I am trying to install spring-security-core to my project and here's how I am doing it in my pom.xml
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.0.7.RELEASE</version>
</dependency>
The issue is that when I build the project I see org.springframework.security.spring-security-core with version 4.2.9.RELEASE in my artifacts instead of 5.0.7.RELEASE. My pom.xml is deep down in my build tree and it's a part of a big spring boot project. artifact spring-security-core is not present in any other pom.xml in my tree.
From what I've read so far it looks like this is happening because something in the parent tree is downloading spring-security-core 4.2.9.RELEASE as a dependency without explicitly mentioning it in their pom.xml. How to debug this problem ?
In one of the parent pom.xml there's a dependency like this :
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>4.3.22.RELEASE</version>
</dependency>
Would that explain why spring-security-core old version is getting downloaded ? Any help is appreciated.
Check the dependency tree with this command
mvn dependency:tree
If spring-context-support also has spring-security, you can exclude that from the dependency by adding exclusions
example
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>4.3.22.RELEASE</version>
<exclusions>
<exclusion>
<groupId> groupid of the jar to be excluded </groupId>
<artifactId>artifact id of the jar to be excluded</artifactId>
</exclusion>
</exclusions>
</dependency>
Go to the location of parent pom.xml file and as run the command
mvn dependency:tree >> tree.txt
It will create a file with dependency tree. Search for "spring-security-core" you will find which version is downloaded.
There are couple of work around:
You can repeat this to each pom.xml as well to know from where it gets the reference.
If one of the pom referring the version then your dependency will not consider if its got resolve earlier.
Check if any po.xml file referring to any spring security related libraries. If so, what is there version. And if you need then as mentioned by #Vinay, exclude it so your library version gets referred.
If you want to download this version of library then mentioned it at the top, so it gets referred and no other version will downloaded.
There is no relation for spring security with spring-context-code. Refer this maven link.
Related
I am trying to use a pom file from a existing project and I am getting an error "Cannot resolve org.yaml:snakeyaml:1.15"
What I find out about this error is that the com.datastax.spark:spark-cassandra-connector_2.11:2.5.0 uses a couple dependencies and a couple levels down it is using snakeyaml:1.15 which is quarantined by company proxy. Is there a way to specify for a given maven dependency that I want to use snakeyaml:1.16?
One thing I do not understand is that I look into the reference project that is also using com.datastax.spark:spark-cassandra-connector_2.11:2.5.0, it is using the updated com.datastax.oss:java-driver-core-shaded:4.9.0, which no longer requires snakeyaml:1.15
where as mine uses the old com.datastax.oss:java-driver-core-shaded:4.5.0
Why is it working in that pom? we have the same maven listing version for com.datastax.spark:spark-cassandra-connector_2.11:2.5.0
I see it has some exclusions but none addresses the snake yaml version or any of its parent dependencies.
Is there another section of the pom file that addresses this I am missing? please advise.
My pom
<scala.compat.version>2.11</scala.compat.version>
<spark.cassandra.version>2.5.0</spark.cassandra.version>
<dependency>
<groupId>com.datastax.spark</groupId>
<artifactId>spark-cassandra-connector_${scala.compat.version}</artifactId>
<version>${spark.cassandra.version}</version>
</dependency>
where it goes wrong
however another project is using the correct shaded version com.datastax.oss:java-driver-core-shaded:4.9.0, which eliminates the snake dependency
working pom
<scala.compat.version>2.11</scala.compat.version>
<spark.cassandra.version>2.5.0</spark.cassandra.version>
<dependency>
<artifactId>spark-cassandra-connector_${scala.compat.version}</artifactId>
<exclusions>
<exclusion>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
<exclusion>
<artifactId>netty-all</artifactId>
<groupId>io.netty</groupId>
</exclusion>
<exclusion>
<groupId>org.scala-lang</groupId>
<artifactId>scala-library</artifactId>
</exclusion>
</exclusions>
<groupId>com.datastax.spark</groupId>
<version>${spark.cassandra.version}</version>
</dependency>
You add an entry your <dependencyManagement> section of your POM, where you specify the version of snakeyaml that you want.
This will override all transitive version definitions of snakeyaml.
I suggest to switch to the SCC 2.5.2 (or at least 2.5.1) - there were fixes there regarding dependencies, it has driver upgraded to 4.10.0, etc. Another possibility is to use spark-cassandra-connector-assembly instead, with all dependencies included & shaded.
Ive included following lines in my pom.xml
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.1.6.RELEASE</version>
</dependency>
The specific spring-core JAR version I want is 4.1.6, but whenever I do an mvn clean install, the dependencies folder under my project in netbeans shows a downgraded version (currently 3.0.7.RELEASE).
I want to know how I can force maven to put 4.1.6.RELEASE jar in my dependencies folder. I've done
mvn dependency:purge-local-repository -DactTransitively=false -DreResolve=false
And I've the folder 4.1.6.RELEASE with correct jar in my local /.m2/repositories folder. I need to access org.springframework.util.MimeType class which is not available in spring-core 3.0.7.RELEASE jar.
See the result of mvn dependency:tree to know if another jar bring back the version 3.0.7. and exclude from this dependency the spring-core
See the same result to know if the right version is present
Add the pom.xml and the result of mvn dependency:tree in the question
Please follow these steps:
Check in .m2 local repository where the Spring 3.0.7 jar is downloaded(It should be under folder org->springframework)
Delete the folder present inside springframework, so that mvn will try to fetch required dependencies.
Let me know if it helps
The issue is that spring-core is a mandatory dependenecy of most spring artifacts. Most likely you are using a dependent artifact e.g spring-context which is of version 3.0.7. Then Maven is fetching spring-core of the same version as the dependent artifact using its transitive dependency mechanism.
To control the version of spring-core you need to move its declaration from the dependencies section to the dependency management section of your pom.xml as follows
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.1.6</version>
</dependency>
</dependencies>
</dependencyManagement>
Recently I've been working on some improvements in a project developed some time ago, and here's what I found. A lot of dependencies in the pom files go without versions specified, and yet they are resolved. The project consists of 1 root module and 2 submodules. The Aggregator pattern is used, meaning there's no dependencyManagement section at all. The upper-project simply aggregates 2 modules and that's all it does. Subprojects don't refer to it as to a parent. They have a different parent. What I can't grasp is that neither subprojects themselves nor their parent(as a matter of fact, it doesn't have dependencyManagement either) specify versions for some of the dependencies. For instance:
<dependency>
<groupId>javax.mail</groupId>
<artifactId>javax.mail-api</artifactId>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
<artifactId>javax.mail</artifactId>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
<artifactId>imap</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</dependency>
Can someone help me figure this out? Is maven handling versioning with some default strategy? What is that default strategy?
Ok, I think I'm gonna answer it myself. Of course I took a look at dependency:tree, but all the dependencies that I mentioned were first-level members of the tree. What I failed to notice right away, is that dependencyManagement is not present in the parent, but it is however present in the submodules, and what is more interesting it contains:
<dependency>
<groupId>io.spring.platform</groupId>
<artifactId>platform-bom</artifactId>
<version>1.0.2.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
I've never used Spring IO Platform before, so this is a totally new concept for me. As it turns out the platform includes quite a few preconfigured dependencies:
http://docs.spring.io/platform/docs/current/reference/htmlsingle/#appendix-dependency-versions
It is impossible for maven to work without defining versions of the artifacts. They should be defined somewhere in dependencyManagement tag either in the submodule or parent. Please check your pom hierarchy. Use mvn help:effective-pom in the submodule directory of the project. Also you can use mvn dependency:tree in order to find out which artifacts - along with full artifact information including version numbers - are resolved in the result of dependency management.
Use
mvn -P<my_profile_of_interest> help:effective-pom -Dverbose
Verbose mode (Since: 3.2.0) adds XML comments containing precise reference to a place where dependency declaration is coming from.
Each maven dependency defined in the pom must have a version either directly or indirectly for example, through dependencyManagement or parent. That being said, if the version is not given, then the version provided in the dependencyManagement or the parent pom will be used.
For example: in the pom (only important sections are mentioned) given below, no version is provided for the artifact jstl. However, in the "mvn dependency:tree", it shows that jstl version 1.2 is included. And looking at the spring-boot-starter-parent, for the version 2.3.3.RELEASE pom, it includes jstl version 1.2.
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.3.RELEASE</version>
</parent>
<dependencies>
....
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
....
</dependencies>
In my case if i was using Spring boot starter parent to manage all dependency and lombok version is managed by Spring boot , This problem was coming due to higher java version JAVA 11 . I exported JAVA 8 in to my compile time environment and after using JAVA 8 this problem was gone.
Initially, I had the maven dependency for asm version 3.2 in pom.xml file of my project. I update the same to version 4.1 using the following dependency
<dependency>
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<version>4.1</version>
<scope>compile</scope>
</dependency>
but now my project has both jar files in WEB-INF/lib - asm 3.2 and asm 4.1. I need some features of asm 4.1 but due to both jars being available asm 3.2 code is used because of which I cannot use the asm 4.1 feature.
Any help in this matter is appreciated.
The dependency for asm 3.2 is:
<dependency>
<groupId>asm</groupId>
<artifactId>asm</artifactId>
<version>3.2</version>
</dependency>
Note the group IDs do not match. What is likely happening is that another of your dependencies is loading asm 3.2 as a transitive dependency. Maven's dependency resolution process cannot determine that the 4.1 version is supposed to override the 3.2 version due to the group ID difference, and there is a problem.
What you need to do is eliminate the 3.2 version. First figure out which dependency is causing Maven to pull it in, by running mvn dependency:tree or using the Eclipse POM editor's dependency hierarchy tab. Then find that dependency in your POM and add an exclusion:
<dependency>
<groupId>some.group.id</groupId>
<artifactId>dependency-pulling-in-asm</artifactId>
<version>1.0</version>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>asm</groupId>
<artifactId>asm</artifactId>
</exclusion>
</exclusions>
</dependency>
Maven documentation explains this further.
Give the following command after updating pom.xml
mvn clean
I am new to Maven and am trying to set up one of my first POMs. My application will cache using EhCache. Going to Maven Central Repo (link here) I copy-n-pasted the <dependency> tag and copy it into my pom.xml like so:
...many dependencies above this point
<dependency>
<scope>compile</scope>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-entitymanager</artifactId>
<version>4.0.1.Final</version>
</dependency>
<dependency>
<scope>compile</scope>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache</artifactId>
<version>2.5.0</version>
</dependency>
<dependency>
<scope>compile</scope>
<groupId>jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>3.5.3</version>
</dependency>
...many dependencies below this point
When I save the changes, Eclipse builds the workspace and gives me an error on the opening <dependency> tag for EhCache 2.5:
Missing artifact net.sf.ehcache:ehcache:jar:2.5.0
So I figured that perhaps v.2.5.0 has something wrong with it, and repeated the same for 2.4.7 (the last 2.4.x release before 2.5.0). Same deal.
Since I'm so new to Maven, I don't even know where to begin looking. I tried Project >> Clean and even restarted Eclipse to see if it was just a typical Eclipse "quirk". Nope.
I am thinking:
Could EhCache be publishing bad JARs to the Maven repo?
Could Maven Repo have something wrong with it?
Could this be due to something else configured wrong in my pom.xml?
Could this be a "JAR hell" issue where I have a conflict somewhere on my dependency graph?
How would SO start tackling this problem? Thanks in advance!
It is usually safer to refer to search.maven.org. Dependency from there:
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache</artifactId>
<version>2.5.0</version>
<type>pom</type>
</dependency>
Mind type pom. From module's pom:
This is a pom artifact to pull in ehcache-core and ehcache-terracotta
for clustering. Make sure to set 'type' to 'pom' in your dependency.
Aparently when someone does not need terracotta, ehcache-core will do perfectly fine as other answer states.
They use ehcache-core in the official documentation. Maven Central does not have a jar artifact for ehcache 2.5 which explains your error message.
Using ehcache-core changes the dependency to:
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
<version>2.5.0</version>
</dependency>
Which successfully downloads on my machine (ehcache does not).
I dropped this into IntelliJ and it found it. I suspect there is something wrong with your settings. Try creating a project with only this dependency in it. If it fails to download, I would check your setting. e.g. .m2/settings.xml Are you using a Nexus server or maven proxy/cache?
BTW: A simpler way to search for JARs is to use http://mvnrepository.com/ which will find all the available versions and show you the XML you need to add.