CAS 6.6.x - Override Spring Version


Chris Durham

Apr 3, 2023, 3:40:08 PM
to CAS Community
Hi,

We use the overlay version of CAS 6.6.7 and because of Snyk warnings need to override the version of Spring from 5.3.22 to 5.3.26.

I've been back through the log4j remediation stuff and tried to follow those guidelines alongside an older requirement to upgrade Spring from 5.2.0, but am unable to get the generated war file to include the new files and exclude the old ones.

I added a bootWar section

    bootWar {
        entryCompression = ZipEntryCompression.STORED
        overlays {
            cas {
                from "org.apereo.cas:cas-server-webapp${project.appServer}:${project.'cas.version'}@war"
                provided = false
                excludes = ["WEB-INF/lib/spring-*-5.3.22.*.jar"]
            }
        }
    }

and updated the dependencies section with

    compileOnly "org.springframework:spring-aop:${springVersion}"
    compileOnly "org.springframework:spring-beans:${springVersion}"
    compileOnly "org.springframework:spring-context:${springVersion}"
    compileOnly "org.springframework:spring-context-support:${springVersion}"
    compileOnly "org.springframework:spring-core:${springVersion}"
    compileOnly "org.springframework:spring-expression:${springVersion}"
    compileOnly "org.springframework:spring-jcl:${springVersion}"
    compileOnly "org.springframework:spring-jdbc:${springVersion}"
    compileOnly "org.springframework:spring-jms:${springVersion}"
    compileOnly "org.springframework:spring-messaging:${springVersion}"
    compileOnly "org.springframework:spring-orm:${springVersion}"
    compileOnly "org.springframework:spring-oxm:${springVersion}"
    compileOnly "org.springframework:spring-tx:${springVersion}"
    compileOnly "org.springframework:spring-web:${springVersion}"
    compileOnly "org.springframework:spring-webmvc:${springVersion}"

Where springVersion is defined as "5.3.26"

I'm presuming the issue is that Spring is pulled in from multiple projects - but do I have to list every single one?

Thanks

Ray Bon

Apr 3, 2023, 4:47:47 PM
to cas-...@apereo.org
Chris,

I have this in my build.gradle

    configurations.all {
        resolutionStrategy {
            cacheChangingModulesFor 0, "seconds"
            cacheDynamicVersionsFor 0, "seconds"
            preferProjectModules()
            def failIfConflict = project.hasProperty("failOnVersionConflict") && Boolean.valueOf(project.getProperty("failOnVersionConflict"))
            if (failIfConflict) {
                failOnVersionConflict()
            }
        }
        exclude group:"io.netty", module: "*"
        exclude group:"com.sun.activation", module: "jakarta.activation"
        exclude group:"jakarta.activation", module: "jakarta.activation-api"
        exclude group:"com.sun.mail", module: "jakarta.mail"
        exclude group:"jakarta.xml.bind", module: "jakarta.xml.bind-api"
        exclude group:"org.jboss.logging", module: "jboss-logging"
        exclude group:"io.dropwizard.metrics", module: "metrics-core"
        // slf4j causes grief for unit tests
        exclude group:"org.apache.logging.log4j", module: "log4j-slf4j-impl"
        // exclude group:"com.squareup.retrofit2", module: "retrofit"
        // exclude group:"", module: ""
    }

And use implementation instead of compileOnly (which means only use the package during the compile step).

Ray
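
Added example, not part of the thread and not CAS project code: a Python check that opens a built WAR, reports which of the Spring Framework modules listed above are bundled at a version other than the expected one, and tests which entries an exclude glob would drop. The function names and sample jar names are constructed, and `fnmatch` is assumed to stand in for the overlay's own exclude matching.

```python
import fnmatch
import io
import re
import zipfile

# Spring Framework modules named in the post. Other spring-* jars
# (spring-boot, spring-security, ...) version independently and are skipped.
MODULES = {"spring-" + m for m in (
    "aop beans context context-support core expression jcl jdbc jms "
    "messaging orm oxm tx web webmvc").split()}
JAR = re.compile(r"^WEB-INF/lib/(.+?)-(\d[\w.]*)\.jar$")


def framework_jars(war):
    """Map each Spring Framework module in the WAR to the versions bundled."""
    found = {}
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR.match(name)
            if m and m.group(1) in MODULES:
                found.setdefault(m.group(1), set()).add(m.group(2))
    return found


def off_version(war, expected):
    """Modules that bundle anything other than exactly the expected version."""
    return {mod: sorted(vers) for mod, vers in framework_jars(war).items()
            if vers != {expected}}


def dropped_by(pattern, names):
    """Entries a glob would exclude. Assumption: fnmatch stands in for the
    overlay's own pattern matching, which may differ for '**' or '/'."""
    return [n for n in names if fnmatch.fnmatchcase(n, pattern)]


def sample_war():
    """Constructed WAR: one module upgraded, one stale, one duplicated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("spring-core-5.3.26.jar", "spring-web-5.3.22.jar",
                    "spring-beans-5.3.22.jar", "spring-beans-5.3.26.jar",
                    "spring-boot-2.7.3.jar"):
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for module, versions in sorted(off_version(sample_war(), "5.3.26").items()):
        print(f"{module}: {', '.join(versions)}")
```

Pass the path of the WAR produced by the overlay build to `off_version` in place of `sample_war()`; an empty result means every listed module present is at the expected version only.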
