spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart

[ninjacoda]

Describe the bug
When trying to run an integration test the following error occurs:

java.lang.AssertionError: No value at JSON path "$[?(@.name == 'foo' && @.pId == 'bar')]"
  at org.springframework.test.util.JsonPathExpectationsHelper.evaluateJsonPath(JsonPathExpectationsHelper.java:295)
  ...
Caused by: java.lang.NoClassDefFoundError: net/minidev/json/writer/JsonReaderI
  at com.jayway.jsonpath.internal.DefaultsImpl.<init>(DefaultsImpl.java:17)
  ...
Caused by: java.lang.ClassNotFoundException: net.minidev.json.writer.JsonReaderI
  at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
  ...

This is due to a version clash on transitive dependency net.minidev:json-smart between spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0.

Here's the partial output from

mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:tree -Dverbose=true

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.0.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)
=> dependency is net.minidev:json-smart:jar:2.3:test

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.2.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile
=> dependency is net.minidev:json-smart:jar:1.3.1:compile

I'm logging this against Spring Security, as moving from com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 to com.nimbusds:oauth2-oidc-sdk:jar:8.4.2 would likely fix the issue, as that defines its dependency as net.minidev:json-smart:[1.3.1,2.3]

As per maven docs, that would permit for json-smart:2.3 being used:

[1.2,1.3]: Hard requirement for any version between 1.2 and 1.3 inclusive.

By the way: The dependency in oauth2-oidc-sdk:jar:8.4.2 (i.e. [1.3.1,2.3]) would indicate that json-smart version 2.3 might be backwards-compatible to version 1.3.1, but as this is a dependency of a security-related library I would rather not take the chance of just forcing the new version of json-smart on oauth2-oidc-sdk using dependencyManagement.

To Reproduce
Using the following dependencies:

• spring-security-oauth2-client:5.3.2
• spring-boot-starter-test:2.3.0

running this test:

            webTestClient.get().uri("${PATH}?pid=bar")
                    .exchange()
                    .expectStatus().is2xxSuccessful
                    .expectBody()
                    .jsonPath("$[?(@.name == 'foo' && @.pId == 'bar')]").exists()

Expected behavior
Provided the response contains the properties and values specified in the jsonPath, the test should run and pass, not fail due to a missing class.

[ninjacoda]

I did a bit more digging, and it turns out that up to and including com.nimbusds:oauth2-oidc-sdk:7.0.2, the library declared the same dependency range of [1.3.1,2.3] for json-smart. At that point, they changed it due to this request, but reintroduced the range for json-smart in April 2020 (for newer releases). Based on that, it's probably safe to force version 2.3 on com.nimbusds:oauth2-oidc-sdk:jar:7.1.1 (provided that what I found is indeed the official repo or a correct clone of it).

[jzheaux]

Thanks for all the digging you did here, @ninjacoda.

After some of my own, I think it's best to simply upgrade the Nimbus dependencies, that way Spring Security doesn't add any additional managed dependencies to its list. In general, it's a bit easier to only manage the beans that Spring Security depends on directly.

There's a bit of a related discussion going on in #8543 and #8564, so I think it'd be best to see how those conversations go before deciding precisely what versions of nimbus-jose-jwt and oauth2-oidc-sdk to upgrade to.

[jzheaux]

Fixed via 94737df

[ninjacoda]

Thanks, @jzheaux . Unfortunately,

  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-dependencies</artifactId>
  <version>2.3.1.RELEASE</version>

still defines

   <oauth2-oidc-sdk.version>7.1.1</oauth2-oidc-sdk.version>

and

  <dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>oauth2-oidc-sdk</artifactId>
        <version>${oauth2-oidc-sdk.version}</version>
      </dependency>

    </dependencies>
  </dependencyManagement>

in its dependency management, so this is still broken for JSON Path asserts:

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile

and

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)

I'm not sure this is the right project to report it to, though - or if this ticket will reopen.
If not, I might try the main spring boot project instead...

[jzheaux]

Thanks for this extra information, @ninjacoda, and sorry this is still a problem for you.

You are correct that Spring Boot manages dependencies via spring-boot-dependencies and that filing a ticket there is a good place to begin addressing that concern.