http://www.springframework.org/schema/security/spring-security.xsd is gone!? #8104

Closed
FelixJongleur42 opened this issue Mar 12, 2020 · 16 comments
Labels
in: config An issue in spring-security-config

Comments

@FelixJongleur42

As a result of #8091 !?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 12, 2020
@MikeN123
Contributor

This seems to break startup of all our applications. That is something we need to investigate, but could the XSD maybe be fixed urgently in the meantime?

@MikeN123
Contributor

Apparently this was already fixed in #7623, so only Spring Security 5.2.0 and 5.2.1 are broken in this regard.

@tadamczak

I confirm that it breaks the build of all our applications too.

@bclozel
Member

bclozel commented Mar 12, 2020

I took the liberty to add that file back in our schemas (linking to the latest available schema) for now.
I'll let the Spring Security team handle specifics for this issue.
Thanks

@qeepcologne

qeepcologne commented Mar 12, 2020

We had the same problem with:
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
and had to host the file on our own website as an emergency hotfix - there is no https version, and I cannot find the file via directory listing @ http://www.springframework.org/schema/
We use spring-security 5.3.0.RELEASE + spring-security-oauth2 2.4.0.RELEASE.

@jzheaux jzheaux self-assigned this Mar 12, 2020
@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 12, 2020
@jzheaux
Contributor

jzheaux commented Mar 12, 2020

My apologies for the hiccup - there's a step in our release process that's easy to miss. I'll leave this ticket open to investigate the possibility of simplifying that step.

@qeepcologne will you please confirm that you can reach the spring-security-oauth2-2.0.xsd now?

@FelixJongleur42, @tadamczak, and @MikeN123 are you able to reach spring-security.xsd?

@MikeN123
Contributor

Yes, works for us now. Will also be upgrading to Spring Sec 5.2.2 soon to make sure it uses the XSD in the JAR.

@dc-oe

dc-oe commented Mar 12, 2020

This issue has broken us because we rely on getting the xsd files from your Internet location. Whoever put it back after deleting it changed the definition of the password-encoder element. It is different than the xsd's for 5.2 and 5.3 that are in https://github.com/spring-projects/spring-security/blob/master/config/src/main/resources/org/springframework/security/config/spring-security-5.2.xsd. Where did this come from and is this the type of thing we can expect in the future?

@qeepcologne

Thanks, the file (http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd) is downloadable.

@dc-oe

dc-oe commented Mar 12, 2020

Why was the password-encoder definition changed in http://www.springframework.org/schema/security/spring-security.xsd?

@dc-oe

dc-oe commented Mar 12, 2020

This is the XML fragment that started failing after last night's schema fiasco.

    <authentication-provider>
        <password-encoder ref="sha256passwordEncoder">
            <salt-source user-property="username" />
        </password-encoder>
    </authentication-provider>

Any thoughts as to why? Have we been misusing it all this time?

Thanks

@FelixJongleur42
Author

Just my two cents, but as an interim solution it may be better to put up a non-versioned file that is more backwards compatible, so as not to break any applications that depend on it during runtime? Probably even the 4.0? (Well, the one that was up two days ago)

@jzheaux
Contributor

jzheaux commented Mar 14, 2020

@dc-oe good questions, and sorry to hear about the trouble you are having.

The spring-security.xsd hosted at springframework.org was stale, being symlinked to a 4.x version. During the release, the symlink was removed, but it's now correctly pointing to the latest 5.x version of the XSD. Since it's a major version change, there may be some non-passive changes.

If you are pointing to the hosted version of spring-security.xsd, that's effectively stating that you are okay with getting the latest version of the XSD. It sounds like that's not actually what you are wanting.

If you are dependent on a specific hosted version of the XSD, e.g. spring-security-4.2.xsd, it would be best to specify that in your application.
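
The pinning advice in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of Spring Security's own code: it audits a Spring XML configuration for Spring Security schema locations that are unversioned or use plain http. The function name, finding labels and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSI_ATTR = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
# Pinned files end in a version, e.g. spring-security-4.2.xsd
VERSIONED = re.compile(r"-\d+\.\d+\.xsd$")

def audit_schema_locations(xml_text):
    """Return (location, finding) pairs for risky Spring Security schema locations."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tokens = elem.get(XSI_ATTR, "").split()
        # xsi:schemaLocation is a whitespace-separated list of namespace/location pairs
        for _namespace, location in zip(tokens[0::2], tokens[1::2]):
            if "/schema/security/" not in location:
                continue  # only the schemas discussed in this thread
            if not VERSIONED.search(location):
                # Unversioned file: tracks whatever the host currently serves
                findings.append((location, "unversioned"))
            if location.startswith("http://"):
                findings.append((location, "plain-http"))
    return findings

# Constructed sample: the unversioned reference that broke in this thread
UNPINNED = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    https://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd"/>"""

# Constructed sample: the same file pinned to a specific version over https
PINNED = UNPINNED.replace(
    "http://www.springframework.org/schema/security/spring-security.xsd",
    "https://www.springframework.org/schema/security/spring-security-4.2.xsd")

if __name__ == "__main__":
    for location, finding in audit_schema_locations(UNPINNED):
        print(f"{location}: {finding}")
    print("pinned findings:", audit_schema_locations(PINNED))
```
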

@dc-oe

dc-oe commented Mar 15, 2020 via email

@jzheaux
Contributor

jzheaux commented Mar 17, 2020

@dc-oe Glad to hear that it worked out, and that you got the benefit of moving to https:// for it.

@jzheaux
Contributor

jzheaux commented Mar 17, 2020

I've created spring-gradle-plugins/spring-build-conventions#81 so that Spring Security can ensure the spring-security-oauth schema files are in the correct place.
