
spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608

Closed
ninjacoda opened this issue May 28, 2020 · 5 comments
Labels: in: build (An issue in the build), type: bug (A general bug)

Comments

ninjacoda commented May 28, 2020

Describe the bug
When trying to run an integration test the following error occurs:

java.lang.AssertionError: No value at JSON path "$[?(@.name == 'foo' && @.pId == 'bar')]"
  at org.springframework.test.util.JsonPathExpectationsHelper.evaluateJsonPath(JsonPathExpectationsHelper.java:295)
  ...
Caused by: java.lang.NoClassDefFoundError: net/minidev/json/writer/JsonReaderI
  at com.jayway.jsonpath.internal.DefaultsImpl.<init>(DefaultsImpl.java:17)
  ...
Caused by: java.lang.ClassNotFoundException: net.minidev.json.writer.JsonReaderI
  at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
  ...

This is due to a version clash on transitive dependency net.minidev:json-smart between spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0.

Here's the partial output from:

mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:tree -Dverbose=true

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.0.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)
=> dependency is net.minidev:json-smart:jar:2.3:test

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.2.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile
=> dependency is net.minidev:json-smart:jar:1.3.1:compile

I'm logging this against Spring Security, as moving from com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 to com.nimbusds:oauth2-oidc-sdk:jar:8.4.2 would likely fix the issue, as that defines its dependency as net.minidev:json-smart:[1.3.1,2.3].

As per the Maven docs, that would permit json-smart:2.3 to be used:

[1.2,1.3]: Hard requirement for any version between 1.2 and 1.3 inclusive.

By the way: The dependency in oauth2-oidc-sdk:jar:8.4.2 (i.e. [1.3.1,2.3]) would indicate that json-smart version 2.3 might be backwards-compatible to version 1.3.1, but as this is a dependency of a security-related library I would rather not take the chance of just forcing the new version of json-smart on oauth2-oidc-sdk using dependencyManagement.

To Reproduce
Using the following dependencies:

  • spring-security-oauth2-client:5.3.2
  • spring-boot-starter-test:2.3.0

running this test:

// Kotlin WebTestClient assertion from the issue; it fails with the NoClassDefFoundError above
webTestClient.get().uri("${PATH}?pid=bar")
        .exchange()
        .expectStatus().is2xxSuccessful
        .expectBody()
        .jsonPath("$[?(@.name == 'foo' && @.pId == 'bar')]").exists()

Expected behavior
Provided the response contains the properties and values specified in the jsonPath, the test should run and pass, not fail due to a missing class.

@ninjacoda ninjacoda added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 28, 2020
ninjacoda (Author) commented

I did a bit more digging, and it turns out that up to and including com.nimbusds:oauth2-oidc-sdk:7.0.2, the library declared the same dependency range of [1.3.1,2.3] for json-smart. At that point, they changed it due to this request, but reintroduced the range for json-smart in April 2020 (for newer releases). Based on that, it's probably safe to force version 2.3 on com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 (provided that what I found is indeed the official repo or a correct clone of it).
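One way to apply the pin the author proposes above (force json-smart 2.3 through dependencyManagement) and, at the same time, make a split like the one in the dependency:tree output fail the build instead of surfacing as a NoClassDefFoundError during a test. This is an added example, not code from the issue or from the Spring Security project; the maven-enforcer-plugin version is an assumption.

```xml
<!-- Added example (not from the issue or the project). -->
<project>
  <!-- groupId, artifactId and parent omitted for brevity -->

  <dependencyManagement>
    <dependencies>
      <!-- Mitigation: one managed version for the transitive artifact.
           2.3 lies inside the [1.3.1,2.3] range that oauth2-oidc-sdk
           itself declares, as described in the issue text. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>2.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Detection: the dependencyConvergence rule fails the build whenever
           two paths in the tree resolve different versions of the same
           artifact (here json-smart 1.3.1 via oauth2-oidc-sdk versus 2.3 via
           json-path), so the clash is caught at "mvn verify" time. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version> <!-- assumed; use a current release -->
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Without the dependencyManagement entry the enforce goal fails and lists net.minidev:json-smart with both 1.3.1 and 2.3; with it the tree converges on 2.3 and the build passes.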

@jzheaux jzheaux added in: build An issue in the build and removed status: waiting-for-triage An issue we've not yet triaged labels May 30, 2020
@jzheaux jzheaux added this to the 5.4.0-M2 milestone May 30, 2020
jzheaux (Contributor) commented May 30, 2020

Thanks for all the digging you did here, @ninjacoda.

After some of my own, I think it's best to simply upgrade the Nimbus dependencies, that way Spring Security doesn't add any additional managed dependencies to its list. In general, it's a bit easier to only manage the beans that Spring Security depends on directly.

There's a bit of a related discussion going on in #8543 and #8564, so I think it'd be best to see how those conversations go before deciding precisely what versions of nimbus-jose-jwt and oauth2-oidc-sdk to upgrade to.

jzheaux added a commit that referenced this issue Jun 3, 2020
jzheaux (Contributor) commented Jun 4, 2020

Fixed via 94737df

@jzheaux jzheaux closed this as completed Jun 4, 2020
ninjacoda (Author) commented

Thanks, @jzheaux. Unfortunately,

  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-dependencies</artifactId>
  <version>2.3.1.RELEASE</version>

still defines

  <oauth2-oidc-sdk.version>7.1.1</oauth2-oidc-sdk.version>

and

  <dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>oauth2-oidc-sdk</artifactId>
        <version>${oauth2-oidc-sdk.version}</version>
      </dependency>

    </dependencies>
  </dependencyManagement>

in its dependency management, so this is still broken for JSON Path asserts:

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile

and

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)

I'm not sure this is the right project to report it to, though - or if this ticket will reopen.
If not, I might try the main spring boot project instead...

jzheaux (Contributor) commented Jun 16, 2020

Thanks for this extra information, @ninjacoda, and sorry this is still a problem for you.

You are correct that Spring Boot manages dependencies via spring-boot-dependencies and that filing a ticket there is a good place to begin addressing that concern.
