Uh, yeah, I think I misunderstood. I think we agree that the code I
attached should work out of the box, requiring no changes to TomEE. That
leaves us with a few options:

1. Use the taglibs-standard-jstlel jars as we are now, and add the
dependency for Xalan -> trivial change, but adds 3MB to our binaries.
2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a CDDL/GPL
+ CP exception licence. Does not require Xalan -> easy change to make and
appears to work (I believe the license is ok for us to use it). Not sure if
there are other restrictions or issues with us using that.
3. Patch the Tomcat taglibs libraries to use the XPath support built into
the JVM as opposed to Xalan. I did have a look at this yesterday, and it
didn't look like a straightforward change at the time. I'm happy to look at
it again though if we feel that's the way forward.

I think you're stating a preference for (3) - is that correct?

Cheers

Jon

On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <[email protected]>
wrote:

> Hmm, shout if wrong but think you misunderstood the "optional" in my
> sentence. I meant we patch trunk to remove the adherence to xalan.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[email protected]>:
>
> > Thanks Romain. That is definitely the simplest path - xalan is already
> > marked as an optional dependency, so we wouldn't need to do anything. From
> > a compliance perspective, where would this leave us? Wouldn't we need this
> > to work out of the box without adding libraries to be compliant? If it
> > doesn't affect us in that respect, then I think we're probably good to go.
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[email protected]>
> > wrote:
> >
> > > Hi Jon
> > >
> > > there is another thread on it (probably on user@)
> > >
> > > I think we should just make xalan optional in the lib and upgrade.
> > >
> > >
> > > Romain Manni-Bucau
> > >
> > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <[email protected]>:
> > >
> > > > Correction - that should be: "CDDL or GPL with classpath exception".
> > > >
> > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > [email protected]> wrote:
> > > >
> > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
> > > > > believe.
> > > > >
> > > > > Jon
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > [email protected]> wrote:
> > > > >
> > > > >> What is the licence for GlassFish one?
> > > > >>
> > > > >> On 31 August 2017 12:38, "Jonathan Gallimore" <[email protected]>
> > > > >> wrote:
> > > > >>
> > > > >> > Hi
> > > > >> >
> > > > >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
> > > > >> > done the same on the 1.7.x branch, specifically to move on from the old
> > > > >> > openejb-jstl (looking at
> > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The taglibs-standard-jstlel
> > > > >> > library does seem to depend on xalan, which we currently do not include in
> > > > >> > TomEE.
> > > > >> >
> > > > >> > The impact is that some XML functions in JSP code do not work, for
> > > > >> > example:
> > > > >> >
> > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > >> >
> > > > >> > <x:parse var="movies">
> > > > >> >     <movies>
> > > > >> >       <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> > > > >> >       <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> > > > >> >       <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> > > > >> >       <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> > > > >> >     </movies>
> > > > >> > </x:parse>
> > > > >> >
> > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> > > > >> >
> > > > >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
> > > > >> > both 1.7.x and master)
> > > > >> >
> > > > >> > Including Xalan does fix this, but it's a 3MB dependency.
> > > > >> >
> > > > >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead,
> > > > >> > which I have tested and seems to work. Anyone have any thoughts?
> > > > >> >
> > > > >> > Jon
> > > > >> >
> > > > >>
> > > > >
> > > > >
> > > >
> > >
> >
>
