I am doing an upgrade of all my dependencies of my spring-boot project but I cannot upgrade ognl dependency from version 3.1.12 (containing the vulnerability CVE-2020-15250) to the last version 3.3.3 because I use the process() function on org.thymeleaf.TemplateEngine and I have the following error if I try to force the version of ognl dependency to 3.3.3 in my pom.xml:
java.lang.NoClassDefFoundError: ognl/DefaultMemberAccess
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at org.thymeleaf.standard.expression.OGNLVariableExpressionEvaluator.<clinit>(OGNLVariableExpressionEvaluator.java:76)
at org.thymeleaf.standard.StandardDialect.getVariableExpressionEvaluator(StandardDialect.java:179)
at org.thymeleaf.standard.StandardDialect.getExecutionAttributes(StandardDialect.java:393)
at org.thymeleaf.DialectSetConfiguration.build(DialectSetConfiguration.java:263)
at org.thymeleaf.EngineConfiguration.<init>(EngineConfiguration.java:123)
at org.thymeleaf.TemplateEngine.initialize(TemplateEngine.java:336)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1079)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1059)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1048)
It seems that in version 2.7.2 of spring-boot-starter-thymeleaf, the version 3.0.15.RELEASE of thymeleaf is used and this version try to use DefaultMemberAccess in ognl that is not available anymore after the version 3.2.1 of ognl according to what I saw.
I do not want to keep a dependency that have a vulnerability (ognl) but the version of thymeleaf in the last spring-boot version does not permit me to upgrade ognl because of that error.
Am I blocked for the upgrade or is it possible to do something please?
As #Andy Wilkinson said, the solution was to replace the new TemplateEngine() by new SpringTemplateEngine().
By doing that, OGNL seems to be useless because SpringTemplateEngine uses SpEL instead of OGNL if I understand.
Thank you for your help.
Related
We used KafkaEmbedded with spring-kafka-test 2.1.4.RELEASE earlier.
While upgrading spring-kafka-test to 2.4.13.RELEASE, we required to move from KafkaEmbedded to EmbeddedKafkaBroker. This is giving below error. We are using EmbeddedKafka annotation and spring boot starter parent version is 2.0.0.RELEASE, spring-kafka version is 2.1.4.RELEASE.
Tried different versions of spring-kafka-test.
java.lang.NoClassDefFoundError: org/springframework/core/log/LogAccessor
at org.springframework.kafka.test.EmbeddedKafkaBroker.<clinit>(EmbeddedKafkaBroker.java:92)
at org.springframework.kafka.test.context.EmbeddedKafkaContextCustomizer.customizeContext(EmbeddedKafkaContextCustomizer.java:71)
at org.springframework.boot.test.context.SpringBootContextLoader$ContextCustomizerAdapter.initialize(SpringBootContextLoader.java:336)
at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626)
at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:366)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:325)
at org.springframework.boot.test.context.SpringBootContextLoader.loadContext(SpringBootContextLoader.java:138)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:99)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:117)
at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:107)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.injectDependencies(DependencyInjectionTestExecutionListener.java:117)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.prepareTestInstance(DependencyInjectionTestExecutionListener.java:83)
at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:242)
at org.springframework.test.context.testng.AbstractTestNGSpringContextTests.springTestContextPrepareTestInstance(AbstractTestNGSpringContextTests.java:145)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:85)
at org.testng.internal.Invoker.invokeConfigurationMethod(Invoker.java:510)
at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:211)
at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:138)
at org.testng.internal.TestMethodWorker.invokeBeforeClassMethods(TestMethodWorker.java:170)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:104)
at org.testng.TestRunner.privateRun(TestRunner.java:774)
at org.testng.TestRunner.run(TestRunner.java:624)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:359)
at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:354)
at org.testng.SuiteRunner.privateRun(SuiteRunner.java:312)
at org.testng.SuiteRunner.run(SuiteRunner.java:261)
at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
at org.testng.TestNG.runSuitesSequentially(TestNG.java:1215)
at org.testng.TestNG.runSuitesLocally(TestNG.java:1140)
at org.testng.TestNG.run(TestNG.java:1048)
at com.intellij.rt.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:66)
at com.intellij.rt.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:109)
Caused by: java.lang.ClassNotFoundException: org.springframework.core.log.LogAccessor
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
37 more
Your versions are mis-matched. Boot 2.0.x and Spring for Apache Kafka 2.4.x are no longer supported, but 2.4.x requires Boot 2.2.x or later. See the matrix on the project page:
https://spring.io/projects/spring-kafka#overview
Also see
https://spring.io/projects/spring-kafka#support
and
https://spring.io/projects/spring-boot#support
The current (OSS) supported Boot versions are 2.7.x and 3.0.x, and Spring for Apache Kafka 2.9.x and 3.0.x.
You also must use the same version for spring-kafka and spring-kafka-test; they cannot be different.
Since yesterday we have a problem on our spring boot project after clean install without change nothing of configuration of the maven files, libs or something else.
We did try to update version of pom's of SpringFrameWork and Spring boot to 1.5.4.Release.
The error that is show is:
Exception in thread "main" java.lang.NoClassDefFoundError: org/springframework/boot/context/properties/source/ConfigurationPropertySources
at org.springframework.cloud.client.HostInfoEnvironmentPostProcessor.getFirstNonLoopbackHostInfo(HostInfoEnvironmentPostProcessor.java:46)
at org.springframework.cloud.client.HostInfoEnvironmentPostProcessor.postProcessEnvironment(HostInfoEnvironmentPostProcessor.java:35)
at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEnvironmentPreparedEvent(ConfigFileApplicationListener.java:168)
at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEvent(ConfigFileApplicationListener.java:154)
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:121)
at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:68)
at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:54)
at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:337)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:308)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175)
at br.com.ibliss.auth.app.AuthServerApplication.main(AuthServerApplication.java:216)
Caused by: java.lang.ClassNotFoundException: org.springframework.boot.context.properties.source.ConfigurationPropertySources
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 14 more
According to ConfigurationPropertySources source, this class is around from version 2.0.0
Provides access to {#link ConfigurationPropertySource ConfigurationPropertySources}.
#author Phillip Webb
#since 2.0.0
You probably did not upgrade your spring boot version but actually downgrade.
When I'm trying to run the below code
#Override
public List<EventDetails> process(int event_status) throws EventDetailDataException {
String sql="select * from MicroServiceEventDetails where event_status=?";
List<EventDetails> EventDetailsList = template.query(sql, new BeanPropertyRowMapper<EventDetails>(EventDetails.class),new Object[] {event_status});
return EventDetailsList;
}
It throws the following exception and here's the error log:-
Apr 02, 2017 6:26:04 AM org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler handleError
SEVERE: Unexpected error occurred in scheduled task.
java.lang.NoSuchMethodError: org.springframework.core.convert.support.DefaultConversionService.getSharedInstance()Lorg/springframework/core/convert/ConversionService;
at org.springframework.jdbc.core.BeanPropertyRowMapper.<init>(BeanPropertyRowMapper.java:91)
at com.syntel.boot.dao.EventProcessDaoImpl.process(EventProcessDaoImpl.java:38)
at com.syntel.boot.services.EventDetailServiceImpl.process(EventDetailServiceImpl.java:73)
at com.syntel.boot.scheduler.microeventschudler.eventExcuter(microeventschudler.java:30)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:65)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Maybe maven dependencies would be the reason i'm not sure, help?
I assume you are using Maven/Gradle, any build tool.
I was working on a spring MVC project and added LDAP functionality, however I added the LDAP jar dependency on the top of the dependency list in pom.xml and the jar version I used, utilized a lower version of spring core which did not have the ConversionService class. I identified this by back tracking to what was the most recent change to the Spring jar versions I made(i.e. added ldap libs) and using the Maven - Dependency hierarchy tab to identify what had changed. Once I removed the new dependency. did a clean, install, add the dependencies to the bottom of the list. The issue was fixed.
Your resolved dependencies should have the highest spring core version referenced on the column on the left. Any lower version should be omitted. In the screenshot, notice that spring core 4.3.9 is omitted for 4.3.4. Avoid this by adding the dependencies that use lower spring core versions below those which use higher versions.
Spring boot is using an older version of CrashHub (crashub.version in POM) that uses an old version of bouncycastle that using the class PemReader. This conflicts with the latest version of bouncycastle I am using in my application. Can you update Spring Boot or is there a work around I can do. Right now I get the exception below when I try to ssh into my application:
java.lang.NoClassDefFoundError: org/bouncycastle/openssl/PEMReader
at org.crsh.ssh.term.URLKeyPairProvider.loadKeys(URLKeyPairProvider.java:54)
at org.apache.sshd.common.keyprovider.AbstractKeyPairProvider.getKeyTypes(AbstractKeyPairProvider.java:53)
at org.apache.sshd.server.session.ServerSession.sendKexInit(ServerSession.java:127)
at org.apache.sshd.server.session.ServerSession.<init>(ServerSession.java:60)
at org.apache.sshd.server.session.SessionFactory.doCreateSession(SessionFactory.java:43)
at org.apache.sshd.common.session.AbstractSessionFactory.createSession(AbstractSessionFactory.java:38)
at org.apache.sshd.common.AbstractSessionIoHandler.sessionCreated(AbstractSessionIoHandler.java:36)
at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.completed(Nio2Acceptor.java:128)
at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.completed(Nio2Acceptor.java:109)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
at sun.nio.ch.Invoker$2.run(Invoker.java:218)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.openssl.PEMReader
at java.net.URLClassLoader$1.run(URLClassLoader.java:372)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:360)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at org.springframework.boot.loader.LaunchedURLClassLoader.doLoadClass(LaunchedURLClassLoader.java:170)
at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:136)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 15 common frames omitted
1.3.0 is the latest version of Crashub and that's the version that Spring Boot supports so there's nothing that can be done on the Spring Boot side of things. Assuming that you don't want to downgrade your Bouncycastle dependency, your only easy choice is to stop using Crashub.
A more involved alternative would be to fork Crashub and make the changes necessary for it to work with your desired version of Bouncycastle.
I have developed demo application using spring struct and hibernate and getting following error while running it.
java.lang.NoClassDefFoundError: org/springframework/core/AliasRegistry
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:621)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2818)
at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:1159)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1647)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1526)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
at java.lang.Class.getConstructor0(Class.java:2699)
at java.lang.Class.getDeclaredConstructor(Class.java:1985)
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:78)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:239)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:190)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
through google i came to know that problem might be because of some version conflict of spring library
So following is the jar list, i added in my application.
commons-digester-2.0.jar
commons-beanutils-1.7.0.jar
commons-chain-1.2.jar
commons-collections-3.1.jar
spring-core-2.5.jar
javassist.jar
spring-jdbc-2.5.jar
spring-beans-2.5.6.jar
spring-context-2.5.jar
commons-logging-1.1.1.jar
hibernate3.jar
oro-2.0.8.jar
struts2-core-2.3.1.2.jar
hibernate-jpa-2.0-api-1.0.0.Final.jar
mysql-connector-java-5.1.13-bin.jar
antlr-2.7.2.jar
struts-tiles-1.3.10.jar
struts-taglib-1.3.10.jar
struts-extras-1.3.10.jar
com.springsource.org.dom4j-1.6.1.jar
commons-validator-1.3.1.jar
xwork-core-2.3.1.2.jar
commons-io-2.0.1.jar
hibernate-commons-annotations-3.2.0.Final.jar
spring-context-support-2.5.jar
spring-orm-2.5.jar
spring-tx-2.5.6.jar
spring-web-2.5.jar
spring-webmvc-struts-2.5.jar
Try to use same version for all Spring dependencies. Now you are using 2.5 and 2.5.6.
The jar file that own AliasRegistry is from spring-core-2.5.jar and from your libraries output, it seem you have that. I have once with mixed version 3 and version 2.5 of spring causing issue. But the exceptions are gone once the correct version are in place.
I have struts1.3 and hibernate, I will comment based on our difference and to see if this give you any help. But with my libraries placed in lib, hibernate works fine though. So here goes,
Get the same version for this.
commons-digester-2.0.jar
commons-beanutils-1.7.0.jar
which version of javassist.jar do you have? I have javassist-3.12.0.GA.jar
spring-beans-2.5.6.jar, try get exact version of spring-beans-2.5.jar
which exact version of hibernate3.jar do you have? I'm using hibernate-core-3.6.4.Final.jar
These are libraries for struts1, are you using these together with struts2?
struts-tiles-1.3.10.jar
struts-taglib-1.3.10.jar
struts-extras-1.3.10.jar
commons-validator-1.3.1.jar
these seem like packages from struts2 which is the one you are using, yes?
struts2-core-2.3.1.2.jar
xwork-core-2.3.1.2.jar
try to get the exact version of spring-tx, that is spring-tx-2.5.jar which is the same with the rest of spring jars.