rgcv opened a new pull request, #2018: URL: https://github.com/apache/shiro/pull/2018
<!-- For Security Vulnerabilities, please email: [email protected] For more details on how to report a vulnerablity see: https://www.apache.org/security/ --> Following this checklist to help us incorporate your contribution quickly and easily: - [ ] Make sure there is a [GitHub issue](https://github.com/apache/shiro/issues) filed for the change (usually before you start working on it). Trivial changes like typos do not require a GitHub issue. Your pull request should address just this issue, without pulling in other changes. - [ ] Each commit in the pull request should have a meaningful subject line and body. - [ ] Format the pull request title like `[#XXX] - Fixes bug in SessionManager`, where you replace `#XXX` with the appropriate GitHub issue. Best practice is to use the GitHub issue title in the pull request title and in the first line of the commit message. - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why. - [ ] add `fixes #XXX` if merging the PR should close a related issue. - [ ] Run `mvn verify` to make sure basic checks pass. A more thorough check will be performed on your pull request automatically. - [ ] If you have a group of commits related to the same change, please squash your commits into one and force push your branch using `git rebase -i`. - [ ] Committers: Make sure a milestone is set on the PR Trivial changes like typos do not require a GitHub issue (javadoc, comments...). In this case, just format the pull request title like `[DOC] - Add javadoc in SessionManager`. If this is your first contribution, you have to read the [Contribution Guidelines](https://github.com/apache/shiro/blob/master/CONTRIBUTING.md) If your pull request is about ~20 lines of code you don't need to sign an [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure please ask on the developers list. To make clear that you license your contribution under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) you have to acknowledge this by using the following check-box. - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf). --- Hello everyone 👋 First off, I'd like to thank everyone at Apache and the many contributors that make Shiro work. Secondly, I hope you'll excuse the intrusion (which I deeply apologize for, surely one could've read up more on issue tracking, mailing lists -- anywhere but here -- to speak with someone about this,) but I felt like exploring what complications could arise from a "big bang" update to Shiro on virtually all fronts: Jakarta EE, support modules, and the like. This PR consists of my findings. In no way, shape, or form, am I hoping for this contribution to be assimilated. I wished, if anything, to at least start some discourse, and perhaps look into chopping this big bulk of.. "something" (I won't dare call it work) down, understand what's missing (either here or elsewhere) and go from there. I'm aware that I've trumped contribution guidelines with this "patch," for which I once again apologize. But if you'll indulge me, here are a few details about the changeset being "proposed": <details> <summary>List of version changes, concerns, and known issues</summary> Includes version bumps: - Java: 11 -> 17 - Ehcache: 2.6 -> 3.10 - Guice: 6 -> 7 - Jetty: 9.4.56.v2024.. -> 12.0 - `org.eclipse.jetty` -> `org.eclipse.jetty.ee10` - Jakarta EE: 8 -> 10 - Activation: 1.2 -> 2.1 - Annotation: 1.3 -> 2.1 - Enterprise CDI API: 2.0 -> 4.0 - JSON API: 1.1 -> 2.1 - JSON Bind: 1.0 -> 3.0 - Servlet: 4.0 -> 6.0 - Servlet JSP API: 2.2 -> 3.1 - Validation API: 2.0 -> 3.0 - WS RS API: 2.1 -> 3.1 - XML Bind: 2.3 -> 4.0 - Omnifaces: 4.6.1 - CXF RT Client: 3.6 -> 4.0 - Glassfish JAXB RT: 2.3 -> 4.0 - Spring: 5.3 -> 6.2 - Spring Boot: 2.7 -> 3.4 - Hibernate: 5.6 -> 6.6 (sample project) Concerns: - Ehcache migration most certainly needs revision - CI untested (specially Jenkins CD) - `flowlogix`, `omnifaces`, and a few other libs I have no knowledge of, certainly need attention - Spring remoting seems to have been dropped from Spring Context, not sure if replaceable Known issues: - No immediate suitable replacement for `org.eclipse.jetty:apache-jstl` - Ehcache 3.10 is pulling earlier version of jaxb runtime -> conflicting - Added exclusion to circumvent woes - Some web integration tests aren't up to speed - Embedded jetty-based ITs fail, server reports 503 - Arquillian IT fails - Meecrowave support missing (solved in unreleased 2.0.0?) </details> The bulk of the transformation was aided by an [OpenRewrite recipe designed for Spring Boot](https://docs.openrewrite.org/recipes/java/spring/boot3/upgradespringboot_3_3). The choice for employing such a recipe is it is terribly comprehensive, and already includes migrations for things such as Java EE -> Jakarta EE, Java 11 -> 17, and, of course, spring-related dependencies. Certainly there are ways to slice up the work required into pieces, or at least segment this changeset into a more amicable set of commits that makes understanding and reviewing the changes easier. I'm afraid, however, that a lot of things hang on to the Jakarta EE migration, which makes it somewhat difficult to clearly segment units of work. One could potentially work up, module by module, bumping their respective versions and build on top of that. Perhaps that could help, unfortunately I'm only now considering that. --- In short, with a need to upgrade Shiro into the modern (or semi-modern) world of Java came an exploratory venture that led to quite a large changeset. I thought of breaking it down further, but when I realized that, I was in far too deep. Ultimately, decided to share with the community and gather some thoughts, ideas, discuss, and hopefully learn how to then seriously contribute something befitting of a proper release. Thanks in advance! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
