SEC-1060: Incompatibility with Spring 2.5 POMs #1311

spring-issuemaster opened this Issue Dec 14, 2008 · 3 comments

Brian Hanafee (Migrated from SEC-1060) said:

The Spring Security FAQs say it should be compatible with Spring 2.5.x.

The class imports org.springframework.dao.DataAccessException and throws it from the loadUserByUsername method. DataAccessException was declared in spring-dao 2.0.8.

A workaround is to declare dependency on spring-tx module and set up exclusions to avoid Spring Security 2.0.4 bringing in Spring 2.0.8 modules transitively.
Declare a dependency on spring-tx version 2.5.x (org.springframework:spring-tx), and exclude spring-dao and spring-support from the spring-security dependency (spring-security-core):

```xml
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-aop</artifactId>
  <version>${spring-version}</version>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-tx</artifactId>
  <version>${spring-version}</version>
</dependency>
<dependency>
  <!-- groupId was not preserved in the migrated text; org.springframework.security
       is the groupId Spring Security 2.0.x is published under -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>${security-version}</version>
  <exclusions>
    <exclusion>
      <groupId>org.springframework</groupId>
      <artifactId>spring-dao</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.springframework</groupId>
      <artifactId>spring-support</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Luke Taylor said:

Can you explain why you think this is a bug, please? It just seems like you are describing standard Maven behaviour. Spring Security 2.0 is built against Spring 2.0, so obviously if you want to use it in a Maven build with Spring 2.5 you will have to add the necessary exclusions. Could you expand on what you think should be changed?


Luke Taylor said:

Not a bug.


Brian Hanafee said:

Perhaps this report is recorded against the wrong component. If you want the FAQs to be right, then the POM would have to change (and become rather more complex). Otherwise, the documentation should change.

It’s not quite so obvious, because it’s not just the versions that have changed. In Spring 2.0, DataAccessException is declared in spring-dao, but in Spring 2.5 it is moved to spring-tx. Because that exception is declared thrown by UserDetailsService, the modules that Spring Security 2.0.4 depends on are different between Spring 2.0 and Spring 2.5. There are two FAQs relevant to using Spring Security 2.0.4 with Spring 2.5. Neither FAQ mentions that it’s not just the versions that need to be changed.

As of this writing, the FAQs say:

“What Java and Spring Framework versions are required
“Spring Security 2.0.x requires a minimum JDK version of 1.4 and is built against Spring 2.0.x. It should also be compatible with applications using Spring 2.5.x.”


“How do I know what dependencies to add to my application to work with Spring Security?
“There is no definite answer here, (it will depend on what features you are using), but a good starting point is to copy those from one of the pre-built sample applications WEB-INF/lib directories. For a basic application, you can start with the tutorial sample. If you want to use LDAP, with an embedded test server, then use the LDAP sample as a starting point.

“If you are building your project with maven, then adding the appropriate Spring Security modules to your pom.xml will automatically pull in the core jars that the framework requires. Any which are marked as “optional” in the Spring Security POM files will have to be added to your own pom.xml file if you need them.”

If a project happens to have a direct dependency on spring-dao and declares it to be 2.5 then the compilation will come out OK by luck, because of the transitive dependency of spring-dao 2.5 on spring-tx. However, if the project has no dependency on spring-dao, such as if it’s using just LDAP or OpenID based authentication, then the transitive declarations pull in unnecessary modules and, unless handled explicitly in the project POM, those extra modules will come from Spring 2.0. I’d suggest at minimum adding a note to the second FAQ highlighting the different module dependency and including the workaround.

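A check for the situation described in this thread (Spring 2.0.x modules arriving transitively from spring-security-core next to the Spring 2.5 modules the project declares), as an added example that is not part of the original issue or of Spring Security itself: it parses the text printed by `mvn dependency:tree` and flags any `org.springframework` artifact that either is not at the expected Spring version or is one of the modules (spring-dao, spring-support) that Spring 2.5 folded into spring-tx and that the workaround excludes. The two trees embedded below are constructed samples of what a POM without and with the exclusions might print, not captured build output, and the artifact versions in them are assumptions.

```python
"""Audit a Maven dependency tree for mixed Spring Framework module versions.

Added example, not part of the SEC-1060 thread or of Spring Security.
Feed it the text from `mvn dependency:tree` (default, non-verbose output).
"""
import sys
from collections import defaultdict

SPRING_GROUP = "org.springframework"   # Spring Framework modules only
# Modules whose classes Spring 2.5 moved into spring-tx; seeing them beside a
# 2.5 spring-tx means a Spring 2.0.x POM pulled them in transitively.
RETIRED_MODULES = ("spring-dao", "spring-support")

# Constructed sample (not real build output): a project depending on
# spring-security-core 2.0.4 and spring-tx 2.5.6 with no exclusions.
TREE_BEFORE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo ---
[INFO] com.example:demo:war:1.0
[INFO] +- org.springframework.security:spring-security-core:jar:2.0.4:compile
[INFO] |  +- org.springframework:spring-core:jar:2.0.8:compile
[INFO] |  +- org.springframework:spring-dao:jar:2.0.8:compile
[INFO] |  +- org.springframework:spring-support:jar:2.0.8:compile
[INFO] |  \- org.springframework:spring-aop:jar:2.0.8:compile
[INFO] +- org.springframework:spring-tx:jar:2.5.6:compile
[INFO] \- org.springframework:spring-web:jar:2.5.6:compile
"""

# Constructed sample: the same project after the workaround (direct spring-aop
# and spring-tx at 2.5.6, spring-dao and spring-support excluded).
TREE_AFTER = r"""
[INFO] com.example:demo:war:1.0
[INFO] +- org.springframework:spring-aop:jar:2.5.6:compile
[INFO] |  \- org.springframework:spring-core:jar:2.5.6:compile
[INFO] +- org.springframework:spring-tx:jar:2.5.6:compile
[INFO] |  \- org.springframework:spring-beans:jar:2.5.6:compile
[INFO] \- org.springframework.security:spring-security-core:jar:2.0.4:compile
"""


def parse_tree(text):
    """Return (groupId, artifactId, version) for every artifact line.

    Artifact lines look like groupId:artifactId:type[:classifier]:version[:scope];
    the root project line has no scope, so its version is the last field.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        line = line.lstrip("|+-\\ ")      # drop the tree-drawing prefix
        if " " in line:                    # plugin banner, blank, or prose line
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        deps.append((group, artifact, version))
    return deps


def spring_versions(deps):
    """Map each Spring Framework artifact to the set of versions seen."""
    seen = defaultdict(set)
    for group, artifact, version in deps:
        if group == SPRING_GROUP:
            seen[artifact].add(version)
    return dict(seen)


def audit(text, expected_version, retired=RETIRED_MODULES):
    """Return human-readable findings; an empty list means the tree is clean."""
    findings = []
    for group, artifact, version in parse_tree(text):
        if group != SPRING_GROUP:
            continue
        if artifact in retired:
            findings.append(
                f"{artifact}:{version} is present; Spring 2.5 moved its classes "
                f"into spring-tx, so exclude it from spring-security-core")
        elif version != expected_version:
            findings.append(
                f"{artifact}:{version} does not match Spring {expected_version}")
    return findings


if __name__ == "__main__":
    # With a file argument, audit saved `mvn dependency:tree` output;
    # otherwise run against the constructed samples above.
    expected = sys.argv[2] if len(sys.argv) > 2 else "2.5.6"
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            trees = {sys.argv[1]: fh.read()}
    else:
        trees = {"before": TREE_BEFORE, "after": TREE_AFTER}
    for name, tree in trees.items():
        print(f"== {name} ==")
        for finding in audit(tree, expected) or ["clean"]:
            print(" ", finding)
```

To use it on a real project, save the tree with `mvn dependency:tree > tree.txt` and run the script as `python audit_spring_tree.py tree.txt 2.5.6`; the Maven goal name is real, the script name is this example's own. The check deliberately looks only at the `org.springframework` group, so a Spring Security artifact at 2.0.4 beside Spring 2.5.6 modules is reported as clean, which is exactly the mixed arrangement the FAQ says should work once the exclusions are in place.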
@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016