spring-ws-security dependency conflict - spring-ws

I'd like to use spring-ws-security in order to secure my web service with Wss4jSecurityInterceptor and signatures. But there is a dependency conflict which makes this system unworkable. The spring-ws-security:2.1.2.RELEASE seems to be not workable as well.
spring-ws-security : 2.1.3.RELEASE [compile]
- wss4j : 1.6.5 [compile]
- xmlsec : 1.5.1 [compile]
- opensaml : 2.5.1-1 [compile]
- openws : 1.4.2-1 [compile]
- xmltooling : 1.3.2-1 [compile]
- xmlsec : 1.4.4 [compile] (omitted for conflict with 1.5.1)
Is there any way to solve this problem?
Many thanks in advance.

Problem is you are already including the same dependency with a newer version.
I think something along the lines of this would solve it. Add it to your spring-ws-security dependency declaration.
<exclusions>
  <exclusion>
    <groupId>org.apache.santuario</groupId>
    <artifactId>xmlsec</artifactId>
  </exclusion>
</exclusions>

There is actually no problem here. wss4j has a direct dependency on xmlsec and it simply overrides the version of the transitive dependency. WSS4J is sufficiently tested to ensure that replacing 1.4.4 with 1.5.1 doesn't cause any issues in OpenSAML.
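
The "nearest definition wins" mediation that the last answer relies on, as a simplified model run over the tree from the question. This is an added example, not code from the original posts; the nesting in `TREE` is an assumption (the page lists the entries without indentation), and `parse_tree`, `apply_exclusions` and `mediate` are hypothetical helper names.

```python
# Constructed input: the tree from the question. The nesting (two spaces
# per level) is ASSUMED; the page lists the entries without indentation.
TREE = """\
spring-ws-security:2.1.3.RELEASE
  wss4j:1.6.5
    xmlsec:1.5.1
    opensaml:2.5.1-1
      openws:1.4.2-1
        xmltooling:1.3.2-1
          xmlsec:1.4.4
"""

def parse_tree(text, indent=2):
    """Return [(depth, order, artifact, version)] in declaration order."""
    nodes = []
    for order, line in enumerate(text.splitlines()):
        depth = (len(line) - len(line.lstrip(" "))) // indent
        artifact, version = line.strip().split(":", 1)
        nodes.append((depth, order, artifact, version))
    return nodes

def apply_exclusions(nodes, excluded):
    """Drop every excluded artifact and its subtree, as an <exclusion>
    on the root dependency does for all paths beneath it."""
    kept, skip_below = [], None
    for node in nodes:
        depth, artifact = node[0], node[2]
        if skip_below is not None and depth > skip_below:
            continue  # still inside an excluded subtree
        skip_below = depth if artifact in excluded else None
        if skip_below is None:
            kept.append(node)
    return kept

def mediate(nodes):
    """Nearest definition wins: keep the shallowest declaration of each
    artifact (first declared on a tie); report the versions it displaces."""
    selected, omitted = {}, []
    for depth, _, artifact, version in sorted(nodes):
        if artifact not in selected:
            selected[artifact] = version
        elif selected[artifact] != version:
            omitted.append((artifact, version, selected[artifact]))
    return selected, omitted
```

Without exclusions the model keeps xmlsec 1.5.1 and reports 1.4.4 as displaced, matching the "omitted for conflict" line. With `xmlsec` excluded on the root dependency both entries disappear, so the signature library would then have to be declared directly.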

Related

grails 2.5.x does not evict oldest version of conflicting library

Using grails 2.5.1 with, in BuildConfig.groovy
[...]
grails.project.dependency.resolver = "maven"
[...]
I have a grails application including 2 custom plugins (hosted on our nexus maven repo): gw-mr:1.7.3-RELEASE and gw-mr-security:1.7.4-RELEASE
These 2 plugins depend on the same library, mr-client. However gw-mr lags behind gw-mr-security and was not rebuilt for some time, but its code has not changed. In the meantime, gw-mr-security has been bumped, and uses a newer version of the common library: mr-client. So if we take a look at the POM of gw-mr:
[...]
<dependency>
  <groupId>irrelevant</groupId>
  <artifactId>mr-client</artifactId>
  <version>3.6.5-SNAPSHOT</version>
  <scope>compile</scope>
</dependency>
[...]
And looking at the POM of gw-mr-security, we see:
[...]
<dependency>
  <groupId>irrelevant</groupId>
  <artifactId>mr-client</artifactId>
  <version>3.9.0-SNAPSHOT</version>
  <scope>compile</scope>
</dependency>
[...]
So, indeed, gw-mr-security declares a later version of mr-client than gw-mr.
When I include these 2 plugins in the host grails application, I can see something really weird, when I run grails dependency-report compile:
[...]
+--- irrelevant:gw-mr:1.7.3-RELEASE
| \--- irrelevant:mr-client:3.6.5-20170921.151252-2
+--- irrelevant:gw-mr-security:1.7.4-RELEASE
+--- irrelevant:gw-rest:1.7.8-RELEASE
[...]
So, even though my app declares both plugins in its dependencies (BuildConfig.groovy):
[...]
compile "irrelevant:gw-mr:1.7.3-RELEASE"
compile "irrelevant:gw-mr-security:1.7.4-RELEASE"
[...]
grails still does not examine both transitive dependencies and evicts the dependency coming from gw-mr (3.6.5-SNAPSHOT) for the more recent version included in gw-mr-security (3.9.0-SNAPSHOT).
Of course, when I include the transitive dependency explicitly in my host application:
[...]
compile "irrelevant:mr-client:3.9.0-SNAPSHOT"
[...]
Then the right library is packaged in my war.
Is my assumption wrong, that grails evicts older versions of the transitive dependencies included by plugins?
Thanks for any insight.

Startup Error: java.lang.IncompatibleClassChangeError: org/apache/struts2/convention/DefaultClassFinder$InfoBuildingVisitor

I have a Struts2 application, originally XML-based, but now for the first time I introduced an Annotation-based action, and the application broke on startup.
Given the following Action mapping, on startup of the application, I get the error
java.lang.InstantiationError: com.opensymphony.xwork2.util.finder.ClassFinder
at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:390)
at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:347)
at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:53)
at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:199)
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:67)
at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:906)
at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:445)
at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:486)
at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:75)
at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:63)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:279)
There was a similar question here, but no one responded,
Issue with Struts2 Filter Exception
Libraries Used:
struts2-convention-plugin-2.3.14.3.jar
struts2-core-2.5.10.1.jar
struts2-json-plugin-2.5.10.1.jar
struts2-spring-plugin-2.5.10.1.jar
struts2-tiles-plugin-2.5.10.1.jar
xwork-core-2.1.6.jar
Update: I thought the Convention-Plugin-JAR 2.3.14.3 was incompatible with the other 2.5.10.1 ones, so I downloaded: struts2-convention-plugin-2.5.10.1.jar
Now on startup getting
java.lang.IncompatibleClassChangeError: org/apache/struts2/convention/DefaultClassFinder$InfoBuildingVisitor
at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:459) ~[struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:90) [struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:397) [struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:379) [struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:335) [struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:53) [struts2-convention-plugin-2.5.10.1.jar:2.5.10.1]
at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:199) [struts2-core-2.5.10.1.jar:2.5.10.1]
SOLUTION: The solution was to add ASM 5.x JARs which are a dependency of the Struts-Convention JAR for annotations. We were using ASM 3.3. I added the ASM-Core, -Common, -Tree Version 5.1 JARs.
struts2-convention plugin 2.5.10.1 has compile dependencies:
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-lang3</artifactId>
  <version>3.4</version>
</dependency>
<dependency>
  <groupId>org.ow2.asm</groupId>
  <artifactId>asm</artifactId>
  <version>5.1</version>
</dependency>
<dependency>
  <groupId>org.ow2.asm</groupId>
  <artifactId>asm-commons</artifactId>
  <version>5.1</version>
</dependency>
Note: if you don't need asm and asm-commons dependencies you can downgrade to Struts 2.5.5.
Struts2 uses ASM 5.x for the Convention plugin. Check your classpath and make sure you have the appropriate version of the ASM jars.

maven direct dependency on two versions of the same object in one project

I have a case where I need to build what could be considered a patch between 2 versions of the same object. I am using Maven 3.1.1.
<dependency>
  <groupId>my.group.id</groupId>
  <artifactId>artifact1</artifactId>
  <!-- managed version from parent pom -->
  <!-- 1.0.1-SNAPSHOT -->
  <type>zip</type>
</dependency>
<dependency>
  <groupId>my.group.id</groupId>
  <artifactId>artifact1</artifactId>
  <version>1.0.0</version>
  <type>zip</type>
</dependency>
I use the maven-dependency-plugin to unzip them into different directories during the build process. The exec-maven-plugin is used to execute an external tool that creates what is essentially a patch.
This all works.
The problem is a warning:
[WARNING]
[WARNING] Some problems were encountered while building the effective model for my.group.id:build-patch:pom:1.0.1-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: my.group.id:artifact1:zip -> version (?) vs 1.0.0 # my.group.id:build-patch:[unknown-version], /my/jenkins/workspace/directory/stuff/build-patch/pom.xml, line 163, column 15
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
I know this is only a warning.
However I want to make the build as clean as possible. Also note that the groupId:artifactId:type:classifier will never be unique. How can I set this up so that there are no warnings? Does anyone else suspect that this may be a problem in the future?

OWL-API 4.0.1 compatible pellet reasoner?

I was using OWL-API version 4.0.1 together with Pellet reasoner version 2.3.6, as can be seen in the Maven dependency section extracted from the pom file below:
<dependency>
  <groupId>net.sourceforge.owlapi</groupId>
  <artifactId>owlapi-api</artifactId>
  <version>4.0.1</version>
</dependency>
<dependency>
  <groupId>net.sourceforge.owlapi</groupId>
  <artifactId>owlapi-apibinding</artifactId>
  <version>4.0.1</version>
</dependency>
<dependency>
  <groupId>com.github.ansell.pellet</groupId>
  <artifactId>pellet-owlapiv3</artifactId>
  <version>2.3.6-ansell</version>
</dependency>
When I compiled the project, I found an error as below:
Exception in thread "main" java.lang.AbstractMethodError
at org.semanticweb.owlapi.OWLAPIServiceLoaderModule.loadFactories(OWLAPIServiceLoaderModule.java:99)
at org.semanticweb.owlapi.OWLAPIServiceLoaderModule.configure(OWLAPIServiceLoaderModule.java:52)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:230)
at com.google.inject.spi.Elements.getElements(Elements.java:103)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:136)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
at com.google.inject.Guice.createInjector(Guice.java:96)
at com.google.inject.Guice.createInjector(Guice.java:73)
at com.google.inject.Guice.createInjector(Guice.java:62)
at org.semanticweb.owlapi.apibinding.OWLManager.(OWLManager.java:43)
at sematicdm.parser.CreateIndividualsClass.main(CreateIndividualsClass.java:73)
In the class createIndividualsClass the line which raises the error is below:
OWLOntologyManager manager = OWLManager.createOWLOntologyManager();
Is it a compatibility issue? If so, what version of the Pellet reasoner should I include in the pom file?
There isn't a Pellet version compatible with OWLAPI 4 yet - I'm planning to release one at the end of this week. Keep an eye on https://github.com/ignazio1977/pellet for updates.
Currently, the latest versions of FaCT++ (1.6.3) and JFact (4.0.0) are compatible with OWLAPI 4.0.1. I am not aware of the current status for other reasoners - HermiT is planning an update but has not completed that yet.
Pellet is now supporting up to OWLAPI 4.0.2 and Protege 5.0 (as plugin) beta 21 and newer.
https://github.com/ignazio1977/pellet/commit/5ee814edd52df9aa9366db1fae76f7e9ea9057aa

java.lang.NoClassDefFoundError: org/neo4j/cypherdsl/grammar/Execute

I have a project using spring mvc, and neo4j. After upgrading the dependencies, I am now getting the error "java.lang.NoClassDefFoundError: org/neo4j/cypherdsl/grammar/Execute". I want to see if I'm using incompatible packages together.
I changed packages to the following:
neo4j-kernel: 1.8.2
neo4j-cypher: 1.8.2
neo4j-cypher-dsl: 1.7
spring-data-neo4j: 2.1.0.RELEASE
spring-data-neo4j-rest: 2.1.0.RELEASE
When browsing the neo4j-cypher-dsl-1.7, I don't see a grammar subpackage. I'm wondering if this is the problem, or perhaps I'm missing something.
Hopefully that is enough info, if not, please let me know what to include.
You're mixing 1.7 and 1.8 versions. Use the following instead:
<dependency>
  <groupId>org.neo4j</groupId>
  <artifactId>neo4j-cypher-dsl</artifactId>
  <version>1.8</version>
</dependency>
In 1.7, the Execute class resides in "org.neo4j.cypherdsl" package.
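
A check for the mixed release lines behind both the Struts and the Neo4j questions above, run over a jar listing; this is an added example, not code from the original posts. Grouping jars into a family by the text before the first `-` is an assumption, the Neo4j jar names are constructed from the versions in the question, and `find_skew` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# name-version[.qualifier].jar, e.g. struts2-core-2.5.10.1.jar
JAR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)+)(?:[.-]\w+)*\.jar$")

# Jar list from the Struts question.
STRUTS_LIB = [
    "struts2-convention-plugin-2.3.14.3.jar", "struts2-core-2.5.10.1.jar",
    "struts2-json-plugin-2.5.10.1.jar", "struts2-spring-plugin-2.5.10.1.jar",
    "struts2-tiles-plugin-2.5.10.1.jar", "xwork-core-2.1.6.jar",
]
# Constructed jar names for the versions listed in the Neo4j question.
NEO4J_LIB = ["neo4j-kernel-1.8.2.jar", "neo4j-cypher-1.8.2.jar",
             "neo4j-cypher-dsl-1.7.jar"]

def parse_jar(filename):
    """Split a jar file name into (artifact, version); None if unversioned."""
    m = JAR_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def release_line(version):
    """First two components, so 1.8.2 and 1.8 count as the same line."""
    return ".".join(version.split(".")[:2])

def find_skew(jar_names):
    """Group jars by family (ASSUMPTION: text before the first '-') and
    return the families that mix more than one major.minor release line."""
    families = defaultdict(lambda: defaultdict(list))
    for jar in jar_names:
        parsed = parse_jar(jar)
        if parsed is None:
            continue
        artifact, version = parsed
        family = artifact.split("-", 1)[0]
        families[family][release_line(version)].append(jar)
    return {fam: {line: sorted(jars) for line, jars in lines.items()}
            for fam, lines in families.items() if len(lines) > 1}
```

A clean result only means the family's own jars agree; it does not catch a required library at the wrong version, such as the ASM 3.3 jars in the Struts question, which needs a comparison against the plugin's declared dependencies.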
