Why is the Spring Security REST Plugin not compatible with JDK 1.6?

468 views Asked by At

According to the official Grails docs, Grails 2.4.2 works with JDK 1.6. As far as a I'm concerned, this means I can run all plugins that work with Grails 2.4.2 in an execution environment that runs on JDK 1.6.

However, as I tried to deploy the war file of my Grails application to a Glassfish v3.1 that runs on JDK 1.6, I experienced issues with dependencies that were not JDK 1.6 compliant:

Caused by: java.lang.UnsupportedClassVersionError: WEB9032: Class   com.nimbusds.jwt.JWT has unsupported major or minor version numbers, which are greater than those found in the Java Runtime Env
ironment version 1.6.0_07
    at       org.glassfish.web.loader.WebappClassLoader.findClass(WebappClassLoader.java:948)
    at org.glassfish.web.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1485)
    at org.glassfish.web.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1368)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
    at java.lang.Class.getDeclaredMethods(Class.java:1791)
    ... 55 more

After running dependency-report, I found out that the issue was caused by a dependency of the Spring Security REST Plugin:

+--- org.grails.plugins:spring-security-rest:1.5.1
|    \--- net.spy:spymemcached:2.11.6
|    \--- com.google.guava:guava-io:r03
|         \--- com.google.guava:guava-annotations:r03
|         \--- com.google.guava:guava-base:r03
|    \--- org.pac4j:pac4j-core:1.6.0
|    \--- org.pac4j:pac4j-oauth:1.6.0
|         \--- org.apache.commons:commons-lang3:3.1
|         \--- org.scribe:scribe:1.3.6
|         \--- com.fasterxml.jackson.core:jackson-databind:2.0.6
|              \--- com.fasterxml.jackson.core:jackson-annotations:2.0.6
|              \--- com.fasterxml.jackson.core:jackson-core:2.0.6
|    \--- com.nimbusds:nimbus-jose-jwt:3.9
|         \--- net.jcip:jcip-annotations:1.0
|         \--- net.minidev:json-smart:1.1.1
|         \--- org.bouncycastle:bcprov-jdk15on:1.51
|         \--- commons-io:commons-io:2.4

The class causing the issue, com.nimbusds.jwt.JWT is part of the artifact nimbus-jose-jwt, which the Spring Security REST Plugin depends on.

I feel like this Plugin should be JDK 1.6 compliant, since on the plugin's page it says Grails version: 2.0 > *. This is very misleading, as I spent quite some time developing and now I realize that I cannot even deploy it to production. Shouldn't it say Grails version: 3.0 > *, or am I misunderstanding something here?

1

There are 1 answers

4
Joshua Moore On BEST ANSWER

I suspect the reason why Nimbus JOSE+JWT (which is used by Spring Security Core plugin) requires Java 7+ is due to the fact lesser versions of Java don't support the same cryptography. Take a look through their website and you will see the minimum requirements:

The Nimbus JOSE + JWT library requires Java 7+ and has minimal dependencies.

Your assumption that just because the plugin supports Grails 2.0+ means that it also supports JDK 1.6 is just that, an assumption, and obviously incorrect. There is no requirement that Grails plugins target a specific Java compatibility level.

The fact your development was done without using the minimum target version of Java used in your production environment is the real culprit. You should always develop and test with the minimum requirements of your target production environment.