Release 1.0 in Maven Central and its dependency tree


Ashley Richardson
 

Hi,

Now that the 1.0 release is posted on Maven Central, can someone just check if I am following the POMs completely wrong:

org.glassfish.security:javax.security.enterprise 1.0 contains the following dependency:

<dependency>
   <groupId>javax.security.enterprise</groupId>
   <artifactId>javax.security.enterprise-api</artifactId>
   <version>${api_dependency_version}</version>
</dependency>

http://central.maven.org/maven2/org/glassfish/soteria/javax.security.enterprise/1.0/javax.security.enterprise-1.0.pom

That ${api_dependency_version} comes from the parent POM at org.glassfish.soteria:parent 1.0
http://central.maven.org/maven2/org/glassfish/soteria/parent/1.0/parent-1.0.pom

In that parent POM that property is listed as 1.1-b01-SNAPSHOT

However on Maven Central that version does not exist and only versions b05-b11 plus 1.0 exist
http://central.maven.org/maven2/javax/security/enterprise/javax.security.enterprise-api/

I only noticed this as I am updating a project to use Soteria 1.0 from b07 and the build no longer runs due to dependencies not being found.

Can someone please check my train of logic and if I did follow this correctly what can we do to fix it up?

Regards,

Ashley Richardson


Arjan Tijms
 

Hi,

At a quick glance, that doesn't look quite good at all :O

The Java EE 8 samples project uses the API 1.0 pom without any issues. Both locally and on a clean Travis environment it could be resolved.

See https://github.com/javaee-samples/javaee8-samples/blob/1ddfa41dd54582fea518124c3d1f307b61f57396/pom.xml#L149

Payara 5 also used the 1.0 version, but includes both API and Implementation artefacts:

See https://github.com/payara/Payara/blob/Payara-5/appserver/pom.xml#L670

The workaround therefore may be to specify both API and Implementation dependencies in your pom. Not ideal, of course. But could you perhaps try that?

Kind regards,
Arjan Tijms


Ashley Richardson
 

Hi,

Specifying the API version at 1.0 does indeed fix the dependency and build problem.

I'll just add a GitHub issue reflecting my original email to the Soteria repository so it's at least documented and tracked.

Regards,

Ashley Richardson


Ashley Richardson
 

Hi,

This issue (and workaround) is now logged as 193: https://github.com/javaee/security-soteria/issues/193

Regards,

Ashley Richardson


Will Hopkins
 

The other thing you can do is build with "mvn -P release". That's how the 1.0 implementation jar was built with a dependency on the 1.0 final API jar.

Maven doesn't make it easy to release things that also need to be built in snapshot mode, and the release plugin is helpful in some ways but unhelpful in others. If anybody has any ideas how to code the pom file so it works better I'm open to suggestions. Meanwhile I'll figure out what the options are for publishing an updated release and publish something that has a 1.0 API dependency in snapshot mode (probably not until sometime next week -- taking vacation this week).

Will

On 09/21/2017 07:59 PM, Ashley Richardson wrote:
Hi,

Specifying the API version at 1.0 does indeed fix the dependency and build problem.

I'll just add a GitHub issue reflecting my original email to the Soteria repository so it's at least documented and tracked.

Regards,

Ashley Richardson

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Developer Experience
35 Network Drive, Burlington, MA 01803
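
A pre-release check for the problem discussed in this thread, as an added example (not code from Soteria or from any poster): it resolves `${...}` placeholders in a module POM against its parent's `<properties>` and reports dependencies whose version ends up as a `-SNAPSHOT` or stays unresolved. The two POM strings are constructed, trimmed stand-ins that use only the coordinates and property value quoted above; the function names are hypothetical and Maven profiles such as `release` are not evaluated.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed, trimmed stand-ins for the parent and module POMs in the thread.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.glassfish.soteria</groupId>
  <artifactId>parent</artifactId>
  <version>1.0</version>
  <properties>
    <api_dependency_version>1.1-b01-SNAPSHOT</api_dependency_version>
  </properties>
</project>"""

MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>javax.security.enterprise</artifactId>
  <dependencies>
    <dependency>
      <groupId>javax.security.enterprise</groupId>
      <artifactId>javax.security.enterprise-api</artifactId>
      <version>${api_dependency_version}</version>
    </dependency>
  </dependencies>
</project>"""

def pom_properties(pom_xml):
    """Return the <properties> of one POM as a dict (empty if absent)."""
    props = ET.fromstring(pom_xml).find("m:properties", NS)
    return {} if props is None else {
        p.tag.rsplit("}", 1)[-1]: (p.text or "").strip() for p in props}

def resolve(value, props):
    """Substitute ${name} placeholders; unknown names are left in place."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)

def unreleasable_dependencies(module_xml, parent_xml):
    """List dependencies whose version resolves to a SNAPSHOT or stays unresolved."""
    props = {**pom_properties(parent_xml), **pom_properties(module_xml)}
    findings = []
    for dep in ET.fromstring(module_xml).findall("m:dependencies/m:dependency", NS):
        g, a, v = (resolve(dep.findtext(f"m:{t}", "", NS), props)
                   for t in ("groupId", "artifactId", "version"))
        if v.endswith("-SNAPSHOT") or "${" in v:
            findings.append(f"{g}:{a}:{v}")
    return findings

if __name__ == "__main__":
    print(unreleasable_dependencies(MODULE_POM, PARENT_POM))
```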