[ 
https://issues.apache.org/jira/browse/SLING-11882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723174#comment-17723174
 ] 

Stefan Seifert edited comment on SLING-11882 at 5/16/23 3:54 PM:
-----------------------------------------------------------------

If you run into this problem in a unit test context, add a dependency definition 
like this in the last position in your POM as a workaround:
{code:xml}
<dependency>
  <groupId>org.apache.sling</groupId>
  <artifactId>org.apache.sling.xss</artifactId>
  <scope>test</scope>
</dependency>
{code}
This will ensure that the Guava classes defined in other dependencies are 
loaded first, and the embedded classes from this bundle do not take precedence.

This may e.g. happen if sling-mock is used, because sling-mock has a dependency 
on org.apache.sling.xss, and usually it's best practice to place the sling-mock 
dependency near the top of your dependency list.


was (Author: sseif...@pro-vision.de):
If you run into this problem in a unit test context, add a dependency definition 
like this in the last position in your POM as a workaround:
{code:xml}
<dependency>
  <groupId>org.apache.sling</groupId>
  <artifactId>org.apache.sling.xss</artifactId>
  <scope>test</scope>
</dependency>
{code}
This will ensure that the Guava classes defined in other dependencies are 
loaded first, and the embedded classes from this bundle do not take precedence.

> XSS Protection API: Apply shading/package relocation to embedded Guava+Co 
> Libraries
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-11882
>                 URL: https://issues.apache.org/jira/browse/SLING-11882
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 2.3.0
>            Reporter: Stefan Seifert
>            Priority: Major
>             Fix For: XSS Protection API 2.3.8
>
>
> With version 2.3.0 of the XSS Protection API the internal implementation was 
> switched to the OWASP sanitizer library (esapi) in SLING-7231.
> With this new implementation comes a load of third-party libraries including a 
> Guava version, which is embedded as private packages in the OSGi bundle. This 
> is completely fine from an OSGi bundle perspective and works.
> However, in unit test contexts this can lead to problems, because depending 
> on the dependency order the embedded Guava classes may overlay other Guava 
> classes referenced in the same POM with a different version, leading to 
> problems running code in the unit test context. To prevent problems like 
> this, we usually apply a shading and relocation of the package names to 
> ensure such clashes in the classpath do not happen.
> The same problem may affect other libraries embedded in the bundle.
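
Added example (not part of the original Jira message and not Sling project code): a small Python check that lists Guava classes present in more than one jar on a flat test classpath, in classpath order, so the first jar named is the copy that gets loaded. The jar names and their contents are constructed stand-ins; the second ordering corresponds to placing org.apache.sling.xss last, as in the workaround above.

```python
import os
import tempfile
import zipfile

GUAVA_PREFIX = "com/google/common/"  # Guava's package, as a path inside a jar

def shadowed_classes(classpath, prefix=GUAVA_PREFIX):
    """Return {class_entry: [jar, ...]} for classes under prefix that occur in
    more than one jar. Jars keep classpath order, so jars[0] is the copy a flat
    (non-OSGi) classloader resolves and the others are silently shadowed."""
    owners = {}
    for jar in classpath:
        with zipfile.ZipFile(jar) as zf:
            for entry in sorted(set(zf.namelist())):
                if entry.startswith(prefix) and entry.endswith(".class"):
                    owners.setdefault(entry, []).append(os.path.basename(jar))
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}

def build_sample_jars(directory):
    """Constructed sample input: a bundle embedding Guava classes, and Guava."""
    contents = {
        "xss-bundle.jar": ["org/apache/sling/xss/XSSAPI.class",
                           "com/google/common/collect/ImmutableList.class"],
        "guava.jar": ["com/google/common/collect/ImmutableList.class",
                      "com/google/common/base/Preconditions.class"],
    }
    paths = {}
    for jar_name, entries in contents.items():
        paths[jar_name] = os.path.join(directory, jar_name)
        with zipfile.ZipFile(paths[jar_name], "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # empty placeholder, not real bytecode
    return paths

def demo():
    """Compare the two orderings: bundle first vs. bundle last (the workaround)."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = build_sample_jars(tmp)
        bundle_first = [jars["xss-bundle.jar"], jars["guava.jar"]]
        bundle_last = list(reversed(bundle_first))
        return shadowed_classes(bundle_first), shadowed_classes(bundle_last)

if __name__ == "__main__":
    for label, result in zip(("bundle first", "bundle last"), demo()):
        print(label, result)
```

On a real project the classpath list would come from the build, for example the file written by `mvn dependency:build-classpath -Dmdep.outputFile=cp.txt`.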


