Re: Fwd: [gentoo-java] webapp-config & Java

[Joshua Nichols <nichoj@gentoo.org>]

Jose Gonzalez Gomez wrote:
> ---------- Forwarded message ----------
> From: *Jose Gonzalez Gomez* <jgonzalez.openinput@gmail.com 
> <mailto:jgonzalez.openinput@gmail.com>>
> Date: 27-ene-2006 12:54
> Subject: Re: [gentoo-java] webapp-config & Java
> To: Andrew Cowie <andrew@operationaldynamics.com 
> <mailto:andrew@operationaldynamics.com>>
>
> 2006/1/27, Andrew Cowie < andrew@operationaldynamics.com 
> <mailto:andrew@operationaldynamics.com>>:
>
>     On Thu, 2006-26-01 at 16:56 -0500, Joshua Nichols wrote:
>
>     > Following the spirit of not using bundled jars for building, this
>     leads
>     > me to think that it would be better to explode the wars, and
>     replace the
>     > jars contained within with symlinks to the jars on the system.
>
>     Note that some app-servers can't/won't deal with an exploded war/ear.
>
>
> I think this issue has more to do with solving the issues with java 
> builds based in ant or maven than finding bundled jars... currently 
> almost every Java package out there is built using either ant or maven 
> (please, some Java Gentoo developer correct me if I'm wrong). In the 
> case of maven, jar dependencies are not bundled with source files, 
> they are specified as dependencies in the project descriptors. In the 
> case of web applications, those dependencies are downloaded from 
> binary repositories, and bundled in the WEB-INF/lib directory of the 
> war file at build time. The obvious solution (don't know if easy to 
> implement, I remember some discussion here regarding this) is to 
> intercept in some way the maven dependency resolution mechanism and 
> instead of downloading binary jars, take jars from the java packages 
> already installed by Gentoo.
You are right that most things build using maven and/or ant. We don't 
currently build packages using maven due to the downloading-random-jars 
bit. But the solution to that isn't really relevant to this particular 
discussion, although feel free to revive the previous thread on that matter.
> In case you still want to go the explode/replace way, as Andrew tells, 
> you won't be able to use symlinks, as some app-servers can't deal with 
> exploded archives. You should replace those jars with jars present on 
> the system, and then repackage and deploy the archive. I see this more 
> unnatural than the previous solution, although maybe easier to do.
Perhaps we should first figure out which, if any, web containers / app 
servers don't support explodedness, before discounting this method.

There is a very good reason for going the 
exploded-war-with-symlinked-jars path: you'd always be using the most up 
to date versions of the jars that have been installed on your system. 
Case in point, I recall a security vulnerability recently with struts. 
Now, if you were deploying an unexploded webapp with a vulnerable 
version of struts, then you'd still have the vulnerability in your 
webapp even after updating to a non-vulnerable version of struts. This 
wouldn't happen if we went the exploded-war-with-symlinked-jars, and at 
most you may have to restart the webapp and / or web container.

- Josh
-- 
gentoo-java@gentoo.org mailing list