Dynamic Code Evaluation: Unsafe Deserialization (Spring Boot 2) - how to avoid actuator related fortify issue, or is it a false positive? - spring-boot-actuator

I am using the below actuator dependency
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
with spring boot 2,
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
</parent>
Any comments on the Fortify-related vulnerabilities, or is there any justification for treating the Fortify issue as a false positive?

I suspect that the issue is being raised by Fortify not because of spring-boot-starter-actuator itself but its transitive dependency on Jackson which contains a deserialization of untrusted data vulnerability. However, for an application to be vulnerable a non-default, and probably quite unusual, set of circumstances have to be true. You can learn more about those circumstances in this blog post from Jackson's author. Spring Boot's Actuator does not enable polymorphic type handling so, if the Fortify warning is due to Jackson, it is a false positive.
The vulnerability has been fixed in Jackson 2.9.7 by blocking certain classes from polymorphic deserialisation. Spring Boot 2.0.6 and 2.1.0 use Jackson 2.9.7 by default.
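To turn the answer's claim ("Actuator does not enable polymorphic type handling") into something you can assert in your own build, here is an added check; it is not code from the original answer, from Spring Boot or from Jackson. It assumes the Jackson 2.9.x API (`enableDefaultTyping`) that Boot 2.0.x ships; Jackson 2.10 replaced that method with `activateDefaultTyping` plus a `PolymorphicTypeValidator`. The JSON sample is constructed: it carries a `@class` type identifier, which is inert unless the mapper has been told to honour such identifiers.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Map;

public class DefaultTypingCheck {

    // Constructed sample input: a JSON object carrying a Jackson-style type id.
    // A mapper without default typing treats "@class" as an ordinary map key.
    static final String JSON_WITH_TYPE_ID =
            "{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}";

    /**
     * Returns true when the mapper consumed "@class" as a polymorphic type id
     * (default typing is active), false when it survived as a plain property.
     */
    static boolean honoursEmbeddedTypeIds(ObjectMapper mapper) throws Exception {
        Object value = mapper.readValue(JSON_WITH_TYPE_ID, Object.class);
        return value instanceof Map && !((Map<?, ?>) value).containsKey("@class");
    }

    public static void main(String[] args) throws Exception {
        // Jackson's (and Spring Boot's) default: no polymorphic default typing.
        ObjectMapper safe = new ObjectMapper();

        // What an application would have to do explicitly to become exposed.
        // Jackson 2.9 API, deprecated in 2.10 in favour of activateDefaultTyping(...)
        // with a PolymorphicTypeValidator.
        ObjectMapper opened = new ObjectMapper();
        opened.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.PROPERTY);

        System.out.println("default mapper honours type ids: "
                + honoursEmbeddedTypeIds(safe));
        System.out.println("mapper with default typing honours type ids: "
                + honoursEmbeddedTypeIds(opened));

        // The guard you would keep in a test: fail if the mapper resolves type ids.
        if (honoursEmbeddedTypeIds(safe)) {
            throw new IllegalStateException(
                    "ObjectMapper has polymorphic default typing enabled");
        }
    }
}
```

In a Spring Boot test you would autowire the Boot-managed `ObjectMapper` and run `honoursEmbeddedTypeIds` against it; if that ever returns true, some configuration in the application (not Actuator) has enabled default typing, and the Fortify finding is no longer a false positive for that application.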

Related

Vaadin 22 with Spring MVC and Spring Security

I am trying to get a basic Vaadin 22 app running with Spring MVC and Spring Security. The Vaadin docs seem to suggest that this is possible:
If an application is based on Spring Boot, this mechanism can be enabled by using a set of annotations and with minimum Spring Security configurations. However, it is also possible to use it in Vaadin Spring applications that are not based on Spring Boot, with some extra configurations.
I have started with skeleton-starter-flow v22, forked to here and added basic Spring integration (see here). I have then attempted to add Spring Security.
I initially extended Vaadin's VaadinWebSecurityConfigurerAdapter (see here), but when I run the app it fails because there are missing autowired dependencies.
Next, I forced some component scanning to detect the missing dependencies (see here), but now there is a ClassNotFoundException because there is a dependency on the Spring Boot class ServletRegistrationBean.
Finally, I abandoned Vaadin's VaadinWebSecurityConfigurerAdapter and instead extended Spring's WebSecurityConfigurerAdapter (see here). Now the app runs, but I am not seeing the default login screen that Spring is supposed to provide by default.
Any assistance greatly appreciated.
Note: The app can be run using,
mvn jetty:run
So it seems that Vaadin's VaadinWebSecurityConfigurerAdapter is intended for use with Spring Boot (which I'm trying to avoid). In order to get basic Spring Security working, I extended Spring's WebSecurityConfigurerAdapter instead, but I was missing an implementation of Spring's AbstractSecurityWebApplicationInitializer which registers the appropriate security filter. See here for the working solution.
The problem with this is that I will not get Vaadin's View-Based Access Control. To get this, I will need to start using/migrating functionality from VaadinWebSecurityConfigurerAdapter.
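The missing piece described in the answer, an `AbstractSecurityWebApplicationInitializer` that registers the security filter, looks like the following in a Servlet 3.0+ application without Spring Boot. This is an added example, not the author's linked solution and not Vaadin's code; it assumes Spring Security 5.x (the `{noop}` password prefix) and a constructed in-memory user for a local run.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Registers the "springSecurityFilterChain" filter with the servlet container.
 * Without an initializer like this (or the equivalent web.xml entry) the
 * security configuration is loaded but never applied to any request, which is
 * why no login page ever appears.
 */
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebInitializer() {
        // Pass configuration classes here only if no other WebApplicationInitializer
        // already creates the root WebApplicationContext; otherwise call the no-arg
        // constructor and import SecurityConfig from the existing root context.
        super(SecurityConfig.class);
    }

    @Configuration
    @EnableWebSecurity
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .formLogin(); // Spring's generated login page at /login
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Constructed demo user for a local run; replace with a real UserDetailsService.
            auth.inMemoryAuthentication()
                .withUser("user").password("{noop}change-me").roles("USER");
        }
    }
}
```

With this in place, `mvn jetty:run` and a request to `/` should redirect to `/login`. Note that this plain configuration does not yet permit Vaadin's internal requests or static resources, which is part of what `VaadinWebSecurityConfigurerAdapter` does for you; a Vaadin UI behind it will need those rules added, which is the migration the answer refers to.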

spring-cloud-stream-binder-kafka should depend on the core spring-kafka for common functionality

I searched inside spring-kafka for interactive query support and did not find it.
On the other hand, I found such a service in spring-cloud-stream-binder-kafka.
In the end, spring-cloud-stream-binder-kafka should depend on the core spring-kafka and not the opposite.
Please note I know it is easy to write such a service, but my concern is about two things:
a) why does this feature not exist in spring-kafka core?
b) why are the common features not inherited from spring-kafka core?
kafka-streams is an optional dependency in spring-kafka because not everybody wants it. Just add the jar to your dependencies.

Spring Boot Servlet 4 support

Which version of Spring Boot will (or does) officially support Servlet 4 spec? Where can one see the new features that come with it documented?
Thank you.
Spring Framework 5 supports the Servlet 4 spec (see SPR-12674).
Not a lot of new features related to that, really. You can now inject a PushBuilder as a controller method argument if it is available (HTTP/2 enabled, supported by the client, etc).
Note that you need to use a Servlet 4 based container to use those features (see SPR-15593), or you'll need to fall back on container specific APIs which have been available for quite a while now.
Spring Framework does the job here, so there isn't anything special scheduled for now in Spring Boot 2.0; don't hesitate to open enhancement requests on the dedicated issue tracker if you've got ideas.
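As an added illustration of the one feature mentioned in the answer (not code from the original thread or from the Spring project), this controller injects `PushBuilder` as a method argument. It assumes Spring Framework 5.0+ on a Servlet 4 container; the important caveat is that the argument is `null` whenever HTTP/2 push is not available for the request, so it must be checked before use.

```java
import javax.servlet.http.PushBuilder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class PushController {

    /**
     * Spring MVC resolves the PushBuilder from the current request. Per the
     * Servlet 4 specification it is null when the connection is not HTTP/2 or
     * the client has disabled push, so a null check is mandatory.
     */
    @GetMapping("/page")
    public String page(PushBuilder pushBuilder) {
        if (pushBuilder != null) {
            // Hypothetical asset path used for illustration only.
            pushBuilder.path("/static/app.css").push();
        }
        return "page"; // view name, rendered as usual whether or not push happened
    }
}
```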

Are Quartz and the Spring scheduler different?

I am not sure whether I am asking the correct question or not.
Are Quartz (org.springframework.scheduling.quartz) and the Spring scheduler (org.springframework.core.task.TaskExecutor) different?
Yes, they are different.
TaskExecutor is a Spring abstraction, while Quartz is an implementation of the Spring abstraction using Quartz Scheduler.
See more details in the Spring documentation:
http://docs.spring.io/spring/docs/4.0.0.RELEASE/spring-framework-reference/htmlsingle/#scheduling

Annotation based user retrieval Spring security

I was looking for the proper way to retrieve the active/logged-in user. I use Spring Security 3.1 with the same version of Spring MVC.
The whole idea is based on this topic, which was discussed further in the article:
#ActiveUser annotation from the article
I completely followed the instructions but I still get this kind of error:
No default constructor found; nested exception is java.lang.NoSuchMethodException: org.springframework.security.core.userdetails.User.<init>()]
In my applicationContext.xml I have these three annotations, which were not directly proposed by the author of
<context:annotation-config />
<context:component-scan base-package="my.package.*" />
<mvc:annotation-driven />
What could cause this kind of problem?
After hours of searching on the internet I found out how I should solve the problem. As it might be useful for others, I offer the solution.
This kind of problem has a different solution in Spring 3.1 (which I use) than in Spring 3.0 (for which the mentioned tutorial was meant). A great article about the problem was presented here: enter link description here
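The answer's link is dead on this page, so here is an added example of the Spring MVC 3.1 approach that avoids the "No default constructor found" error: instead of letting the framework bind `User` as a model attribute, a `HandlerMethodArgumentResolver` supplies the authenticated principal for parameters carrying a custom annotation. This is not the article's code; the `ActiveUser` annotation name, the `ActiveUserArgumentResolver` class and the package are assumptions for illustration, and it assumes Spring MVC 3.1 (`mvc:argument-resolvers`) with Spring Security 3.1.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.core.MethodParameter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.support.WebDataBinderFactory;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.ModelAndViewContainer;

/**
 * Resolves controller parameters annotated with @ActiveUser from the current
 * SecurityContext. Because the parameter is handled here, Spring MVC never tries
 * to instantiate User via a default constructor.
 */
public class ActiveUserArgumentResolver implements HandlerMethodArgumentResolver {

    /** Hypothetical marker annotation, e.g. home(@ActiveUser User user). */
    @Target(ElementType.PARAMETER)
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    public @interface ActiveUser {
    }

    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.hasParameterAnnotation(ActiveUser.class);
    }

    @Override
    public Object resolveArgument(MethodParameter parameter,
                                  ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest,
                                  WebDataBinderFactory binderFactory) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return null; // anonymous request: the controller sees null, not an exception
        }
        Object principal = auth.getPrincipal();
        // Only hand back the principal when it matches the declared parameter type
        // (e.g. User); a String principal such as "anonymousUser" yields null.
        return parameter.getParameterType().isInstance(principal) ? principal : null;
    }
}

/*
 * Registration in applicationContext.xml for Spring MVC 3.1, replacing the bare
 * <mvc:annotation-driven /> element (package name is assumed):
 *
 * <mvc:annotation-driven>
 *     <mvc:argument-resolvers>
 *         <bean class="my.package.ActiveUserArgumentResolver" />
 *     </mvc:argument-resolvers>
 * </mvc:annotation-driven>
 */
```

Controllers then declare `public String home(@ActiveUser User user)` and receive the authenticated `org.springframework.security.core.userdetails.User` (or `null` when nobody is logged in) without any binding taking place.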
