Using spring-ws/spring-ws-security 2.4.0.RELEASE, we get a Maven Enforcer plugin dependency convergence error.
Apache xmlsec versions 1.x and 2.x are both transitive dependencies.
Is it safe to exclude the 1.x versions of org.apache.santuario:xmlsec?
Dependency convergence error for org.apache.santuario:xmlsec:1.5.8 paths to dependency are:
+-com.acme.web.app:3.14.0.0-SNAPSHOT
  +-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
    +-org.apache.ws.security:wss4j:1.6.19
      +-org.apache.santuario:xmlsec:1.5.8
and
+-com.acme.web.app:3.14.0.0-SNAPSHOT
  +-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
    +-org.apache.ws.security:wss4j:1.6.19
      +-org.opensaml:opensaml:2.5.1-1
        +-org.opensaml:openws:1.4.2-1
          +-org.opensaml:xmltooling:1.3.2-1
            +-org.apache.santuario:xmlsec:1.4.4
and
+-com.acme.web.app:3.14.0.0-SNAPSHOT
  +-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
    +-org.apache.wss4j:wss4j-ws-security-dom:2.1.4
      +-org.apache.wss4j:wss4j-ws-security-common:2.1.4
        +-org.apache.santuario:xmlsec:2.0.5
and
+-com.acme.web.app:3.14.0.0-SNAPSHOT
  +-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
    +-org.apache.wss4j:wss4j-ws-security-dom:2.1.4
      +-org.apache.wss4j:wss4j-ws-security-common:2.1.4
        +-org.opensaml:opensaml-saml-impl:3.1.1
          +-org.opensaml:opensaml-security-impl:3.1.1
            +-org.opensaml:opensaml-security-api:3.1.1
              +-org.apache.santuario:xmlsec:2.0.3
Recently I got this error when adding this dependency:
<dependency>
  <groupId>org.springframework.security.extensions</groupId>
  <artifactId>spring-security-saml2-core</artifactId>
  <version>1.0.9.RELEASE</version>
</dependency>
As described at https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html, the solution is to exclude the dependencies that are duplicated but with different versions.
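An added example (not part of the question or the answer above): a small Python parser for the Enforcer report that groups the conflicting xmlsec versions by the first transitive artifact below spring-ws-security, showing which branch brings in the 1.x line and which the 2.x line. The function names are this example's own, and the embedded report is the first three of the question's four paths with indentation dropped.

```python
from collections import defaultdict

# First three of the four paths from the Enforcer report in the question.
REPORT = """\
Dependency convergence error for org.apache.santuario:xmlsec:1.5.8 paths to dependency are:
+-com.acme.web.app:3.14.0.0-SNAPSHOT
+-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
+-org.apache.ws.security:wss4j:1.6.19
+-org.apache.santuario:xmlsec:1.5.8
and
+-com.acme.web.app:3.14.0.0-SNAPSHOT
+-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
+-org.apache.ws.security:wss4j:1.6.19
+-org.opensaml:opensaml:2.5.1-1
+-org.opensaml:openws:1.4.2-1
+-org.opensaml:xmltooling:1.3.2-1
+-org.apache.santuario:xmlsec:1.4.4
and
+-com.acme.web.app:3.14.0.0-SNAPSHOT
+-org.springframework.ws:spring-ws-security:2.4.0.RELEASE
+-org.apache.wss4j:wss4j-ws-security-dom:2.1.4
+-org.apache.wss4j:wss4j-ws-security-common:2.1.4
+-org.apache.santuario:xmlsec:2.0.5
"""

def parse_paths(report):
    """Return each dependency path as a list of coordinates, root first."""
    paths, current = [], []
    for line in report.splitlines():
        line = line.strip()  # indentation carries no information we need
        if line.startswith("+-"):
            current.append(line[2:])
        elif current:  # "and" (or any other text) closes the current path
            paths.append(current)
            current = []
    return paths + ([current] if current else [])

def versions_by_branch(paths, depth=2):
    # path[0] is the project, path[1] the dependency declared in the pom,
    # path[2] the first transitive hop below it (the branch we group by).
    branches = defaultdict(set)
    for path in paths:
        branch = path[min(depth, len(path) - 1)]  # short paths: use the leaf
        branches[branch].add(path[-1].rsplit(":", 1)[1])
    return {branch: sorted(v) for branch, v in branches.items()}

if __name__ == "__main__":
    for branch, versions in versions_by_branch(parse_paths(REPORT)).items():
        print(f"{branch} -> xmlsec {', '.join(versions)}")
```

A Maven `<exclusion>` matches groupId:artifactId without a version, so the branch artifact printed here is what has to be evaluated when deciding which xmlsec line can be dropped.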