本次升級源自一次安全漏洞提醒

Spring Security 身份認(rèn)證繞過漏洞 (CVE-2022-22978)，現(xiàn)將漏洞相關(guān)詳情下發(fā)，如系統(tǒng)使用了受影響版本軟件，請參照處置建議及時完成處理。
【風(fēng)險名稱】
Spring Security 身份認(rèn)證繞過漏洞 (CVE-2022-22978)
【風(fēng)險等級】
高危
【風(fēng)險驗證】
受影響版本：
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
Spring Security 其他低版本同樣受影響
安全版本：
Spring Security 5.5.x >= 5.5.7
Spring Security 5.6.x >= 5.6.4

項目用著spring-security4.1, 也是受到了該漏洞的影響. 知道從4.x跳到5.x這種大版本提升肯定會有不少坑, 但是安全問題不可忽視, 雖然是舊項目也要升級,還要得比較急.

本著能省則省的心理, 那就先單獨升級一下spring-security吧.

從

<!--<spring-security.version>4.1.0.RELEASE</spring-security.version>-->
<spring-security.version>5.5.8</spring-security.version>

升級了版本

重新 maven reimport項目, clean&compile試試.

列舉幾個版本不兼容的錯誤(吐槽下IDEA的編譯錯誤提醒沒eclipse友好，一次編譯提示一個)：

程序包org.springframework.security.authentication.encoding不存在

居然就一個Md5PasswordEncoder不存在錯誤. 修正后就編譯打包通過了. 那就運行看看.

測試運行時如愿報錯，還比較不友好.

[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@296e281a{dxx-framework,/dxxframework,file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/,UNAVAILABLE}{file:///D:/IdeaWorkSpace2022/dxx-framework-parent/dxx-framework/src/main/webapp/}
java.lang.NoSuchMethodError: org.springframework.util.Assert.state(ZLjava/util/function/Supplier;)V
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter (AbstractSecurityWebApplicationInitializer.java:195)
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain (AbstractSecurityWebApplicationInitializer.java:140)
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup (AbstractSecurityWebApplicationInitializer.java:115)
    at org.springframework.web.SpringServletContainerInitializer.onStartup (SpringServletContainerInitializer.java:169)
    at org.eclipse.jetty.plus.annotation.ContainerInitializer.callStartup (ContainerInitializer.java:145)

org.springframework.util.Assert.state

AbstractSecurityWebApplicationInitializer.registerFilter

AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain

看幾個報錯的源碼接口和實現(xiàn)都有

感覺還是jar包沖突(歡迎指正，重新配置了一番spring-security后無果，也不想調(diào)整4.x版本的源碼再重新打包)，那就升級spring試試.

Spring-security5.5.8是依賴spring5.3.2的，省事失敗，那就升級吧.

<!--<spring.version>4.3.30.RELEASE</spring.version>-->
<spring.version>5.3.20</spring.version>

熟悉的編譯報錯繼續(xù)鋪面而來，修復(fù)過程省略，挑幾個分享下：

com.dxx.config.web.PropertyEditorRegistrarImpl不是抽象的，并且未覆蓋org.springframework.web.bind.support.WebBindingInitializer中的抽象方法initBinder(org.springframework.web.bind.WebDataBinder)

無法將類 org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport中的方法 requestMappingHandlerMapping應(yīng)用到給定類型;

• 舊代碼：

@Bean(name="requestMappingHandlerMapping")
public RequestMappingHandlerMapping requestMappingHandlerMapping() {
       logger.info("RequestMappingHandlerMapping");
   
   return super.requestMappingHandlerMapping();
}

• 新代碼：

@Override
@Bean(name="requestMappingHandlerMapping")
@Primary
public RequestMappingHandlerMapping requestMappingHandlerMapping(
      @Qualifier("mvcContentNegotiationManager") ContentNegotiationManager contentNegotiationManager,
      @Qualifier("mvcConversionService") FormattingConversionService conversionService,
      @Qualifier("mvcResourceUrlProvider") ResourceUrlProvider resourceUrlProvider) {
   // Must be @Primary for MvcUriComponentsBuilder to work
   return super.requestMappingHandlerMapping(contentNegotiationManager, conversionService,
         resourceUrlProvider);
}

經(jīng)過簡(fan)單(za)的Spring5.x 適應(yīng)性調(diào)整后, 項目又編譯通過了,

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.681 s
[INFO] Finished at: 2022-06-01T10:40:45+08:00
[INFO] ------------------------------------------------------------------------

感覺又可以了，跑一下!

但是，但是這個詞又冒了出來..

10:42:51.071 [main] ERROR com.dxx.platform.security.support.EnvRecourceInitializer - 系統(tǒng)初始化資源角色菜單失敗!Could not open Hibernate Session for transaction; nested exception is java.lang.NoSuchMethodError: org.hibernate.Session.unwrap(Ljava/lang/Class;)Ljava/lang/Object;
[INFO] Initializing Spring DispatcherServlet 'dispatcher'

看來是Hibernate的集成跟Spring版本有依賴關(guān)系，SSH的SS都升了..也不差最后一個H了.

Hibernate用著的是5.1版本，倒沒說有跟Spring有依賴.

估計是Spring的orm mapping接口依賴有要求，翻了一下資料，沒翻到，無意中看了下源碼.

Spring 5.3兼容的是hiberante5.2/5.3/5.4. JPA的話推薦使用5.3/5.4，既然5.1報錯，那就直接升級到5.4的最新版本吧(找的方法不太對.. 耗費好多時間，隱藏太深，還不如先盲猜).

**
 * {@link FactoryBean} that creates a Hibernate {@link SessionFactory}. This is the usual
 * way to set up a shared Hibernate SessionFactory in a Spring application context; the
 * SessionFactory can then be passed to data access objects via dependency injection.
 *
 * <p>Compatible with Hibernate 5.2/5.3/5.4, as of Spring 5.3.
 * This Hibernate-specific {@code LocalSessionFactoryBean} can be an immediate alternative
 * to {@link org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean} for common
 * JPA purposes: In particular with Hibernate 5.3/5.4, the Hibernate {@code SessionFactory}
 * will natively expose the JPA {@code EntityManagerFactory} interface as well, and
 * Hibernate {@code BeanContainer} integration will be registered out of the box.
 * In combination with {@link HibernateTransactionManager}, this naturally allows for
 * mixing JPA access code with native Hibernate access code within the same transaction.
 *
 * @author Juergen Hoeller
 * @since 4.2
 * @see #setDataSource
 * @see #setPackagesToScan
 * @see HibernateTransactionManager
 * @see LocalSessionFactoryBuilder
 * @see org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean
 */
public class LocalSessionFactoryBean

升級Hibernate到最新能支持的版本

<!--<hibernate.version>5.1.0.Final</hibernate.version>-->
<hibernate.version>5.4.33.Final</hibernate.version>

編譯通過，測試運行一下，登錄成功.. CRUD成功. 喜聞樂見..

總結(jié)

至此，三大框架升級完畢... 不對，給Spring security升級一下版本這個小問題解決。

以上為個人經(jīng)驗，希望能給大家一個參考，也希望大家多多支持腳本之家。

最新評論