Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude the old annotation and cdi api dependencies #167

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

sberyozkin
Copy link
Contributor

Fixes #166

@sberyozkin sberyozkin requested a review from rdebusscher March 18, 2020 18:06
@rdebusscher
Copy link
Member

These dependencies have the scope runtime. So it is possible that the TCK runners of the vendors no longer work due to this exclusion.

So I would not merge this change as it has unknown effects.

@sberyozkin
Copy link
Contributor Author

@rdebusscher I'm not sure it may have side-effects as we have Jakarta dependencies offering the equivalent and more ? At the very least we should be able to pick up the uptodate DenyAll/etc annotation types, otherwise the legacy annotation types are interfering as in this case. Would it work if I update PR to exclude javax.annotation only ?

@sberyozkin
Copy link
Contributor Author

I'll double check as well on our end, please try running the TCK with these exclusions for your own implementation, if it works in at least 2 cases then it will be pretty safe to exclude :-)

@radcortez
Copy link
Contributor

TCK or Runtimes shouldn't rely on getting these dependencies transitively from Shrinkwrap, so I think its fine to exclude then.

Anyway, I'll run the TCK in SmallRye with these change to see how it looks like.

@sberyozkin
Copy link
Contributor Author

@radcortez I agree.
@rdebusscher I'm pretty sure we can go ahead with this PR but I won't rush and keep it open for a few days for you and other MP JWT colleagues to make sure it is safe

@rdebusscher
Copy link
Member

@sberyozkin I verified and the CDI dependency is today ignored because the CDI v 2.0 is also available at runtime. So the PR will not break our TCK.

But I do not agree with the reason why the PR is created, to circumvent a BUG in Eclipse IDE.

So I will not approve the PR.

@radcortez
Copy link
Contributor

Is this because of Eclipse? I thought we wanted to get rid of javax.* dependencies.

@sberyozkin
Copy link
Contributor Author

sberyozkin commented Mar 23, 2020

@rdebusscher Why is it an Eclipse bug or rather, what is it to do with Eclipse in the end of the day ? Using Eclipse helped to identify the problem which is: we have the legacy APIs leaking into the TCK set of dependencies which is a problem regardless of what IDE is used or if IntelliJ or whatever else is smarter in the way it orders the dependencies.

As per the above discussion, TCK or anything in MP JWT must not depend on anything coming from the non Jakarta dependencies. I'm sorry but I'd like a stronger reason to stop this PR from going in. Provide it to me please.

CC @dblevins, @chunlongliang-ibm, others - any concerns on your end - please let me know

@sberyozkin
Copy link
Contributor Author

@rdebusscher By the way, thanks for testing it with your implementation. I'd like to hear from others too.
IMHO there is no reason to be concerned about this update, it is a small clean up which will make MP JWT a tiny bit neater, without any agenda :-).

@rdebusscher
Copy link
Member

@sberyozkin

Why is it an Eclipse bug or rather, what is it to do with Eclipse in the end of the day ? Using Eclipse helped to identify the problem which is:

Eclipse IDE should not consider runtime scoped dependencies within development.

And by excluding those dependencies from shrinkwrap-resolver-depchain it is possible that shrinkwrap resolver isn't working anymore (because it doesn't have the required dependencies anymore when running the TCK)

So if you want to get rid of the old dependencies, do an upgrade of the shrinkwrap resolver to a newer version which contains the correct dependencies.

@sberyozkin
Copy link
Contributor Author

And by excluding those dependencies from shrinkwrap-resolver-depchain it is possible that shrinkwrap resolver isn't working anymore (because it doesn't have the required dependencies anymore when running the TCK)

I'm sorry, instead of theorizing, given that yourself, and myself too, have confirmed it is not the case, I prefer dealing with the concrete technical objections.

MP JWT, across the board, now uses Jakarta dependencies - these dependencies must, due to their guarantee of the backward compatibility, support anything that any other dependency in MP JWT needs that is now supported by Jakarta dependencies - if it is not the case, then something would be broken in Jakarta dependencies.

So if you want to get rid of the old dependencies, do an upgrade of the shrinkwrap resolver to a newer version which contains the correct dependencies.

Really ? Jakarta dependencies are here in MP JWT poms

@rdebusscher
Copy link
Member

I'm sorry, instead of theorizing, given that yourself, and myself too, have confirmed it is not the case, I prefer dealing with the concrete technical objections.

Because we have MP Rest Client in our TCK runner. But does everyone have this? In fact, our engineers are against excluding this, although it will not break our TCK tests.

Exclusion of transitive dependency is very risky business.

But go ahead if you want to merge this in.

@sberyozkin
Copy link
Contributor Author

@rdebusscher That is fine, thanks for this update. Lets revisit this issue in a few weeks just before 1.2 and make a final decision, cheers

@sberyozkin sberyozkin added this to the JWT-2.0 milestone Apr 5, 2020
@sberyozkin
Copy link
Contributor Author

sberyozkin commented Apr 5, 2020

Hi All, I'm marking it for 2.0.
@chunlongliang-ibm, @dblevins If you think it would be better to fix it for 1.2 then let me know please (myself, Roberto think 1.2 is OK but if someone has a concern then lets sort it out for 2.0)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

DenyAll location error for ejb/EjbEndpoint and jaxrs/RolesEndpoint in Eclipse
3 participants