zkoss / zkspring

Automatically exported from code.google.com/p/zkspring

Optional spring security dependencies lead to ClassNotFoundException #30

Closed michbeck100 closed 4 years ago

michbeck100 commented 4 years ago

Why are these dependencies optional? They are obviously needed for compilation.

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${springsecurity.version}</version>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${springsecurity.version}</version>
    <optional>true</optional>
</dependency>

The optional tag is used if a dependency is really optional, so developers can choose which implementation they use (like a jdbc driver), but it's not needed at runtime. These dependencies are definitely needed. Unfortunately this leads to this error: https://forum.zkoss.org/question/92707/javalangclassnotfoundexception-orgspringframeworksecurityaclsmodelsidretrievalstrategy/

cor3000 commented 4 years ago

Yes, we made it optional to 'force' the user to pick their dependency deliberately. Since everyone is picking their favorite version, the one we pre-pick is most likely the wrong one. In the best case it just causes version conflicts; in the worst case it's outdated, introducing unexpected security vulnerabilities.

Our examples show how to specify your own version, e.g. here in this repo, or the spring-boot way.

Especially when it comes to security I prefer a broken build over the wrong version picked from a transitive dependency.

michbeck100 commented 4 years ago

Not sure if I understand you correctly, but if I use a different spring version in my project, zkspring will automatically pick this version instead of the original spring version in zkspring. So this is not a problem. The bigger problem is that spring-security-config and spring-security-taglibs are completely missing from the classpath if I don't add them to my project's pom.xml.

cor3000 commented 4 years ago

We encountered enough version conflicts in the past that we decided to avoid this at all by not introducing transitive dependencies here.

Security concerns are not added "accidentally" to a project anyway. My point is, even if this is not initially intuitive, there should be an active decision to add a specific spring security version. If it just happened to work out of the box, you'll likely not get the best version for your project. In addition, your spring security config is usually runnable/testable without zkspring, so you'll have this in place before adding a ZK integration layer.
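The failure mode discussed in this thread (a library marks a dependency `<optional>true</optional>`, the consumer never declares it, and the class is only found to be missing at runtime) can be caught at build-review time by comparing the two POMs. The script below is an added example and is not zkspring project code; the library and consumer POM strings are constructed to mirror the fragment quoted above, and the versions in them are placeholders. It lists every dependency the library marks optional and reports the ones the consumer POM does not declare on a runtime-reaching scope, which is exactly what would have surfaced the missing spring-security-taglibs before the ClassNotFoundException did.

```python
"""Flag optional library dependencies a consumer POM forgot to declare.

Added example, not zkspring project code. Both POMs below are constructed
to mirror the issue; the version numbers are placeholders, not real releases.
"""
import xml.etree.ElementTree as ET

# Maven POMs live in this namespace; ElementTree needs it for every lookup.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed: a library POM that marks its Spring Security dependencies
# optional, so Maven will NOT pull them in transitively for consumers.
LIBRARY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>zk-integration</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>${springsecurity.version}</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-taglibs</artifactId>
      <version>${springsecurity.version}</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>0.0.0-PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed: a consumer POM that declares spring-security-config but
# forgets spring-security-taglibs, the situation reported in this issue.
CONSUMER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>my-webapp</artifactId>
  <version>0.1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>zk-integration</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>0.0.0-PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
"""

# Dependencies on these scopes never reach the packaged runtime classpath.
NON_RUNTIME_SCOPES = {"test"}


def _coords(dep):
    """Return (groupId, artifactId) for one <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=NS)
    artifact = dep.findtext("m:artifactId", namespaces=NS)
    return (group.strip(), artifact.strip())


def optional_dependencies(pom_xml):
    """All dependencies the given POM marks <optional>true</optional>."""
    root = ET.fromstring(pom_xml)
    result = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        flag = dep.findtext("m:optional", default="false", namespaces=NS)
        if flag.strip().lower() == "true":
            result.append(_coords(dep))
    return result


def runtime_dependencies(pom_xml):
    """Dependencies the given POM declares on a scope that reaches runtime."""
    root = ET.fromstring(pom_xml)
    declared = set()
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        if scope.strip().lower() not in NON_RUNTIME_SCOPES:
            declared.add(_coords(dep))
    return declared


def missing_optional(library_pom, consumer_pom):
    """Optional library dependencies the consumer did not declare itself."""
    declared = runtime_dependencies(consumer_pom)
    return [c for c in optional_dependencies(library_pom) if c not in declared]


if __name__ == "__main__":
    for group, artifact in missing_optional(LIBRARY_POM, CONSUMER_POM):
        print(f"consumer pom.xml must declare {group}:{artifact} explicitly")
```

Run against the constructed POMs it reports only `spring-security-taglibs`; `spring-context` is not optional in the library and so arrives transitively, and `spring-security-config` is declared by the consumer. A dependency the consumer declares only with `<scope>test</scope>` is still reported, since it would not be packaged into the deployed application.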

cor3000 commented 4 years ago

side effect of: ZKSPRING-51

TODO: post FR to

cor3000 commented 4 years ago

posted FR -> ZKSPRING-59 - Enhance optional spring-security dependency handling

cor3000 commented 4 years ago

implemented and available nightly 4.0.1-FL-2020062213 (for testing) -> closed comments / feedback -> ZKSPRING-59

cor3000 commented 4 years ago

v4.0.1 available on maven