Upgrading the Spring Security version
The projects use Spring Security 5.7.6, which is affected by CVE-2023-34034, a path-matching (authorization) bypass in WebFlux applications: a `**` pattern in the Spring Security configuration is interpreted differently by Spring Security and Spring WebFlux, so a request can slip past the intended rule. The recommendation is therefore to upgrade to 5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2 or a later release of the same line.
Since several projects were involved, for some of them it was enough to change the version number in the pom:
<properties>
<spring-security.version>5.7.10</spring-security.version>
</properties>
But one project failed to start after the change:
23-08-28.14:48:01.980 [main ] WARN AnnotationConfigReactiveWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.reactive.WebFluxSecurityConfiguration': Unsatisfied dependency expressed through method 'setSecurityWebFilterChains' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'securityWebFilterChain' defined in class path resource [com/x5dtech/gateway/config/SpringSecurityConfig.class]: Unsatisfied dependency expressed through method 'securityWebFilterChain' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.reactive.HttpSecurityConfiguration.httpSecurity' defined in class path resource [org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.config.web.server.ServerHttpSecurity]: Factory method 'httpSecurity' threw exception; nested exception is java.lang.NoSuchMethodError: org.springframework.web.util.pattern.PathPatternParser.initFullPathPattern(Ljava/lang/String;)Ljava/lang/String;
23-08-28.14:48:02.009 [main ] INFO StandardService - Stopping service [Tomcat]
23-08-28.14:48:02.036 [main ] INFO ConditionEvaluationReportLoggingListener -
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
23-08-28.14:48:02.084 [main ] WARN FailureAnalyzers - FailureAnalyzers [org.springframework.boot.autoconfigure.jooq.NoDslContextBeanFailureAnalyzer,org.springframework.boot.autoconfigure.diagnostics.analyzer.NoSuchBeanDefinitionFailureAnalyzer,org.springframework.boot.autoconfigure.jdbc.DataSourceBeanCreationFailureAnalyzer,org.springframework.boot.autoconfigure.r2dbc.ConnectionFactoryBeanCreationFailureAnalyzer] implement BeanFactoryAware or EnvironmentAware. Support for these interfaces on FailureAnalyzers is deprecated, and will be removed in a future release. Instead provide a constructor that accepts BeanFactory or Environment parameters.
23-08-28.14:48:02.109 [main ] ERROR LoggingFailureAnalysisReporter -
***************************
APPLICATION FAILED TO START
***************************
Description:
An attempt was made to call a method that does not exist. The attempt was made from the following location:
org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher.parse(PathPatternParserServerWebExchangeMatcher.java:71)
The following method did not exist:
org.springframework.web.util.pattern.PathPatternParser.initFullPathPattern(Ljava/lang/String;)Ljava/lang/String;
The calling method's class, org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher, was loaded from the following location:
jar:file:/D:/apache-maven-3.6.3-bin/repository/org/springframework/security/spring-security-web/5.7.10/spring-security-web-5.7.10.jar!/org/springframework/security/web/server/util/matcher/PathPatternParserServerWebExchangeMatcher.class
The called method's class, org.springframework.web.util.pattern.PathPatternParser, is available from the following locations:
jar:file:/D:/apache-maven-3.6.3-bin/repository/org/springframework/spring-web/5.3.18/spring-web-5.3.18.jar!/org/springframework/web/util/pattern/PathPatternParser.class
The called method's class hierarchy was loaded from the following locations:
org.springframework.web.util.pattern.PathPatternParser: file:/D:/apache-maven-3.6.3-bin/repository/org/springframework/spring-web/5.3.18/spring-web-5.3.18.jar
Action:
Correct the classpath of your application so that it contains compatible versions of the classes org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher and org.springframework.web.util.pattern.PathPatternParser
From the error log:
- The method org.springframework.web.util.pattern.PathPatternParser.initFullPathPattern(Ljava/lang/String;)Ljava/lang/String; cannot be found; it is called by the class org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher.
- PathPatternParserServerWebExchangeMatcher comes from spring-security-web-5.7.10.jar, while the class that lacks the method, org.springframework.web.util.pattern.PathPatternParser, comes from spring-web-5.3.18.jar.
So this is a version incompatibility between spring-security-web and spring-web: the patched Spring Security calls a PathPatternParser method that only exists from Spring Framework 5.3.29 on, while the project's spring-web was still 5.3.18. Bumping spring-security.version alone moves Spring Security but not the Spring Framework modules it depends on.
Spring Boot 2.7.14 (and 2.7.15) manages Spring Security 5.7.10, and the spring-web version that Spring Boot 2.7.14 manages is 5.3.29, so add this to the pom:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.3.29</version>
</dependency>
Restart the project and it comes up. Solved!
A caveat: a direct dependency with an explicit version overrides the managed version for that one artifact only, so spring-core, spring-webflux and the other Spring Framework modules stay at 5.3.18. The cleaner fix in a Spring Boot project is to override the spring-framework.version property (or to move the Spring Boot parent to 2.7.14, which manages 5.7.10 and 5.3.29 together) so that every Spring Framework module moves in step, and then to confirm the resolved versions with mvn dependency:tree.
Note: the versions that a given Spring Boot release manages for other dependencies can be looked up at https://docs.spring.io/spring-boot/docs/2.7.14/reference/htmlsingle/#getting-started, where the 2.7.14 in the URL is the Spring Boot version to look up; open the page and Ctrl+F for the dependency (they are listed in the Dependency Versions appendix).
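To make the classpath check repeatable, here is an added example (my own code, not part of the original post or of the Spring projects) that reads the text of mvn dependency:tree and flags the two things that went wrong above: Spring Framework modules resolving to different versions, and a Spring Security version that needs a newer Spring Framework than the oldest module on the classpath. The sample trees are constructed to mirror the error above; the only Security-to-Framework pair encoded is the 5.7.10 to 5.3.29 pair from this post (other pairs would be taken from the Boot reference documentation), and the project coordinate com.example:gateway is made up.

```python
"""Check the Spring versions Maven actually resolved, from `mvn dependency:tree` text.
Added example: reports mixed Spring Framework versions and a Spring Security
release that is newer than the Spring Framework it sits on."""
import re
from collections import defaultdict

# Minimum Spring Framework version required by a Spring Security patch release.
# Only the pair documented above is listed (Spring Boot 2.7.14 manages 5.7.10
# together with 5.3.29); add pairs for other Boot lines from the Boot docs.
MIN_FRAMEWORK_FOR_SECURITY = {
    (5, 7, 10): (5, 3, 29),
}

# A Maven coordinate as dependency:tree prints it, e.g.
#   org.springframework:spring-web:jar:5.3.18:compile
COORD_RE = re.compile(r"(org\.springframework(?:\.security)?:\S+)")


def version_key(version):
    """'5.3.18' -> (5, 3, 18); '6.0.0-RC1' -> (6, 0, 0), usable for ordering."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    return tuple(int(n) for n in m.groups(default="0"))


def parse_tree(tree_text):
    """Map (groupId, artifactId) -> version for every Spring coordinate.
    Coordinates are groupId:artifactId:type[:classifier]:version:scope,
    so the version is always the second-to-last field."""
    deps = {}
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            parts = m.group(1).split(":")
            if len(parts) >= 5:
                deps[(parts[0], parts[1])] = parts[-2]
    return deps


def mixed_versions(deps):
    """{groupId: sorted versions} for groups whose modules do not agree."""
    by_group = defaultdict(set)
    for (group, _artifact), version in deps.items():
        by_group[group].add(version)
    return {g: sorted(v, key=version_key) for g, v in by_group.items() if len(v) > 1}


def framework_too_old(deps):
    """(security, oldest framework, required framework) or None if fine/unknown."""
    security = [v for (g, _a), v in deps.items() if g == "org.springframework.security"]
    framework = [v for (g, _a), v in deps.items() if g == "org.springframework"]
    if not security or not framework:
        return None
    newest_security = max(security, key=version_key)
    required = MIN_FRAMEWORK_FOR_SECURITY.get(version_key(newest_security))
    if required is None:
        return None
    oldest_framework = min(framework, key=version_key)
    if version_key(oldest_framework) < required:
        return (newest_security, oldest_framework, ".".join(map(str, required)))
    return None


def report(tree_text):
    """Human-readable findings for one dependency tree; an empty list means OK."""
    deps = parse_tree(tree_text)
    findings = []
    for group, versions in mixed_versions(deps).items():
        findings.append(f"{group} modules resolve to mixed versions: {', '.join(versions)}")
    pair = framework_too_old(deps)
    if pair:
        findings.append(f"spring-security {pair[0]} needs Spring Framework >= {pair[2]}, "
                        f"but the oldest module on the classpath is {pair[1]}")
    return findings


# Constructed sample, modelled on the failing classpath above: patched
# Spring Security 5.7.10 next to an unchanged Spring Framework 5.3.18.
TREE_BEFORE = r"""
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- org.springframework.security:spring-security-web:jar:5.7.10:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.7.10:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.18:compile
[INFO] +- org.springframework.security:spring-security-config:jar:5.7.10:compile
[INFO] \- org.springframework:spring-webflux:jar:5.3.18:compile
"""

# Constructed: only spring-web pinned to 5.3.29, as in the fix above. The
# NoSuchMethodError is gone, but the Framework modules no longer agree.
TREE_PIN_SPRING_WEB_ONLY = TREE_BEFORE.replace("spring-web:jar:5.3.18", "spring-web:jar:5.3.29")

# Constructed: every Spring Framework module moved to 5.3.29 together.
TREE_ALIGNED = TREE_BEFORE.replace(":5.3.18:", ":5.3.29:")

if __name__ == "__main__":
    for name, tree in [("before", TREE_BEFORE),
                       ("pin spring-web only", TREE_PIN_SPRING_WEB_ONLY),
                       ("aligned", TREE_ALIGNED)]:
        print(f"== {name} ==")
        for finding in report(tree) or ["classpath looks consistent"]:
            print("  " + finding)
```

Run mvn dependency:tree in the module that fails to start, save the output and pass it to report(); an empty list means the Spring modules agree with each other. The second constructed tree is the reason for the caveat above: pinning only spring-web silences the NoSuchMethodError, yet spring-core and spring-webflux remain at 5.3.18, so the checker still reports a mixed classpath until the whole Spring Framework line is moved.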