2

I created a project in Github to demonstrate this issue. Why isn't org.springframework.security.oauth2.config.annotation.web.configuration in the classpath?

I have an existing Spring Boot 1.5.x project using Spring Security 4.x that I am trying to upgrade to Spring Boot 2.x with Spring Security 5.x using spring-security-oauth2-autoconfigure:

<dependency>
  <groupId>org.springframework.security.oauth.boot</groupId>
  <artifactId>spring-security-oauth2-autoconfigure</artifactId>
  <version>2.0.5.RELEASE</version>
</dependency>

Here is one of the failing imports:

import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

Application.java:[9,79] package org.springframework.security.oauth2.config.annotation.web.configuration does not exist [ERROR] /Users/stevemitchell/Downloads/problem-spring-security-oauth2-boot/src/main/java/com/demo/service/auth/Application.java:[16,2] cannot find symbol symbol: class EnableResourceServer

I can see org.springframework.security.oauth:spring-security-oauth2:jar:2.3.3.RELEASE:runtime in "mvn dependency:tree."

$ mvn dependency:tree
...
[INFO] \- org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:jar:2.0.5.RELEASE:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile
[INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.6:compile
[INFO]    +- org.springframework.boot:spring-boot:jar:2.0.5.RELEASE:compile
[INFO]    +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.5.RELEASE:compile
[INFO]    +- org.springframework.security.oauth:spring-security-oauth2:jar:2.3.3.RELEASE:runtime
[INFO]    |  +- org.springframework:spring-webmvc:jar:5.0.9.RELEASE:compile
[INFO]    |  +- commons-codec:commons-codec:jar:1.11:runtime
[INFO]    |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:runtime
[INFO]    |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:runtime
[INFO]    +- org.springframework.security:spring-security-jwt:jar:1.0.9.RELEASE:compile
[INFO]    |  \- org.bouncycastle:bcpkix-jdk15on:jar:1.56:compile
[INFO]    |     \- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile
[INFO]    \- org.springframework:spring-web:jar:5.0.9.RELEASE:compile

This should compile. What am I missing?

dur
  • 15,689
  • 25
  • 79
  • 125
Steve Mitchell
  • 88
  • 1
  • 8
  • Possible duplicate of [Maven : what is the "runtime" scope purpose?](https://stackoverflow.com/questions/12272499/maven-what-is-the-runtime-scope-purpose) – dur Oct 04 '18 at 09:37
  • I saw that runtime issue as well, but that is not my situation. I added spring-security-oauth2 explicitly, but it made no difference. It almost feels like a name collision. If you use Intellij autocomplete in the spring-security-oauth2 version attribute, Intellij suggests 2.0.8.RELEASE - 2.0.15.RELEASE; however, the version in the build is 2.3.3.RELEASE. I'll try to exclude it from the spring-security-oauth2-autoconfigure dependency and see what happens. – Steve Mitchell Oct 04 '18 at 20:08
  • I can only pull in 2.0.8 when I exclude it from spring-security-oauth2-autoconfigure. 2.3.3 won't import` org.springframework.security.oauth.boot spring-security-oauth2-autoconfigure 2.0.5.RELEASE org.springframework.security.oauth spring-security-oauth2 ` – Steve Mitchell Oct 04 '18 at 20:37
  • The lastest version is 2.3.3.RELEASE. That should not be a problem. – dur Oct 04 '18 at 20:41
  • After excluding, the explicit dependency only works with 2.0.8, not 2.3.3 ` org.springframework.security.oauth spring-security-oauth2 2.0.8.RELEASE ` – Steve Mitchell Oct 04 '18 at 20:41
  • I did see something strange yesterday making me think it could be a cached Maven Central repo. I did two Google Searches for "spring-security-auth2 maven" and 2.0.8.RELEASE and then for 2.3.3.RELEASE. I got two results with the same URL but different release ranges. Chrome said one URL was not secured. A moment later I could not reproduce that result. – Steve Mitchell Oct 05 '18 at 12:44
  • @dur, can you clone my repository and see if you get the same compile error? https://github.com/smitchell/problem-spring-security-oauth2-boot – Steve Mitchell Oct 05 '18 at 12:45

1 Answers1

2

You should use version 2.0.8 or lower https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2/2.0.8.RELEASE

Monse
  • 61
  • 5