Spring Security Upgrade to Version 5.5.7, 5.6.4 or Above to Startup Error (Version incompatibility)

1. Background

Version comparison detection principle: check whether the current system version of spring-security-web is within the scope of the vulnerability version|version comparison detection results: – spring-security-web
Current installed version: 5.2.1.RELEASE
Need to upgrade to 5.5.7, 5.6.4 and above, because the pom can not find a direct reference to the location, so add the following dependencies to spring-security-web version forced to upgrade to 5.5.7

    <!-- Fix spring-security-web version vulnerability -->

An error is reported during startup. The error contents are as follows:



An attempt was made to call a method that does not exist. The attempt was made from the following location:


The following method did not exist:


The method's class, org.springframework.util.Assert, is available from the following locations:


It was loaded from the following location:


2. Analysis of the cause

Theoretically, spring-security-web is introduced in a jar, and the version of spring-security-web is changed separately, resulting in the incompatibility of the supporting code in this jar.

3. Solutions

Upgrade spring-boot-dependencies from 2.1.17.RELEASE to 2.2.2.RELEASE
            <! -- SpringBoot dependency configuration-->
<!--                <version>2.1.17.RELEASE</version>-->
Just use the 5.5.7 mandatory override of spring-security-web at the end of the pom
        <! -- Fix spring-security-web version vulnerability -->

4. solution ideas:
Because a separate change in the version of spring-security-web, resulting in this jar incompatible with the code caused by the problem, so the primary problem need to find spring-security-web by which jar introduced

4.1 Query the Maven project to find out which dependency the jar package is introduced by
Use mvn dependency:tree directly to see the complete dependency tree of the project.

    Command format
mvn dependency:tree -Dverbose -Dincludes=Content to be queried(groupId:artifactId)

-dependency:tree:Indicates a tree-like display.
-Dverbose:Indicates that all references can be displayed, including those that are ignored because of multiple reference duplicates.
-Dincludes: you can formulate query conditions

The groupId and artifactId of spring-security-web are:

groupId: org.springframework.security
artifactId: spring-security-web
so the command is as below:
mvn dependency:tree -Dverbose -Dincludes=org.springframework.security:spring-security-web

4.2 The dependency hierarchy after execution in the idea’s Teminal is shown in the figure below

4.3spring-security-web is introduced by spring-boot-starter-security
spring-security-web is introduced by spring-boot-starter-security, version 2.1.17.RELEASE, search spring-boot-starter-security and find that it uses spring-boot- RELEASE.pom version

4.3spring-boot-starter-security version is the version that inherits spring-boot-dependencies
In the global search spring-boot-dependencies version, found really is 2.1.17.RELEASE, so far, all the dependency levels are found, that began to guess, is not spring-boot-dependencies version is too low, spring-security-web version is too high incompatible, spring-security-web version can not be adjusted down, can only upgrade the version of spring-boot-dependencies, in the maven repository to find the version of spring-boot-dependencies, level by level test, found 2.2.2. The problem is solved.

Read More: