why javax.annotation of different organization are different
Question
I'm using guava and jetty in my java project, while i found an odd problem. In guava,it depend javax.annotation has so many class while in jetty the javax.annotation has less than in guava. What's the difference between them.
What's more,the javax.annotation in jetty is signed,while in guava is not signed. When the jvm load the class from the package javax.annotation in guava.jar and jetty.jar,it throw the SecurityException cause one package is signed and the others is not signed.
So,what's the real difference of the javax.annotation package between the guava.jar and the jetty.jar.
The package in guava: no sign and has lot of class
The package in jetty: signed and has little class
1 answers
solution1
2 ACCPTED 2015-10-31 04:54:00
There are different libraries that provide types in the javax.annotations package. The one Guava is using is a JAR from the (now abandoned) JSR-305 proposal . In Maven this is com.google.code.findbugs:jsr305:1.3.9 .
The other JAR appears to be org.eclipse.jetty.orbit:javax.annotation:1.1.0.v201108011116 . It's not clear where that JAR comes from, and it appears to have been uploaded in 2011 and then never updated since.
The conflict between these two JARs appears to be a well-known one .
It appears that the "dependency" on this JAR was added in Guava release 13 , but the release notes for that version say:
Made findbugs a provided dependency to avert dep conflicts when using findbugs 2.0. The side-effect of this change is that projects which relied upon Guava to grant access to the JSR-305 annotations "for free" will break unless they provide their own direct dependency on that jar (or an equivalent). Projects should always have been directly depending on JSR-305 (per maven best-practice), but this change makes that should into a must.
Because of this, from what I understand, Guava doesn't actually have any dependency on the com.google.code.findbugs:jsr305:1.3.9 JAR. So you should be free to exclude that dependency and provide your own javax.annotations JAR that you use instead. Alternatively, if you prefer the com.google.code.findbugs:jsr305 JAR, you should exclude the org.eclipse.jetty.orbit:javax.annotation dependency from your build. You can refer to the Maven documentation for how to exclude the unwanted dependency.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.