Description
Obviously, the schemaLocation URLs required for XML config files were changed to https:// in 5.2.0 and http:// definitions are no longer resolved locally, but are loaded from the internet. This fails ofc if the server has no internet connection.
Actual Behavior
As described above. We had an issue with a customer complaining that our Spring Security-based web app didn't start anymore after upgrading to Spring Security 5.2. The server had no internet connection. The logs contained long stack traces mentioning springframework.org could not be found, among a lot of other validation issues because of a missing XSD file. The only change we had made was altering the Spring Security version from 5.1.6 to 5.2. Apparently, that led Spring to make remote resolution attempts now. Reverting back to 5.1.6 temporarily solved the issue, so our configuration was not at fault.
Looking further into that issue, I checked this file which IMHO contains the mappings for the URLs that are intercepted for local resolution:
As you can see, the top 2 entries contain https:// URLs now. In our code, we had the definitions that have worked for years and still do, except for machines without internet access (boilerplate XML prolog omitted here):
xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
Due to the new https:// mapping, the last URL gets resolved remotely, as local resolution fails.
Changing the last entry to
https://www.springframework.org/schema/security/spring-security.xsd">
(mind the 's') made things work again \o/. I didn't find anything in the documentation, but deem this to be a pitfall that's hard to overcome. Did cost us a day to find out.
Expected Behavior
If possible, the resolver should also intercept URLs with classic http:// mappings, as that's what is to be found in legacy code all over the world.
Configuration
See above, XML config ofc. I'm obviously hindered from posting the entire config file for, well, security and compliance reasons :-)
Version
Spring Security 5.2.0.RELEASE. The affected subproject is spring-security-config.
Sample
see above.
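
A pre-deployment check for the pitfall reported above, as an added example that is not code from the reporter or from the Spring Security project: it lists every xsi:schemaLocation URL in a config file that has no entry in a schema mapping file and would therefore be fetched over the network at startup. It assumes the mapping file uses the Java-properties format of Spring's META-INF/spring.schemas; the function names, the sample mapping entries and their classpath targets are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSI_SCHEMA_LOCATION = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"

# Constructed sample of a schema mapping file; classpath targets are placeholders.
SAMPLE_MAPPINGS = r"""
http\://www.springframework.org/schema/beans/spring-beans.xsd=placeholder/spring-beans.xsd
https\://www.springframework.org/schema/security/spring-security.xsd=placeholder/spring-security.xsd
"""

# Constructed config that uses the schemaLocation value quoted in the report.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"/>
"""

def parse_schema_mappings(text):
    """Return {schema URL: classpath resource} from properties-style lines."""
    mappings = {}
    for line in text.splitlines():
        # Split on the first '=' that is not escaped with a backslash.
        parts = re.split(r"(?<!\\)=", line.strip(), maxsplit=1)
        if len(parts) == 2 and not parts[0].startswith(("#", "!")):
            key = re.sub(r"\\(.)", r"\1", parts[0].strip())  # "\:" becomes ":"
            mappings[key] = parts[1].strip()
    return mappings

def schema_locations(xml_text):
    """Yield the location half of every namespace/location pair in the config."""
    for element in ET.fromstring(xml_text).iter():
        tokens = element.get(XSI_SCHEMA_LOCATION, "").split()
        yield from tokens[1::2]

def unmapped_locations(xml_text, mappings_text):
    """List (location, mapped_alternative) for URLs with no local mapping."""
    mappings = parse_schema_mappings(mappings_text)
    findings = []
    for location in schema_locations(xml_text):
        if location in mappings:
            continue
        # Check whether the same URL with the other scheme is mapped locally.
        scheme, _, rest = location.partition("://")
        swapped = {"http": "https", "https": "http"}.get(scheme)
        alternative = f"{swapped}://{rest}" if swapped else None
        findings.append((location, alternative if alternative in mappings else None))
    return findings
```

Calling unmapped_locations(SAMPLE_CONFIG, SAMPLE_MAPPINGS) returns the http:// spring-security.xsd location together with its https:// variant, which is the change described in the report.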