Version comparison detection principle: check whether the current system version of spring-security-web is within the scope of the vulnerability version|version comparison detection results: – spring-security-web
Current installed version: 5.2.1.RELEASE
Need to upgrade to 5.5.7, 5.6.4 and above, because the pom can not find a direct reference to the location, so add the following dependencies to spring-security-web version forced to upgrade to 5.5.7
<!-- Fix spring-security-web version vulnerability -->
An error is reported during startup. The error contents are as follows:
APPLICATION FAILED TO START
An attempt was made to call a method that does not exist. The attempt was made from the following location:
The following method did not exist:
The method's class, org.springframework.util.Assert, is available from the following locations:
It was loaded from the following location:
2. Analysis of the cause
Theoretically, spring-security-web is introduced in a jar, and the version of spring-security-web is changed separately, resulting in the incompatibility of the supporting code in this jar.
Upgrade spring-boot-dependencies from 2.1.17.RELEASE to 2.2.2.RELEASE
<! -- SpringBoot dependency configuration-->
Just use the 5.5.7 mandatory override of spring-security-web at the end of the pom
<! -- Fix spring-security-web version vulnerability -->
4. solution ideas:
Because a separate change in the version of spring-security-web, resulting in this jar incompatible with the code caused by the problem, so the primary problem need to find spring-security-web by which jar introduced
4.1 Query the Maven project to find out which dependency the jar package is introduced by
Use mvn dependency:tree directly to see the complete dependency tree of the project.
mvn dependency:tree -Dverbose -Dincludes=Content to be queried(groupId:artifactId)
-dependency:tree：Indicates a tree-like display.
-Dverbose：Indicates that all references can be displayed, including those that are ignored because of multiple reference duplicates.
-Dincludes: you can formulate query conditions
The groupId and artifactId of spring-security-web are:
so the command is as below:
mvn dependency:tree -Dverbose -Dincludes=org.springframework.security:spring-security-web
4.2 The dependency hierarchy after execution in the idea’s Teminal is shown in the figure below
4.3spring-security-web is introduced by spring-boot-starter-security
spring-security-web is introduced by spring-boot-starter-security, version 2.1.17.RELEASE, search spring-boot-starter-security and find that it uses spring-boot- RELEASE.pom version
4.3spring-boot-starter-security version is the version that inherits spring-boot-dependencies
In the global search spring-boot-dependencies version, found really is 2.1.17.RELEASE, so far, all the dependency levels are found, that began to guess, is not spring-boot-dependencies version is too low, spring-security-web version is too high incompatible, spring-security-web version can not be adjusted down, can only upgrade the version of spring-boot-dependencies, in the maven repository to find the version of spring-boot-dependencies, level by level test, found 2.2.2. The problem is solved.