shiro-web jakarta only references javax and not jakarta in MANIFEST.MF

[adessaigne]

Search before asking

• I had searched in the issues and found no similar issues.

Environment

Java 17

Shiro version

shiro-web 1.13.0 jakarta classifier

What was the actual outcome?

The MANIFEST.MF contains references towards javax.servlet and not jakarta.servlet

What was the expected outcome?

The MANIFEST.MF only contains references towards jakarta.servlet and not javax.servlet

How to reproduce

There are 2 ways to see the issue:

1. Add shiro-web with jakarta classifier in an OSGi environment, it will says it cannot find jakarta/servlet/Filter as the bundle classloader is not configured to load jakarta.servlet package but javax.servlet
2. Open the MANIFEST.MF file in the jar and see references to javax and not jakarta

Debug logs

No response

[adessaigne]

Thank you very much 👍

[marcanpilami]

Hello, I've tested the main branch and the fix seems to be incomplete: it replaces the javax namespace by a jakarta one inside the manifest, but without changing the version of the import.

For example, the normal package imports javax.annotation.security;version="[1.3,2)". The fix for the jakarta version just renames it to jakarta.annotation.security;version="[1.3,2)".

However, Jakarta never released a 1.3.x bundle containing jakarta.* package - they only released a transition bundle containing javax.* packages. The first version of jakarta.annotations-api containing a jakarta.* package is 2.0.0.

So we need to change the version, not only the imports. I do not know what shade is able to do here - we may have to add a Maven profile to change the dependencies.

@lprimak : Would it be possible to reopen this or should I create a new ticket?

[marcanpilami]

Please note that as a workaround I'm using these additions at the start of the shade rules. It's rather disgusting, but we are talking about something that is already dirty to work around the Jakarta/javax mess anyway, so if you want I can create a PR with this.

                                    <relocation>
                                        <pattern>javax.annotation.security;version="\[1.3,2\)"</pattern>
                                        <shadedPattern>jakarta.annotation.security;version="\[2,4\)"</shadedPattern>
                                    </relocation>
                                    <relocation>
                                        <pattern>javax.servlet;version="\[4.0,5\)"</pattern>
                                        <shadedPattern>jakarta.servlet;version="\[5.0,6\)"</shadedPattern>
                                    </relocation>
                                    <relocation>
                                        <pattern>javax.servlet.http;version="\[4.0,5\)"</pattern>
                                        <shadedPattern>jakarta.servlet.http;version="\[5.0,6\)"</shadedPattern>
                                    </relocation>

[lprimak]

Thanks for the follow-up.
I am not an OSGi expert, but doesn’t the import say 1.3 or greater? Would this be an actual problem?

If yes, please open another issue.

[marcanpilami]

The original line [1.3,2) says "1.3.0 or greater but strictly less than 2.0.0". I'm replacing it with "2.0.0 or greater but strictly less than 4.0.0" (you use 2, but 3 is actually fully backward compatible with 2 in terms of API).

So OK I'll open an issue, thanks for the answer.

[fpapon]

Yes 2) means 2 and greater are not allowed. I will take a look if we can do something but I'm afraid that the best is to move all to jakarta in source code to avoid fixing these kind of things.

[marcanpilami]

I fully agree. The javax/jakarta issue is too complicated to be made a packaging detail. I see you are already discussing this in #1351 so I'll just concentrate on fixing 2.0.1.

I see a few reasonable ways to get out of this.

• Create an explicit bnd config that overrides the imports. Needs someone used to this on the team.
• Use the hack above. Simplest, somewhat fragile.
• Create another artifact shiro-web-jakarta (and shiro-core-jakarta etc) that imports/shades shiro-web with its own set of correct dependencies (therefore with excludes). Probably the trickiest but most solid.