The Maven pom files of the Spring Security modules in version 5.5.1 do not contain third-party dependencies. This can cause build or runtime errors when other dependency versions are used. We had a problem with the update to commons-codec 1.15 (see #9575).
To Reproduce: Use Spring Security modules like spring-security-saml2-service-provider in version 5.5.1 with Maven and without Spring Boot.
Expected behavior: The generated Maven poms should contain all third-party dependencies.
Comment From: rwinch
Is this still a problem? If so, can you provide a pom that is missing a dependency and state which dependency is missing? Our poms do not include optional, provided, or test dependencies as they are not used by Maven for transitive dependencies anyway.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: MichaelVetter
@rwinch: Sorry for the late answer, I am currently on vacation. Yes, it is still a problem in 5.7.1. This pom does not have a direct dependency on commons-codec 1.15: https://repo1.maven.org/maven2/org/springframework/security/spring-security-saml2-service-provider/5.7.1/spring-security-saml2-service-provider-5.7.1.pom spring-security-dependencies.gradle contains several other dependencies that are not in the Spring Security poms we use (core, config, web, saml2, oauth2), e.g.:
- api "commons-logging:commons-logging:1.2"
- api "org.bouncycastle:bcprov-jdk15on:1.68"
Where can I find the information which dependencies are considered optional in spring security?
Comment From: rwinch
> This pom does not have a direct dependency on commons-codec 1.15:
You are correct. This was addressed in gh-11322.
> api "commons-logging:commons-logging:1.2"
Spring uses spring-jcl for logging which uses the same APIs as commons-logging, but implements improved support for other logging libraries. See https://github.com/spring-projects/spring-framework/issues/19081#issuecomment-453442627
> api "org.bouncycastle:bcprov-jdk15on:1.68"
This is an optional dependency that you are responsible for managing the version for. You can find the list of versions that Spring Security uses at https://github.com/spring-projects/spring-security/blob/5.7.0/dependencies/spring-security-dependencies.gradle. When we add support for using Gradle Feature Variants (see gh-11377) you would see optional dependencies listed in the Maven poms and be able to consume the variants from Gradle.
Does this address all of your concerns?
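What "managing the version yourself" looks like on the consumer side, as an added example (not from the issue or the Spring Security project): a Maven-only pom that pins the optional dependencies it uses to the versions quoted in this thread. The `com.example` coordinates are placeholders; everything else uses the artifact names and versions named above.

```xml
<!-- Constructed example: consumer pom.xml without Spring Boot. Spring Security's
     poms omit optional dependencies, so the consumer pins and declares them. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder coordinates -->
  <artifactId>saml2-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Versions as listed in spring-security-dependencies.gradle for 5.7.0
         (quoted in this thread); review them on every Spring Security upgrade. -->
    <spring-security.version>5.7.1</spring-security.version>
    <commons-codec.version>1.15</commons-codec.version>
    <bouncycastle.version>1.68</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pinning here makes every module in the build resolve one version,
           which is what the missing transitive entries would otherwise leave open. -->
      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>${commons-codec.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-saml2-service-provider</artifactId>
      <version>${spring-security.version}</version>
    </dependency>
    <!-- Optional dependencies are not pulled in transitively, so the ones this
         application actually needs are declared explicitly (versions come from
         dependencyManagement above). -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
    </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm which versions actually land on the classpath, run `mvn dependency:tree -Dincludes=commons-codec,org.bouncycastle` and compare the output against the pinned properties.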
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: MichaelVetter
@rwinch: Thank you, Gradle Feature Variants would be helpful. Is it possible to add comments to the spring-security-dependencies.gradle file to mark optional and required dependencies there?
Comment From: rwinch
@MichaelVetter It doesn't make sense to add comments to optional dependencies in spring-security-dependencies.gradle because it is only for managing the version. The decision whether it is optional is in each individual module's gradle file.
Comment From: rwinch
I'm going to close this in favor of gh-11377. If you find that this doesn't solve the issue, please comment on this issue.