
Dependency Bug in Soteria 1.0


Werner Keil
 

That is good to know, thanks.

Will try it probably on Monday when I get to that demo for security I have to do.

Werner


Rudy De Busscher
 

Werner,

Workaround from Arjan works, I have used it already some months ago for a demo. Works for any Java EE 7 server which doesn't contain Soteria already.

Rudy



On 14 February 2018 at 21:06, Werner Keil <werner.keil@...> wrote:
If the hints for build-time by Arjan work (deployment in Payara 4 build 174 or above should be fine) I guess that'll do for the client I'm helping with security and identity management right now. For many others that also cannot use a snapshot repo a patch within a few weeks would be good.



Werner Keil
 

If the hints for build-time by Arjan work (deployment in Payara 4 build 174 or above should be fine) I guess that'll do for the client I'm helping with security and identity management right now. For many others that also cannot use a snapshot repo a patch within a few weeks would be good.


Werner Keil
 


Will try those in the POM of the dev environment tomorrow. Would be great if it works to show them Soteria in the security PoC, but nevertheless it would be as great if Oracle or someone else could release a patch. Like it was done for the JSON-P RI at least once before that moved to EE4J.


Bill Shannon
 

The project proposal for Soteria should be submitted to the Eclipse Foundation this week.  Then it takes a few weeks for Eclipse to vote on and approve the proposal.  Then the repository and issues need to be migrated.  Then the build infrastructure needs to be set up.  My guess is that it will probably be 4 - 6 weeks before a bug fix can be published from the Eclipse project.  No changes are being made to the existing Java EE Soteria project while this work is in progress.

Werner Keil wrote on 02/14/18 10:23 AM:

All,

I just found a very bad bug in Soteria 1.0 as it's out there in MavenCentral since August 2017 ;-/
I can't even set labels like "bug" but it is clearly a major bug and showstopper from using Soteria unless you run Maven/Gradle etc. in a public web or cloud where Snapshot repositories are available:
https://github.com/javaee/security-soteria/issues/206

When I switch the Java EE dependency to Java EE 8, it seems to work, but the container I'm supposed to use is not Java EE 8 compatible yet nor do any productive Java EE containers out there support EE 8. At most you get betas like Payara 5. 

Without such a fix I may be able to abandon Soteria in the actual PoC for now and stick to APIs in JAX-RS with similar functionality (like SecurityContext).
Hope this can be fixed in the org.glassfish.soteria groupId rather than having to wait for the new EE4J project to release something eventually?

Regards,
Werner


Arjan Tijms
 

Payara 174 has Soteria as well. The war only has to depend on the API, not on Soteria itself. The 1.0 API is available from Maven central:

<dependency>
    <groupId>javax.security.enterprise</groupId>
    <artifactId>javax.security.enterprise-api</artifactId>
    <version>1.0</version>
    <scope>provided</scope>
</dependency>

Alternatively, I think it should work with any other server if you depend on Soteria indeed, but exclude the API from it. See:

https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html

Then include the 1.0 API dependency.

Something like:

<!-- API -->
<dependency>
    <groupId>javax.security.enterprise</groupId>
    <artifactId>javax.security.enterprise-api</artifactId>
    <version>1.0</version>
</dependency>

<!-- Impl, without Api -->
<dependency>
    <groupId>org.glassfish.soteria</groupId>
    <artifactId>javax.security.enterprise</artifactId>
    <version>1.0</version>
    <exclusions>
        <exclusion>
            <groupId>javax.security.enterprise</groupId>
            <artifactId>javax.security.enterprise-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
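
An added example, not part of Arjan's post or the Soteria project: a Python check that a POM applies the exclusion workaround described above and declares no -SNAPSHOT dependency versions. The sample POM is constructed and check_pom is a hypothetical helper name; it inspects only directly declared dependencies, not transitive ones.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
API = ("javax.security.enterprise", "javax.security.enterprise-api")
IMPL = ("org.glassfish.soteria", "javax.security.enterprise")

# Constructed sample POM that applies the exclusion workaround from the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1</version>
  <dependencies>
    <dependency>
      <groupId>javax.security.enterprise</groupId>
      <artifactId>javax.security.enterprise-api</artifactId>
      <version>1.0</version>
    </dependency>
    <dependency>
      <groupId>org.glassfish.soteria</groupId>
      <artifactId>javax.security.enterprise</artifactId>
      <version>1.0</version>
      <exclusions><exclusion>
        <groupId>javax.security.enterprise</groupId>
        <artifactId>javax.security.enterprise-api</artifactId>
      </exclusion></exclusions>
    </dependency>
  </dependencies>
</project>"""

def _ga(el):
    # (groupId, artifactId) of a <dependency> or <exclusion> element
    return (el.findtext("m:groupId", "", NS).strip(), el.findtext("m:artifactId", "", NS).strip())

def check_pom(pom_xml):
    """Return a list of problems; an empty list means the workaround is in place."""
    root = ET.fromstring(pom_xml)
    deps = root.findall("m:dependencies/m:dependency", NS)
    problems = []
    api_declared = any(_ga(d) == API for d in deps)
    for d in deps:
        version = d.findtext("m:version", "", NS).strip()
        if version.endswith("-SNAPSHOT"):
            problems.append("%s:%s uses snapshot version %s" % (_ga(d) + (version,)))
        if _ga(d) == IMPL:
            excluded = {_ga(e) for e in d.findall("m:exclusions/m:exclusion", NS)}
            if API not in excluded:
                problems.append("Soteria impl does not exclude the API artifact")
            if not api_declared:
                problems.append("API artifact is not declared as a direct dependency")
    return problems
```

Running it against the effective POM (the output of mvn help:effective-pom) also covers versions inherited from a parent POM.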


Werner Keil
 

I know but the client currently only uses Payara 174 at most, and the WAR still must be built against a valid Maven repo, no snapshots allowed there.
If Payara has public (Final) Maven JARs I could use here instead, that might work.


Arjan Tijms
 

On Wed, Feb 14, 2018 at 10:23 am, Werner Keil wrote:
When I switch the Java EE dependency to Java EE 8, it seems to work, but the container I'm supposed to use is not Java EE 8 compatible yet nor do any productive Java EE containers out there support EE 8. At most you get betas like Payara 5.

One other option is Payara 4.181, which includes Soteria and is fully supported, as well as publicly available.


Werner Keil
 

All,

I just found a very bad bug in Soteria 1.0 as it's out there in MavenCentral since August 2017 ;-/
I can't even set labels like "bug" but it is clearly a major bug and showstopper from using Soteria unless you run Maven/Gradle etc. in a public web or cloud where Snapshot repositories are available:
https://github.com/javaee/security-soteria/issues/206

When I switch the Java EE dependency to Java EE 8, it seems to work, but the container I'm supposed to use is not Java EE 8 compatible yet nor do any productive Java EE containers out there support EE 8. At most you get betas like Payara 5. 

Without such a fix I may be able to abandon Soteria in the actual PoC for now and stick to APIs in JAX-RS with similar functionality (like SecurityContext).
Hope this can be fixed in the org.glassfish.soteria groupId rather than having to wait for the new EE4J project to release something eventually?

Regards,
Werner