Unable to deploy Spring Boot Application 3.1.5 into Tomcat 10.1.14 with JDK 17.0.8 (Spring Security 6.1.5). I got this error:
2023-11-17T11:47:01.223+02:00 WARN 903 --- [alina-utility-1] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0: Error creating bean with name 'filterChain' defined in class path resource [com/example/project/authentication/config/SecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'filterChain' threw exception with message: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
When I downgraded the Spring Boot version to 3.1.1 (Spring Security 6.1.1), the deployment succeeded with the same code and security configuration.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        final AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.userDetailsService(myUserDetailsService).passwordEncoder(encoder());
        final AuthenticationManager authenticationManager = authenticationManagerBuilder.build();
        http
            .csrf((csrf) -> csrf.disable())
            .cors(cors -> withDefaults())
            .authorizeHttpRequests((authorizeHttpRequests) ->
                authorizeHttpRequests
                    .requestMatchers("api/v2/dashboard/**").hasRole("USER")
                    .anyRequest().permitAll()
            )
            .formLogin(withDefaults())
            .authenticationManager(authenticationManager)
            .exceptionHandling((exceptionHandling) ->
                exceptionHandling
                    .accessDeniedHandler(jwtAccessDeniedHandler).authenticationEntryPoint(jwtAuthenticationEntryPoint))
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
Comment From: wilkinsona
This is due to changes made in Spring Security to address CVE-2023-34035 and is out of Spring Boot's control. If reading the mitigation section of the CVE does not help, please open a Spring Security issue.
Comment From: Ugleethyn
Thanks for the fast answer. Post added in Spring Security's repo. (Already read CVE-2023-34035.)
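
Added example, not part of the thread and not Spring Security's own code: the explicit-matcher form that the error message above asks for, so each authorization rule states whether its pattern is a Spring MVC path or a plain servlet path. It assumes the dashboard API is a Spring MVC controller; the class name and the `/legacy/**` path are hypothetical, the leading `/` on the dashboard pattern is added here, and the reporter's CSRF, CORS, JWT filter and authentication-manager settings are left out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
public class ExplicitMatcherSecurityConfiguration { // hypothetical class name

    // Builds matchers that resolve request paths the same way Spring MVC does,
    // so the rule and the DispatcherServlet agree on what a path means.
    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        return new MvcRequestMatcher.Builder(introspector);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Assumption: the dashboard API is served by a Spring MVC controller.
                .requestMatchers(mvc.pattern("/api/v2/dashboard/**")).hasRole("USER")
                // Hypothetical endpoint handled by a servlet other than the
                // DispatcherServlet: matched on the raw path with an Ant pattern.
                .requestMatchers(antMatcher("/legacy/**")).hasRole("USER")
                .anyRequest().permitAll())
            .formLogin(withDefaults());
        return http.build();
    }
}
```

Because both calls pass `RequestMatcher` instances instead of bare strings, Spring Security no longer has to guess the pattern type when the servlet container registers more than one servlet.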