spring-security.xsd removed #2803

Open
pgneogeo opened this issue Feb 23, 2023 · 2 comments

@pgneogeo

Context

Describe the bug

How to reproduce

Here is my docker-compose.yml

---
  version: "2.4"
  services:
    print01:
      image: camptocamp/mapfish_print:3.29
      restart: always

Actual results

The container can not start.

11:27:28.510 [localhost-startStop-1] WARN  o.s.b.f.xml.XmlBeanDefinitionReader - Ignored XML validation warning
org.xml.sax.SAXParseException: schema_reference.4: Failed to read schema document 'http://www.springframework.org/schema/security/spring-security.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
[…]
11:27:28.614 [localhost-startStop-1] ERROR o.s.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 15 in XML document from class path resource [mapfish-spring-security.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 15; columnNumber: 40; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http-firewall'.

Workaround
I just found that http://www.springframework.org/schema/security/spring-security.xsd does not exist anymore.
Cf. https://web.archive.org/web/20230218090058/http://www.springframework.org/schema/security/
It existed on 2023-02-18 and was at that time identical to spring-security-5.7.xsd
But on startup, it failed, asking for 5.2.

My solution was to mount a modified version of /mapfish-spring-security.xml to point to an existing xsd version :

---
  version: "2.4"
  services:
    print01:
      image: camptocamp/mapfish_print:3.29
      restart: always
      volumes:
        - ./mapfish-spring-security.xml:/usr/local/tomcat/webapps/ROOT/WEB-INF/classes/mapfish-spring-security.xml:ro

And the mapfish-spring-security.xml I put is identical to core/src/main/resources/mapfish-spring-security.xml with the version set to 5.2 :

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://www.springframework.org/schema/security"
             xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.2.xsd">

    <!-- needed to allow double slashes in the URLs -->
    <beans:bean id="httpFirewall" class="org.springframework.security.web.firewall.DefaultHttpFirewall">
        <beans:property name="allowUrlEncodedSlash" value="true"/>
    </beans:bean>

    <http-firewall ref="httpFirewall"/>

    <http use-expressions="true">
        <!-- in order to get a challenge (for capabilities for example) you need to use the print/sec/* urls -->
        <csrf disabled="true"/>
        <intercept-url pattern="/sec/print/**" requires-channel="https" access="isAuthenticated()"/>
        <intercept-url pattern="/**" access="permitAll()"/>
        <http-basic/>
        <anonymous/>
    </http>

    <!--
        This authentication manager is not authenticating anything.
        See https://docs.spring.io/spring-security/site/docs/5.1.3.RELEASE/reference/htmlsingle/#ns-config
        for some help
    -->
    <beans:bean name="org.springframework.security.authenticationManager"
                class="org.mapfish.print.servlet.NoOpAuthenticationManager"/>
</beans:beans>

Maybe instead of pointing to distant files, those xsd files could be integrated in the solution.
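
Added example, not part of the issue or of the project's code: Spring resolves `xsi:schemaLocation` URLs through `META-INF/spring.schemas` mappings on the classpath and only falls back to fetching the URL when no mapping matches, so a build-time check can list the schema URLs that would depend on a remote host. The sample XML, the sample mapping file (including its right-hand resource paths) and the function names are constructed for illustration; only the `key=value` form of the properties file is handled.

```python
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: root element referencing the unversioned XSD named in the log.
ORIGINAL_XML = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
  <http-firewall ref="httpFirewall"/>
</beans:beans>"""

# Same file with the workaround applied (schema version pinned to 5.2).
PINNED_XML = ORIGINAL_XML.replace("spring-security.xsd", "spring-security-5.2.xsd")

# Constructed META-INF/spring.schemas content (assumption: what the jars on the classpath map).
SAMPLE_SCHEMAS = r"""
# url=classpath resource; ':' in the key is escaped as '\:'
http\://www.springframework.org/schema/beans/spring-beans.xsd=org/springframework/beans/factory/xml/spring-beans.xsd
http\://www.springframework.org/schema/security/spring-security-5.2.xsd=org/springframework/security/config/spring-security-5.2.xsd
"""

def schema_locations(xml_text):
    """Return (namespace, xsd_url) pairs from the root element's xsi:schemaLocation."""
    root = ET.fromstring(xml_text)
    tokens = root.attrib.get("{%s}schemaLocation" % XSI_NS, "").split()
    return list(zip(tokens[0::2], tokens[1::2]))

def parse_spring_schemas(text):
    """Parse spring.schemas lines into {xsd_url: classpath_resource}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("\\:", ":").partition("=")
        mapping[key.strip()] = value.strip()
    return mapping

def remote_only_schemas(xml_text, schemas_text):
    """XSD URLs with no local mapping, i.e. the ones that need a network fetch."""
    local = parse_spring_schemas(schemas_text)
    return [url for _, url in schema_locations(xml_text) if url not in local]

if __name__ == "__main__":
    print("original:", remote_only_schemas(ORIGINAL_XML, SAMPLE_SCHEMAS))
    print("pinned:  ", remote_only_schemas(PINNED_XML, SAMPLE_SCHEMAS))
```

Against a real deployment, the mapping text would be the concatenation of every `META-INF/spring.schemas` found in the jars under `WEB-INF/lib`; an empty result means XML validation at startup does not depend on a remote host being reachable.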

@sbrunner
Member

I succeeded in reproducing only with the really old 3.22 version :-(
Did I miss something?

@pgneogeo
Author

We were indeed on 3.22 but upgraded to 3.29 for our tests and to be able to open an up-to-date ticket.
We still have the problem with the latest docker image.

I have not validated the version of mapfish print used in the image, but the image was that one : https://hub.docker.com/layers/camptocamp/mapfish_print/3.29/images/sha256-64f57772e48915437e1525b462cadd9faf39fe5f2d111dc327aa31ea40462c2b?context=explore

Note : if I pass the latest mapfish-spring-security.xml in any XML validator tool, it fails too, for example I used this one : https://www.freeformatter.com/xml-validator-xsd.html
