Skip to content

Transitive module dependences not matching dependencies in POM #369

Description

@g-tom

With 4278cc1 (#299), jakarta.security requires transitive jakarta.servlet, jakarta.security.auth.message and jakarta.json. While the Maven artifact providing jakarta.json (jakarta.json:jakarta.json-api) has <scope>compile</scope>, the artifacts providing the two other modules (jakarta.servlet:jakarta.servlet-api, jakarta.authentication:jakarta.authentication-api) have <scope>provided</scope>.

The latter therefore are not transitive dependencies of a Maven project with dependency jakarta.security.enterprise:jakarta.security.enterprise-api (see table in Maven docs).

As a consequence, if the Maven project defines a module which requires jakarta.security, it has implicit dependences on jakarta.servlet, jakarta.security.auth.message and jakarta.json, but only jakarta.json is provided by a transitive dependency.

Therefore, the build fails with e.g. "module not found: jakarta.security.auth.message", if there is no direct dependency on jakarta.authentication:jakarta.authentication-api, regardless of whether this dependency is actually used.

Example:
A Maven project with

<dependencies>
  <dependency>
    <groupId>jakarta.servlet</groupId>
    <artifactId>jakarta.servlet-api</artifactId>
    <version>6.1.0</version>
  </dependency>
  <dependency>
    <groupId>jakarta.security.enterprise</groupId>
    <artifactId>jakarta.security.enterprise-api</artifactId>
    <version>4.0.0</version>
  </dependency>
</dependencies>

provides all necessary classes for e.g.

public class TestAuthentication implements HttpAuthenticationMechanism {
    @Override
    public AuthenticationStatus validateRequest(
        HttpServletRequest httpRequest,
        HttpServletResponse httpResponse,
        HttpMessageContext ctx
    ) throws AuthenticationException {
        return ctx.doNothing();
    }
}

If this is packaged into a module

module test {
  requires jakarta.security;
  requires jakarta.servlet;
}

building fails as described above.

As a work-around, an unused dependency has to be declared:

<dependency>
  <groupId>jakarta.authentication</groupId>
  <artifactId>jakarta.authentication-api</artifactId>
  <version>3.1.0</version>
</dependency>

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions