Since spring-security 5.8.5, org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher uses the org.springframework.web.util.pattern.PathPatternParser.initFullPathPattern method, which was introduced in spring-web 5.3.29. However, spring-boot 2.7.13 is pinned (through spring-boot-starter-web or spring-boot-starter-webflux) to spring-web 5.3.28.

Trying to run spring-boot 2.7.13 with spring-security 5.8.5 results in the following:

```
***************************
APPLICATION FAILED TO START
***************************

Description:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

    org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher.parse(PathPatternParserServerWebExchangeMatcher.java:71)

The following method did not exist:

    'java.lang.String org.springframework.web.util.pattern.PathPatternParser.initFullPathPattern(java.lang.String)'

The calling method's class, org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher, was loaded from the following location:

    jar:file:/C:/user/.m2/repository/org/springframework/security/spring-security-web/5.8.5/spring-security-web-5.8.5.jar!/org/springframework/security/web/server/util/matcher/PathPatternParserServerWebExchangeMatcher.class

The called method's class, org.springframework.web.util.pattern.PathPatternParser, is available from the following locations:

    jar:file:/C:/user/.m2/repository/org/springframework/spring-web/5.3.28/spring-web-5.3.28.jar!/org/springframework/web/util/pattern/PathPatternParser.class

The called method's class hierarchy was loaded from the following locations:

    org.springframework.web.util.pattern.PathPatternParser: file:/C:/user/.m2/repository/org/springframework/spring-web/5.3.28/spring-web-5.3.28.jar
```

The workaround for me is to either use spring-security version 5.8.4 or force the use of spring-web version 5.3.29.

Comment From: marcusdacoregio

Hi @ldrag, thanks for the report.

That version contains a fix for a CVE which needs Spring Framework 5.3.29. Spring Boot 2.7.14, which includes the updated versions, will be released this Thursday. As a workaround, you can override the Spring Framework version until Spring Boot 2.7.14 is released, as you are doing with Spring Security.
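
The override described in the comment above, written out as an added example that is not part of the original thread. It assumes a Maven build that inherits from spring-boot-starter-parent; the `com.example:demo` coordinates and the choice of starters are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.13</version>
    <relativePath/>
  </parent>

  <!-- Constructed coordinates, used only for this example -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Override already in place in the report: pulls in the release with the CVE fix -->
    <spring-security.version>5.8.5</spring-security.version>
    <!-- Missing piece: Boot 2.7.13 pins spring-web to 5.3.28, which lacks
         PathPatternParser.initFullPathPattern. Raise the whole framework
         together so all Spring Framework modules stay on one version. -->
    <spring-framework.version>5.3.29</spring-framework.version>
    <!-- Remove both overrides after moving the parent to Boot 2.7.14. -->
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-webflux</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=org.springframework:spring-web` afterwards should show spring-web resolved at 5.3.29. These property overrides only take effect when the Boot parent POM is inherited; a build that imports spring-boot-dependencies as a BOM instead has to manage the Spring Framework version explicitly ahead of that import.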