Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1085: Import-Package version constraints too limited in the annotations bundle #1337

spring-issuemaster opened this Issue Jan 21, 2009 · 1 comment


None yet
1 participant

Jawher Moussa(Migrated from SEC-1085) said:

in, spring-security-core-tiger-2.0.4.jar/META-INF/MANIFEST.MF, and in the Import-Package section, one can see :


ramework.security;version=“[2.0.3.RELEASE,2.0.3.RELEASE]”,org.springf ramework.security.annotation;version=“[2.0.3.RELEASE,2.0.3.RELEASE]”, org.springframework.security.intercept.method;version="[2.0.3.RELEASE ,2.0.3.RELEASE]“,org.springframework.security.vote;version=”[2.0.3.RE LEASE,2.0.3.RELEASE]"

i.e. the import package constraints accepts only the 2.0.3.RELEASE version of the core security bundle.
This way, the annotations bundle ver. 2.0.4 WILL NOT work as is with the core security bundle of the same version in an OSGi environment.

By the way, the version hosted in the “SpringSource Enterprise Bundle Repository” does have a correct manifest (well, with an A qualifier).

I would suggest upgrading the constraints to 2.0.4, or evenen to relax it to something like [2.0.3, 2.1.0).


Luke Taylor said:

We have to redo OSGi support in the next release. There is no longer a core-tiger jar as it will require JDK 1.5. The project modules have also been substantially refactored to support better partitioning of the codebase, avoid split packages across OSGi modules etc.

We will be using bundlor moving forward – See SEC-998.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment