Hi Lenny,
> Shiro moved to using GitHub Issues and away from JIRA. Please feel free to > create an issue there. > That explains why I couldn't report an issue. I've created https://github.com/apache/shiro/issues/1351 > Yes, multiple dependencies are required. However, it’s not a showstopper > by any means, > and is clearly documented here: https://shiro.apache.org/jakarta-ee.html > I'm not saying its a showstopper. I've migrated our code base to v2.0.0 and its working. However, the current solution isn't pretty as it breaks basic maven rules with transitive dependencies. I've managed to put most of the hassle in our shared code base, so individual projects don't have to add the extra dependencies. We also have to keep monitoring we do not get the non-jakarta artifacts again if we pull in other libraries that depend on Shiro. JSP dependency is optional and does not trickle down into applications. > It’s used only for downstream tests, so it should not be an issue. > That's what I thought. We're using an extension on the maven enforcer that warns us if we include code that still uses JEE8 APIs. I've decided to ignore this class. > As far as commons-configuration2, it doesn’t bring any javax.* transitive > dependencies downstream, so it should not be an issue either. > commons-configuration2 does depend on Javax Servlet APIs, but these classes are not used by Shiro from what I can see. However, it seems this dependencies was supposed to be optional, and its not. This code checks if the classes are available: https://github.com/apache/shiro/blob/36cad481dd1f58f7f0263981d7f4a61dd39dbd8c/config/ogdl/src/main/java/org/apache/shiro/config/ogdl/ReflectionBuilder.java#L782-L789 But here, the dependency is add as required: https://github.com/apache/shiro/blob/36cad481dd1f58f7f0263981d7f4a61dd39dbd8c/core/pom.xml#L146-L149 I've submit a bug report for that. It's not related to Jakarta EE and should be very easy to fix. Best regards, Emond
