grails / grails-spring-security-rest

Grails plugin to implement token-based, RESTful authentication using Spring Security
http://alvarosanchez.github.io/grails-spring-security-rest/
Apache License 2.0

duplicate bcprov dependency in version 1.5.2 #236

Closed ghost closed 8 years ago

ghost commented 9 years ago

After upgrading from version 1.5.1 to version 1.5.2, I had duplicate copies of a Bouncy Castle dependency in my .war file's lib dir, which caused the following error that prevented Tomcat from starting up:

25-Sep-2015 08:38:24.384 SEVERE [localhost-startStop-1] org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild: start: 
 org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1101)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1786)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Unable to complete the scan for annotations for web application [] due to a StackOverflowError. Possible root causes include a too low setting for -Xss and illegal cyclic inheritance dependencies. The class hierarchy being processed was [org.bouncycastle.asn1.ASN1EncodableVector->org.bouncycastle.asn1.DEREncodableVector->org.bouncycastle.asn1.ASN1EncodableVector]
    at org.apache.catalina.startup.ContextConfig.checkHandlesTypes(ContextConfig.java:2066)
    at org.apache.catalina.startup.ContextConfig.processAnnotationsStream(ContextConfig.java:2012)
    at org.apache.catalina.startup.ContextConfig.processAnnotationsJar(ContextConfig.java:1961)
    at org.apache.catalina.startup.ContextConfig.processAnnotationsUrl(ContextConfig.java:1936)
    at org.apache.catalina.startup.ContextConfig.processAnnotations(ContextConfig.java:1897)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1149)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:771)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:305)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5066)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 10 more

The duplicate Bouncy Castle dependencies were

I ran grails dependency-report, which indicated both of these are originating from the spring-security-rest plugin:

+--- org.grails.plugins:spring-security-rest:1.5.2
|    \--- net.spy:spymemcached:2.11.6
|    \--- com.google.guava:guava-io:r03
|         \--- com.google.guava:guava-annotations:r03
|         \--- com.google.guava:guava-base:r03
|    \--- org.pac4j:pac4j-core:1.6.0
|    \--- org.pac4j:pac4j-oauth:1.6.0
|         \--- org.apache.commons:commons-lang3:3.1
|         \--- org.scribe:scribe:1.3.6
|    \--- org.pac4j:pac4j-cas:1.6.0
|         \--- org.jasig.cas.client:cas-client-core:3.3.3
|         \--- org.opensaml:opensaml:2.5.1-1
|              \--- org.opensaml:openws:1.4.2-1
|                   \--- org.opensaml:xmltooling:1.3.2-1
|                        \--- joda-time:joda-time:1.6.2
|                        \--- org.bouncycastle:bcprov-jdk15:1.45
|                        \--- org.apache.santuario:xmlsec:1.4.4
|                        \--- ca.juliusdavies:not-yet-commons-ssl:0.3.9
|                   \--- commons-httpclient:commons-httpclient:3.1
|              \--- velocity:velocity:1.5
|              \--- org.owasp.esapi:esapi:2.0GA
|         \--- xml-security:xmlsec:1.3.0
|         \--- org.slf4j:log4j-over-slf4j:1.7.2
|    \--- com.nimbusds:nimbus-jose-jwt:3.9
|         \--- net.jcip:jcip-annotations:1.0
|         \--- net.minidev:json-smart:1.1.1
|         \--- org.bouncycastle:bcprov-jdk15on:1.51
|         \--- commons-io:commons-io:2.4

In my case I can resolve this by excluding pac4j-cas because I don't need it, but others may not be so fortunate. In other words, I can work around this issue by including the plugin like so in BuildConfig.groovy:

compile ":spring-security-rest:1.5.2", {
    exclude 'spring-security-core'
    exclude 'pac4j-cas'
}

ransilad commented 8 years ago

Just what I needed
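
A build-time check for the failure reported in this issue, added here as an example (not code from the plugin or from the commenters): it lists class files that more than one jar in a WAR's WEB-INF/lib provides, which is how two Bouncy Castle artifacts end up on the same classpath. The function names and the in-memory WAR are constructed for illustration; the jar names follow the two bcprov artifacts in the dependency report above.

```python
import io
import zipfile
from collections import defaultdict


def duplicate_classes(war_bytes):
    """Map each jar pair in WEB-INF/lib to the class files both of them ship."""
    providers = defaultdict(set)  # class entry -> jars that contain it
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            jar_name = entry.rsplit("/", 1)[-1]
            with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                for cls in jar.namelist():
                    if cls.endswith(".class"):
                        providers[cls].add(jar_name)
    overlaps = defaultdict(list)
    for cls, jars in sorted(providers.items()):
        ordered = sorted(jars)
        for i, first in enumerate(ordered):
            for second in ordered[i + 1:]:
                overlaps[(first, second)].append(cls)
    return dict(overlaps)


def _jar(class_entries):
    """Build a constructed jar (zip) holding empty placeholder class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in class_entries:
            jar.writestr(name, b"")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR mirroring the two bcprov jars from the dependency report."""
    asn1 = "org/bouncycastle/asn1/"
    shared = [asn1 + "ASN1EncodableVector.class", asn1 + "DEREncodableVector.class"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/bcprov-jdk15-1.45.jar", _jar(shared))
        war.writestr("WEB-INF/lib/bcprov-jdk15on-1.51.jar", _jar(shared))
        war.writestr("WEB-INF/lib/commons-io-2.4.jar",
                     _jar(["org/apache/commons/io/IOUtils.class"]))
    return buf.getvalue()


if __name__ == "__main__":
    for (a, b), classes in duplicate_classes(build_sample_war()).items():
        print(f"{a} and {b} both provide {len(classes)} classes, e.g. {classes[0]}")
```

Run against a real build by passing the bytes of the generated .war file to `duplicate_classes`; a non-empty result is a reason to fail the build before deployment.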