Hi,

Most of the dependencies are linked to Shiro-core; this is why we didn't add an exclusion on this one:

https://github.com/apache/shiro/blob/36cad481dd1f58f7f0263981d7f4a61dd39dbd8c/bom/pom.xml#L36

For the shiro-lang javax dependencies, it's not normal, we missed it (issue and PR are welcome).

About the Jakarta move, we are discussing it, and the next major release will bring it without the jakarta classifier.

regards,

François

On 11/03/2024 13:14, Emond Papegaaij wrote:
Hi François,

Thanks for your reply. This BOM simply excludes every shiro dependency. That makes the problem even worse, because then you have to manually add every single shiro dependency back into your project.

Also, it seems shiro-lang still has a dependency on the Servlet JSP API and no transformed jar is available. I don't know why shiro-lang has this optional dependency. I decided to ignore it, because we do not use JSP. This dependency however will never be satisfied in a JEE 9/10/11 environment.

Bytecode transformation for Jakarta has always been seen as a stopgap solution. Almost all of our dependencies now provide native JEE 9/10/11 support on their latest releases. Are there any plans on moving to Jakarta in source?

Best regards,
Emond

On Mon 11 Mar 2024 at 13:02, Francois Papon <francois.pa...@openobject.fr> wrote:

    Hi,

    You need to use the Shiro BOM to not have to deal with the exclusions:

    https://github.com/apache/shiro/blob/main/bom/pom.xml

    regards,

    François

    On 11/03/2024 11:01, Emond Papegaaij wrote:
    > Hi all,
    >
    > Our application uses Jakarta EE 10. We've been using transformed
    > artifacts for Shiro 1.x and now I'm trying to migrate to 2.0.0. Shiro
    > 2.0.0 seems to have pre-transformed jars for jakarta with a different
    > classifier. This does not work at all. All dependencies (both from
    > third party libraries and internal between shiro modules) still
    > reference the artifacts without the classifiers. For example,
    > org.apache.shiro:shiro-web:2.0.0:jakarta depends on
    > org.apache.shiro:shiro-core:2.0.0 (without the jakarta). This forces
    > us to add exclusions all over the place and at the same time add extra
    > dependencies for the modules that are now missing.
    >
    > I've tried to submit a ticket for this in Jira, but somehow I'm not
    > able to. Shiro is not in the list of projects, even though I do have a
    > valid Jira account. Do you have any plans to provide proper Jakarta
    > support, preferably without any transformation?
    >
    > Also, Shiro seems to use apache commons configuration2. This library
    > still depends on the javax servlet API, and it seems it does not yet
    > support Jakarta. I don't know what Shiro uses this library for, but it
    > might fail if deployed on a JEE9+ server.
    >
    > Best regards,
    > Emond
