
-		options.encoding = "UTF-8"
-		options.compilerArgs.add("-parameters")
-		options.release.set(17)
-	}
-	tasks.withType(KotlinCompile).configureEach {
-		compilerOptions {
-			javaParameters = true
-			jvmTarget.set(JvmTarget.JVM_17)
-		}
-	}
-}
-
 allprojects {
 	if (!['spring-security-bom', 'spring-security-docs'].contains(project.name)) {
 		apply plugin: 'io.spring.javaformat'
diff --git a/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy b/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
index f7fb5ce2f2..190250810f 100644
--- a/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/io/spring/gradle/convention/SpringModulePlugin.groovy
@@ -35,6 +35,7 @@ class SpringModulePlugin extends AbstractSpringJavaPlugin {
 		pluginManager.apply(SpringMavenPlugin.class);
 		pluginManager.apply(CheckClasspathForProhibitedDependenciesPlugin.class);
 		pluginManager.apply("io.spring.convention.jacoco");
+		pluginManager.apply("java-toolchain");
 
 		def deployArtifacts = project.task("deployArtifacts")
 		deployArtifacts.group = 'Deploy tasks'
diff --git a/buildSrc/src/main/groovy/java-toolchain.gradle b/buildSrc/src/main/groovy/java-toolchain.gradle
new file mode 100644
index 0000000000..2ccbf70799
--- /dev/null
+++ b/buildSrc/src/main/groovy/java-toolchain.gradle
@@ -0,0 +1,36 @@
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+
+def toolchainVersion() {
+	if (project.hasProperty('testToolchain')) {
+		return project.property('testToolchain').toString().toInteger()
+	}
+	return 25
+}
+
+java {
+	toolchain {
+		languageVersion = JavaLanguageVersion.of(toolchainVersion())
+	}
+}
+
+tasks.withType(JavaCompile).configureEach {
+	options.encoding = "UTF-8"
+	options.compilerArgs.add("-parameters")
+	options.release = 17
+}
+
+pluginManager.withPlugin("org.jetbrains.kotlin.jvm") {
+	kotlin {
+		jvmToolchain {
+			languageVersion = JavaLanguageVersion.of(toolchainVersion())
+		}
+	}
+
+	tasks.withType(KotlinCompile).configureEach {
+		compilerOptions {
+			javaParameters = true
+			jvmTarget.set(JvmTarget.JVM_17)
+		}
+	}
+}
diff --git a/docs/spring-security-docs.gradle b/docs/spring-security-docs.gradle
index db88c19fdc..a0828e0e33 100644
--- a/docs/spring-security-docs.gradle
+++ b/docs/spring-security-docs.gradle
@@ -3,6 +3,8 @@ plugins {
 	id 'io.spring.antora.generate-antora-yml' version '0.0.1'
 	id 'io.spring.convention.repository'
 	id 'security-kotlin'
+	id 'java-toolchain'
+	id 'test-compile-target-jdk25'
 }
 
 apply plugin: 'io.spring.convention.docs'
diff --git a/itest/context/spring-security-itest-context.gradle b/itest/context/spring-security-itest-context.gradle
index 23064eaf72..483cbb451f 100644
--- a/itest/context/spring-security-itest-context.gradle
+++ b/itest/context/spring-security-itest-context.gradle
@@ -1,4 +1,6 @@
 apply plugin: 'io.spring.convention.spring-test'
+apply plugin: 'java-toolchain'
+apply plugin: 'test-compile-target-jdk25'
 
 dependencies {
 	implementation platform(project(":spring-security-dependencies"))
diff --git a/web/spring-security-web.gradle b/web/spring-security-web.gradle
index 2be598a34d..b44ec76f2a 100644
--- a/web/spring-security-web.gradle
+++ b/web/spring-security-web.gradle
@@ -1,11 +1,10 @@
 plugins {
+	id 'io.spring.convention.spring-module'
 	id 'security-nullability'
 	id 'javadoc-warnings-error'
 	id 'test-compile-target-jdk25'
 }
 
-apply plugin: 'io.spring.convention.spring-module'
-
 configurations {
 	javascript {
 		canBeConsumed = false