1. Background
Version comparison detection principle: check whether the current system version of spring-security-web is within the scope of the vulnerability version|version comparison detection results: – spring-security-web
Current installed version: 5.2.1.RELEASE
Need to upgrade to 5.5.7, 5.6.4 and above, because the pom can not find a direct reference to the location, so add the following dependencies to spring-security-web version forced to upgrade to 5.5.7
<!-- Fix spring-security-web version vulnerability -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.5.7</version>
</dependency>
An error is reported during startup. The error contents are as follows:
***************************
APPLICATION FAILED TO START
***************************
Description:
An attempt was made to call a method that does not exist. The attempt was made from the following location:
org.springframework.security.web.util.matcher.OrRequestMatcher.<init>(OrRequestMatcher.java:43)
The following method did not exist:
org.springframework.util.Assert.noNullElements(Ljava/util/Collection;Ljava/lang/String;)V
The method's class, org.springframework.util.Assert, is available from the following locations:
jar:file:/C:/Users/sutpc/.m2/repository/org/springframework/spring-core/5.1.18.RELEASE/spring-core-5.1.18.RELEASE.jar!/org/springframework/util/Assert.class
It was loaded from the following location:
file:/C:/Users/sutpc/.m2/repository/org/springframework/spring-core/5.1.18.RELEASE/spring-core-5.1.18.RELEASE.jar
2. Analysis of the cause
Theoretically, spring-security-web is introduced in a jar, and the version of spring-security-web is changed separately, resulting in the incompatibility of the supporting code in this jar.
3. Solutions
Upgrade spring-boot-dependencies from 2.1.17.RELEASE to 2.2.2.RELEASE
<! -- SpringBoot dependency configuration-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<!-- <version>2.1.17.RELEASE</version>-->
<version>2.2.2.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Just use the 5.5.7 mandatory override of spring-security-web at the end of the pom
<! -- Fix spring-security-web version vulnerability -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.5.7</version>
</dependency>
4. solution ideas:
Because a separate change in the version of spring-security-web, resulting in this jar incompatible with the code caused by the problem, so the primary problem need to find spring-security-web by which jar introduced
4.1 Query the Maven project to find out which dependency the jar package is introduced by
Use mvn dependency:tree directly to see the complete dependency tree of the project.
- Command format
mvn dependency:tree -Dverbose -Dincludes=Content to be queried(groupId:artifactId)
-dependency:tree:Indicates a tree-like display.
-Dverbose:Indicates that all references can be displayed, including those that are ignored because of multiple reference duplicates.
-Dincludes: you can formulate query conditions
The groupId and artifactId of spring-security-web are:
groupId: org.springframework.security
artifactId: spring-security-web
so the command is as below:
mvn dependency:tree -Dverbose -Dincludes=org.springframework.security:spring-security-web
4.2 The dependency hierarchy after execution in the idea’s Teminal is shown in the figure below
4.3spring-security-web is introduced by spring-boot-starter-security
spring-security-web is introduced by spring-boot-starter-security, version 2.1.17.RELEASE, search spring-boot-starter-security and find that it uses spring-boot- RELEASE.pom version
4.3spring-boot-starter-security version is the version that inherits spring-boot-dependencies
In the global search spring-boot-dependencies version, found really is 2.1.17.RELEASE, so far, all the dependency levels are found, that began to guess, is not spring-boot-dependencies version is too low, spring-security-web version is too high incompatible, spring-security-web version can not be adjusted down, can only upgrade the version of spring-boot-dependencies, in the maven repository to find the version of spring-boot-dependencies, level by level test, found 2.2.2. The problem is solved.
Read More:
- How to Solve Spring integrate Seata startup error
- [Solved] ‘build.plugins.plugin.version‘ for org.springframework.boot:spring-boot-maven-plugin is missing.
- Idea create Maven project Error: [error] no longer supports source option 1.5. Please use version 1.6 or higher, and the idea reports an error: error: Java does not support the error of release version 5
- How to Solve Linux connecte to the old version of SQL Server Error
- serviceimpl inherits generic public impl startup error: ClassCastException (Mybatis-plus version Issue)
- [Solved] Error:Kotlin: Module was compiled with an incompatible version of Kotlin. The binary version of
- How to Solve EasyExcel3.0.5 Version Error
- spring cloud 2020 gateway Error 503 [How to Solve]
- [Solved] Failed to bind properties under ‘spring.servlet.multipart.file-size-threshold‘ to
- Springboot2.6X version integrate knife4j error [How to Solve]
- [Solved] spring boot integrated PageHelper Error
- How to Solve JD-GUI Start Error (Mac ARM Version)
- How to Solve Log4j 2.5 upgrade to 2.15 error
- IDEA-Error java error release version 5 not supported (How To Fix)
- How to Solve Java Runtime (class file version 53.0)ERROR
- Springboot uses Oracle database to report property ‘sqlsessionfactory’ or ‘sqlsessiontemplate’ are required
- [Solved] Docker Start Error: System.InvalidOperationException Failed to set version to docker-desktop exit code
- [Solved] Spring Cloud Use Ribbon Error: No instances available for XXX
- [Solved] Linux java -jar Start Project Error: Unsupported major.minor version 52.0
- [Solved] Spring Boot Startup Error: Failed to load property source from location ‘classpath:/application-dev.yml‘