Jose Gonzalez Gomez wrote:
> ---------- Forwarded message ----------
> From: *Jose Gonzalez Gomez* <jgonzalez.openinput@...
> Date: 27-ene-2006 12:54
> Subject: Re: [gentoo-java] webapp-config & Java
> To: Andrew Cowie <andrew@...
> 2006/1/27, Andrew Cowie < andrew@...
> On Thu, 2006-26-01 at 16:56 -0500, Joshua Nichols wrote:
> > Following the spirit of not using bundled jars for building, this
> > me to think that it would be better to explode the wars, and
> replace the
> > jars contained within with symlinks to the jars on the system.
> Note that some app-servers can't/won't deal with an exploded war/ear.
> I think this issue has more to do with solving the issues with java
> builds based in ant or maven than finding bundled jars... currently
> almost every Java package out there is built using either ant or maven
> (please, some Java Gentoo developer correct me if I'm wrong). In the
> case of maven, jar dependencies are not bundled with source files,
> they are specified as dependencies in the project descriptors. In the
> case of web applications, those dependencies are downloaded from
> binary repositories, and bundled in the WEB-INF/lib directory of the
> war file at build time. The obvious solution (don't know if easy to
> implement, I remember some discussion here regarding this) is to
> intercept in some way the maven dependency resolution mechanism and
> instead of downloading binary jars, take jars from the java packages
> already installed by Gentoo.
You are right that most things build using maven and/or ant. We don't
currently build packages using maven due to the downloading-random-jars
bit. But the solution to that isn't really relevant to this particular
discussion, although feel free to revive the previous thread on that matter.
> In case you still want to go the explode/replace way, as Andrew tells,
> you won't be able to use symlinks, as some app-servers can't deal with
> exploded archives. You should replace those jars with jars present on
> the system, and then repackage and deploy the archive. I see this more
> unnatural than the previous solution, although maybe easier to do.
Perhaps we should first figure out which, if any, web containers / app
servers don't support explodedness, before discounting this method.
There is a very good reason for going the
exploded-war-with-symlinked-jars path: you'd always be using the most up
to date versions of the jars that have been installed on your system.
Case in point, I recall a security vulnerability recently with struts.
Now, if you were deploying an unexploded webapp with a vulnerable
version of struts, then you'd still have the vulnerability in your
webapp even after updating to a non-vulnerable version of struts. This
wouldn't happen if we went the exploded-war-with-symlinked-jars, and at
most you may have to restart the webapp and / or web container.
email@example.com mailing list