Description of problem: This is problem for customers and layered products, they are not able to get all supported jars from maven repo zip. BOM jboss-javaee-6.0-with-security is listed in EAP 6.1.1 Maven BOM Usage document - https://docspace.corp.redhat.com/docs/DOC-153970 I used this BOM from customer perspective and imported all supported/defined dependencies into my testing pom file. I executed dependency:tree goal for maven to get supported jars. The result is failure, I can't get expected files. I was using maven repo zip and central. Problematic artifacts: org.jboss.web:jbossweb:jar:7.0.16.Final Version-Release number of selected component: EAP 6.1.1. ER7
This should be included in EAP 6.1.1 Release Notes as a Known Issue
Nikoleta: can you attach your test pom.xml file and the output of your dependency tree? We need to determine what is requesting the missing artifacts. You are using this differently that a customer because you are attempting to load everything. The missing artifact may be so obscure it will never be used. I spoke with Paul Gier and we don't believe we need to release note this. It's probably been like this since 6.1 and no one has hit the issue.
Marking for exclusion from Release Notes as per comment 2.
Created attachment 792051 [details] Test pom file
Created attachment 792053 [details] Output for test pom file Output of command: mvn -X -U -e -s settings-with-central.xml -f jboss-javaee-6.0-with-security-1.0.4.Final-redhat-9.pom-test-pom dependency:tree Error message: [ERROR] Failed to execute goal on project repo-test: Could not resolve dependencies for project org.jboss.test:repo-test:jar:1.0.0: Could not find artifact org.jboss.web:jbossweb:jar:7.0.16.Final Dependency tree: [DEBUG] org.jboss.test:repo-test:jar:1.0.0 [DEBUG] org.jboss.security:jboss-negotiation-common:jar:2.2.5.Final-redhat-2:compile [DEBUG] org.jboss.logging:jboss-logging:jar:3.1.2.GA:compile [DEBUG] org.jboss.spec.javax.servlet:jboss-servlet-api_3.0_spec:jar:1.0.2.Final-redhat-1:compile (version managed from 1.0.1.Final) [DEBUG] org.jboss.web:jbossweb:jar:7.0.16.Final:compile [DEBUG] org.picketbox:picketbox:jar:4.0.15.Final:compile [DEBUG] org.picketbox:picketbox-commons:jar:1.0.0.final:compile [DEBUG] org.jboss.security:jboss-negotiation-extras:jar:2.2.5.Final-redhat-2:compile [DEBUG] org.jboss.security:jboss-negotiation-ntlm:jar:2.2.5.Final-redhat-2:provided [DEBUG] org.jboss.security:jboss-negotiation-spnego:jar:2.2.5.Final-redhat-2:provided
Created attachment 792055 [details] Modified test pom file Test pom file with problematic dependencies commented out.
The reason for the dependency on the *org.jboss.web:jbossweb:jar:7.0.16.Final* is the artifact: org.jboss.security:jboss-negotiation-project:2.2.5.Final-redhat-2, which has the version definition: *<version.org.jboss.web>7.0.16.Final</version.org.jboss.web>* And the EAP BOM groupId has been changed to: *org.jboss.bom.eap* in EAP 6.2.0 There are 2 approaches to solve this problem: * Rebuild jboss-security-negotiation to change the version definition * Uses the following command to build: mvn -s settings-with-central.xml -f jboss-javaee-6.0-with-security-1.0.4.Final-redhat-9.pom-test-pom -DdependencyManagement=org.jboss.bom:eap6-supported-artifacts:6.2.0.GA dependency:tree where the *-DdependencyManagement=org.jboss.bom:eap6-supported-artifacts:6.2.0.GA* specifies the version definitions, but it requires the maven-dependency-extension installed(see: https://github.com/jboss/maven-dependency-management-extension).
See: https://bugzilla.redhat.com/show_bug.cgi?id=1011918#c12 I think it should be OK for the artifact: org.jboss.security:jboss-negotiation-project:2.2.5.Final-redhat-2 depends on the upstream version of org.jboss:jbossweb:7.0.16.Final, customer can build it against jboss public maven repository(http://repository.jboss.org/nexus/content/groups/public/) So as long as the documentation is updated, this would not be a problem.
We need some more information from the jboss security developer(s) to correctly resolve this. The right solution seems to be one of the following: (A) If jbossweb is not required for development using the BOM, it should be marked "optional" in the jboss-negotiation pom(s) which would prevent it from being included transitively. (B) If jbossweb is required for development when using the BOM, it should be added to the BOM and version managed.
I checked the code of jboss security negotiation, the jbossweb is required(org.jboss.security.negotiation.NegotiationAuthenticator extends org.apache.catalina.authenticator.FormAuthenticator). so I will adopt plan B to add jbossweb to the -with-security bom.
Pull Request: https://github.com/jboss-developer/jboss-eap-boms/pull/46
Created a new PR with the scope set to "provided" for these two dependencies. https://github.com/jboss-developer/jboss-eap-boms/pull/47
Verified for EAP 6.2.0 ER7.1