Closed wilkinsona closed 3 years ago
@wilkinsona This is fixed in 5.5.1-SNAPSHOT and 5.6.0-SNAPSHOT by spring-security-core depends on spring-security-crypto without embedding the classes. Could you give one of those a try to ensure the problem is resolved?
Thanks, Rob. Things look good to me with 5.5.1-SNAPSHOT. We no longer see any duplicate classes.
Update Rather than embedding spring-security-crypto, spirng-security-core should just depend on it to avoid this scenario. This breaks passivity for applications that do not leverage transitive dependencies, but it should not impact a majority of users. Users that don't leverage transitive dependencies will need to explicitly add the spring-security-crypto jar to their classpath.
In 5.5.0,
spring-security-core
has started declaring a dependency onspring-security-crypto
in addition to embeddingspring-security-crypto
's classes. This resulted in a number of Spring Boot's starters containing duplicates of the crypto classes. We've worked around it by excludingspring-security-crypto
.