Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Regression] commons-configuration2 is pulled in as a required dependency #1352

Closed
1 task done
papegaaij opened this issue Mar 11, 2024 · 12 comments · Fixed by #1353
Closed
1 task done

[Regression] commons-configuration2 is pulled in as a required dependency #1352

papegaaij opened this issue Mar 11, 2024 · 12 comments · Fixed by #1353
Assignees
@lprimak
Labels
jakartaee Jakarta EE java Pull requests that update Java code
Milestone
2.0.1

Comments

@papegaaij
Copy link

papegaaij commented Mar 11, 2024
edited by lprimak
Loading

Search before asking

  • I had searched in the issues and found no similar issues.

Environment

This is a dependency of shiro-core, so it's for every environment.

Shiro version

2.0.0

Regression from:

1.13.0

What was the actual outcome?

Observe commons-configuration2 in the output below:

[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------< org.apache.shiro:shiro-core >---------------------
[INFO] Building Apache Shiro :: Core 2.0.0
[INFO]   from shiro-core-2.0.0.pom
[INFO] -------------------------------[ bundle ]-------------------------------
[INFO] 
[INFO] --- dependency:3.6.1:tree (default-cli) @ shiro-core ---
[INFO] org.apache.shiro:shiro-core:bundle:2.0.0
[INFO] +- org.apache.shiro:shiro-lang:jar:2.0.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:2.0.12:compile
[INFO] +- org.apache.shiro:shiro-cache:jar:2.0.0:compile
[INFO] +- org.apache.shiro:shiro-crypto-hash:jar:2.0.0:compile
[INFO] |  +- org.apache.shiro:shiro-crypto-core:jar:2.0.0:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
[INFO] +- org.apache.shiro:shiro-crypto-cipher:jar:2.0.0:compile
[INFO] +- org.apache.shiro:shiro-config-core:jar:2.0.0:compile
[INFO] +- org.apache.shiro:shiro-config-ogdl:jar:2.0.0:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- org.apache.shiro:shiro-event:jar:2.0.0:compile
[INFO] +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
[INFO] \- org.apache.commons:commons-configuration2:jar:2.9.0:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    \- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.969 s
[INFO] Finished at: 2024-03-11T21:48:45+01:00
[INFO] ------------------------------------------------------------------------

What was the expected outcome?

Commons-configuration2 should be made optional. The code here already supports it being optional:

shiro/config/ogdl/src/main/java/org/apache/shiro/config/ogdl/ReflectionBuilder.java

Lines 782 to 789 in 36cad48

private Interpolator createInterpolator() {
if (ClassUtils.isAvailable("org.apache.commons.configuration2.interpol.ConfigurationInterpolator")) {
return new CommonsInterpolator();
}
return new DefaultInterpolator();
}

How to reproduce

see above

Debug logs

No response
@lprimak
Copy link
Contributor

lprimak commented Mar 11, 2024
edited
Loading

I am not certain this is a bug. I believe the code started as optional, but later became required, but the optionality was not removed from the code.
IMHO it would be too much of a risk to make it optional at this time, because it would mysteriously break functionality existing applications currently rely on and require inclusions of explicit additional dependency for existing applications.

Perhaps the "action item" is to remove the above reflection / if statement from the code itself?

@lprimak
Copy link
Contributor

lprimak commented Mar 11, 2024

Maybe someone else can chime in?

@lprimak lprimak changed the title [Bug] commons-configuration2 is pulled in as a required dependency [Question] commons-configuration2 is pulled in as a required dependency Mar 11, 2024
@fpapon
Copy link
Member

fpapon commented Mar 12, 2024

I think this is a bug, I will go deeper.

It's well optional on config-ogdl:

shiro/config/ogdl/pom.xml

Line 97 in 9507f24

<optional>true</optional>

But not in core:

shiro/core/pom.xml

Line 147 in 9507f24

<groupId>org.apache.commons</groupId>

@lprimak
Copy link
Contributor

lprimak commented Mar 12, 2024

Maybe not a bug but a code smell? Perhaps the required dependency should be moved into ogdl and removed from core but net effect wouldn't change

@fpapon
Copy link
Member

fpapon commented Mar 12, 2024

@lprimak the problem was introduced in this commit:
5755721

Can you explain why adding a provided dependency because of compiler warning?

@lprimak
Copy link
Contributor

lprimak commented Mar 12, 2024

I remember... it's an OSGi warning from the bnd plugin

@lprimak
Copy link
Contributor

lprimak commented Mar 12, 2024

I will try a PR to fix it then... thanks for your research @fpapon

@lprimak lprimak mentioned this issue Mar 12, 2024
Merged
10 tasks
@fpapon
Copy link
Member

fpapon commented Mar 12, 2024

May be just adding the dependency in optional scope will be enough

@lprimak lprimak self-assigned this Mar 12, 2024
@lprimak lprimak added java Pull requests that update Java code jakartaee Jakarta EE labels Mar 12, 2024
@lprimak lprimak added this to the 2.0.1 milestone Mar 12, 2024
@fpapon
Copy link
Member

fpapon commented Mar 12, 2024

The warning from the bnd plugin comes from these lines:

shiro/core/pom.xml

Line 82 in 9507f24

org.apache.commons.configuration2*;resolution:=optional,

I will make some test in Karaf to see why we need them. I think we don't need to add these import package because we are not using them.

@lprimak
Copy link
Contributor

lprimak commented Mar 12, 2024

No need. Making it optional in core worked and there is no warning

@lprimak lprimak changed the title [Question] commons-configuration2 is pulled in as a required dependency [Regression] commons-configuration2 is pulled in as a required dependency Mar 12, 2024
@lprimak
Copy link
Contributor

lprimak commented Mar 13, 2024

@papegaaij Thank you for the report! This snuck in during build / code cleanup

@papegaaij
Copy link
Author

No problem. I just happen to notice it because commons-configuration2 triggered a failure due to its dependency on a javax API. Thanks for fixing this!

lprimak added a commit that referenced this issue Mar 13, 2024
@lprimak
Merge pull request #1353 from lprimak/commons-config-optional
e2caf6d 
[#1352] bugfix: made commons-configuration2 optional in shiro core
@lprimak lprimak mentioned this issue Jul 27, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lprimak lprimak

Labels
jakartaee Jakarta EE java Pull requests that update Java code
Projects
None yet
Milestone
2.0.1
Development

Successfully merging a pull request may close this issue.

[#1352] bugfix: made commons-configuration2 optional in shiro core lprimak/shiro
3 participants
@papegaaij @lprimak @fpapon