Hi,
First, the spring-security bundles are available on Maven Central:
https://repo1.maven.org/maven2/org/apache/servicemix/bundles/org.apache.servicemix.bundles.spring-security-core/5.4.6_1/
Second, the resolver uses your bundle headers. So, if you use import package
statement without boundaries, the resolver could try to use the latest spring
security version available for the resolver.
Then, you have two options:
1. You use right import package statement, something like
org.springframework.security*;version=“[5.3,5.4)”.
For instance, if you don’t specify the version (it means version=0.0.0), or
if you set version=5.3 (meaning [5.3,) so any version newer or equal to 5.3),
the resolver will try to use 5.4.
2. You can blacklist spring-security 5.4 features to avoid resolver to consider
it
Regards
JB
> Le 22 déc. 2021 à 16:56, Steven Huypens <steven.huyp...@gmail.com> a écrit :
>
> Hi all,
>
> After upgrading our custom Karaf distribution from 4.3.3 to 4.3.4 our
> application tries to download some spring-security 5.4.x bundles that are
> not used by our application (it uses 5.3.x). The download fails because our
> application has no access to any repository:
>
> 2021-12-22 12:39:27,040 -
> [o.a.k.f.i.s.BootFeaturesInstaller][activator-1-thread-2] ERROR - Error
> installing boot features
> org.apache.karaf.features.internal.util.MultiException: Error:
> Error downloading
> mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-taglibs/5.4.6_1
> Error downloading
> mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-core/5.4.6_1
> Error downloading
> mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-config/5.4.6_1
> Error downloading
> mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-acl/5.4.6_1
> Error downloading
> mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-security-web/5.4.6_1
> at
> org.apache.karaf.features.internal.download.impl.MavenDownloadManager$MavenDownloader.<init>(MavenDownloadManager.java:91)
> at
> org.apache.karaf.features.internal.download.impl.MavenDownloadManager.createDownloader(MavenDownloadManager.java:72)
> at
> org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:457)
> at
> org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:452)
> at
> org.apache.karaf.features.internal.region.SubsystemResolver.resolve(SubsystemResolver.java:224)
> at
> org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:399)
> at
> org.apache.karaf.features.internal.service.FeaturesServiceImpl.doProvision(FeaturesServiceImpl.java:1069)
> at
> org.apache.karaf.features.internal.service.FeaturesServiceImpl.lambda$doProvisionInThread$13(FeaturesServiceImpl.java:1004)
> at
> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
> at
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> at
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> at java.base/java.lang.Thread.run(Thread.java:829)
>
> It looks like adding the 5.4.x spring-security features (KARAF-7198) to
> spring-legacy-4.3.4-features.xml makes our application download them,
> although we're explicitly stating we want another version :
>
> <feature version="5.3.3.RELEASE_2"
> dependency="false">spring-security</feature>
>
> Because the karaf-maven-plugin does not download the 5.4.x bundles in the
> system-folder when creating the distro, I'm assuming our configuration is
> OK, but it looks the mechanism at runtime works different from the one used
> by the karaf-maven-plugin.
>
> Any suggestions, other than upgrading to Spring 5.4.x ?
>
> Kind regards,
> Steven
