Describe the bug

When trying to run an integration test the following error occurs:

java.lang.AssertionError: No value at JSON path "$[?(@.name == 'foo' && @.pId == 'bar')]"
  at org.springframework.test.util.JsonPathExpectationsHelper.evaluateJsonPath(JsonPathExpectationsHelper.java:295)
  ...
Caused by: java.lang.NoClassDefFoundError: net/minidev/json/writer/JsonReaderI
  at com.jayway.jsonpath.internal.DefaultsImpl.<init>(DefaultsImpl.java:17)
  ...
Caused by: java.lang.ClassNotFoundException: net.minidev.json.writer.JsonReaderI
  at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
  ...

This is due to a version clash on transitive dependency net.minidev:json-smart between spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0.

Here's the partial output from

mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:tree -Dverbose=true
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.0.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)
=> dependency is net.minidev:json-smart:jar:2.3:test

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.2.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile
=> dependency is net.minidev:json-smart:jar:1.3.1:compile

I'm logging this against Spring Security, as moving from com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 to com.nimbusds:oauth2-oidc-sdk:jar:8.4.2 would likely fix the issue, as that defines its dependency as net.minidev:json-smart:[1.3.1,2.3]

As per the Maven docs, that would permit json-smart:2.3 being used:

[1.2,1.3]: Hard requirement for any version between 1.2 and 1.3 inclusive.

By the way: The dependency in oauth2-oidc-sdk:jar:8.4.2 (i.e. [1.3.1,2.3]) would indicate that json-smart version 2.3 might be backwards-compatible with version 1.3.1, but as this is a dependency of a security-related library I would rather not take the chance of just forcing the new version of json-smart on oauth2-oidc-sdk using dependencyManagement.

To Reproduce

Using the following dependencies:

  • spring-security-oauth2-client:5.3.2
  • spring-boot-starter-test:2.3.0

running this test:

            webTestClient.get().uri("${PATH}?pid=bar")
                    .exchange()
                    .expectStatus().is2xxSuccessful
                    .expectBody()
                    .jsonPath("$[?(@.name == 'foo' && @.pId == 'bar')]").exists()

Expected behavior

Provided the response contains the properties and values specified in the jsonPath, the test should run and pass, not fail due to a missing class.

Comment From: ninjacoda

I did a bit more digging, and it turns out that up to and including com.nimbusds:oauth2-oidc-sdk:7.0.2, the library declared the same dependency range of [1.3.1,2.3] for json-smart. At that point, they changed it due to this request, but reintroduced the range for json-smart in April 2020 (for newer releases). Based on that, it's probably safe to force version 2.3 on com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 (provided that what I found is indeed the official repo or a correct clone of it).

Comment From: jzheaux

Thanks for all the digging you did here, @ninjacoda.

After some of my own, I think it's best to simply upgrade the Nimbus dependencies, that way Spring Security doesn't add any additional managed dependencies to its list. In general, it's a bit easier to only manage the beans that Spring Security depends on directly.

There's a bit of a related discussion going on in https://github.com/spring-projects/spring-security/issues/8543 and https://github.com/spring-projects/spring-security/issues/8564, so I think it'd be best to see how those conversations go before deciding precisely what versions of nimbus-jose-jwt and oauth2-oidc-sdk to upgrade to.

Comment From: jzheaux

Fixed via 94737df37865fa754f4c5dd14e5a225a8ce94739

Comment From: ninjacoda

Thanks, @jzheaux. Unfortunately,

  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-dependencies</artifactId>
  <version>2.3.1.RELEASE</version>

still defines

   <oauth2-oidc-sdk.version>7.1.1</oauth2-oidc-sdk.version>

and

  <dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>oauth2-oidc-sdk</artifactId>
        <version>${oauth2-oidc-sdk.version}</version>
      </dependency>

    </dependencies>
  </dependencyManagement>

in its dependency management, so this is still broken for JSON Path asserts:

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile

and

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)

I'm not sure this is the right project to report it to, though - or if this ticket will reopen. If not, I might try the main spring boot project instead...
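
The dependency:tree excerpts quoted in this thread show Maven selecting json-smart 1.3.1 even though json-path asked for 2.3. As an added example (not part of the thread or of any Spring code), the Python sketch below scans verbose tree output for "omitted for conflict" entries where the selected version is older than the requested one; the function names and the simplified numeric version comparison are assumptions of the example, and the sample input is copied from the excerpt above.

```python
import re

# Entry Maven prints for a dependency it dropped during mediation, e.g.
# (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)
OMITTED = re.compile(r"\(([^\s()]+) - omitted for conflict with ([^\s()]+)\)")
# One tree node: "[INFO] ", zero or more 3-char indent cells, then "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (.+)$")

# Sample input: tree lines as quoted in the thread.
SAMPLE = """[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)
"""

def version_key(version):
    """Simplified ordering (assumption): numeric components only, not Maven's full rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_downgrades(tree_output):
    """Return (requester, artifact, requested, selected) for every conflict in
    which Maven selected an older version than a dependency requested."""
    stack, findings = [], []
    for line in tree_output.splitlines():
        node = NODE.match(line)
        if not node:
            continue
        depth = len(node.group(1)) // 3      # each indent cell is 3 characters
        entry = node.group(2)
        del stack[depth:]                    # keep only this node's ancestors
        omitted = OMITTED.search(entry)
        if omitted:
            parts = omitted.group(1).split(":")
            artifact, requested = ":".join(parts[:2]), parts[-2]
            selected = omitted.group(2)
            if version_key(requested) > version_key(selected):
                requester = stack[-1] if stack else "(project)"
                findings.append((requester, artifact, requested, selected))
        else:
            stack.append(entry.split()[0])   # coordinates without trailing notes
    return findings

if __name__ == "__main__":
    for requester, artifact, requested, selected in find_downgrades(SAMPLE):
        print(f"{requester} wants {artifact}:{requested}, resolved to {selected}")
```

Running a check like this over the verbose tree in CI surfaces a silently downgraded transitive dependency before it shows up as a NoClassDefFoundError at test time.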

Comment From: jzheaux

Thanks for this extra information, @ninjacoda, and sorry this is still a problem for you.

You are correct that Spring Boot manages dependencies via spring-boot-dependencies and that filing a ticket there is a good place to begin addressing that concern.