[MGNLSSO-80] JSONArray library conflict Created: 02/Sep/21  Updated: 03/Aug/22  Resolved: 17/Jun/22

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 2.0
Fix Version/s: 2.0.4

Type: Bug Priority: Low
Reporter: Richard Gange Assignee: Evzen Fochr
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: JPEG File JSONArray-conflict.jpg     PNG File NoClassDefFound.png    
Issue Links:
relation
Sub-Tasks:
Key
Summary
Type
Status
Assignee
MGNLSSO-136 Implementation Technical task Completed Evzen Fochr  
MGNLSSO-137 Review Technical task Closed Nguyen Phung Chi  
MGNLSSO-138 PiQA Technical task Closed Evzen Fochr  
MGNLSSO-139 QA Technical task Completed Nguyen Phung Chi  
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO support for custom IdPs
Sprint: AdminX 12
Story Points: 1
Team: AdminX

 Description   

The code from pac4j-config-4.5.2 has a dependency on com.nimbusds lib in OidcClientBuilder.

When trying to satisfy the dependency it creates a conflict with the JSONArray library. Our code brings in net.minidev.json.JSONArray while nimbusds has its own version com.nimbusds.jose.shaded.json.JSONArray.

We should remove the hard dependency to net.minidev and instead use the common List interface which would allow either JSONArray class to work.

Notes
Issue caused by nimbus v9. Use v8.22.



 Comments   
Comment by Richard Gange [ 02/Sep/21 ]

Should be done when we upgrade to pac4j v5

Comment by Nguyen Phung Chi [ 08/Jun/22 ]

Discovery:

We have done the removing the dependency to net.minidev while upgrading to pac4j version 5 (MGNLSSO-105), but the upgrade only done for SSO module v3 because SSO v2.x need to compatible with Java 8 (along with Magnolia 6.2)

In fact, this dependency removing can be done on SSO v2 without the upgrade.

To do:

  • Remove net.minidev:json-smart dependency in pom.xml
  • Change the casting in GroupsAuthorizationGenerator#generate (reference to SSO v3 on the same class)

cc mrajkovic , efochr 

Generated at Mon Feb 12 10:50:55 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.