简单几步实现将Spring security4.x升级到5.x
作者:it夜猫who
本次升级源自一次安全漏洞提醒
Spring Security 身份认证绕过漏洞 (CVE-2022-22978),现将漏洞相关详情下发,如系统使用了受影响版本软件,请参照处置建议及时完成处理。
【风险名称】
Spring Security 身份认证绕过漏洞 (CVE-2022-22978)
【风险等级】
高危
【风险验证】
受影响版本:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
Spring Security 其他低版本同样受影响
安全版本:
Spring Security 5.5.x >= 5.5.7
Spring Security 5.6.x >= 5.6.4
项目用着spring-security4.1, 也是受到了该漏洞的影响. 知道从4.x跳到5.x这种大版本提升肯定会有不少坑, 但是安全问题不可忽视, 虽然是旧项目也要升级,还要得比较急.
本着能省则省的心理, 那就先单独升级一下spring-security吧.
从
<!--<spring-security.version>4.1.0.RELEASE</spring-security.version>--> <spring-security.version>5.5.8</spring-security.version>
升级了版本
重新 maven reimport项目, clean&compile试试.
列举几个版本不兼容的错误(吐槽下IDEA的编译错误提醒没eclipse友好,一次编译提示一个):
程序包org.springframework.security.authentication.encoding不存在
居然就一个Md5PasswordEncoder不存在错误. 修正后就编译打包通过了. 那就运行看看.
测试运行时如愿报错,还比较不友好.
[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@296e281a{dxx-framework,/dxxframework,file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/,UNAVAILABLE}{file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/}
java.lang.NoSuchMethodError: org.springframework.util.Assert.state(ZLjava/util/function/Supplier;)V
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter (AbstractSecurityWebApplicationInitializer.java:195)
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain (AbstractSecurityWebApplicationInitializer.java:140)
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup (AbstractSecurityWebApplicationInitializer.java:115)
at org.springframework.web.SpringServletContainerInitializer.onStartup (SpringServletContainerInitializer.java:169)
at org.eclipse.jetty.plus.annotation.ContainerInitializer.callStartup (ContainerInitializer.java:145)
org.springframework.util.Assert.state
AbstractSecurityWebApplicationInitializer.registerFilter
AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain
看几个报错的源码接口和实现都有
感觉还是jar包冲突(欢迎指正,重新配置了一番spring-security后无果,也不想调整4.x版本的源码再重新打包),那就升级spring试试.
Spring-security5.5.8是依赖spring5.3.2的,省事失败,那就升级吧.
<!--<spring.version>4.3.30.RELEASE</spring.version>--> <spring.version>5.3.20</spring.version>
熟悉的编译报错继续铺面而来,修复过程省略,挑几个分享下:
com.dxx.config.web.PropertyEditorRegistrarImpl不是抽象的,并且未覆盖org.springframework.web.bind.support.WebBindingInitializer中的抽象方法initBinder(org.springframework.web.bind.WebDataBinder)
无法将类 org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport中的方法 requestMappingHandlerMapping应用到给定类型;
- 旧代码:
@Bean(name="requestMappingHandlerMapping") public RequestMappingHandlerMapping requestMappingHandlerMapping() { logger.info("RequestMappingHandlerMapping"); return super.requestMappingHandlerMapping(); }
- 新代码:
@Override @Bean(name="requestMappingHandlerMapping") @Primary public RequestMappingHandlerMapping requestMappingHandlerMapping( @Qualifier("mvcContentNegotiationManager") ContentNegotiationManager contentNegotiationManager, @Qualifier("mvcConversionService") FormattingConversionService conversionService, @Qualifier("mvcResourceUrlProvider") ResourceUrlProvider resourceUrlProvider) { // Must be @Primary for MvcUriComponentsBuilder to work return super.requestMappingHandlerMapping(contentNegotiationManager, conversionService, resourceUrlProvider); }
经过简(fan)单(za)的Spring5.x 适应性调整后, 项目又编译通过了,
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.681 s
[INFO] Finished at: 2022-06-01T10:40:45+08:00
[INFO] ------------------------------------------------------------------------
感觉又可以了,跑一下!
但是,但是这个词又冒了出来..
10:42:51.071 [main] ERROR com.dxx.platform.security.support.EnvRecourceInitializer - 系统初始化资源角色菜单失败!Could not open Hibernate Session for transaction; nested exception is java.lang.NoSuchMethodError: org.hibernate.Session.unwrap(Ljava/lang/Class;)Ljava/lang/Object;
[INFO] Initializing Spring DispatcherServlet 'dispatcher'
看来是Hibernate的集成跟Spring版本有依赖关系,SSH的SS都升了..也不差最后一个H了.
Hibernate用着的是5.1版本,倒没说有跟Spring有依赖.
估计是Spring的orm mapping接口依赖有要求,翻了一下资料,没翻到,无意中看了下源码.
Spring 5.3兼容的是hiberante5.2/5.3/5.4. JPA的话推荐使用5.3/5.4,既然5.1报错,那就直接升级到5.4的最新版本吧(找的方法不太对.. 耗费好多时间,隐藏太深,还不如先盲猜).
** * {@link FactoryBean} that creates a Hibernate {@link SessionFactory}. This is the usual * way to set up a shared Hibernate SessionFactory in a Spring application context; the * SessionFactory can then be passed to data access objects via dependency injection. * * <p>Compatible with Hibernate 5.2/5.3/5.4, as of Spring 5.3. * This Hibernate-specific {@code LocalSessionFactoryBean} can be an immediate alternative * to {@link org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean} for common * JPA purposes: In particular with Hibernate 5.3/5.4, the Hibernate {@code SessionFactory} * will natively expose the JPA {@code EntityManagerFactory} interface as well, and * Hibernate {@code BeanContainer} integration will be registered out of the box. * In combination with {@link HibernateTransactionManager}, this naturally allows for * mixing JPA access code with native Hibernate access code within the same transaction. * * @author Juergen Hoeller * @since 4.2 * @see #setDataSource * @see #setPackagesToScan * @see HibernateTransactionManager * @see LocalSessionFactoryBuilder * @see org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean */ public class LocalSessionFactoryBean
升级Hibernate到最新能支持的版本
<!--<hibernate.version>5.1.0.Final</hibernate.version>--> <hibernate.version>5.4.33.Final</hibernate.version>
编译通过,测试运行一下,登录成功.. CRUD成功. 喜闻乐见..
总结
至此,三大框架升级完毕... 不对,给Spring security升级一下版本这个小问题解决。
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。