OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Add OSGI bundle packaging #185

Closed benapple closed 4 years ago

benapple commented 5 years ago

In its current state, this project does not work out-of-the-box within an OSGi environment. Adding the Maven bundle plugin and changing the packaging to bundle allows the project to be used more seamlessly. Without the resulting manifest files of the plugin, developers either need to embed this dependency in all bundles that use the project or need to separately wrap the java-html-sanitizer jar as a bundle using the standalone BND tool.

mikesamuel commented 5 years ago

I'm horribly ignorant of OSGI bundling. How does changing the packaging type affect non-OSGI clients?

Is there a standard way to test, pre-commit, that OSGI integration works?

mikesamuel commented 5 years ago

Is "Adding OSGi metadata to existing projects without changing the packaging type" insufficient?

benapple commented 4 years ago

A bundle is a jar with some extra OSGi bits within the manifest that non-OSGi clients can safely ignore. For example, Guava uses bundle packaging without the java-html-sanitizer project needing to do anything special to use it. With that said, both the bundle packaging and the jar packaging with extra manifest-generating steps work equally well.

OSGi integration is not something I have done within a unit test, though I am taking a look at osgi-mock to see what is possible. Ideally, the test would ensure the Maven plugin generates a usable manifest.

mikesamuel commented 4 years ago

Ideally, the test would ensure the Maven plugin generates a usable manifest.

I wonder whether a shell test that looks at the output of

unzip -p target/owasp-*-SNAPSHOT.jar META-INF/MANIFEST.MF

would suffice.
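
The shell check sketched above, written out as an added example (it is not the project's own test code and not what was merged for this issue). It goes slightly beyond a one-line grep: the JAR spec wraps header lines at 72 bytes and marks each continuation with a leading space, and Java writes the manifest with CRLF line endings, so a grep over raw `unzip -p` output can see only a fragment of a long Export-Package value; the check also strips quoted directives such as `uses:="a,b"` before splitting on commas, so a package that is merely named in a `uses:` clause is not mistaken for an exported one. The sample manifest, its bundle header values, the jar path and the `check_jar_exports` helper are constructed for the example and are not copied from the published artifact.

```shell
#!/bin/sh
# Added example: verify that a jar's MANIFEST.MF exports a package.
# Not from the java-html-sanitizer project. Assumes POSIX sh, awk, sed,
# grep, tr and unzip. The sample manifest near the bottom is constructed.

# Unfold manifest continuation lines and drop CR bytes. A header value
# longer than 72 bytes is split over several physical lines, each
# continuation starting with a single space, and Java emits CRLF endings.
unfold_manifest() {
  tr -d '\r' | awk '
    /^ / { printf "%s", substr($0, 2); next }     # continuation: append
    { if (NR > 1) printf "\n"; printf "%s", $0 }  # new header line
    END { printf "\n" }
  '
}

# Print the value of one manifest header (e.g. Export-Package) from stdin.
manifest_header() {
  unfold_manifest | sed -n "s/^$1: *//p"
}

# Succeed if package $1 is listed in Export-Package of the manifest on
# stdin. The value is a comma-separated list of "pkg;attr=value" clauses,
# and directives such as uses:="a,b" carry commas inside quotes, so quoted
# strings are removed before splitting; attributes are then dropped and
# the bare package name compared exactly.
exports_package() {
  manifest_header Export-Package \
    | sed 's/"[^"]*"//g' \
    | tr ',' '\n' \
    | sed -e 's/;.*//' -e 's/ //g' \
    | grep -qxF "$1"
}

# Real use (jar path is an assumption): read the manifest out of the built jar.
check_jar_exports() {
  unzip -p "$1" META-INF/MANIFEST.MF | exports_package "$2"
}

# Constructed sample manifest (header values are illustrative, not the
# published artifact's), with Export-Package wrapped across three lines.
SAMPLE_MANIFEST='Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-SymbolicName: com.googlecode.owasp-java-html-sanitizer
Bundle-Version: 20191001.1
Export-Package: org.owasp.html;uses:="javax.annotation,com.google.comm
 on.base";version="20191001.1",org.owasp.html.examples;version="2019100
 1.1"
Import-Package: javax.annotation;resolution:=optional,org.owasp.html'

# In a build step this would be:
#   check_jar_exports target/owasp-java-html-sanitizer.jar org.owasp.html || exit 1
if printf '%s\n' "$SAMPLE_MANIFEST" | exports_package org.owasp.html; then
  echo "org.owasp.html is exported"
else
  echo "org.owasp.html is NOT exported" >&2
fi
```

Running `exports_package javax.annotation` against the sample fails even though the name appears twice in the manifest (in a `uses:` directive and in Import-Package), which is the distinction a naive `grep org.owasp.html MANIFEST.MF` would blur.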

benapple commented 4 years ago

There turned out to be a somewhat handy maven plugin for verifying file contents from a build, the Maven verifier plugin. I've added just a simple check to ensure the main package of each module is specified in the Export-Package section of the manifest.

mikesamuel commented 4 years ago

Thanks. I'll pull this locally and see how it works.

mikesamuel commented 4 years ago

Thanks a lot for explaining bundling and for the PR. Merged.

I plan to clean up some mvn warnings around missing versions. Then I'll push a new version that is properly bundled. I'll post here with a link to the new version when that's done.

mikesamuel commented 4 years ago

Present in https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20191001.1/bundle

IIUC, the /bundle at the end of that URL reflects the change.

benapple commented 4 years ago

Awesome! I've pulled the 20191001.1 version and confirmed my project activates the bundle and that my local services can reference org.owasp.html.* classes. Thanks for merging this!