Dependency Mismatch Between Security and Core?

[danic]

Hello everybody.

I am working on an application which, additionally to Spring MVC uses Spring Security. I have recently tried to upgrade to the latest Spring versions (3.2.1 and 3.1.3). However, I have encountered the following problem:
- Spring Security Core depends on Spring AOP
- Spring AOP depends on Spring ASM
- Spring Core doesn't depend on ASM as the needed parts from ASM are already packaged within the Spring Core (especially the ClassVisitor abstract class)
- the application is packaged as a web archive (WAR)
- in the lib folder, Maven copies both spring-core-3.2.1.RELEASE.jar and spring-asm-3.0.7.RELEASE.jar
- the problem is that both of them contain different definitions for ClassVisitor (abstract class vs. interface)
- when trying to deploy the application, I have:

Code:

Caused by: java.lang.IncompatibleClassChangeError: class org.springframework.core.type.classreading.ClassMetadataReadingVisitor has interface org.springframework.asm.ClassVisitor as super class

Can anyone explain me how I can overcome this?

Thanks in advance!

Best regards,
Daniel

[Marten Deinum]

Use the correct versions... Use dependency-management to enforce the 3.2 version (or exclude the old version from spring security).

[danic]

Dear Marten,

Thank you for your reply. I have tried forcing ASM to the latest version (3.1.4) with no result (same exception). I do not really understand what you mean by "correct versions". Is there an incompatibility between Security 3.1.3 and Core 3.2.1?

Currently, my pom.xml contains:

Code:

	<properties>
		<org.springframework.version>3.2.1.RELEASE</org.springframework.version>
		<org.springframework.security.version>3.1.3.RELEASE</org.springframework.security.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${org.springframework.version}</version>
			<scope>compile</scope>
		</dependency>

		
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>
...

Best regards,
Daniel

[Marten Deinum]

There is no asm for spring 3.2.x as those files are in core...

No there is no mismatch but you have to manage yoru dependencies correctly... Currently you only have spring-webmvc as dpendency which would result in the other dependencies to come transative from spring-security.

I tend to use the dependencyManagement tag to enforce the correct versions of the dependencies. You can use mvn dependency:tree to check which dependencies pulls in the asm jar and then exclude it.

[danic]

Thank you very much for your suggestions, Marten. They helped me understand and solve the problem.

Here is the modified pom.xml (maybe this will help someone else as well) - I also had to force other dependencies (context, web, jdbc, tx) to the latest versions:

Code:

	<properties>
		<org.springframework.version>3.2.1.RELEASE</org.springframework.version>
		<org.springframework.security.version>3.1.3.RELEASE</org.springframework.security.version>
	</properties>

	<dependencies>
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-context</artifactId>
		    <version>${org.springframework.version}</version>
		</dependency>		

		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-web</artifactId>
		    <version>${org.springframework.version}</version>
		</dependency>

		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-jdbc</artifactId>
		    <version>${org.springframework.version}</version>
		</dependency>
		
		<dependency>
		    <groupId>org.springframework</groupId>
		    <artifactId>spring-tx</artifactId>
		    <version>${org.springframework.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${org.springframework.version}</version>
			<scope>compile</scope>
		</dependency>
		
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
			<exclusions>
				<exclusion>
					<groupId>org.springframework</groupId>
					<artifactId>spring-asm</artifactId>
				</exclusion>
			</exclusions>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${org.springframework.security.version}</version>
			<scope>compile</scope>
		</dependency>
...

Best regards,
Daniel