Hi, Shiro moved to using GitHub Issues and away from JIRA. Please feel free to create an issue there.
Yes, multiple dependencies are required. However, it’s not a showstopper by any means, and is clearly documented here: https://shiro.apache.org/jakarta-ee.html <https://shiro.apache.org/jakarta-ee.html> JSP dependency is optional and does not trickle down into applications. It’s used only for downstream tests, so it should not be an issue. As far as commons-configuration2, it doesn’t bring any javax.* transitive dependencies downstream, so it should not be an issue either. Here is an example of mvn dependency:tree of a sample project. As you can see, no javax.* dependencies are included: [INFO] --- dependency:3.6.1:tree (default-cli) @ hope-website --- [INFO] com.flowlogix:hope-website:war:1.x-SNAPSHOT [INFO] +- jakarta.platform:jakarta.jakartaee-api:jar:10.0.0:provided [INFO] | +- jakarta.platform:jakarta.jakartaee-web-api:jar:10.0.0:provided [INFO] | | +- jakarta.servlet:jakarta.servlet-api:jar:6.0.0:provided [INFO] | | +- jakarta.servlet.jsp:jakarta.servlet.jsp-api:jar:3.1.0:provided [INFO] | | +- jakarta.el:jakarta.el-api:jar:5.0.1:provided [INFO] | | +- jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:jar:3.0.0:provided [INFO] | | +- jakarta.faces:jakarta.faces-api:jar:4.0.1:provided [INFO] | | +- jakarta.websocket:jakarta.websocket-api:jar:2.1.0:provided [INFO] | | +- jakarta.websocket:jakarta.websocket-client-api:jar:2.1.0:provided [INFO] | | +- jakarta.ejb:jakarta.ejb-api:jar:4.0.1:provided [INFO] | | +- jakarta.transaction:jakarta.transaction-api:jar:2.0.1:provided [INFO] | | +- jakarta.persistence:jakarta.persistence-api:jar:3.1.0:provided [INFO] | | +- jakarta.validation:jakarta.validation-api:jar:3.0.2:provided [INFO] | | +- jakarta.authentication:jakarta.authentication-api:jar:3.0.0:provided [INFO] | | +- jakarta.security.enterprise:jakarta.security.enterprise-api:jar:3.0.0:provided [INFO] | | \- jakarta.enterprise.concurrent:jakarta.enterprise.concurrent-api:jar:3.0.1:provided [INFO] | +- jakarta.platform:jakarta.jakartaee-core-api:jar:10.0.0:provided [INFO] | | +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:provided [INFO] | | +- jakarta.json:jakarta.json-api:jar:2.1.0:provided [INFO] | | +- jakarta.json.bind:jakarta.json.bind-api:jar:3.0.0:provided [INFO] | | +- jakarta.interceptor:jakarta.interceptor-api:jar:2.1.0:provided [INFO] | | +- jakarta.enterprise:jakarta.enterprise.cdi-api:jar:4.0.1:provided [INFO] | | +- jakarta.inject:jakarta.inject-api:jar:2.0.1:provided [INFO] | | \- jakarta.enterprise:jakarta.enterprise.lang-model:jar:4.0.1:provided [INFO] | +- jakarta.jms:jakarta.jms-api:jar:3.1.0:provided [INFO] | +- jakarta.activation:jakarta.activation-api:jar:2.1.0:provided [INFO] | +- jakarta.mail:jakarta.mail-api:jar:2.1.0:provided [INFO] | +- jakarta.resource:jakarta.resource-api:jar:2.1.0:provided [INFO] | +- jakarta.authorization:jakarta.authorization-api:jar:2.1.0:provided [INFO] | \- jakarta.batch:jakarta.batch-api:jar:2.1.1:provided [INFO] +- org.eclipse.microprofile:microprofile:pom:6.0:provided [INFO] | +- org.eclipse.microprofile.config:microprofile-config-api:jar:3.0.2:provided [INFO] | +- org.eclipse.microprofile.fault-tolerance:microprofile-fault-tolerance-api:jar:4.0.2:provided [INFO] | +- org.eclipse.microprofile.health:microprofile-health-api:jar:4.0.1:provided [INFO] | +- org.eclipse.microprofile.metrics:microprofile-metrics-api:jar:5.0.0:provided [INFO] | +- org.eclipse.microprofile.jwt:microprofile-jwt-auth-api:jar:2.1:provided [INFO] | +- org.eclipse.microprofile.openapi:microprofile-openapi-api:jar:3.1:provided [INFO] | \- org.eclipse.microprofile.rest.client:microprofile-rest-client-api:jar:3.0.1:provided [INFO] +- org.osgi:osgi.annotation:jar:8.1.0:provided [INFO] +- org.kohsuke:libpam4j:jar:1.11:compile [INFO] +- net.java.dev.jna:jna:jar:5.14.0:compile [INFO] +- org.postgresql:postgresql:jar:42.7.2:compile [INFO] | \- org.checkerframework:checker-qual:jar:3.42.0:runtime [INFO] +- org.projectlombok:lombok:jar:1.18.30:provided [INFO] +- com.flowlogix:flowlogix-datamodel:jar:9.0:compile [INFO] | \- com.flowlogix:flowlogix-jee:jar:9.0:compile [INFO] +- org.apache.shiro:shiro-jakarta-ee:jar:jakarta:2.0.0:compile [INFO] +- org.apache.shiro:shiro-cdi:jar:jakarta:2.0.0:compile [INFO] +- org.apache.commons:commons-lang3:jar:3.14.0:compile [INFO] +- org.slf4j:slf4j-api:jar:2.0.12:compile [INFO] +- org.jsoup:jsoup:jar:1.17.2:compile [INFO] +- org.apache.shiro:shiro-core:jar:jakarta:2.0.0:compile [INFO] | +- org.apache.shiro:shiro-lang:jar:2.0.0:compile [INFO] | +- org.apache.shiro:shiro-cache:jar:2.0.0:compile [INFO] | +- org.apache.shiro:shiro-crypto-hash:jar:2.0.0:compile [INFO] | | +- org.apache.shiro:shiro-crypto-core:jar:2.0.0:compile [INFO] | | \- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile [INFO] | +- org.apache.shiro.crypto:shiro-hashes-argon2:jar:2.0.0:runtime [INFO] | +- org.apache.shiro.crypto:shiro-hashes-bcrypt:jar:2.0.0:runtime [INFO] | +- org.apache.shiro:shiro-crypto-cipher:jar:2.0.0:compile [INFO] | +- org.apache.shiro:shiro-config-core:jar:2.0.0:compile [INFO] | +- org.apache.shiro:shiro-config-ogdl:jar:2.0.0:compile [INFO] | | \- commons-beanutils:commons-beanutils:jar:1.9.4:compile [INFO] | | \- commons-collections:commons-collections:jar:3.2.2:compile [INFO] | +- org.apache.shiro:shiro-event:jar:2.0.0:compile [INFO] | \- org.apache.commons:commons-configuration2:jar:2.9.0:compile [INFO] | \- org.apache.commons:commons-text:jar:1.10.0:compile [INFO] +- org.apache.shiro:shiro-web:jar:jakarta:2.0.0:compile [INFO] | \- org.owasp.encoder:encoder:jar:1.2.3:compile [INFO] +- org.omnifaces:omnifaces:jar:4.3:compile [INFO] +- org.primefaces:primefaces:jar:jakarta:13.0.7:compile [INFO] +- org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:jar:4.0.2:provided [INFO] | +- org.eclipse.persistence:org.eclipse.persistence.jpa:jar:4.0.2:provided [INFO] | | +- org.eclipse.persistence:org.eclipse.persistence.asm:jar:9.5.0:provided [INFO] | | +- org.eclipse.persistence:org.eclipse.persistence.core:jar:4.0.2:provided [INFO] | | \- org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:jar:4.0.2:provided [INFO] | \- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:provided [INFO] +- org.slf4j:slf4j-jdk14:jar:2.0.12:compile [INFO] +- org.slf4j:jcl-over-slf4j:jar:2.0.12:compile [INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.10.2:test [INFO] | +- org.opentest4j:opentest4j:jar:1.3.0:test [INFO] | +- org.junit.platform:junit-platform-commons:jar:1.10.2:test [INFO] | \- org.apiguardian:apiguardian-api:jar:1.1.2:test [INFO] \- org.junit.jupiter:junit-jupiter-engine:jar:5.10.2:test [INFO] \- org.junit.platform:junit-platform-engine:jar:1.10.2:test > On Mar 11, 2024, at 9:21 AM, Emond Papegaaij <[email protected]> > wrote: > > Op ma 11 mrt 2024 om 13:37 schreef Francois Papon > <[email protected] <mailto:[email protected]>>: > Most of the dependencies are linked to Shiro-core, this is why we didn't add > exclusion on this one: > > https://github.com/apache/shiro/blob/36cad481dd1f58f7f0263981d7f4a61dd39dbd8c/bom/pom.xml#L36 > > <https://github.com/apache/shiro/blob/36cad481dd1f58f7f0263981d7f4a61dd39dbd8c/bom/pom.xml#L36> > Yes, I noticed, but this still requires multiple dependencies in your > project. For example, shiro-spring depends on shiro-web and shiro-core. To > use shiro-spring with jakarta, you now need to add 3 dependencies, not just > 1. This is the reason why we at Topicus decided to publish transformed > artifacts under a different version, not with a classifier. Its very easy to > manage the version of dependencies, without breaking the transitive > dependencies. > > For the shiro-lang javax dependencies, it's not normal, we missed it (issue > and PR are welcome). > > Unfortunately I cannot create tickets on your Jira, even though I do have a > valid Jira account (being a commiter on Apache Wicket). Shiro does not show > up in the list of projects I can create issues on. I don't know why. A PR > will be difficult as I do not know what this dependency is for and what > resolution would be desired. > > > About the jakarta move, we are discussing about it and the next major release > will bring it without jakarta classifier. > > That would be great. The world is moving on and many open source projects are > already dropping support for JEE8. > > PS. It seems something went wrong with the dependency on > commons-configuration2. It currently is a required dependency of shiro-core. > Everything in the code seems to suggest this was supposed to be an optional > dependency. > > Best regards, > Emond
