I am using maven 3 with the Enforcer plugin configured to force version convergence. I am using Spring 3.1.2 and Spring Security 3.1.3.
The problem is that Spring 3.1.3 POM declares dependencies on Spring 3.0.7 because that is the minimum version need for spring security. This means that the enforcer plugin complains because the transitive dependency graph has both Spring 3.1.2 and Spring 3.0.7 in it.
The fix is to explicitly exclude spring 3.0.7 as a dependency of spring security so that the enforcer plugin in happy.
The code snippet below does just that, the problem with it is that I am having to repeat the same snippet over and over gain for each jar of spring security, this is tedious and makes the pom hard to read, is there a way to tell maven something along the lines.
for the dependency org.springframework.security no matter what artificatId ignore the dependency of the security framework on the spring framework?
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<artifactId>spring-tx</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-asm</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-jdbc</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-expression</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-context</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-expression</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-context</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>aopalliance</artifactId>
<groupId>aopalliance</groupId>
</exclusion>
<exclusion>
<artifactId>spring-web</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-jdbc</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-tx</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
This worked for me, excluding all artifacts for groupId org.springframework:
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
This probably won't help you much, but there is a feature request to allow wildcards in exclusions, however it is not in the current release version of Maven (3.0.4). (Edit: this feature is now present in Maven 3.2.1)
https://issues.apache.org/jira/browse/MNG-3832
Interesting is a comment in this JIRA issue:
Not sure what's going on, but this seems to work in Maven 3.0.3, using this:
<exclusion>
<groupId>*</groupId>
<artifactId>*</artifactId>
</exclusion>
However, this produces these warnings:
[WARNING] 'dependencies.dependency.exclusions.exclusion.groupId' for my.groupid:my.artifactid:ejb-client with value '*' does not match a valid id pattern. # line 31, column 30
[WARNING] 'dependencies.dependency.exclusions.exclusion.artifactId' for my.groupid:my.artifactid:ejb-client with value '*' does not match a valid id pattern. # line 32, column 33
So I probably shouldn't be doing it, but it does work.
So you might be able to use an artifactId wildcard in Maven 3.0.3 or later and have it work, but with warnings and with no guarantee of compatibility with later versions.
I encountered the same problem. I think you should explicit include Spring 3.2.x in your pom.xml to enforce the spring version in level 0 when Maven solve the conflict jars.
Please refer to:
http://www.baeldung.com/spring-security-with-maven
Related
I am working with spring-boot and want to include two different versions of spring-web in my project since one of the APIs in the latest version has been deprecated. In order to continue using that, I have included two dependencies of spring-web with different versions but eclipse is recognizing only of them.
I have tried excluding almost everything from the older version of spring-web but that doesn't seems to work either- any way out please?
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.0.2.RELEASE</version>
<exclusions>
<exclusion>
<groupId>aopalliance</groupId>
<artifactId>aopalliance</artifactId>
</exclusion>
<exclusion>
<groupId>axis</groupId>
<artifactId>axis</artifactId>
</exclusion>
<exclusion>
<groupId>com.caucho</groupId>
<artifactId>com.springsource.com.caucho</artifactId>
</exclusion>
<exclusion>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
</exclusion>
<exclusion>
<groupId>javax.el</groupId>
<artifactId>el-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.faces</groupId>
<artifactId>jsf-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.xml</groupId>
<artifactId>jaxrpc-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.xml.ws</groupId>
<artifactId>jaxws-api</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-oxm</artifactId>
</exclusion>
<exclusion>
<groupId>javax.portlet</groupId>
<artifactId>portlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
You won't be able to have two different versions of a dependency in your project because of a Maven concept called 'Dependency Mediation'. Have a look at the Maven Introduction to the Dependency Mechanism documentation.
Dependency mediation - this determines what version of a dependency
will be used when multiple versions of an artifact are encountered.
Currently, Maven 2.0 only supports using the "nearest definition"
which means that it will use the version of the closest dependency to
your project in the tree of dependencies. You can always guarantee a
version by declaring it explicitly in your project's POM. Note that if
two dependency versions are at the same depth in the dependency tree,
until Maven 2.0.8 it was not defined which one would win, but since
Maven 2.0.9 it's the order in the declaration that counts: the first
declaration wins.
I already did a research, I found one way using <sec:authorize ifNotGranted="ROLE_ANONYMOUS">. but unfortunately sec taglib is not working for me. I tried every single solution in the web but in vain.
Is there any other way to show content depending on user without using taglib ?
Make sure you've added the spring-security-taglibs library to your project.
For example, if you are using maven for resolving the dependencies.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.3.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
It's working now, obviously there was a conflict, I had to exclude manually each spring-security-taglib dependency.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.1.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>jsp-api</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>servlet-api</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-security-acl</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-security-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-security-web</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-context</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-expression</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-web</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
I guess such error is because there are two conflicting jars in classpath. When I put into my pom these lines:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
it fails, but when i put those
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
<exclusions>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-context</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-expression</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
it works. These is yet another jar where these exclusions must be applied to that is spring-security-web.
Is there any more elegant way to do that? Maybe the problem lies elsewhere and this is only a "hack" or something?
Spring security has a different version scheme with spring core (I believe historically they are maintained by different organization). I suggest you don't use generic ${spring.version} variable.
Read the documentation of what minimum spring core is required for corresponding spring security version
If you believe you've got all the versioning correct, next possible cause is your maven configuration itself. Often you did not realize you've set your settings to NOT lookup from central repository / your organization internal maven repo (nexus) has a stale index not having latest version of spring artifacts
I'm trying to configure Jersey and Spring. The error I'm getting is the following:
Unexpected exception parsing XML document from class path resource [applicationCo
ntext.xml]; nested exception is org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class [org.spring
framework.data.jpa.repository.config.JpaRepositoryNameSpaceHandler] for namespace [http://www.springframework.org/schema
/data/jpa]: problem with handler class file or dependent class; nested exception is java.lang.NoClassDefFoundError: org/
springframework/aop/framework/AbstractAdvisingBeanPostProcessor
because of the following dependencies
<dependency>
<groupId>com.sun.jersey.contribs</groupId>
<artifactId>jersey-spring</artifactId>
<version>1.8</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
</exclusions>
</dependency>
My pom also has the following spring dependencies:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>${spring.version}</version>
<scope>test</scope>
</dependency>
<!-- Spring Data -->
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>${spring-data.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${spring.version}</version>
</dependency>
spring.verion = 3.2.0.RELEASE
spring-data.version = 1.2.1.RELEASE
If I remove the jersey-spring artifact then my unit tests for the repository fields passes without any exceptions. However, when I start up my server jetty complains that it can't find:
"2013-05-03 00:10:43.885:WARN:oejs.Holder:
java.lang.ClassNotFoundException: com.sun.jersey.spi.spring.container.servlet.SpringServlet
at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:244)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:230)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:424)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:377)"
Is the jersey-spring dependency compatible with my version of spring?
Jersey has an older version of Spring AOP so I excluded the dependency and the issues were resolved.
I need to run the Spring-MVC in my scratch project. At the same time i have minimum memory area to store all the jar files. So any body recommend me only need for the Spring-MVC not any other jar files. Thanks in Advance.
according to maven, spring-webmvc 3.1.2 need following jar:
aopalliance-1.0.jar
commons-logging-1.1.1.jar
spring-webmvc-3.1.2.RELEASE.jar
spring-asm-3.1.2.RELEASE.jar
spring-beans-3.1.2.RELEASE.jar
spring-core-3.1.2.RELEASE.jar
spring-context-3.1.2.RELEASE.jar
spring-aop-3.1.2.RELEASE.jar
spring-expression-3.1.2.RELEASE.jar
spring-context-support-3.1.2.RELEASE.jar
spring-web-3.1.2.RELEASE.jar
things provided by servlet container (f.e. servlet-api) are left out.
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>3.1.0.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>