vaadin jsoup security alert - maven

In a recent security alert, referenced here, I see there might be security concerns with Vaadin 7 because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I thought about just including jsoup directly in my project. Before, it was included indirectly via vaadin-server; now it is included directly, and the version vaadin-server references is "omitted for conflict with 1.14.2". Is this a safe way to address this security concern?
I am using Vaadin 7.7.17 and maven.
I ask largely because Vaadin did not offer this as a possible solution, so I assumed it would fail. But since Maven is showing no error, I am worried I am missing something that will only show up as some strange runtime behavior.
Here is the dependency tree built via mvn dependency:tree. First of all, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] |  |  +- org.w3c.css:sac:jar:1.3:compile
[INFO] |  |  \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] |  \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] |  \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] |     \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
And now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] |  |  +- org.w3c.css:sac:jar:1.3:compile
[INFO] |  |  \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] |  \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] |  \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] |     \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------

Just noting here: there is no actual problem in Vaadin 7 itself that would be affected by the potential Jsoup vulnerability in question. The dependency was updated to a newer version mainly to get application developers to use the newer version. The newer version of Jsoup had some API changes that needed small code changes in Vaadin 7. If your application does not use Jsoup in a way that exposes the vulnerability, then the upgrade is not absolutely mandatory. Also a reminder that Vaadin 7 versions newer than 7.7.17 require a commercial license for extended support.
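Whether the direct declaration really won on every path is something mvn dependency:tree -Dverbose prints rather than something a clean build proves: the older copy appears as (org.jsoup:jsoup:jar:1.8.3:compile - omitted for conflict with 1.14.2) and the one occurrence without parentheses is the jar that goes into WEB-INF/lib. The script below is an added example, not code from the question or from Vaadin. It parses that verbose output, separates the effective occurrence of org.jsoup:jsoup from the omitted ones, and fails if the effective version is below a minimum or if the artifact is missing altogether. The two trees it runs on are constructed from the question's output written in verbose form, and the plain numeric version comparison is an assumption (Maven's own ComparableVersion also orders qualifiers such as -SNAPSHOT or .Final).

```python
"""Read `mvn dependency:tree -Dverbose` output and report which version of an
artifact actually won Maven's conflict resolution.

Added example for this thread; not code from the question or from Vaadin.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Node(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str
    # Reason text Maven prints in verbose mode, e.g. "omitted for conflict with 1.14.2"
    # or "omitted for duplicate"; None for the node that is really on the classpath.
    omitted: Optional[str]


# A verbose tree line looks like one of:
#   [INFO] |  \- org.jsoup:jsoup:jar:1.14.2:compile
#   [INFO] |  \- (org.jsoup:jsoup:jar:1.8.3:compile - omitted for conflict with 1.14.2)
#   [INFO] \- org.jsoup:jsoup:jar:1.14.2:compile (version managed from 1.8.3)
# Coordinates are groupId:artifactId:type[:classifier]:version:scope.
_LINE = re.compile(
    r"""^\[INFO\]\s*[|\\+\-\s]*\(?\s*
        (?P<coords>[\w.\-]+:[\w.\-]+:[\w\-]+(?::[\w.\-]+)?:[\w.\-]+:\w+)
        (?:\s*-\s*(?P<omitted>omitted\sfor\s[^)]*))?""",
    re.VERBOSE,
)


def parse_tree(text: str) -> List[Node]:
    nodes: List[Node] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # build banner, root project line, "Building ..." and similar
        parts = m.group("coords").split(":")
        # version and scope are always the last two fields, with or without a classifier
        nodes.append(Node(parts[0], parts[1], parts[-2], parts[-1], m.group("omitted")))
    return nodes


def _version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (assumption for this example; Maven's
    ComparableVersion also orders qualifiers like -SNAPSHOT or .Final)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit(tree_text: str, group: str, artifact: str, minimum: str) -> Dict[str, object]:
    """Every occurrence of group:artifact, split into the version(s) Maven kept and the
    ones it dropped, plus a verdict. A reactor build prints one tree per module, so
    several versions can be effective at once; the verdict is good only if all of them
    meet `minimum`, and bad if the artifact is not on the classpath at all (the pin did
    not land where you think it did)."""
    hits = [n for n in parse_tree(tree_text) if n.group == group and n.artifact == artifact]
    effective = [n.version for n in hits if n.omitted is None]
    omitted = [(n.version, n.omitted) for n in hits if n.omitted is not None]
    ok = bool(effective) and all(_version_key(v) >= _version_key(minimum) for v in effective)
    return {"effective": effective, "omitted": omitted, "ok": ok}


# Constructed samples: the question's two trees, written the way -Dverbose prints them.
TREE_PINNED = r"""
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] |  \- (org.jsoup:jsoup:jar:1.8.3:compile - omitted for conflict with 1.14.2)
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
"""

TREE_UNPINNED = r"""
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] |  \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] \- com.vaadin:vaadin-push:jar:7.7.17:compile
"""

if __name__ == "__main__":
    # In a real project: mvn dependency:tree -Dverbose -Dincludes=org.jsoup:jsoup > tree.txt
    for name, text in (("pinned", TREE_PINNED), ("unpinned", TREE_UNPINNED)):
        print(name, audit(text, "org.jsoup", "jsoup", "1.14.2"))
```

Declaring the version under dependencyManagement instead of as a direct dependency gives the same override on every transitive path without relying on nearest-wins mediation, and shows up in the verbose tree as "(version managed from 1.8.3)". Either way, run the check in CI and also confirm that the built WAR carries only jsoup-1.14.2.jar in WEB-INF/lib.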

Related

Maven dependencies are not available in the code

I have imported a Maven project into IntelliJ IDEA. Everything seems fine, but no dependencies are found.
I have already tried reimporting the project and restarting IntelliJ. The mvn dependency:tree command shows all the dependencies available in the pom.
mvn dependency:tree
[INFO] Scanning for projects...
[INFO] gitflow-incremental-builder is disabled.
[INFO]
[INFO] ---------------------< com.baeldung:cascade-type >----------------------
[INFO] Building cascade-type 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ cascade-type ---
[INFO] com.baeldung:cascade-type:jar:1.0.0-SNAPSHOT
[INFO] +- org.hibernate:hibernate-core:jar:5.3.7.Final:compile
[INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] | +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] | +- org.javassist:javassist:jar:3.23.1-GA:compile
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.8.17:compile
[INFO] | +- antlr:antlr:jar:2.7.7:compile
[INFO] | +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.1.1.Final:compile
[INFO] | +- org.jboss:jandex:jar:2.0.5.Final:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.4:compile
[INFO] | +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] | +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] | \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.4.Final:compile
[INFO] +- org.assertj:assertj-core:jar:3.8.0:test
[INFO] +- com.h2database:h2:jar:1.4.197:compile
[INFO] +- org.hibernate:hibernate-validator:jar:5.3.3.Final:compile
[INFO] | \- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] +- javax.el:javax.el-api:jar:2.2.5:compile
[INFO] +- org.glassfish:javax.el:jar:3.0.1-b08:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.1.7:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.21:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.4.2:test
[INFO] | +- org.apiguardian:apiguardian-api:jar:1.0.0:test
[INFO] | \- org.junit.platform:junit-platform-engine:jar:1.4.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.4.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.4.2:test
[INFO] | +- org.opentest4j:opentest4j:jar:1.1.1:test
[INFO] | \- org.junit.platform:junit-platform-commons:jar:1.4.2:test
[INFO] +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test
[INFO] +- org.mockito:mockito-core:jar:2.21.0:test
[INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.8.15:test
[INFO] | \- org.objenesis:objenesis:jar:2.6:test
[INFO] \- org.apache.maven.surefire:surefire-logger-api:jar:2.22.0:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.583 s
[INFO] Finished at: 2019-05-25T13:52:34+02:00
I am not able to use any classes from any of the dependencies. Any help would be appreciated.

Maven module has different versions of the same library

Good day!
I have a Maven multi-module project containing war, jar and ear modules. When I try to start a local Tomcat (web module exploded), I get the following error:
Possible root causes include a too low setting for -Xss and illegal
cyclic inheritance dependencies. The class hierarchy being processed
was
[org.bouncycastle.asn1.ASN1EncodableVector->org.bouncycastle.asn1.DEREncodableVector->org.bouncycastle.asn1.ASN1EncodableVector]
I have read this question Avoid cyclic reference inheritance in grails
and found two versions of the jar: org.bouncycastle:bcprov-jdk15on:jar and org.bouncycastle:bcprov-jdk14:jar
but still cannot understand how to solve the issue.
Thank you in advance!
tor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ desktop-app ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building arm-data-entry 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehaus.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ arm-data-entry ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building sea-print 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehaus.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ sea-print ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building setup-docs 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehaus.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ setup-docs ---
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building pdf-cuter 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehaus.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ pdf-cuter ---
[INFO] ru.my-company.ea.old:pdf-cuter:jar:1.0.30-SNAPSHOT
[INFO] \- org.icepdf.os:icepdf-core:jar:6.1.2:compile
[INFO]    +- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO]    +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.54:compile
[INFO]    \- org.bouncycastle:bcpkix-jdk15on:jar:1.54:compile
[INFO]       \- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for duplicate)
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building sea-web 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ sea-web ---
[INFO] ru.my-company.ea.old:sea-web:war:1.0.30-SNAPSHOT
[INFO] +- ru.my-company.ea.old:pdf-cuter:jar:1.0.30-SNAPSHOT:compile
[INFO] |  \- org.icepdf.os:icepdf-core:jar:6.1.2:compile
[INFO] |     +- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] |     +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.54:compile
[INFO] |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.54:compile
[INFO] |        \- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for duplicate)
[INFO] \- net.sf.jasperreports:jasperreports:jar:4.7.1:compile
[INFO]    \- com.lowagie:itext:jar:2.1.7:compile
[INFO]       \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO]          +- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO]          \- org.bouncycastle:bcmail-jdk14:jar:1.38:compile
[INFO]             \- (org.bouncycastle:bcprov-jdk14:jar:1.38:compile - omitted for duplicate)
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building the-ear 1.0.30-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] Failed to retrieve plugin descriptor for org.codehaus.mojo:gwt-maven-plugin:${gwt.version}: Plugin org.codehaus.mojo:gwt-maven-plugin:${gwt.version} or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:gwt-maven-plugin:jar:${gwt.version}
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ the-ear ---
[INFO] ru.my-company.ea.old:the-ear:ear:1.0.30-SNAPSHOT
[INFO] \- net.sf.jasperreports:jasperreports:jar:4.7.1:compile
[INFO]    \- com.lowagie:itext:jar:2.1.7:compile
[INFO]       \- org.bouncycastle:bctsp-jdk14:jar:1.38:compile
[INFO]          +- org.bouncycastle:bcprov-jdk14:jar:1.38:compile
[INFO]          \- org.bouncycastle:bcmail-jdk14:jar:1.38:compile
[INFO]             \- (org.bouncycastle:bcprov-jdk14:jar:1.38:compile - omitted for duplicate)
[INFO] ------------------------------------------------------------------------
........
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.698 s
[INFO] Finished at: 2018-09-07T11:26:32+05:00
[INFO] Final Memory: 21M/226M
[INFO] ------------------------------------------------------------------------
D:\Projects\sea-eclipse>

Maven dependency:tree is not showing all transitive dependencies

I have trouble understanding the behaviour of the dependency:tree output. When running the plugin on a higher module, I am missing vital information from modules it depends on. But when I run the plugin on the lower module I can see the dependencies. Here is an example to show the problem (names changed):
mvn -pl foo:bar-application dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-application 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ bar-application ---
[INFO] foo:bar-application:ear:0.0.1-SNAPSHOT
[INFO] +- foo:bar-business:ejb:0.0.1-SNAPSHOT:compile
[INFO] | +- foo:common-util:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:bar-web:war:0.0.1-SNAPSHOT:compile
[INFO] \- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] ------------------------------------------------------------------------
The tree shows a dependency on bar-web, but only one further dependency from bar-web to other projects (common-logging).
But bar-web has far more dependencies:
mvn -pl foo:bar-web dependency:tree -Dincludes=foo:*
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building bar-web 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ bar-web ---
[INFO] foo:bar-web:war:0.0.1-SNAPSHOT
[INFO] +- foo:common-logging:jar:0.0.1-SNAPSHOT:compile
[INFO] +- foo:culprit-business-client:jar:0.0.1-SNAPSHOT:compile
...
[INFO] +- foo:common-rest:jar:0.0.1-SNAPSHOT:compile
[INFO] |  \- foo:config-business-client:jar:0.0.1-SNAPSHOT:compile
[INFO] \- foo:bar-business:jar:0.0.1-SNAPSHOT:provided
[INFO]    \- foo:some-client:jar:0.0.1-SNAPSHOT:provided
[INFO] ------------------------------------------------------------------------
Why are the other dependencies not shown when inspecting bar-application? It took me a while of searching to find the culprit.
I'm using
mvn --version
Apache Maven 3.0.5
mvn dependency:tree
shows you the effective dependencies, as in where your actual dependencies come from.
mvn dependency:tree -Dverbose
will show you all transitive dependencies, including the reason why they are excluded.
A WAR includes its dependencies inside the archive, that's why Maven does not propagate them transitively to other artifacts depending on the WAR artifact.

Standalone Spring app (jar) conflicting with other web apps on WebLogic 10

I have a standalone Spring app that contains mainly AspectJ aspects and a few other Spring-managed beans, bundled in a jar with the maven-assembly plugin with all the Spring dependencies inside the jar, and added to the WebLogic classpath.
The goal is to have the aspects inside the library woven into all the running applications inside WebLogic at run time using the AspectJ agent.
The problem is that when I add my jar file to the classpath and restart the server, I get a ClassNotFoundException when the existing web app is deployed.
I know it is not a case of a jar file missing from the lib folder, since the app deploys fine without my jar file on the classpath.
Note: I also get a ClassNotFoundException when I just drop the Spring jar files in the domain/lib folder.
Can you shed some light on why the running applications are impacted by my Spring-based library?
Please see the stack trace below. I'm pretty sure javax.validation.ValidatorFactory is in the validation-api jar inside the WEB-INF\lib folder, as I only get this exception when I add my custom jar file to the WebLogic classpath.
Caused By: org.springframework.beans.factory.CannotLoadBeanClassException: Error loading class [org.springframework.validation.beanvalidation.LocalValidatorFactoryBean] for bean with name 'jsr303Validator' defined in ServletContext resource [/WEB-INF/config/webmvc-config.xml]: problem with class file or dependent class; nested exception is java.lang.NoClassDefFoundError: javax/validation/ValidatorFactory
at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1272)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:578)
at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1338)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:356)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:335)
at org.springframework.beans.factory.BeanFactoryUtils.beanNamesForTypeIncludingAncestors(BeanFactoryUtils.java:187)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:895)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:853)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:768)
at org.s
Caused By: java.lang.ClassNotFoundException: javax.validation.ValidatorFactory
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(ClassLoader.java:631)
at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
at java
Here is the dependency tree of my WAR file.
[INFO] [dependency:tree {execution: default-cli}]
[INFO] com.company.project:eCom4jWeb:war:1.0.0-SNAPSHOT
[INFO] +- com.company.project:eCom4jCore:jar:1.0.0-SNAPSHOT:compile
[INFO] | +- org.springframework:spring-jdbc:jar:3.1.2.RELEASE:compile
[INFO] | +- org.hsqldb:com.springsource.org.hsqldb:jar:1.8.0.9:runtime
[INFO] | +- mysql:mysql-connector-java:jar:5.1.9:compile
[INFO] | +- org.hibernate:com.springsource.org.hibernate:jar:3.3.2.GA:compile
[INFO] | | +- net.sourceforge.cglib:com.springsource.net.sf.cglib:jar:2.2.0:compile
[INFO] | | +- org.antlr:com.springsource.antlr:jar:2.7.6:compile
[INFO] | | +- org.apache.commons:com.springsource.org.apache.commons.collections:jar:3.2.1:compile
[INFO] | | +- org.dom4j:com.springsource.org.dom4j:jar:1.6.1:compile
[INFO] | | +- org.jboss.javassist:com.springsource.javassist:jar:3.9.0.GA:compile
[INFO] | | \- org.objectweb.asm:com.springsource.org.objectweb.asm:jar:1.5.3:compile
[INFO] | +- org.hibernate:com.springsource.org.hibernate.annotations:jar:3.4.0.GA:compile
[INFO] | | \- org.hibernate:com.springsource.org.hibernate.annotations.common:jar:3.3.0.ga:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:4.2.0.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.0.0.GA:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] | +- javax.transaction:com.springsource.javax.transaction:jar:1.1.0:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] | +- net.sf.dozer:dozer:jar:5.3.1:compile
[INFO] | \- org.apache.xmlbeans:xmlbeans:jar:2.4.0:runtime
[INFO] | \- stax:stax-api:jar:1.0.1:runtime
[INFO] +- com.company.project:eCom4jWS:jar:1.0.0-SNAPSHOT:compile
[INFO] | +- com.company.project:eCom4jRemixDomain:jar:1.0.0-SNAPSHOT:compile
[INFO] | | \- org.jvnet.jaxb2_commons:jaxb2-basics-runtime:jar:0.6.2:compile
[INFO] | \- org.springframework:spring-oxm:jar:3.1.2.RELEASE:compile
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.springframework.security:spring-security-web:jar:3.1.2.RELEASE:compile
[INFO] | \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.springframework.security:spring-security-taglibs:jar:3.1.2.RELEASE:compile
[INFO] | \- org.springframework.security:spring-security-acl:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:3.1.2.RELEASE:compile
[INFO] | +- org.springframework:spring-asm:jar:3.1.2.RELEASE:compile
[INFO] | \- org.springframework:spring-context-support:jar:3.1.2.RELEASE:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:provided
[INFO] +- org.springframework:spring-beans:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework.webflow:spring-binding:jar:2.2.1.RELEASE:compile
[INFO] +- org.springframework.webflow:spring-js:jar:2.2.1.RELEASE:compile
[INFO] | \- org.springframework.webflow:spring-js-resources:jar:2.2.1.RELEASE:compile
[INFO] +- org.springframework.webflow:spring-webflow:jar:2.2.1.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-core:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-tx:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-web:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-aop:jar:3.1.2.RELEASE:compile
[INFO] +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] +- org.springframework:spring-core:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-orm:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:3.1.2.RELEASE:compile
[INFO] +- javax.el:el-api:jar:1.0:provided
[INFO] +- org.jboss.el:com.springsource.org.jboss.el:jar:2.0.0.GA:compile
[INFO] +- org.apache.tiles:tiles-core:jar:2.1.4:compile
[INFO] | +- commons-digester:commons-digester:jar:1.8.1:compile
[INFO] | \- commons-logging:commons-logging-api:jar:1.1:compile
[INFO] +- org.apache.tiles:tiles-jsp:jar:2.1.4:compile
[INFO] +- org.apache.tiles:tiles-api:jar:2.1.4:compile
[INFO] +- org.apache.tiles:tiles-servlet:jar:2.1.4:compile
[INFO] +- org.springframework:spring-test:jar:3.1.2.RELEASE:test
[INFO] +- org.springframework:spring-expression:jar:3.1.2.RELEASE:compile
[INFO] +- org.springframework:spring-test-mvc:jar:1.0.0.BUILD-SNAPSHOT:test
[INFO] +- org.powermock:powermock-module-junit4:jar:1.4.12:test
[INFO] | \- org.powermock:powermock-module-junit4-common:jar:1.4.12:test
[INFO] | +- org.powermock:powermock-core:jar:1.4.12:test
[INFO] | | \- org.javassist:javassist:jar:3.16.1-GA:test
[INFO] | \- org.powermock:powermock-reflect:jar:1.4.12:test
[INFO] +- org.powermock:powermock-api-easymock:jar:1.4.12:test
[INFO] | \- org.powermock:powermock-api-support:jar:1.4.12:test
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.5.3:compile
[INFO] | \- org.codehaus.jackson:jackson-core-asl:jar:1.5.3:compile
[INFO] +- com.jayway.jsonpath:json-path:jar:0.8.1:test
[INFO] | \- net.minidev:json-smart:jar:1.1.1:test
[INFO] +- org.aspectj:com.springsource.org.aspectj.weaver:jar:1.6.8.RELEASE:compile
[INFO] +- org.slf4j:com.springsource.slf4j.api:jar:1.5.6:compile
[INFO] +- org.slf4j:com.springsource.slf4j.org.apache.commons.logging:jar:1.5.6:runtime
[INFO] +- org.slf4j:com.springsource.slf4j.log4j:jar:1.5.6:runtime
[INFO] +- org.apache.log4j:com.springsource.org.apache.log4j:jar:1.2.15:compile
[INFO] +- org.apache.commons:com.springsource.org.apache.commons.dbcp:jar:1.2.2.osgi:runtime
[INFO] +- org.apache.commons:com.springsource.org.apache.commons.pool:jar:1.5.3:runtime
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:compile
[INFO] +- junit:junit:jar:4.8.1:test (scope not updated to compile)
[INFO] +- org.easymock:easymock:jar:3.1:test
[INFO] | +- cglib:cglib-nodep:jar:2.2.2:test
[INFO] | \- org.objenesis:objenesis:jar:1.2:test
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- org.apache.struts:struts2-core:jar:2.2.1:compile
[INFO] | +- org.apache.struts.xwork:xwork-core:jar:2.2.1:compile
[INFO] | +- org.freemarker:freemarker:jar:2.3.16:compile
[INFO] | +- ognl:ognl:jar:3.0:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.2.1:compile
[INFO] | +- commons-io:commons-io:jar:1.3.2:compile
[INFO] | \- com.sun:tools:jar:1.5.0:system
[INFO] +- org.apache.struts:struts2-tiles-plugin:jar:2.2.1:compile
[INFO] +- org.apache.struts:struts2-spring-plugin:jar:2.2.1:compile
[INFO] +- javax.mail:mail:jar:1.4:compile
[INFO] | \- javax.activation:activation:jar:1.1:compile
[INFO] \- net.tanesha.recaptcha4j:recaptcha4j:jar:0.0.7:compile
[INFO] -------
Thanks
If you are using Maven to build your jar, try building your jar file with the dependencies embedded and test it; the link below can help you do so:
How can I create an executable JAR with dependencies using Maven?
The dependency tree shows:
two versions of commons-logging: 1.1 and 1.1.1
two versions of slf4j: 1.5.6 and 1.6.1
javax.transaction has scope compile instead of provided
various versions of Hibernate artifacts from different sources:
org.hibernate:com.springsource.org.hibernate:jar:3.3.2.GA:compile
org.hibernate:com.springsource.org.hibernate.annotations:jar:3.4.0.GA:compile
org.hibernate:hibernate-validator:jar:4.2.0.Final:compile
As the ClassLoader loads resources without any determined or predefined order, adding a jar file may have changed this order, and class conflicts are now visible - either inside the EAR/WAR itself or between the application server and the application.
It is not obvious to pinpoint the conflict source with the information provided, but it is probably org.hibernate:hibernate-validator, and you should align its version with the core package, so 3.3.2.GA from com.springsource too.
To get a clear diagnostic, run the WebLogic JVM with the -verbose:class option and look at the stderr output. The last resources loaded before the failure and the log of previously loaded related classes are the best clues to eliminate such a conflict created by packaging.
If the conflict comes from an application server package and you cannot align to that same version, WebLogic allows you to set class loading filtering by package to force your own version to be loaded. Please refer to the section Using a Filtering Classloader in the class loading documentation.
It sounds like Jar Hell... If you have different versions of the same jar, your container only loads the first one... Now imagine it loads version 5 of jar 1 and version 2 of the dependent jar 2 (but the correct one was version 5 too)... and you can get a big crash in your system... To prevent it, some containers just don't load any version, and give messages like ClassNotFoundException.
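This thread and the BouncyCastle question above are the same failure seen from two sides. Maven only mediates versions of one groupId:artifactId, so bcprov-jdk14 beside bcprov-jdk15on, or commons-logging beside commons-logging-api, is never a conflict to it: both jars are packaged, and the class loader takes whichever copy of each class it finds first. The cyclic hierarchy ASN1EncodableVector -> DEREncodableVector -> ASN1EncodableVector in the Tomcat error is exactly what you get when those two classes are loaded from two BouncyCastle releases that disagree on which one extends the other. -verbose:class shows this after the fact; the script below, an added example and not code from any of the posts, finds it before deployment by listing every class that more than one jar in a lib directory provides. The jars it scans here are constructed (empty entries named after the conflicts in the two trees), and their file names are assumptions.

```python
"""List the classes that more than one jar on a classpath provides.

Added example for this thread and for the BouncyCastle question above; not code
from any of the posts. Maven only mediates versions of one groupId:artifactId, so
two artifacts that ship the same packages under different coordinates both get
packaged, and the class loader picks the first copy of each class it finds.
"""
import os
import sys
import tempfile
import zipfile
from collections import defaultdict
from typing import Dict, Iterable, List, Set


def classes_in_jar(jar_path: str) -> Set[str]:
    """Fully qualified names of the classes in one jar (META-INF/ and module-info skipped)."""
    names: Set[str] = set()
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class") or entry.startswith("META-INF/") or entry == "module-info.class":
                continue
            names.add(entry[: -len(".class")].replace("/", "."))
    return names


def duplicate_classes(jar_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Class name -> sorted jar basenames, for every class that two or more jars provide."""
    providers: Dict[str, List[str]] = defaultdict(list)
    for path in jar_paths:
        for cls in classes_in_jar(path):
            providers[cls].append(os.path.basename(path))
    return {cls: sorted(jars) for cls, jars in providers.items() if len(jars) > 1}


def conflicts_by_package(dups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Collapse per-class duplicates to package -> jars; the package is what you act on
    (exclude or ban the jar that should not be there)."""
    by_pkg: Dict[str, Set[str]] = defaultdict(set)
    for cls, jars in dups.items():
        by_pkg[cls.rsplit(".", 1)[0]].update(jars)
    return {pkg: sorted(jars) for pkg, jars in sorted(by_pkg.items())}


def scan_lib_dirs(lib_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Scan one or more jar directories together, e.g. WEB-INF/lib plus the server's
    domain/lib, since a class duplicated between parent and child loader is the case
    the filtering-classloader advice above is about."""
    jars = [os.path.join(d, f) for d in lib_dirs for f in sorted(os.listdir(d)) if f.endswith(".jar")]
    return conflicts_by_package(duplicate_classes(jars))


# Constructed sample: jar names and entries mirror the two trees on this page, but the
# class files are empty placeholders; only the entry names matter to the scan.
SAMPLE_JARS = {
    "bcprov-jdk14-1.38.jar": ["org/bouncycastle/asn1/ASN1EncodableVector.class",
                              "org/bouncycastle/asn1/DEREncodableVector.class"],
    "bcprov-jdk15on-1.54.jar": ["org/bouncycastle/asn1/ASN1EncodableVector.class",
                                "org/bouncycastle/asn1/DEREncodableVector.class",
                                "org/bouncycastle/asn1/ASN1Primitive.class"],
    "commons-logging-1.1.1.jar": ["org/apache/commons/logging/Log.class",
                                  "org/apache/commons/logging/impl/Log4JLogger.class"],
    "commons-logging-api-1.1.jar": ["org/apache/commons/logging/Log.class"],
    "jsoup-1.14.2.jar": ["org/jsoup/Jsoup.class", "META-INF/MANIFEST.MF"],
}


def build_sample_lib(lib_dir: str) -> None:
    os.makedirs(lib_dir, exist_ok=True)
    for jar_name, entries in SAMPLE_JARS.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")


def demo() -> Dict[str, List[str]]:
    """Build the constructed sample in a temporary directory and scan it."""
    lib = os.path.join(tempfile.mkdtemp(prefix="dupscan-"), "lib")
    build_sample_lib(lib)
    return scan_lib_dirs([lib])


if __name__ == "__main__":
    # e.g. python dup_classes.py target/mywebapp/WEB-INF/lib /path/to/domain/lib
    report = scan_lib_dirs(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for pkg, jars in report.items():
        print(f"{pkg}: {', '.join(jars)}")
```

Point it at the exploded WAR's WEB-INF/lib, and at the server's domain/lib as well when the suspicion is a parent/child loader overlap. For the BouncyCastle tree the report names bcprov-jdk14 and bcprov-jdk15on for org.bouncycastle.asn1; the fix is to keep one release on the classpath, for instance an exclusion of the -jdk14 artifacts under com.lowagie:itext if your code path through iText does not need them, backed by a maven-enforcer-plugin bannedDependencies rule for those coordinates so a later dependency cannot reintroduce them and the build fails instead of the class loader.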

Maven Modelling Notation

Is there a generally-accepted notation to allow a representation of dependencies, inheritance and module aggregation for Maven Projects?
I haven't spent a lot of time looking, but nothing had immediately jumped out at me.
I've seen the notation used in Sonatype's Complete Reference (e.g. Figure 3.5. Enterprise Multi-module vs. Inheritance), but would prefer something that doesn't rely on colour to convey semantics.
I've been using UML-like syntax which shows a project "aggregating" (diamond symbol) the projects listed in its <modules> section, UML inheritance for parent-child relationships and a broken line with an arrow to show dependency.
Are there better ideas out there?
For dependency diagrams, the convention is to use the output of dependency:tree
i.e.
[user:maven-test]$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building maven-test 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ maven-test ---
[INFO] maven-test:maven-test:jar:1.0
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- com.sun.jersey:jersey-json:jar:1.9.1:compile
[INFO] |  +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |  |  \- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  |     \- javax.activation:activation:jar:1.1:compile
[INFO] | +- org.codehaus.jackson:jackson-core-asl:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-mapper-asl:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO] | +- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO] | \- com.sun.jersey:jersey-core:jar:1.9.1:compile
[INFO] +- com.sun.jersey:jersey-server:jar:1.14:compile
[INFO] | \- asm:asm:jar:3.1:compile
[INFO] \- com.sun.jersey:jersey-client:jar:1.14:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
It turns out that this plugin can output to a visual graph.
See: Maven Dependency Plugin - Output type.
If you are using IntelliJ IDEA, it has a built in Maven dependency graph as well.
