Recently, a scan flagged the project for the Spring Framework path traversal vulnerability (CVE-2024-38816). The customer asked for remediation, and I found that springboot2 would need to be upgraded to 5.3.40. However, springboot2 does not seem likely to get that upgrade soon, and it may never get it, so I decided to upgrade directly to springboot3. I had expected to stay on jdk8 forever, but springboot3 does not support jdk8, so that streak is going to be broken. I used the weekend to do an upgrade test and recorded it as follows:
The following are the modifications I made when upgrading from springboot2 to springboot3. They are for reference only; your project may not use everything below, so apply the parts that are relevant to you.
Main modifications
jdk upgrade
According to the requirements of springboot3, upgrade to jdk17 or jdk21. I am upgrading to jdk17 here.
spring-boot-starter-parent
spring-boot-starter-parent dependency version upgrade
Before upgrading
<parent>
    <groupId></groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.18</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
After upgrading
<parent>
    <groupId></groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.4.0</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
Change the JDK source and target level in the compiler plugin from 1.8 to 17 or 21
Before modification
<build>
    <plugins>
        <plugin>
            <groupId></groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <configuration>
                <source>1.8</source>
                <target>1.8</target>
            </configuration>
        </plugin>
    </plugins>
</build>
After modification
<build>
    <plugins>
        <plugin>
            <groupId></groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <configuration>
                <source>17</source>
                <target>17</target>
            </configuration>
        </plugin>
    </plugins>
</build>
The .* related class cannot be found, and the dependency needs to be switched to
<!-- start -->
<dependency>
    <groupId></groupId>
    <artifactId>-api</artifactId>
</dependency>
<!-- end -->
Also, modify all .* to .*
In addition, the validation-related classes need the same change: modify .* to .*
mybatis-plus-boot-starter upgrade
mybatis-plus-boot-starter needs to be upgraded. If it is not upgraded, startup may report: Invalid value type for attribute ‘factoryBeanObjectType’: , so the dependency has to be upgraded.
Upgrade to mybatis-plus-spring-boot3-starter; I'm using 3.5.5
<!-- mybatis-plus start-->
<dependency>
    <groupId></groupId>
    <artifactId>mybatis-plus-spring-boot3-starter</artifactId>
    <version>3.5.5</version>
</dependency>
<!-- mybatis-plus end-->
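A quick way to confirm that a pom.xml has picked up the Maven changes described so far (parent version, compiler level, MyBatis-Plus starter). This is an added example, not part of the original post; the sample pom.xml, including its groupId values, is constructed, and check_pom and java_level are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # default Maven POM namespace

# Constructed sample: a pom.xml still carrying the pre-upgrade values.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.18</version>
  </parent>
  <dependencies><dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
  </dependency></dependencies>
  <build><plugins><plugin>
    <artifactId>maven-compiler-plugin</artifactId>
    <configuration><source>1.8</source><target>1.8</target></configuration>
  </plugin></plugins></build>
</project>"""


def java_level(text):
    """Map '1.8' to 8 and '17' to 17; return None for ${property} references."""
    parts = text.strip().split(".")
    level = parts[1] if parts[0] == "1" and len(parts) > 1 else parts[0]
    return int(level) if level.isdigit() else None


def check_pom(pom_xml):
    """Return the migration items from this post that the pom.xml still misses."""
    root, issues = ET.fromstring(pom_xml), []
    parent = root.find("m:parent", NS)
    if parent is not None and parent.findtext("m:artifactId", "", NS) == "spring-boot-starter-parent":
        major = parent.findtext("m:version", "", NS).split(".")[0]
        if major.isdigit() and int(major) < 3:
            issues.append("parent: spring-boot-starter-parent is still below 3.x")
    for plugin in root.iterfind(".//m:plugin", NS):
        if plugin.findtext("m:artifactId", "", NS) != "maven-compiler-plugin":
            continue
        for tag in ("source", "target"):
            level = java_level(plugin.findtext(f"m:configuration/m:{tag}", "", NS))
            if level is not None and level < 17:
                issues.append(f"compiler {tag}: Java {level} is below 17")
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", "", NS) == "mybatis-plus-boot-starter":
            issues.append("mybatis-plus-boot-starter: use mybatis-plus-spring-boot3-starter")
    return issues

print("\n".join(check_pom(SAMPLE_POM)))
```

The check matches on artifactId only and assumes the pom declares the standard Maven namespace; versions given as ${property} references are skipped rather than guessed.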
Redis modification
Need to add "data" to the configuration
Redis configuration needs to be modified: from the original. to .
After the modification, I restarted and found the following error:
Unable to make field private final byte[] accessible: module does not “opens ” to unnamed module @2bbaf4f0
The reason is that the Redisson version was relatively old; I had no problem after upgrading it
Previous version: <>3.12.5</>
Upgraded version: <>3.40.2</>
Swagger upgrade to springboot3
<>2.7.0</>
<!-- swagger3 start -->
<dependency>
    <groupId></groupId>
    <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
    <version>${}</version>
</dependency>
<!-- swagger3 end -->
With Swagger3, access to both the UI and the API docs is enabled by default. Once the dependency above is introduced, they can be reached at the following addresses (assuming the port is 8080 and the context-path is /test):
http://localhost:8080/test/swagger-ui/
http://localhost:8080/test/v3/api-docs
Note: If they need to be disabled in the production environment, use the following configuration to disable the UI and api-docs respectively.
springdoc:
  swagger-ui:
    enabled: false
  api-docs:
    enabled: false
Other modification reference
If Alibaba Druid data source is used, it is best to upgrade to a new version
I'm upgrading from 1.2.12 version of druid to 1.2.24
Note: I configure Alibaba Druid monitoring programmatically (in code), so the implementation classes of WebStatFilter and StatViewServlet need to be modified. If you do not configure it in code, you can ignore this step.
import ;
import ;
import ;

// Be careful not to forget to add the @ServletComponentScan annotation on , otherwise it will be 404.
@WebFilter(
    filterName = "druidWebStatFilter",
    urlPatterns = "/*",
    initParams = {
        // Ignore resources
        @WebInitParam(name = "exclusions", value = ",.html,.js,.gif,.jpg,.png,.css,.ico,/druid/*")
    })
public class DruidStatFilter extends WebStatFilter {
}
import ;
import ;
import ;

// Be careful not to forget to add the @ServletComponentScan annotation on , otherwise it will be 404.
@WebServlet(urlPatterns = "/druid/*",
    initParams = {
        @WebInitParam(name = "allow", value = ""), // IP whitelist (no configuration or empty, all access is allowed)
        @WebInitParam(name = "deny", value = ""), // IP blacklist (deny takes precedence over allow when there is a common one)
        @WebInitParam(name = "loginUsername", value = "admin"), // username
        @WebInitParam(name = "loginPassword", value = "123456"), // password
        @WebInitParam(name = "resetEnable", value = "true") // Enable the "Reset All" function on HTML pages
    })
public class DruidStatViewServlet extends StatViewServlet {
    private static final long serialVersionUID = -2688872071445249539L;
}
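The StatViewServlet settings above decide who can reach the /druid/* console, so they are worth checking before the upgraded build ships. The following audit is an added example, not code from the original post: it parses the @WebInitParam values out of Java source text, and the sample source, the weak-password list and the function names are constructed for illustration.

```python
import re

# Constructed sample: the StatViewServlet annotation values shown in this post.
SAMPLE_SERVLET = '''
@WebServlet(urlPatterns="/druid/*",
    initParams={
        @WebInitParam(name="allow",value=""),
        @WebInitParam(name="deny",value=""),
        @WebInitParam(name="loginUsername",value="admin"),
        @WebInitParam(name="loginPassword",value="123456"),
        @WebInitParam(name="resetEnable",value="true")
    })
public class DruidStatViewServlet extends StatViewServlet { }
'''

# Matches @WebInitParam(name = "...", value = "...") with optional whitespace.
INIT_PARAM = re.compile(
    r'@WebInitParam\(\s*name\s*=\s*"([^"]*)"\s*,\s*value\s*=\s*"([^"]*)"\s*\)')

# Hypothetical short list of guessable passwords, for illustration only.
WEAK_PASSWORDS = {"", "123456", "admin", "password", "druid"}


def parse_init_params(java_source):
    """Return {name: value} for every @WebInitParam in the source text."""
    return dict(INIT_PARAM.findall(java_source))


def audit_druid_console(java_source):
    """Return a list of findings for the Druid StatViewServlet settings."""
    params = parse_init_params(java_source)
    findings = []
    if not params.get("allow", "").strip():
        findings.append("allow is empty: the console accepts any client IP")
    if "loginUsername" not in params or "loginPassword" not in params:
        findings.append("no login configured: the console is unauthenticated")
    elif params["loginPassword"] in WEAK_PASSWORDS:
        findings.append("loginPassword is a guessable value hardcoded in source")
    if params.get("resetEnable", "").lower() == "true":
        findings.append('resetEnable is true: "Reset All" is active on the HTML pages')
    return findings


if __name__ == "__main__":
    for finding in audit_druid_console(SAMPLE_SERVLET):
        print("[!]", finding)
```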
LocalVariableTableParameterNameDiscoverer class not found
This class is not available in springboot3, so it needs to be modified to