SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Maven module depends on slf4j-simple implementation causing dependency problems #245

Closed MatKuhr closed 4 years ago

MatKuhr commented 4 years ago

Hi, when using com.sap.cloud.security:java-api:2.5.1:compile we discovered that the module depends on org.slf4j:slf4j-simple:1.7.30:compile.

This is a problem because it brings an SLF4J implementation to the classpath, which is unexpected. If there is already an implementation present, the application will exit with an exception, since having multiple logging implementations present is not tolerated. Also, this is hard to discover because it can be easily missed by test scenarios.

For the above reasons I think it might be better to not introduce this dependency through java-api. For now we solved the problem by excluding the transitive dependency in our import:

<dependency>
    <groupId>com.sap.cloud.security</groupId>
    <artifactId>java-api</artifactId>
    <exclusions>
        <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-simple</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Just FYI, for our setup we have a maven-enforcer-plugin rule in place that enforces we do not export logging implementations in our project:

<execution>
    <id>ban-logging-frameworks</id>
    <goals>
        <goal>enforce</goal>
    </goals>
    <configuration>
        <skip>${enforcer.skipBanLoggingFrameworks}</skip>
        <rules>
            <bannedDependencies>
                <message>Do not use and do exclude all transitive uses of logging frameworks.</message>
                <excludes>
                    <exclude>org.slf4j:slf4j-simple</exclude>
                    <exclude>commons-logging</exclude>
                    <exclude>ch.qos.logback</exclude>
                    <exclude>org.apache.logging.log4j</exclude>
                    <exclude>org.apache.log4j</exclude>
                    <exclude>log4j</exclude>
                    <exclude>org.tinylog</exclude>
                </excludes>
                <includes>
                    <!-- slf4j-simple stays allowed in test scope only -->
                    <include>org.slf4j:slf4j-simple:*:*:test</include>
                </includes>
            </bannedDependencies>
        </rules>
    </configuration>
</execution>
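
As an added example (not code from the issue, the library or the enforcer plugin), the same check expressed as a script a CI job can run over `mvn dependency:tree` output: it flags the logging implementations banned by the rule above, honours the test-scope exception, and reports which dependency pulled each one in. The sample tree and the `com.example:my-app` coordinates are constructed; the `java-api:2.5.1 -> slf4j-simple:1.7.30` edge is the one reported in the issue.

```python
import re
from typing import List, Tuple

# Banned logging implementations, copied from the enforcer rule in the issue.
# A pattern matches either the groupId alone or the full groupId:artifactId.
BANNED = ("org.slf4j:slf4j-simple", "commons-logging", "ch.qos.logback",
          "org.apache.logging.log4j", "org.apache.log4j", "log4j", "org.tinylog")
# The rule's <includes> exception: slf4j-simple is tolerated in test scope only.
ALLOWED_SCOPES = {"org.slf4j:slf4j-simple": {"test"}}

# One dependency:tree line: "[INFO] " + 3-char tree units + g:a:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coords>\S+)$")


def is_banned(ga: str, scope: str) -> bool:
    """True if groupId:artifactId hits a banned pattern and is not excused by its scope."""
    group = ga.split(":")[0]
    hit = next((b for b in BANNED if b in (group, ga)), None)
    return hit is not None and scope not in ALLOWED_SCOPES.get(hit, set())


def parse_tree(output: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (groupId:artifactId, version, scope, ancestor path) for every dependency node."""
    nodes, stack = [], []  # stack holds (depth, ga) of the ancestors of the current line
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if depth > 0:  # the root project (depth 0) has no scope and is not a dependency
            nodes.append((ga, parts[-2], parts[-1], [a for _, a in stack]))
        stack.append((depth, ga))
    return nodes


def find_banned(output: str) -> List[str]:
    """Report every banned logging artefact together with the chain that pulled it in."""
    return [f"{ga}:{version} ({scope}) via {' -> '.join(path)}"
            for ga, version, scope, path in parse_tree(output) if is_banned(ga, scope)]


# Constructed sample of dependency:tree output (my-app and the 3.1.0 servlet version are hypothetical).
SAMPLE_TREE = "\n".join([
    "[INFO] com.example:my-app:jar:1.0.0",
    "[INFO] +- com.sap.cloud.security:java-api:jar:2.5.1:compile",
    "[INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile",
    "[INFO] |  \\- org.slf4j:slf4j-simple:jar:1.7.30:compile",
    "[INFO] |     \\- org.slf4j:slf4j-api:jar:1.7.30:compile",
    "[INFO] \\- org.slf4j:slf4j-simple:jar:1.7.30:test",
])

if __name__ == "__main__":
    for finding in find_banned(SAMPLE_TREE):
        print("BANNED:", finding)
```

Feed it real output with `mvn dependency:tree | python check_logging.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a non-empty result is the build failure the enforcer rule would otherwise have produced.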
nenaraab commented 4 years ago

Hi @MatKuhr, thanks a lot for reporting! We already recognized it and fixed it in version 2.5.2, which will hopefully be released today.

https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/CHANGELOG.md#252

Thanks!

MatKuhr commented 4 years ago

Ok cool, thanks 👍