Missing dependency org.bouncycastle in spring-security 5.2 - spring-security

Iam using spring-security 5.2.0, specifically Argon2PasswordEncoder. In the documentation they state that it requires BouncyCastle. However in my maven project the BouncyCastle is not downloaded when I add the spring-security dependency. Also in the maven repository the dependency is not listed, which I don't understand:
https://mvnrepository.com/artifact/org.springframework.security/spring-security-core/5.2.0.RELEASE
I expected that all dependencies of a library should be listed, at least as Optional, right? is there any explanation for this? My code works when explicitly adding the BouncyCastle dependency in my pom.xml, but I find this unrelialble, as how would I know that I selected the correct version of BouncyCastle?

Related

Grails Project missing Java library at runtime

I was trying to add some Java Libraries (AWS SDK for Java, Apache Commons Math, etc.) to my Grails project since some of my Java source code (placed in src/java) had dependencies. By following this answer, I was able to resolve compile errors by adding the jar files to the /lib folder and add it to the build path, as answered here: Add Java Libraries to a Netbeans Grails Project
However, when I call my Java source code from my controller during runtime, it is unable to find the Java libraries that I added, showing a NoClassDefFoundError. Should I be adding something to the BuildConfig.groovy file? I'm not sure what the name convention for the jar files to be added to the dependencies.
The question you refer to is 5 years old. You should use newer resources :)
The preferred approach now is to use dependencies in BuildConfig.groovy, and let Grails (via Ivy or Maven) download the jars for you once and reuse them for various projects.
It's not always obvious what the syntax is, and I find that http://mvnrepository.com/ is a great resource. For example if you search for "commons math" and click through to http://mvnrepository.com/artifact/org.apache.commons/commons-math you'll see a few versions. Click on version 2.2 and you'll see the Maven dependency XML but you can click on the Gradle tab and it's going to be similar to what you need for Grails. So I'd add
dependencies {
compile 'org.apache.commons:commons-math:2.2'
}
and if necessary change compile to runtime, build, etc. depending on what you need the jar in the build process.
In the rare case that you do have a jar that isn't available in a Maven repo (e.g. a shared library at your company) then you can put the jar file in the lib directory. As you've seen, Grails doesn't auto-detect it (this is as of version 2.0). But you can run grails compile --refresh-dependencies to get your jar added to the classpath.
My issue turns out to be the fact that AWS Java SDK had dependencies (Apache HTTP Client) that were not installed yet and that I was unaware of.
This is what I had to configure this for my BuildConfig.groovy file
dependencies {
runtime 'org.apache.httpcomponents:httpclient:4.2.5'
runtime 'com.amazonaws:aws-java-sdk:1.4.7'
}
All the dependencies for AWS Java SDK 1.4.7 can be found here: http://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk/1.4.7. All the dependencies outside of HTTP client were already installed for me, but may not be for your Grails setup.

Inconsistencies with Grails 2.2.1 plugin dependency resolution

After I upgraded to Grails 2.2.1 my inline plugin directives have stopped working.
For example the following does not resolve the plugin.
grails.plugin.location.'commons' = "../../common/commons-upgrade"
I followed the guide
http://grails.org/doc/latest/guide/upgradingFromPreviousVersionsOfGrails.html
which says to add the following
legacyResolve true to the BuildConfig.groovy but it still doesn't work.
Also the guide claims that
Grails 2.2 no longer uses the BuildConfig of the plugin for dependency resolution and only uses data provided by POMs
Although I have found that the application neither requires a POM and by default still uses the BuildConfig for plugin resolution. Given that Grails depends on some plugins by default I would expect the create-app to automatically generate a POM and for it to be used by default.
Can someone resolve my confusion with dependency resolution?
You can use
grails generate-pom
to create a pom for your plugin which can be used for deployment, however that doesn't fix the problem you're seeing at the moment.
The only way I've found to get around it is to set legacyResolve true in the build config as per http://grails.org/doc/2.2.1/guide/upgradingFromPreviousVersionsOfGrails.html
Hopefully that will be fixed soon.

install spring-security-core plugin into plugin, which then is installed in application

I've just switched to grails 2.2 and have got a major plugin problem. I've got an application - my-app and a plugin - my-plugin. I want to install spring-security-core plugin into my-plugin, and then install my-plugin into my-app. When I've done this and did s2-quickstart, so that LoginController got created. I can start my-plugin with no problems now, but when I try to start my-app it complains that it cannot find any springsecurity classes. Errors looks like this:
12: unable to resolve class org.springframework.security.web.WebAttributes # line 12, column 1.
7: unable to resolve class org.springframework.security.authentication.AccountExpiredException # line 7, column 1.
11: unable to resolve class org.springframework.security.core.context.SecurityContextHolder # line 11, column 1.
It looks to me, like only my-plugin can see spring security plugin dependencies, and my-app cannot, so they didn't cascade even thought according to manual they should have.
I've also tryed to install spring-security-core plugin by adding in BuildConfig.conf this:
compile ":spring-security-core:1.2.7.3"
but it didn't work either.
Any ideas?
If you use install-plugin in a plugin, it's only installed locally by adding a line in application.properties. It doesn't get exported as a dependency of your plugin. This could be used for plugins like code-coverage where you want to use it during development and testing but not force users to also install it.
In older versions of Grails the dependsOn map in the plugin descriptor was used to express plugin dependencies. This is now deprecated in favor of dependencies registered in the plugins secton of BuildConfig.groovy. This is both for consistency and to take advantage of the more fine-grained features supported by the dependency DSL including specifying scopes and exclusions. This is also true for applications - don't use install-plugin for either apps or plugins, always use BuildConfig.groovy.
Take a look at the spring-security-ldap plugin's BuildConfig.groovy. It has a compile-scope dependency on the core plugin, plus one for the hibernate plugin that's not exported (since it's just for testing) and a build-scope dependency on the release plugin (also not exported since it's just used to release the plugins).
You should probably using a similar dependency on the core plugin in your BuildConfig.groovy. Delete any plugin references in your application.properties and convert to BuildConfig.groovy syntax and run grails clean followed by grails compile.
Thank you Burt for your advice. I've used it and here's what I came to:
I created a plugin-app and installed spring-security-core plugin in it (using DataSource.groovy, and not install plugin). Then I created a main-app and installed my plugin-app (again using DataSource.groovy). When I did this in grails 2.1.1 everything worked just fine - I could use spring-security in my main-app, so the dependency got pulled just right. When I did everything the same, but in grails 2.2 I couldn't use spring-security in my main-app, so dependencies didn't get pulled. That's why I think this might be some kind of a bug in new grails version.

How do I use Hibernate in a dependency of a Grails project (IntelliJ Module dependency)?

I have a Grail application that references a Java library (as an IntelliJ Module dependency). This works, but as soon as I add hibernate as a dependency of the Java library the Grails will no longer run.
Loading Grails 2.0.1
Error Error executing script RunApp: Provider for javax.xml.parsers.SAXParserFactory cannot be found (Use --stacktrace to see the full trace)
In my Java module, I am adding hibernate with the following:
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-entitymanager</artifactId>
<version>4.0.0.Final</version>
</dependency>
I can't see any good way around this. The Grails dependency-report does not show any libraries in conflict. The error occurs if the hibernate plugin is installed in the Grails application or not.
Bear in mind that (in this case) the Java library is not being incorporated via the BuildConfig.groovy. It is being incorporated as an IntelliJ Module dependency. If I incorporate the module as a jar via BuildConfig.groovy, everything works, but I lose the ability to step into the Java code.
Clarifying:
Per the JetBrains folks, the Java library is incorporated both as an IntelliJ Module dependency and in the BuildConfig.groovy. When executed from the command line, the project works, this is only an issue when starting from the IDE.
Suggestions?
Return dependency to java library to BuildConfig.groovy and use last version of IDEA: http://confluence.jetbrains.net/display/IDEADEV/IDEA+11.1+EAP . Navigation should work fine.
After experimentation, I stumbled upon the following which seems to be working very well (at least in IDEA 11.1):
Your Java library JAR should be referenced from the
BuildConfig.groovy (we use Maven, so we had to add the local Maven
repo as well)
Also reference your modules as module dependencies of the Grails module
(this is critical) in the run config for your grails project, uncheck the "add --classpath ..." option
The module dependency gives you:
Immediate awareness of the Java classes and their methods from the Grails project
Support for stepping into the Java code from your Grails project.
The BuildConfig reference gives you:
support for the grails commands, including run-app (which is how IntelliJ kicks things off when running/debugging a project)
If you leave the --classpath option checked, then you foul up the way that grails resolves its dependencies. There may be a better way to do this, but I haven't found it.
Additional Note
There's a bug in the interaction of grails and maven which causes grails to not pull in dependencies from local Maven 3 repositories if the pom.xml wasn't changed.
Therefore, our complete dependency refresh cycle looks like:
goto top
mvn clean install
find the relevant POM files in the repo and touch them
back to grails app directory and grails refresh-dependencies
run the app
You only need to do this when there are updates to the upstream Java libraries.
Hat tip to Sergey from Jet Brains for tracking that one down.

Grails Plugin dependencies

When creating a plugin that depends on other plugins, you specify these dependencies in the config of the plugin via the dependsOn map.
What I want to know is if these plugins are downloaded automatically when you run install-plugin command??
If not, how can it be set up to do so?
That's how it works in 1.2 and 1.3. In 2.0 however you'll want to configure dependencies in the plugins section of BuildConfig.groovy since dependsOn doesn't populate the pom file and that's what's used for dependency management in 2.0.
1.3 can also work with dependencies in BuildConfig.groovy, but 1.2 and earlier cannot. I think it's safe to assume that there aren't many users still on 1.2 or earlier, but if you need to support older versions you can just include instructions for them to explicitly install the required dependencies before installing your plugin.

Resources