本次升级源自一次安全漏洞提醒:
Spring Security 身份认证绕过漏洞 (CVE-2022-22978),现将漏洞相关详情下发,如系统使用了受影响版本软件,请参照处置建议及时完成处理。
【风险名称】
Spring Security 身份认证绕过漏洞 (CVE-2022-22978)
【风险等级】
高危
【风险验证】
受影响版本:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
Spring Security 其他低版本同样受影响
安全版本:
Spring Security 5.5.x >= 5.5.7
Spring Security 5.6.x >= 5.6.4
项目用着spring-security4.1, 也是受到了该漏洞的影响. 知道从4.x跳到5.x这种大版本提升肯定会有不少坑, 但是安全问题不可忽视, 虽然是旧项目也要升级,还要得比较急.
本着能省则省的心理, 那就先单独升级一下spring-security吧.
从
<!-- <spring-security.version>4.1.0.RELEASE</spring-security.version>-->
<spring-security.version>5.5.8</spring-security.version>升级了版本, 重新 maven reimport项目, clean&compile试试.
列举几个版本不兼容的错误(吐槽下IDEA的编译错误提醒没eclipse友好, 一次编译提示一个):
程序包org.springframework.security.authentication.encoding不存在
居然就一个Md5PasswordEncoder不存在错误. 修正后就编译打包通过了. 那就运行看看.
测试运行时如愿报错, 还比较不友好.
[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@296e281a{dxx-framework,/dxxframework,file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/,UNAVAILABLE}{file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/}
java.lang.NoSuchMethodError: org.springframework.util.Assert.state(ZLjava/util/function/Supplier;)V
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter (AbstractSecurityWebApplicationInitializer.java:195)
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain (AbstractSecurityWebApplicationInitializer.java:140)
at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup (AbstractSecurityWebApplicationInitializer.java:115)
at org.springframework.web.SpringServletContainerInitializer.onStartup (SpringServletContainerInitializer.java:169)
at org.eclipse.jetty.plus.annotation.ContainerInitializer.callStartup (ContainerInitializer.java:145)org.springframework.util.Assert.state
AbstractSecurityWebApplicationInitializer.registerFilter
AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain
看几个报错的源码接口和实现都有, 感觉还是jar包冲突(欢迎指正, 重新配置了一番spring-security后无果, 也不想调整4.x版本的源码再重新打包), 那就升级spring试试.
Spring-security5.5.8是依赖spring5.3.2的, 省事失败, 那就升级吧.
<!-- <spring.version>4.3.30.RELEASE</spring.version>-->
<spring.version>5.3.20</spring.version>熟悉的编译报错继续铺面而来, 修复过程省略, 挑几个分享下:
com.dxx.config.web.PropertyEditorRegistrarImpl不是抽象的, 并且未覆盖org.springframework.web.bind.support.WebBindingInitializer中的抽象方法initBinder(org.springframework.web.bind.WebDataBinder)
无法将类 org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport中的方法 requestMappingHandlerMapping应用到给定类型;
旧代码:
@Bean(name="requestMappingHandlerMapping") public RequestMappingHandlerMapping requestMappingHandlerMapping() { logger.info("RequestMappingHandlerMapping"); return super.requestMappingHandlerMapping(); } 新代码: @Override @Bean(name="requestMappingHandlerMapping") @Primary public RequestMappingHandlerMapping requestMappingHandlerMapping( @Qualifier("mvcContentNegotiationManager") ContentNegotiationManager contentNegotiationManager, @Qualifier("mvcConversionService") FormattingConversionService conversionService, @Qualifier("mvcResourceUrlProvider") ResourceUrlProvider resourceUrlProvider) { // Must be @Primary for MvcUriComponentsBuilder to work return super.requestMappingHandlerMapping(contentNegotiationManager, conversionService, resourceUrlProvider); }
经过简(fan)单(za)的Spring5.x 适应性调整后, 项目又编译通过了,
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.681 s
[INFO] Finished at: 2022-06-01T10:40:45+08:00
[INFO] ------------------------------------------------------------------------
感觉又可以了, 跑一下!
但是, 但是这个词又冒了出来..
10:42:51.071 [main] ERROR com.dxx.platform.security.support.EnvRecourceInitializer - 系统初始化资源角色菜单失败!Could not open Hibernate Session for transaction; nested exception is java.lang.NoSuchMethodError: org.hibernate.Session.unwrap(Ljava/lang/Class;)Ljava/lang/Object;
[INFO] Initializing Spring DispatcherServlet 'dispatcher'
看来是Hibernate的集成跟Spring版本有依赖关系, SSH的SS都升了..也不差最后一个H了.
Hibernate用着的是5.1版本, 倒没说有跟Spring有依赖.
估计是Spring的orm mapping接口依赖有要求, 翻了一下资料,没翻到, 无意中看了下源码. Spring 5.3兼容的是hiberante5.2/5.3/5.4. JPA的话推荐使用5.3/5.4, 既然5.1报错, 那就直接升级到5.4的最新版本吧(找的方法不太对..耗费好多时间,隐藏太深,还不如先盲猜).
**
* {@link FactoryBean} that creates a Hibernate {@link SessionFactory}. This is the usual
* way to set up a shared Hibernate SessionFactory in a Spring application context; the
* SessionFactory can then be passed to data access objects via dependency injection.
*
* <p>Compatible with Hibernate 5.2/5.3/5.4, as of Spring 5.3.
* This Hibernate-specific {@code LocalSessionFactoryBean} can be an immediate alternative
* to {@link org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean} for common
* JPA purposes: In particular with Hibernate 5.3/5.4, the Hibernate {@code SessionFactory}
* will natively expose the JPA {@code EntityManagerFactory} interface as well, and
* Hibernate {@code BeanContainer} integration will be registered out of the box.
* In combination with {@link HibernateTransactionManager}, this naturally allows for
* mixing JPA access code with native Hibernate access code within the same transaction.
*
* @author Juergen Hoeller
* @since 4.2
* @see #setDataSource
* @see #setPackagesToScan
* @see HibernateTransactionManager
* @see LocalSessionFactoryBuilder
* @see org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean
*/
public class LocalSessionFactoryBean
升级Hibernate到最新能支持的版本.
<!-- <hibernate.version>5.1.0.Final</hibernate.version>-->
<hibernate.version>5.4.33.Final</hibernate.version>编译通过,测试运行一下,登录成功..CRUD成功. 喜闻乐见..
至此, 三大框架升级完毕...不对, 给Spring security升级一下版本这个小问题解决.
