-
Notifications
You must be signed in to change notification settings - Fork 6.1k
http://www.springframework.org/schema/security/spring-security.xsd is gone!? #8104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
This seems to break startup of all our applications. That is something we need to investigate, but could the XSD maybe be fixed urgently in the meantime? |
Apparently this was already fixed in #7623, so only Spring Security 5.2.0 and 5.2.1 are broken in this regard. |
I confirm that it breaks build of all our applications too. |
I took the liberty to add that file back in our schemas (linking to the latest available schema) for now. |
we had the same problem with: |
My apologies for the hiccup - there's a step in our release process that's easy to miss. I'll leave this ticket open to investigate the possibility of simplifying that step. @qeepcologne will you please confirm that you can reach the @FelixJongleur42, @tadamczak, and @MikeN123 are you able to reach |
Yes, works for us now. Will also be upgrading to Spring Sec 5.2.2. soon to make sure it uses the XSD in the JAR. |
This issue has broken us because we rely on getting the xsd files from your Internet location. Whoever put it back after deleting it changed the definition of the password-encoder element. It is different than the xsd's for 5.2 and 5.3 that are in https://github.com/spring-projects/spring-security/blob/master/config/src/main/resources/org/springframework/security/config/spring-security-5.2.xsd. Where did this come from and is this they type of thing we can expect in the future? |
thanks, the file (http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd) is downloadable. |
Why was the password-encoder definition changed in http://www.springframework.org/schema/security/spring-security.xsd? |
This is the XML fragment that started failing after last night's schema fiasco.
Any thoughts as to why? Have we been misusing it all this time? Thanks |
Just my two cents, but as an interim solution it may be better to put up an non versioned file that is more backwards compatible not to break any applications that depend on it during runtime? Probably even the 4.0? (Well, the one that was up two days ago) |
@dc-oe good questions, and sorry to hear about the trouble you are having. The If you are pointing to the hosted version of If you are dependent on a specific hosted version of the XSD, e.g. |
Thanks. Here is what happened. When we updated to 5.2, from 4.x, we went with the versionless schema. However, we used http: instead of https: and didn’t realize this was causing us to retrieve the schemas from the Internet. It also caused us to miss this change in our XML.
This just so happened on the day we were making our go/no go decision on releasing this version. Final testing in India noticed when the schemas went missing, and then we noticed when the updated schema went up. Due to this glitch, we caught something before our customers did, so it actually was a bit of luck that this happened.
Dave
From: Josh Cummings <[email protected]>
Sent: Friday, March 13, 2020 8:04 PM
To: spring-projects/spring-security <[email protected]>
Cc: David Cleary <[email protected]>; Mention <[email protected]>
Subject: Re: [spring-projects/spring-security] http://www.springframework.org/schema/security/spring-security.xsd is gone!? (#8104)
@dc-oe<https://github.com/dc-oe> good questions, and sorry to hear about the trouble you are having.
The spring-security.xsd hosted at springframework.org was stale, being symlinked to a 4.x version. During the release, the symlink was removed, but it's now correctly pointing to the latest 5.x version of the XSD. Since it's a major version change, there may be some non-passive changes.
If you are pointing to the web version of spring-security.xsd, that's effectively stating that you are okay with getting the latest version of the XSD. It sounds like that's not actually what you are wanting.
If you are dependent on a specific version of the XSD, e.g. spring-security-4.2.xsd, it would be best to specify that in your application.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#8104 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AI473R7LMQT3LJ7LPW2ZDXDRHLCYJANCNFSM4LGGT33Q>.
|
@dc-oe Glad to hear that it worked out, and that you got the benefit of moving to |
I've created spring-gradle-plugins/spring-build-conventions#81 so that Spring Security can ensure the |
As a result of #8091 !?
The text was updated successfully, but these errors were encountered: