Describe the bug
After updating spring-security-test from v5.7.5 to v5.8.0, the application doesn't start anymore. The reason for that is:
java.lang.NoClassDefFoundError: org/springframework/security/core/context/DeferredSecurityContext
From what I see, this is a class which was introduced recently. So I would assume that dependencies are clashing.
But even with using Spring Boot 2.7.6, it still fails. And from the release notes, I also don't see what dependency update could be responsible for that.
This update actually breaks every project where I use this dependency.
To Reproduce The stacktrace I get only calls one of our classes with the following contents:
@Profile("disableAuthorization")
@Configuration
public class DisableAuthorizationWebSecurityConfig {
@Bean
protected SecurityFilterChain configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**")
.permitAll();
return http.build(); // <-- This line is in the stacktrace.
}
}
Full stacktrace: spring-security-test-problem_original-stacktrace.log
When I remove that method / bean, I get the same exception with a slightly different stacktrace: spring-security-test-problem_other-stacktrace.log
Used dependencies of one project where it fails now:
Expected behavior I expect the application to start after the update.
Sample I will provide a minimal reproducible sample if needed since I think it might be simple problem.
Comment From: marcusdacoregio
Hi @DManstrator, did you override the version only for the spring-security-test artifact? I don't think that will work because DeferredSecurityContext is from spring-security-core and you would have to bump the core version as well.
You didn't share how you have overridden the Spring Security version, but with Maven it would look something like this:
<properties>
<spring-security.version>5.8.0</spring-security.version>
</properties>
And in Gradle:
ext['spring-security.version'] = '5.8.0'
Comment From: DManstrator
Thanks for the quick reply, Marcus.
I checked the dependency tree, we use spring-security-core only via. spring-boot-starter-oauth2-client.
[INFO] +- org.springframework.boot:spring-boot-starter-oauth2-client:jar:2.7.6:compile
[INFO] | +- org.springframework.security:spring-security-config:jar:5.7.5:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:5.7.5:compile
I just added the spring-security-test dependency to the project, I didn't add spring-security-core itself.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>5.8.0</version>
<scope>test</scope>
</dependency>
When I get you correct it's kinda required to both add spring-security-core and spring-security-test to the project (and use the same version for both). Is this the case?
Comment From: marcusdacoregio
The way that you are overriding the dependency only changes it for spring-security-test, try adding the property to the pom.xml as I mentioned above.
It's kinda strange that you have the test dependency but not the core, what are you testing then if you do not have Spring Security itself? Don't you have the spring-boot-starter-security dependency?
Comment From: DManstrator
The way that you are overriding the dependency only changes it for
spring-security-test, try adding the property to thepom.xmlas I mentioned above.
I am aware of that but just by adding that property, it won't use spring-security-core v5.8.0 automatically either. I tested it explicitly.
As said, I don't have spring-security-core defined explicitly. I use it via. spring-boot-starter-oauth2-client which includes spring-security-core (see dependency tree above). However, the latest Spring Boot 2 version (2.7.6) provides spring-security-core in v5.7.5, not v5.8.0.
If I would use spring-boot-starter-security, it would be the very same problem since its latest version also uses spring-security-core in v5.7.5. See MVN Repository -> Compile Dependencies.
From what I see there are two possible solutions:
- Waiting for another Spring Boot update which uses spring-security-core in v5.8.0.
- Explicitly adding spring-security-core in v5.8.0.
Or do you have any other idea?
Comment From: marcusdacoregio
There is no planned Spring Boot 2.8 release. The Spring Security 5.8 version is aimed to facilitate migration to 6, therefore users have to explicitly opt for it.
I tried adding the property and it works for me:
<properties>
<spring-security.version>5.8.0</spring-security.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
See this image with the dependencies:
Can you review it and make sure you are adding the property to the right place?
Comment From: DManstrator
This does not compile for me at all without providing versions for the dependencies.
Could not find artifact org.springframework.boot:spring-boot-starter-oauth2-client:pom:unknown in ... Could not find artifact org.springframework.security:spring-security-test:pom:unknown in ...
Do you perhaps have spring boot set as the parent? That would also explain why the propertiy works.
I have the following:
<properties>
[...]
<spring-security.version>5.8.0</spring-security.version>
<spring.boot.version>2.7.6</spring.boot.version>
[...]
</properties>
[...]
<dependencies>
[...]
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
<version>${spring.boot.version}</version>
</dependency>
[...]
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>${spring-security.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
But then spring-boot-starter-oauth2-client still provides spring-security-core in v5.7.5.
Comment From: marcusdacoregio
Do you perhaps have spring boot set as the parent? That would also explain why the propertiy works.
Yes, I do. That's the problem then, you have to manage the dependencies yourself, otherwise, you are gonna have conflicts between those versions.
I am closing this as solved but feel free to continue the discussion.