Missing dependencies in maven poms

[MichaelVetter]

The maven pom files of the spring security modules in Version 5.5.1 do not contain third party dependencies. This can cause build or runtime errors when other dependency versions are used. We had a problem with the update to commons-codec 1.15 (see #9575 ).

To Reproduce
Use spring security modules like spring-security-saml2-service-provider in Version 5.5.1 with maven and without spring boot.

Expected behavior
The generated maven poms should contain all third party dependencies.

[rwinch]

Is this still a problem? If so, can you provide a pom that is missing a dependency and state which dependency is missing? Our poms do not include optional, provided, or test dependencies as they are not used by Maven for transitive dependencies anyway.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[MichaelVetter]

@rwinch: Sorry for the late answer, I am currently on vacation.
Yes it is still a problem in 5.7.1
This pom does not have a direct dependency to commons-codec 1.15:
https://repo1.maven.org/maven2/org/springframework/security/spring-security-saml2-service-provider/5.7.1/spring-security-saml2-service-provider-5.7.1.pom
spring-security-dependencies.gradle contains several other depentencies that are not in the spring security poms we use (core, config, web, saml2, oauth2), e.g.:

• api "commons-logging:commons-logging:1.2"
• api "org.bouncycastle:bcprov-jdk15on:1.68"

Where can I find the information which dependencies are considered optional in spring security?

[rwinch]

This pom does not have a direct dependency to commons-codec 1.15:

You are correct. This was addressed in gh-11322

api "commons-logging:commons-logging:1.2"

Spring uses spring-jcl for logging which uses the same APIs as commons-logging, but implements improved support for other logging libraries. See spring-projects/spring-framework#19081 (comment)

api "org.bouncycastle:bcprov-jdk15on:1.68"

This is an optional dependency that you are responsible for managing the version for. You can find the list of versions that Spring Security uses at https://github.com/spring-projects/spring-security/blob/5.7.0/dependencies/spring-security-dependencies.gradle When we add support for using Gradle Feature Variants (see gh-11377) you would see optional dependencies listed in the Maven poms and be able to consume the variants from Gradle.

Does this address all of your concerns?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[MichaelVetter]

@rwinch: Thank you, Gradle Feature Variants would be helpful.
Is it possible to add comments to the spring-security-dependencies.gradle file to mark optional and required dependencies there?

[rwinch]

@MichaelVetter It doesn't make sense to add comments to optional dependencies in spring-security-dependencies.gradle because it is only for managing the version. The decision if it is optional is in each individual module's gradle file.

[rwinch]

I'm going to close this in favor of the gh-11377 If you find that this doesn't solve the issue, please comment on this issue.