This may not be an issue.. I am wondering whether uber jars could
complicate security in the future.
For example, we could provide sample/default security policies to be
used by a security manager (that assume the individual jars are being
used) that use CodeSource and Principal based authorization. Permissions
are associated with each CodeSource. Basically, you wouldn't be able to
use the same policies with the uberjar, since everything would be loaded
from the one CodeSource and be associated with the one ProtectionDomain,
therefore users would lose the ability to have fine grained (per
library) control over what code executed by a Principal can do.
This level of security would probably only be used by a minority, most
likely large enterprise users.
Do we only expect people to be using an uberjar in a development/build
environment where they won't be running a security manager?
IMO it is important that we make it easy for ant users etc. I have an
experimental ant tasks module (I used a while ago against Geronimo M4)
that can start and stop a server (the ant task code was largely based
upon the geronimo deployment plugin code). The build of the ant task
jar built a uberjar with the all the required dependencies. I think my
ant task jar would be quite large if we included all of geronimo's
dependencies in it. When i find some time I will look at placing it in
the sandbox.
John
Alan D. Cabrera wrote:
David Blevins wrote, On 1/30/2006 11:39 AM:
On Jan 30, 2006, at 11:24 AM, Alan D. Cabrera wrote:
If we moved to Maven 2 and used its transitive dependencies, would
the the need for an Uber jar be obviated?
For maven 2 all we need is an uber pom. For people on maven 1 and
ant and plain IDEs, an uber jar is nice.
Following that line of reasoning, should we not have a super-uber jar
that contains the specs, Geronimo, and its depdendencies? I think
that it's better to do away w/ the uber jar all together.
Regards,
Alan
