开发者

简单几步实现将Spring security4.x升级到5.x

开发者 https://www.devze.com 2024-08-14 10:36 出处:网络 作者: it夜猫who
目录本次升级源自一次安全漏洞提醒升级了版本看几个报错的源码接口和实现都有升级Hibernate到最新能支持的版本总结本次升级源自一次安全漏洞提醒
目录
  • 本次升级源自一次安全漏洞提醒
  • 升级了版本
  • 看几个报错的源码接口和实现都有
  • 升级Hibernate到最新能支持的版本
  • 总结

本次升级源自一次安全漏洞提醒

Spring Security 身份认证绕过漏洞 (CVE-2022-22978),现将漏洞相关详情下发,如系统使用了受影响版本软件,请参照处置建议及时完成处理。

【风险名称】

Spring Security 身份认证绕过漏洞 (CVE-2022-22978)

【风险等级】

高危

【风险验证】

受影响版本:

Spring Security 5.5.x < 5.5.7

Spring Security 5.6.x < 5.6.4

SpriIsizBPng Security 其他低版本同样受影响

安全版本:

Spring Security 5.5.x >= 5.5.7

Spring Security 5.6.x >= 5.6.4

项目用着spring-security4.1, 也是受到了该漏洞的影响. 知道从4.x跳到5.x这种大版本提升肯定会有不少坑, 但是安全问题不可忽视, 虽然是旧项目也要升级,还要得比较急.

本着能省则省的心理, 那就先单独升级一下spring-security吧.

<!--<spring-security.version>4.1.0.RELEASE</spring-security.version>-->
<spring-security.version>5.5.8</spring-security.version>

升级了版本

重新 maven reimport项目, clean&compile试试.

列举几个版本不兼容的错误(吐槽下IDEA的编译错误提醒没eclipse友好,一次编译提示一个):

程序包org.springframework.security.authentication.encoding不存在

居然就一个Md5PasswordEncoder不存在错误. 修正后就编译打包通过了. 那就运行看看.

测试运行时如愿报错,还比较不友好.

[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@296e281a{dxx-framework,/dxxframework,file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/,UNAVAILABLE}{file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/}

Java.lang.NoSuchMethodError: org.springframework.util.Assert.state(ZLjava/util/function/Supplier;)V

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter (AbstractSecurityWebApplicationInitializer.java:195)

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain (AbstractSecurityWebApplicationInitializer.java:140)

    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup (AbstractSecurityWebApplicationInitializer.java:115)

    at org.springframework.web.SpringServletContainerInitializer.onStartup (SpringServletContainerInitializer.java:169)

    at org.eclipse.jetty.plus.annotation.ContainerInitializer.callStartup (ContainerInitializer.java:145)

org.springframework.util.Assert.state

AbstractSecurityWebApplicationInitializer.registerFilter

AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain

看几个报错的源码接口和实现都有

感觉还是jar包冲突(欢迎指正,重新配置了一番spring-security后无果,也不想调整4.x版本的源码再重新打包),那就升级spring试试.

Spring-security5.5.8是依赖spring5.3.2的,省事失败,那就升级吧.

简单几步实现将Spring security4.x升级到5.x

<!--<spring.version>4.3.30.RELEASE</spring.version>-->
<spring.version>5.3.20</spring.version>

熟悉的编译报错继续铺面而来,修复过程省略,挑几个分享下:

com.dxx.config.web.PropertyEditorRegistrarImpl不是抽象的,并且未覆盖org.springframework.web.bind.support.WebBindingInitializer中的抽象方法initBinder(org.springframework.web.bind.WebDataBinder)

无法将类 org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport中的方法 requestMappingHandlerMapping应用到给定类型;

  • 旧代码:
@Bean(name="requestMappingHandlerMapping")
public RequestMappingHandlerMapping requestMappingHandlerMapping() {
       logger.info("RequestMappingHandlerMapping");
   
   return super.requestMappingHandlerMapping();
}
  • 新代码:
@Override
@Bean(name="requestMappingHandlerMapping")
@Primary
public RequestMappingHandlerMapping requestMappingHandlerMapping(
      @Qualifier("mvcContentNegotiationManager") ContentNegotiationManager contentNegotiationManager,
      @Qualifier("mvcConversionService") FormattingConversionService conversionService,
      @Qualifier("mvcResourceUrlProvider") ResourceUrlProvider resourceUrlProvider) {
   // Must be @Primary for MvcUriComponentsBuilder to work
   return super.requestMappingHandlerMapping(contentNegotiationManager, conversionService,
         resourceUrlProvider);
}

经过简(fan)单(za)的Spring5.x 适应性调整后, 项目又编译通过了,

[INFO] --------------------------------js----------------------------------------

[INFO] BUILD SUCCESS

[INFO] ------------------------------------------------------------------------

[INFO] Total time: 8.681 s

[INFO] Finished at: 2022-06-01T10:40:45+08:00

[INFO] ---------------------------------------------www.devze.com---------------------------

感觉又可以了,跑一下!

但是,但是这个词又冒了出来..

10:42:51.071 [main] ERROR com.dxx.platform.security.support.EnvRecourceInitializer - 系统初始化资源角色菜单失败!Could not open Hibernate Session for transaction; nested exception is java.lang.NoSuchMethodError: org.hibernate.Session.unwrap(Ljava/lang/Class;)Ljava/lang/Object;

[INFO] Initializing Spring DispatcherServlet 'dispatcher'

看来是Hibernate的集成跟Spring版本有依赖关系,SSH的SS都升了..也不差最后一个H了.

Hibernate用着的是5.1版本,倒没说有跟Spring有依赖.

简单几步实现将Spring security4.x升级到5.x

估计是Spring的orm mapping接口依赖有要求,翻了一下资料,没翻到,无意编程中看了下源码.

Spring 5.3兼容的是hiberante5.2/5.3/5.4. JPA的话推荐使用5.3/5.4,既然5.1报错,那就直接升级到5.4的最新版本吧(找的方法不太对.. 耗费好多时间,隐藏太深,还不如先盲猜).

**
 * {@link FactoryBean} that creates a Hibernate {@link SessionFactory}. This is the usual
 * way to set up a shared Hibernate SessionFactory in a Spring application context; the
 * SessionFactory can then be passed to data Access objects via dependency injection.
 *
 * <p>Compatible with Hibernate 5.2/5.3/5.4, as of Spring 5.3.
 * This Hibernate-specific {@code LocalSessionFactoryBean} can be an immediate alternative
 * to {@link org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean} for common
 * JPA purposes: In particular with Hibernate 5.3/5.4, the Hibernate {@code SessionFactory}
 * will natively expose the JPA {@code EntityManagerFactory} interface as well, and
 * Hibernate {@code BeanContainer} integration will be registered out of the box.
 * In combination with {@link HibernateTransactionManagephpr}, this naturally allows for
 * mixing JPA access code with native Hibernate access code within the same transaction.
 *
 * @author Juergen Hoeller
 * @since 4.2
 * @see #setDataSource
 * @see #setPackagesToScan
 * @see HibernateTransactionManager
 * @see LocalSessionFactoryBuilder
 * @see org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean
 */
public class LocalSessionFactoryBean

升级Hibernate到最新能支持的版本

<!--<hibernate.version>5.1.0.Final</hibernate.version>-->
<hibernate.version>5.4.33.Final</hibernate.version>

编译通过,测试运行一下,登录成功.. CRUD成功. 喜闻乐见..

简单几步实现将Spring security4.x升级到5.x

总结

至此,三大框架升级完毕... 不对,给Spring security升级一下版本这个小问题解决。

以上为个人经验,希望能给大家一个参考,也希望大家多多支持编程客栈(www.devze.com)。

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号