Gentoo Archives: gentoo-java

From: Joshua Nichols <nichoj@g.o>
Cc: gentoo-java@l.g.o
Subject: Re: Fwd: [gentoo-java] webapp-config & Java
Date: Sun, 29 Jan 2006 01:58:51
In Reply to: Fwd: [gentoo-java] webapp-config & Java by Jose Gonzalez Gomez
Jose Gonzalez Gomez wrote:
> ---------- Forwarded message ---------- > From: *Jose Gonzalez Gomez* <jgonzalez.openinput@×××××.com > <mailto:jgonzalez.openinput@×××××.com>> > Date: 27-ene-2006 12:54 > Subject: Re: [gentoo-java] webapp-config & Java > To: Andrew Cowie <andrew@×××××××××××××××××××.com > <mailto:andrew@×××××××××××××××××××.com>> > > 2006/1/27, Andrew Cowie < andrew@×××××××××××××××××××.com > <mailto:andrew@×××××××××××××××××××.com>>: > > On Thu, 2006-26-01 at 16:56 -0500, Joshua Nichols wrote: > > > Following the spirit of not using bundled jars for building, this > leads > > me to think that it would be better to explode the wars, and > replace the > > jars contained within with symlinks to the jars on the system. > > Note that some app-servers can't/won't deal with an exploded war/ear. > > > I think this issue has more to do with solving the issues with java > builds based in ant or maven than finding bundled jars... currently > almost every Java package out there is built using either ant or maven > (please, some Java Gentoo developer correct me if I'm wrong). In the > case of maven, jar dependencies are not bundled with source files, > they are specified as dependencies in the project descriptors. In the > case of web applications, those dependencies are downloaded from > binary repositories, and bundled in the WEB-INF/lib directory of the > war file at build time. The obvious solution (don't know if easy to > implement, I remember some discussion here regarding this) is to > intercept in some way the maven dependency resolution mechanism and > instead of downloading binary jars, take jars from the java packages > already installed by Gentoo.
You are right that most things build using maven and/or ant. We don't currently build packages using maven due to the downloading-random-jars bit. But the solution to that isn't really relevant to this particular discussion, although feel free to revive the previous thread on that matter.
> In case you still want to go the explode/replace way, as Andrew tells, > you won't be able to use symlinks, as some app-servers can't deal with > exploded archives. You should replace those jars with jars present on > the system, and then repackage and deploy the archive. I see this more > unnatural than the previous solution, although maybe easier to do.
Perhaps we should first figure out which, if any, web containers / app servers don't support explodedness, before discounting this method. There is a very good reason for going the exploded-war-with-symlinked-jars path: you'd always be using the most up to date versions of the jars that have been installed on your system. Case in point, I recall a security vulnerability recently with struts. Now, if you were deploying an unexploded webapp with a vulnerable version of struts, then you'd still have the vulnerability in your webapp even after updating to a non-vulnerable version of struts. This wouldn't happen if we went the exploded-war-with-symlinked-jars, and at most you may have to restart the webapp and / or web container. - Josh -- gentoo-java@g.o mailing list


Subject Author
Re: Fwd: [gentoo-java] webapp-config & Java Greg Tassone <greg@×××××××.net>