前言
目前项目上扫描出一些 Java 依赖的代码漏洞,需要对现有依赖版本升级,记录一下遇到的问题。
<spring-boot.version>2.3.2.RELEASE</spring-boot.version> <spring-cloud.version>Hoxton.SR9</spring-cloud.version> <spring-cloud-alibaba.version>2.2.6.RELEASE</spring-cloud-alibaba.version>
升级到
<spring-boot.version>2.7.18</spring-boot.version> <spring-cloud.version>2021.0.8</spring-cloud.version> <spring-cloud-alibaba.version>2021.0.5.0</spring-cloud-alibaba.version>
2.7.18 版本的 Spring Boot 支持 JDK 8 ,再往后需要 JDK 17 了。
启动报错记录
1. Nacos 字样报错信息
Add a spring.config.import=nacos: property to your configuration.
解决方法,增加依赖
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-bootstrap</artifactId> </dependency>
2. spring-data-commons 相关类找不到
org/springframework/data/repository/core/support/RepositoryMethodInvocationListener
解决方法,增加依赖
<dependency> <groupId>org.springframework.data</groupId> <artifactId>spring-data-commons</artifactId> <!--默认版本没效果2.7.18 可能是依赖下载问题--> <version>2.7.18</version> </dependency>
3. 不再提供默认负载均衡
nested exception is java.lang.IllegalStateException: No Feign Client for loadBalancing defined. Did you forget to include spring-cloud-starter-loadbalancer?
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-loadbalancer</artifactId> </dependency>
4. 默认不支持循环依赖
Relying upon circular references is discouraged and they are prohibited by default. Update your application to remove the dependency cycle between beans. As a last resort, it may be possible to break the cycle automatically by setting spring.main.allow-circular-references to true.
解决,开启循环依赖
spring: main: allow-circular-references: true
5. thymeleaf 相关类找不到
java.lang.ClassNotFoundException: org.thymeleaf.util.VersionUtils
版本冲突导致,统一thymeleaf版本
6. swagger2 相关报错
Failed to start bean ‘documentationPluginsBootstrapper’; nested exception is java.lang.NullPointerException
Swagger2 bug导致
解决:增加配置
@Bean public static BeanPostProcessor springfoxHandlerProviderBeanPostProcessor() { return new BeanPostProcessor() { @Override public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException { if (bean instanceof WebMvcRequestHandlerProvider) { customizeSpringfoxHandlerMappings(getHandlerMappings(bean)); } return bean; } private <T extends RequestMappingInfoHandlerMapping> void customizeSpringfoxHandlerMappings(List<T> mappings) { List<T> copy = mappings.stream() .filter(mapping -> mapping.getPatternParser() == null) .collect(Collectors.toList()); mappings.clear(); mappings.addAll(copy); } @SuppressWarnings("unchecked") private List<RequestMappingInfoHandlerMapping> getHandlerMappings(Object bean) { try { Field field = ReflectionUtils.findField(bean.getClass(), "handlerMappings"); field.setAccessible(true); return (List<RequestMappingInfoHandlerMapping>) field.get(bean); } catch (IllegalArgumentException | IllegalAccessException e) { throw new IllegalStateException(e); } } }; }
配置过时
1. ResourceProperties
Spring Boot 2.4.0版本之后已作废,2.6.0版本被移除
org.springframework.boot.autoconfigure.web.ResourceProperties
2. StringUtils
commons-lang 升级到 commons-lang3
3. 单元测试注解
@BeforeEach 代替 @Before
4. 数组转集合
CollectionUtils.arrayToList(key)
替换为
Arrays.asList
5. Hystrix
Spring Cloud 2020 以后就不再支持 Hystrix
建议替换为 Sentinel。
仍要使用 Hystrix 的话,相关 yaml 配置和启用注解有变化。
Spring Security OAuth2
目前使用的版本是2.2.5,也是最后一个版本
<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-oauth2</artifactId> <version>2.2.5.RELEASE</version> </dependency>
Spring Boot 升级后,会有问题,需要对相关依赖版本进行降版本,降到5.3以下,
但之前 Spring Security 有个漏洞需要升级到 5.5.7 。
所以目前解决的方法是自己搭建认证服务,不使用 OAuth2
Spring Authorization Server 学习一下。
Spring Security OAuth 已不再维护,官网链接也已删除