SEC-1994: Spring security 3.1.1.RELEASE is not JDK 1.5 compatible #2215

Closed
spring-issuemaster opened this Issue Jul 8, 2012 · 5 comments

2 participants

@spring-issuemaster

Lyor Goldstein (Migrated from SEC-1994) said:

Even though the site states that it only requires 1.5+. See maven build exception below as well as javap command result.

Compiled from "Authentication.java"
public interface org.springframework.security.core.Authentication extends java.security.Principal,java.io.Serializable
SourceFile: "Authentication.java"
minor version: 0
major version: 50
Constant pool:
const #1 = class #21; // org/springframework/security/core/Authentication
const #2 = class #22; // java/lang/Object
const #3 = class #23; // java/security/Principal
const #4 = class #24; // java/io/Serializable
const #5 = Asciz getAuthorities;
const #6 = Asciz ()Ljava/util/Collection;;
const #7 = Asciz Signature;
const #8 = Asciz ()Ljava/util/Collection<+Lorg/springframework/security/core/GrantedAuthority;>;;
const #9 = Asciz getCredentials;
const #10 = Asciz ()Ljava/lang/Object;;
const #11 = Asciz getDetails;
const #12 = Asciz getPrincipal;
const #13 = Asciz isAuthenticated;
const #14 = Asciz ()Z;
const #15 = Asciz setAuthenticated;
const #16 = Asciz (Z)V;
const #17 = Asciz Exceptions;
const #18 = class #25; // java/lang/IllegalArgumentException
const #19 = Asciz SourceFile;
const #20 = Asciz Authentication.java;
const #21 = Asciz org/springframework/security/core/Authentication;
const #22 = Asciz java/lang/Object;
const #23 = Asciz java/security/Principal;
const #24 = Asciz java/io/Serializable;
const #25 = Asciz java/lang/IllegalArgumentException;

{
public abstract java.util.Collection getAuthorities();
Signature: length = 0x2
00 08

public abstract java.lang.Object getCredentials();

public abstract java.lang.Object getDetails();

public abstract java.lang.Object getPrincipal();

public abstract boolean isAuthenticated();

public abstract void setAuthenticated(boolean) throws java.lang.IllegalArgumentException;
Exceptions:
throws java.lang.IllegalArgumentException
}


org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project insight-dashboard: Compilation failure
/opt/hudson/workspace/jobs/insight-continuous-jvm1.5/workspace/core/dashboard/src/main/java/com/springsource/insight/dashboard/util/RequireAdminTag.java:[11,-1] cannot access org.springframework.security.core.Authentication
bad class file: /opt/hudson/.m2/repository/org/springframework/security/spring-security-core/3.1.1.RELEASE/spring-security-core-3.1.1.RELEASE.jar(org/springframework/security/core/Authentication.class)
class file has wrong version 50.0, should be 49.0

@spring-issuemaster

Rob Winch said:

Thank you for reporting this issue. Like any bug this should not have happened, but hopefully the explanation below helps to understand why it did happen. The problem occurred with the update from gradle 1.0-m3 to gradle 1.0 which had changed the default sourceCompatibility from 1.5 to the current JDK being used. While our CI server builds with 1.5 we typically release with 1.6 due to:

  • It can be difficult to obtain a 1.5 JDK for a Mac
  • We run into unfixed JDK bugs in 1.5 that have been fixed in JDK 1.6
@spring-issuemaster

Rob Winch said:

A fix which explicitly states the sourceCompatibility and targetCompatibility has been pushed to master. If anyone wants a workaround until 3.1.2 is released they can use 3.1.0 or they can build the tagged 3.1.1 release with JDK 1.5. Note that I have also logged SEC-1995 and SEC-1996 to help ensure things like this do not happen again.

@spring-issuemaster

Lyor Goldstein said:

Thanks for the quick reply - we have "downgraded" to 3.1.0.RELEASE for now and can wait for 3.1.2 which I assume will be JDK 1.5 compatible. BTW, on an un-related (or yes) question, is there some intention to declare that Spring artifacts will no longer be JDK 1.5 compatible as of some future version ? Like you mentioned, there are quite a few issues/bugs that have been fixed in 1.6 ...

@spring-issuemaster

Rob Winch said:

Spring Security will likely follow the JDK version of Spring. Despite JDK 1.5 being EOL since Oct of 2009, I am not aware of any planned changes in the minimum JDK version (i.e. Spring 3.2.0.M1 at this time still requires JDK 1.5+).

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
@spring-issuemaster

This issue relates to #2125

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment