excluding log4j from third party jar in pom - spring

I am creating a webservice which hits existing business code.
The required jar which deals with logging is org.ops4j.pax.logging.
I have include this in the pom
<dependency>
<groupId>org.ops4j.pax.logging</groupId>
<artifactId>pax-logging-api</artifactId>
<version>1.6.0</version>
</dependency>
This jar allows access to a particular log4j method which is used throughout the business layer
LOGGER.debug(object, object);
One of the other required jars is a third party jar.
This jar contains a different version of log4j which does not implement the debug(object, object) method.
When I add this jar to the pom, the JVM finds the log4j classes in this third party jar first and the code falls over.
I have tried to exclude the log4j in the third party jar but to no avail.
<dependency>
<groupId>...</groupId>
<artifactId>...</artifactId>
<version>...</version>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
Any thoughts?

This is the correct answer from https://www.baeldung.com/slf4j-classpath-multiple-bindings
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>

Sometimes log4j-core also shows up even after excluding log4j.Below configurations worked for me.
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
</exclusions>

Related

Can't use hbase-shaded-client jar because of its internal dependency to log4j-1.2.17(CVE-2019-1757)

Is there a way to exclude it.I did give it a try but got ClassNotFoundException: org.apache.log4j.Level
I do see that hbase-shaded-client do have slf4j dependency so there might be a way to exclude log4j and use slf4j but I'm not able to.
Yes, you can exclude log4j, but you must add back in log4j-over-slf4j.
<dependency>
<groupId>org.apache.hbase</groupId>
<artifactId>hbase-client</artifactId>
<version>[some version]</version>
<exclusions>
<exclusion>
<artifactId>log4j</artifactId>
<groupId>log4j</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>log4j-over-slf4j</artifactId>
<version>[some version]</version>
</dependency>

Where to get the exclusion items in Spring Boot Starter Packages

I'm using Spring initializr to have the necessary package and downloading. Once I download, there are changes that I'm making in the pom.xml like excluding packages like slf4j, logging (when i plan to use log4j2) and excluding tomcat when trying to deploy into standalone server.
I don't know what are the other items that are capable to exclude. Is there any documentation like which package contains additional artifacts? Trying to avoid certain jars while packaging so that I think I can reduce the package(jar/war) size.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-batch</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.seleniumhq.selenium</groupId>
<artifactId>selenium-java</artifactId>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
All spring boot starter packages can be found here:
https://github.com/spring-projects/spring-boot/tree/master/spring-boot-project/spring-boot-starters
They are all just pom.xml files. You can exclude anything you want from any dependency you are using by analyzing the pom's dependencies in the started packages.

Why isn't maven including a needed transitive dependency?

I am converting our Jenkins Freestyle build to Declarative Pipeline mode. I am using the same POM files.
But whenever i run the pipeline build, i see that the desired war is missing a transitive dependency. The Freestyle build includes that missing dependency however.
The Main parent POM includes:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>net.sf.dozer</groupId>
<artifactId>dozer</artifactId>
<version>5.5.1</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
The second parent includes section below, :
<dependencies>
<dependency>
<groupId>net.sf.dozer</groupId>
<artifactId>dozer</artifactId>
</dependency>
</dependencies>
For both build processes, the dozer artifact is contained in the war file. But dozer contains a dependency of its own:
<dependencies>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.1</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
It is this commons-beanutils that I am missing from my final war when i do the Pipeline build. Since I am using the same POM files for both build processes, how can this be possible?
Please help

Multiple spring dependencies of different versions

I am working with spring-boot and want to include two different versions of spring-web in my project since one of the APIs in the latest version has been deprecated. In order to continue using that, I have included two dependencies of spring-web with different versions but eclipse is recognizing only of them.
I have tried excluding almost everything from the older version of spring-web but that doesn't seems to work either- any way out please?
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.0.2.RELEASE</version>
<exclusions>
<exclusion>
<groupId>aopalliance</groupId>
<artifactId>aopalliance</artifactId>
</exclusion>
<exclusion>
<groupId>axis</groupId>
<artifactId>axis</artifactId>
</exclusion>
<exclusion>
<groupId>com.caucho</groupId>
<artifactId>com.springsource.com.caucho</artifactId>
</exclusion>
<exclusion>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
</exclusion>
<exclusion>
<groupId>javax.el</groupId>
<artifactId>el-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.faces</groupId>
<artifactId>jsf-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.xml</groupId>
<artifactId>jaxrpc-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.xml.ws</groupId>
<artifactId>jaxws-api</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-oxm</artifactId>
</exclusion>
<exclusion>
<groupId>javax.portlet</groupId>
<artifactId>portlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
You won't be able to have two different versions of a dependency in your project because of a Maven concept called 'Dependency Mediation'. Have a look at the Maven Introduction to the Dependency Mechanism documentation.
Dependency mediation - this determines what version of a dependency
will be used when multiple versions of an artifact are encountered.
Currently, Maven 2.0 only supports using the "nearest definition"
which means that it will use the version of the closest dependency to
your project in the tree of dependencies. You can always guarantee a
version by declaring it explicitly in your project's POM. Note that if
two dependency versions are at the same depth in the dependency tree,
until Maven 2.0.8 it was not defined which one would win, but since
Maven 2.0.9 it's the order in the declaration that counts: the first
declaration wins.

owl api - pellet used in osgi

I am trying to use OWL api and Pellet in an OSGI bundle. The bundle builds successfully but on runtime I am getting the following error: org.osgi.framework.BundleException: Unresolved constraint in bundle smp.lighting.client.osgi [2]: package; (package=org.mindswap.pellet).
These are the dependencies as they are declared in the pom file:
<dependency>
<groupId>edu.stanford.protege</groupId>
<artifactId>org.semanticweb.owl.owlapi</artifactId>
<version>3.4.4</version>
<exclusions>
<exclusion>
<artifactId>org.osgi.core</artifactId>
<groupId>org.apache.felix</groupId>
</exclusion>
<exclusion>
<artifactId>owlapi-apibinding</artifactId>
<groupId>net.sourceforge.owlapi</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.github.ansell.pellet</groupId>
<artifactId>pellet-owlapiv3</artifactId>
<version>2.3.3</version>
<exclusions>
<exclusion>
<artifactId>slf4j-api</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
<exclusion>
<artifactId>log4j</artifactId>
<groupId>log4j</groupId>
</exclusion>
<exclusion>
<artifactId>xercesImpl</artifactId>
<groupId>xerces</groupId>
</exclusion>
</exclusions>
</dependency>
Also, in the launch file of the bundle, I call:
mvn:edu.stanford.protege/org.semanticweb.owl.owlapi/3.4.4
and in the next level:
wrap:mvn:com.github.ansell.pellet/pellet-jena/2.3.3
wrap:mvn:com.github.ansell.pellet/pellet-owlapiv3/2.3.3
I do not know if I a missing something, any help is appreciated. Thank you in advance!
pellet-owlapiv3 is an adapter between Pellet and the OWL API, so it does not, itself, contain the core Pellet classes. From the error, I believe you need to wrap pellet-core as well, and possibly some others of the Pellet modules.

Resources