开发者

简单几步实现将Spring security4.x升级到5.x

目录
  • 本次升级源自一次安全漏洞提醒
  • 升级了版本
  • 看几个报错的源码接口和实现都有
  • 升级Hibernate到最新能支持的版本
  • 总结

本次升级源自一次安全漏洞提醒

Spring Security 身份认证绕过漏洞 (CVE-2022-22978),现将漏洞相关详情下发,如系统使用了受影响版本软件,请参照处置建议及时完成处理。

【风险名称】

Spring Security 身份认证绕过漏洞 (CVE-2022-22978)

【风险等级】

高危

【风险验证】

受影响版本:

Spring Security 5.5.x < 5.5.7

Spring Security 5.6.x < 5.6.4

SpriIsizBPng Security 其他低版本同样受影响

安全版本:

Spring Security 5.5.x >= 5.5.7

Spring Security 5.6.x >= 5.6.4

项目用着spring-security4.1, 也是受到了该漏洞的影响. 知道从4.x跳到5.x这种大版本提升肯定会有不少坑, 但是安全问题不可忽视, 虽然是旧项目也要升级,还要得比较急.

本着能省则省的心理, 那就先单独升级一下spring-security吧.

<!--<spring-security.version>4.1.0.RELEASE</spring-security.version>-->
<spring-security.version>5.5.8</spring-security.version>

升级了版本

重新 maven reimport项目, clean&compile试试.

列举几个版本不兼容的错误(吐槽下IDEA的编译错误提醒没eclipse友好,一次编译提示一个):

程序包org.springframework.security.authentication.encoding不存在

居然就一个Md5PasswordEncoder不存在错误. 修正后就编译打包通过了. 那就运行看看.

测试运行时如愿报错,还比较不友好.

[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@296e281a{dxx-framework,/dxxframework,file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/,UNAVAILABLE}{file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/}

Java.lang.NoSuchMethodError: org.springframework.util.Assert.state(ZLjava/util/function/Supplier;)V

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter (AbstractSecurityWebApplicationInitializer.java:195)

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain (AbstractSecurityWebApplicationInitializer.java:140)

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup (AbstractSecurityWebApplicationInitializer.java:115)

    at org.springframework.web.SpringServletContainerInitializer.onStartup (SpringServletContainerInitializer.java:169)

    at org.eclipse.jetty.plus.annotation.ContainerInitializer.callStartup (ContainerInitializer.java:145)

org.springframework.util.Assert.state

AbstractSecurityWebApplicationInitializer.registerFilter

AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain

看几个报错的源码接口和实现都有

感觉还是jar包冲突(欢迎指正,重新配置了一番spring-security后无果,也不想调整4.x版本的源码再重新打包),那就升级spring试试.

Spring-security5.5.8是依赖spring5.3.2的,省事失败,那就升级吧.

简单几步实现将Spring security4.x升级到5.x

<!--<spring.version>4.3.30.RELEASE</spring.version>-->
<spring.version>5.3.20</spring.version>

熟悉的编译报错继续铺面而来,修复过程省略,挑几个分享下:

com.dxx.config.web.PropertyEditorRegistrarImpl不是抽象的,并且未覆盖org.springframework.web.bind.support.WebBindingInitializer中的抽象方法initBinder(org.springframework.web.bind.WebDataBinder)

无法将类 org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport中的方法 requestMappingHandlerMapping应用到给定类型;

  • 旧代码:
@Bean(name="requestMappingHandlerMapping")
public RequestMappingHandlerMapping requestMappingHandlerMapping() {
       logger.info("RequestMappingHandlerMapping");
   
   return super.requestMappingHandlerMapping();
}
  • 新代码:
@Override
@Bean(name="requestMappingHandlerMapping")
@Primary
public RequestMappingHandlerMapping requestMappingHandlerMapping(
      @Qualifier("mvcContentNegotiationManager") ContentNegotiationManager contentNegotiationManager,
      @Qualifier("mvcConversionService") FormattingConversionService conversionService,
      @Qualifier("mvcResourceUrlProvider") ResourceUrlProvider resourceUrlProvider) {
   // Must be @Primary for MvcUriComponentsBuilder to work
   return super.requestMappingHandlerMapping(contentNegotiationManager, conversionService,
         resourceUrlProvider);
}

经过简(fan)单(za)的Spring5.x 适应性调整后, 项目又编译通过了,

[INFO] --------------------------------js----------------------------------------

[INFO] BUILD SUCCESS

[INFO] ------------------------------------------------------------------------

[INFO] Total time: 8.681 s

[INFO] Finished at: 2022-06-01T10:40:45+08:00

[INFO] ---------------------------------------------www.devze.com---------------------------

感觉又可以了,跑一下!

但是,但是这个词又冒了出来..

10:42:51.071 [main] ERROR com.dxx.platform.security.support.EnvRecourceInitializer - 系统初始化资源角色菜单失败!Could not open Hibernate Session for transaction; nested exception is java.lang.NoSuchMethodError: org.hibernate.Session.unwrap(Ljava/lang/Class;)Ljava/lang/Object;

[INFO] Initializing Spring DispatcherServlet 'dispatcher'

看来是Hibernate的集成跟Spring版本有依赖关系,SSH的SS都升了..也不差最后一个H了.

Hibernate用着的是5.1版本,倒没说有跟Spring有依赖.

简单几步实现将Spring security4.x升级到5.x

估计是Spring的orm mapping接口依赖有要求,翻了一下资料,没翻到,无意编程中看了下源码.

Spring 5.3兼容的是hiberante5.2/5.3/5.4. JPA的话推荐使用5.3/5.4,既然5.1报错,那就直接升级到5.4的最新版本吧(找的方法不太对.. 耗费好多时间,隐藏太深,还不如先盲猜).

**
 * {@link FactoryBean} that creates a Hibernate {@link SessionFactory}. This is the usual
 * way to set up a shared Hibernate SessionFactory in a Spring application context; the
 * SessionFactory can then be passed to data Access objects via dependency injection.
 *
 * <p>Compatible with Hibernate 5.2/5.3/5.4, as of Spring 5.3.
 * This Hibernate-specific {@code LocalSessionFactoryBean} can be an immediate alternative
 * to {@link org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean} for common
 * JPA purposes: In particular with Hibernate 5.3/5.4, the Hibernate {@code SessionFactory}
 * will natively expose the JPA {@code EntityManagerFactory} interface as well, and
 * Hibernate {@code BeanContainer} integration will be registered out of the box.
 * In combination with {@link HibernateTransactionManagephpr}, this naturally allows for
 * mixing JPA access code with native Hibernate access code within the same transaction.
 *
 * @author Juergen Hoeller
 * @since 4.2
 * @see #setDataSource
 * @see #setPackagesToScan
 * @see HibernateTransactionManager
 * @see LocalSessionFactoryBuilder
 * @see org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean
 */
public class LocalSessionFactoryBean

升级Hibernate到最新能支持的版本

<!--<hibernate.version>5.1.0.Final</hibernate.version>-->
<hibernate.version>5.4.33.Final</hibernate.version>

编译通过,测试运行一下,登录成功.. CRUD成功. 喜闻乐见..

简单几步实现将Spring security4.x升级到5.x

总结

至此,三大框架升级完毕... 不对,给Spring security升级一下版本这个小问题解决。

以上为个人经验,希望能给大家一个参考,也希望大家多多支持编程客栈(www.devze.com)。

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新开发

开发排行榜