SEC-2417: Make more obvious that pom.xml cannot be used for building Spring Security

[spring-projects-issues]

Mat Booth (Migrated from SEC-2417) said:

The maven pom.xml files should declare all the dependencies necessary to build a given module, but the pom.xml for the core module does not declare a compile-time dependency on the crypto module.

[spring-projects-issues]

Mat Booth said:

Pull request submitted:

#59

[spring-projects-issues]

Rob Winch said:

Can you elaborate on what problems this is causing you? I ask because, this fix isn't really necessary when using the deployed spring-security-core jar since it includes spring-security-crypto in it. This is done because the core jar should not have any dependencies, but we want crypto available as a standalone jar for projects like Spring Social. The only time this may be a problem is if you are trying to develop Spring Security project itself with Maven (which you shouldn't do you should import as a Gradle project).

[spring-projects-issues]

Mat Booth said:

Yes, that is exactly what I was trying to do - I imported spring-security-core into eclipse as a maven project in order to develop a patch for it as I have no experience with gradle. There are poms in the source, which led me to assume I could use maven.

[spring-projects-issues]

Rob Winch said:

The poms exist in source control so we can see the pom.xml generation has been messed up. In all honesty, I'm not sure how we could properly model something this complex with Maven. Even if that were solved the integration tests are much more complex than Maven can handle (i.e. we compile with Spring 3.2, run all tests using Spring 3.2, and then rerun all the tests against Spring 4 without recompiling the Spring Security jars).

I can see how this causes confusion so I will change this to make it more obvious that the project must be built with Gradle.

[spring-projects-issues]

Mat Booth said:

Thanks for taking the time to explain.

[spring-projects-issues]

Chris Pimlott said:

I ran into similar frustrations and agree it is not at all clear that maven is not a viable way to build spring-security. Why are the poms still there if they are broken and there is no plan to fix them? Otherwise users will naturally assume they can use maven, only to inevitably end up frustrated and confused.

At the very least, there should be a BUILD.md that explains the situation (and maybe a dummy root pom.xml that shows the same thing when you try to run it).

[spring-projects-issues]

Chris Pimlott said:

Thinking on this more, even if spring-security itself can't be built with maven, the samples should all have working POMs in order to demonstrate how to use the library itself, since many people use maven for their own projects. Part of the value of the sample projects is to show how you need to modify your pom in order to start using different aspects spring-security with maven.