我要评论前言
目前项目上扫描出一些 java 依赖的代码漏洞,需要对现有依赖版本升级,记录一下遇到的问题。
<spring-boot.version>2.3.2.release</spring-boot.version>
<spring-cloud.version>hoxton.sr9</spring-cloud.version>
<spring-cloud-alibaba.version>2.2.6.release</spring-cloud-alibaba.version>
升级到
<spring-boot.version>2.7.18</spring-boot.version>
<spring-cloud.version>2021.0.8</spring-cloud.version>
<spring-cloud-alibaba.version>2021.0.5.0</spring-cloud-alibaba.version>
2.7.18 版本的 spring boot 支持 jdk 8 ,再往后需要 jdk 17 了。
启动报错记录
1. nacos 字样报错信息
add a spring.config.import=nacos: property to your configuration.
解决方法,增加依赖
<dependency>
<groupid>org.springframework.cloud</groupid>
<artifactid>spring-cloud-starter-bootstrap</artifactid>
</dependency>
2. spring-data-commons 相关类找不到
org/springframework/data/repository/core/support/repositorymethodinvocationlistener
解决方法,增加依赖
<dependency>
<groupid>org.springframework.data</groupid>
<artifactid>spring-data-commons</artifactid>
<!--默认版本没效果2.7.18 可能是依赖下载问题-->
<version>2.7.18</version>
</dependency>
3. 不再提供默认负载均衡
nested exception is java.lang.illegalstateexception: no feign client for loadbalancing defined. did you forget to include spring-cloud-starter-loadbalancer?
<dependency>
<groupid>org.springframework.cloud</groupid>
<artifactid>spring-cloud-loadbalancer</artifactid>
</dependency>
4. 默认不支持循环依赖
relying upon circular references is discouraged and they are prohibited by default. update your application to remove the dependency cycle between beans. as a last resort, it may be possible to break the cycle automatically by setting spring.main.allow-circular-references to true.
解决,开启循环依赖
spring:
main:
allow-circular-references: true
5. thymeleaf 相关类找不到
java.lang.classnotfoundexception: org.thymeleaf.util.versionutils
版本冲突导致,统一thymeleaf版本
6. swagger2 相关报错
failed to start bean ‘documentationpluginsbootstrapper’; nested exception is java.lang.nullpointerexception
swagger2 bug导致
解决:增加配置
@bean
public static beanpostprocessor springfoxhandlerproviderbeanpostprocessor() {
return new beanpostprocessor() {
@override
public object postprocessafterinitialization(object bean, string beanname) throws beansexception {
if (bean instanceof webmvcrequesthandlerprovider) {
customizespringfoxhandlermappings(gethandlermappings(bean));
}
return bean;
}
private <t extends requestmappinginfohandlermapping> void customizespringfoxhandlermappings(list<t> mappings) {
list<t> copy = mappings.stream()
.filter(mapping -> mapping.getpatternparser() == null)
.collect(collectors.tolist());
mappings.clear();
mappings.addall(copy);
}
@suppresswarnings("unchecked")
private list<requestmappinginfohandlermapping> gethandlermappings(object bean) {
try {
field field = reflectionutils.findfield(bean.getclass(), "handlermappings");
field.setaccessible(true);
return (list<requestmappinginfohandlermapping>) field.get(bean);
} catch (illegalargumentexception | illegalaccessexception e) {
throw new illegalstateexception(e);
}
}
};
}
配置过时
1. resourceproperties
spring boot 2.4.0版本之后已作废,2.6.0版本被移除
org.springframework.boot.autoconfigure.web.resourceproperties
2. stringutils
commons-lang 升级到 commons-lang3
3. 单元测试注解
@beforeeach 代替 @before
4. 数组转集合
collectionutils.arraytolist(key)
替换为
arrays.aslist
5. hystrix
spring cloud 2020 以后就不再支持 hystrix
建议替换为 sentinel。
仍要使用 hystrix 的话,相关 yaml 配置和启用注解有变化。
spring security oauth2
目前使用的版本是2.2.5,也是最后一个版本
<dependency>
<groupid>org.springframework.cloud</groupid>
<artifactid>spring-cloud-starter-oauth2</artifactid>
<version>2.2.5.release</version>
</dependency>
spring boot 升级后,会有问题,需要对相关依赖版本进行降版本,降到5.3以下,
但之前 spring security 有个漏洞需要升级到 5.5.7 。
所以目前解决的方法是自己搭建认证服务,不使用 oauth2
发表评论