I have the following in my Spring Boot application pom as per the documentation:
<dependencyManagement>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I need to use use dependencyManagement and <scope>import</scope> because I need to use a standard corporate base pom.
However, it doesn't seem possible to exclude transitive dependencies of spring-boot-dependencies. In my particular case, Spring Boot 1.2.1.RELEASE is bringing in a version of Jetty that is too new with respect to some of my other <dependencies>. I tried using an <exclusion> of the form:
<dependencyManagement>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
<!-- Doesn't work -->
<exclusions>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
using Maven 3.2.1's wildcard support, but it doesn't seem to take effect.
Is there a solution to this problem other than explicitly overriding all the Jetty dependencies? There are many Jetty libraries and that approach would be quite brittle. Furthermore, it appears I would need to do the same with Jetty's transitive dependencies as well.
According to the Spring Boot Maven Plugin 2.3.1.RELEASE documentation, to override individual dependencies, you need to add entries in the dependencyManagement section of your project before the spring-boot-dependencies entry.
<dependencyManagement>
<dependencies>
<!-- Your jetty version dependency -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
<version>${jetty.version}</version>
</dependency>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Looks like this isn't possible with Maven import scope:
The import scope can be used to include dependency management
information from a remote POM into the current project. One of the
limitations of this is that it does not allow additional excludes to
be defined for a multi module project.
Likewise, there is a confirmation from the Spring Boot documentation:
If you have added spring-boot-dependencies in your own
dependencyManagement section with <scope>import</scope> you have to
redefine the artifact yourself [...].
Related
I am following a Springboot tutorial on a website I found. The site tells us to add various dependencies to our pom.xml file. I added the web and thymeleaf dependencies through the Spring Initializr. Hwoever, I realized that I forgot to add the security dependency. When I try to edit my code and add the security dependency by typing:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.projectreactor</groupId>
<artifactId>reactor-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
You should either inherit your project from spring-boot-starter-parent:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.7.RELEASE</version>
</parent>
The parent project provides the following features:
Java 1.8 as the default compiler level.
UTF-8 source encoding.
A Dependency Management section, inherited from the spring-boot-dependencies pom, that manages the versions of common dependencies. This dependency management lets you omit <version> tags for those dependencies when used in your own pom.
An execution of the repackage goal with a repackage execution id.
Sensible resource filtering.
Sensible plugin configuration (exec plugin, Git commit ID, and shade).
Sensible resource filtering for application.properties and application.yml including profile-specific files (for example, application-dev.properties and application-dev.yml)
Or use the spring-boot-dependencies BOM:
<dependencyManagement>
<dependencies>
<dependency>
<!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.1.7.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Using the BOM is the way to go when you would not like to inherit from the spring-boot-starter-parent POM. You may have your own corporate standard parent that you need to use or you may prefer to explicitly declare all your Maven configuration. You would still keep the benefit of the dependency management, but not the plugin management.
Both solutions will allow you to omit versions of Spring dependencies.
In my pom file i have the following:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.1.2.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I use this because the project already have a parent pom.
I want to remove some of its dependencies such as:
<dependency>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
<version>6.4.3</version>
</dependency>
How do I do this?
spring-boot-dependencies does not add any dependency. It mostly consists out of a giant <dependencyManagement> block containing managed versions for several libraries. This allows you to use versions of libraries that are known to work properly with the given version of Spring boot.
That means that you no longer have to add the <version> to each dependency you define.
It also means that if you have a dependency upon elasticsearch, it certainly doesn't come from spring-boot-dependencies.
If your goal is to override one of the versions, you can, by manually adding <version> to your dependency.
Otherwise, you can usually exclude a dependency by using <exclusions>:
<dependency>
<groupId>com.xyz</groupId>
<artifactId>artifact-abc</artifactId>
<exclusions>
<exclusion>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
</exclusion>
</exclusions>
</dependency>
I have spring-boot-starter in my POM and versions are automatically resolved by Camden dependency management system.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Camden.SR6</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!-- Spring Boot -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
</dependencies>
This gives me version 1.4.3.RELEASE of spring-boot-starter.
One of the jars spring boot starter includes automatically in the maven dependencies is logback-classic: 1.1.18
ch.qos.logback_logback-core version 1.1.8 has a vulnerability because of which I want to switch over to logback version 1.2
This vulnerability is explained in the link below
https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Now, is there a way to override the logback version to 1.2 from what spring-boot-starter automatically resolves it to so that I am not exposed to this vulnerability ?
Based on your pom file, you can achieve this by excluding the dependency of 1.1.8 first then add the dependency of 1.2.0.
For example:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.0</version>
</dependency>
add properties tag in pom like this
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<start-class>org.roshan.Application</start-class>
<hibernate.version>5.2.10.Final</hibernate.version>
<liquibase.version>3.5.3</liquibase.version>
<liquibase-hibernate5.version>3.6.0</liquibase-hibernate5.version>
<httpcore.version>4.4.5</httpcore.version>
<httpclient.version>4.5.3</httpclient.version>
<docker-maven-plugin.version>0.4.13</docker-maven-plugin.version>
</properties>
I have a new project that we are doing with spring Brixton.SR1...
and Brixton.SR1 or SR5 is built on 1.3.5.RELEASE but forum says it has been tested with 1.4.0.RELEASE and thus i want to use some features of 1.4.0.
<dependencyManagement>
<dependencies>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-parent</artifactId>
<version>Brixton.SR1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
..
</dependencyManagement>
And then we are adding dependencies and are all default versions are used eg.. spring boot is 1.3.5.RELEASE, so current structure is as given below.
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
</dependency>
....
But i want to use 1.4.0 . Can i exclude 1.3.5 version and use this new version....and i dont want to overwritte this for all spring boot artifacts . eg.. as given below
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
<version>1.4.0.RELEASE</version>
</dependency>
and so on so forth..
rather want to have a common version for spring-boot artifact and which should give default versions to all spring artifacts as 1.4.0
just import spring boot's 1.4 bom and spring cloud's bom into your pom.xml:
<dependencyManagement>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.4.0.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Brixton.SR5</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I'm trying to setup an easy to maintain Maven config for my current project. The EAR with two EJB und one WAR module will be deployed to JBoss Wildfly v8.2.0.Final and I want to ease the build process by using the following dependency in my pom.xml:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.wildfly</groupId>
<artifactId>wildfly-server</artifactId>
<version>8.2.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I've thought this would allow me to use all the provided modules like EJB, CDI and the others without explicitly naming them in my modules pom.xml. But that doesn't seem to be the case. I had to add the following dependencies manually... is this really needed?
<dependencies>
<dependency>
<groupId>org.jboss.spec.javax.interceptor</groupId>
<artifactId>jboss-interceptors-api_1.2_spec</artifactId>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.faces</groupId>
<artifactId>jboss-jsf-api_2.2_spec</artifactId>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.servlet</groupId>
<artifactId>jboss-servlet-api_3.1_spec</artifactId>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.ejb</groupId>
<artifactId>jboss-ejb-api_3.2_spec</artifactId>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.el</groupId>
<artifactId>jboss-el-api_3.0_spec</artifactId>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.transaction</groupId>
<artifactId>jboss-transaction-api_1.2_spec</artifactId>
</dependency>
</dependencies>
Or is this the way it should be? How to use jars from Wildfly correctly in Maven? is not clear at this point.
What are you looking for is not usage of wildfly-server, which is artifact that is entry point for booting the server and not needed by application developers in general.
You are looking for boms that go with WildFly.
you can find all different kind of boms here https://github.com/wildfly/boms
to include all dependencies you could use
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.wildfly.bom</groupId>
<artifactId>jboss-javaee-7.0-with-all</artifactId>
<version>8.2.1.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
If you only need the Java EE API then just use the Java EE API dependency. However, you may hit issues during unit and low-level integration testing.
So the approach I use is the glassfish-embedded-all dependency which is at least the reference implementation and bundles everything up nicely for me. However, I only recommend it only for testing and needs to be before the javaee dependency.
My core dependencies in my parent pom usually looks like this
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.glassfish.main.extras</groupId>
<artifactId>glassfish-embedded-all</artifactId>
<version>4.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>7.0</version>
<scope>provided</scope>
</dependency>
</dependencies>
By using this approach I get the best of both worlds. I can run low level integration tests against a reference implementation while I ensure that when it compiles it only compiles against the standard API.
It is important you keep the glassfish-embedded-all before the API dependency otherwise the classloader will pick the API dependency first which isn't want you want during testing.