Question
I'm building a self-contained jar with the maven shade plugin (an uberjar) and I get warnings for all the spring-security-crypto classes:
[WARNING] We have a duplicate org/springframework/security/crypto/bcrypt/BCrypt.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/codec/Base64.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/codec/Hex.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/codec/InvalidBase64CharacterException.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/codec/package-info.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/codec/Utf8.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/encrypt/AesBytesEncryptor$1.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
[WARNING] We have a duplicate org/springframework/security/crypto/encrypt/AesBytesEncryptor.class in ***\.m2\repository\org\springframework\security\spring-security-crypto\3.1.0.RELEASE\spring-security-crypto-3.1.0.RELEASE.jar
...
I looked into the spring-security-core jar and saw that it contains all the classes spring-security-crypto contains. Furthermore upon comparing the sources you see they are the same.
I know I can ignore it since the classes are the same but:
- This can change if the classes in spring-security-core don't get updated.
- More importantly I don't understand why this is happening? It is important to note that spring-security-core itself has a compile dependency on spring-security-crypto which totally baffles me.
Would love any explanation and solution that are out there.
Answer 1:
It's a bug in 3.1.0. There shouldn't be a dependency from core to crypto. The separate crypto jar is only intended for use in some other Spring projects which don't use Spring Security. It's a side-effect of the way the build is configured that it ended up in the core pom.
Just add a Maven exclusion to your pom dependency for spring-security-core to stop it pulling in the crypto jar as a transitive dependency.
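The exclusion described in the answer above, as an added example that is not part of the original answer. It assumes spring-security-core is declared directly in your pom at the 3.1.0.RELEASE version shown in the warnings.

```xml
<!-- Added example: declare spring-security-core and exclude the transitive
     spring-security-crypto jar, so only one copy of the crypto classes
     (the one bundled inside core) reaches the shaded jar. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>3.1.0.RELEASE</version>
  <exclusions>
    <exclusion>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-crypto</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<!-- To confirm the crypto jar is gone from the resolved graph, run:
     mvn dependency:tree -Dincludes=org.springframework.security -->
```

If another dependency also pulls in spring-security-crypto, the dependency tree output will show which one, and the same exclusion has to be repeated there.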
Source: https://stackoverflow.com/questions/10870015/spring-security-core-and-spring-security-crypto-maven-artifacts-duplicate-class