JSTL


JSTL

jgallimore
Hi

On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
done the same on the 1.7.x branch, specifically to move on from the old
openejb-jstl (looking at https://nvd.nist.gov/vuln/detail/CVE-2015-0254).
The taglibs-standard-jstlel library does seem to depend on xalan, which we
currently do not include in TomEE.

The impact is that some XML functions in JSP code do not work, for
example:

<%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>

<x:parse var="movies">
    <movies>
      <movie id="1" name="Wedding Crashers" director="David Dobkin"
genre="Comedy" rating="7" year="2005" />
      <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips"
genre="Action" rating="6" year="2004" />
      <movie id="3" name="Shanghai Knights" director="David Dobkin"
genre="Action" rating="6" year="2003" />
      <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure"
rating="5" year="2002" />
      <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson"
genre="Comedy" rating="8" year="2001" />
      <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy"
rating="6" year="2001" />
      <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy"
rating="7" year="2000" />
    </movies>
</x:parse>

Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />

fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
both 1.7.x and master)

Including Xalan does fix this, but it's a 3MB dependency.

The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead,
which I have tested and seems to work. Anyone have any thoughts?

Jon

Re: JSTL

Jean-Louis MONTEIRO
What is the licence for GlassFish one?

On 31 Aug 2017 12:38, "Jonathan Gallimore" <[hidden email]> wrote:

> Hi
>
> On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
> done the same on the 1.7.x branch, specifically to move on from the old
> openejb-jstl (looking at https://nvd.nist.gov/vuln/detail/CVE-2015-0254).
> The taglibs-standard-jstlel library does seem to depend on xalan, which we
> currently do not include in TomEE.
>
> The impact is that some XML functions in JSP code do not work, for
> example:
>
> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>
> <x:parse var="movies">
>     <movies>
>       <movie id="1" name="Wedding Crashers" director="David Dobkin"
> genre="Comedy" rating="7" year="2005" />
>       <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips"
> genre="Action" rating="6" year="2004" />
>       <movie id="3" name="Shanghai Knights" director="David Dobkin"
> genre="Action" rating="6" year="2003" />
>       <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure"
> rating="5" year="2002" />
>       <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson"
> genre="Comedy" rating="8" year="2001" />
>       <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy"
> rating="6" year="2001" />
>       <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy"
> rating="7" year="2000" />
>     </movies>
> </x:parse>
>
> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
>
> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
> both 1.7.x and master)
>
> Including Xalan does fix this, but it's a 3MB dependency.
>
> The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead,
> which I have tested and seems to work. Anyone have any thoughts?
>
> Jon
>
   --
    Jean-Louis Monteiro
    http://twitter.com/jlouismonteiro
    http://www.tomitribe.com

Re: JSTL

jgallimore
Great question. CDDL _or_ GPL, by the look of it.
https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
believe.

Jon



On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
[hidden email]> wrote:

> What is the licence for GlassFish one?

Re: JSTL

jgallimore
Correction - that should be: "CDDL or GPL with classpath exception".

On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
[hidden email]> wrote:

> Great question. CDDL _or_ GPL, by the look of it.
> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
> believe.
>
> Jon

Re: JSTL

Romain Manni-Bucau
Hi Jon

there is another thread on it (probably on user@)

I think we should just make xalan optional in the lib and upgrade.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <[hidden email]>
:

> Correction - that should be: "CDDL or GPL with classpath exception".

Re: JSTL

jgallimore
Thanks Romain. That is definitely the simplest path - xalan is already
marked as an optional dependency, so we wouldn't need to do anything. From
a compliance perspective, where would this leave us? Wouldn't we need this
to work out of the box without adding libraries to be compliant? If it
doesn't affect us in that respect, then I think we're probably good to go.

Jon

On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[hidden email]>
wrote:

> Hi Jon
>
> there is another thread on it (probably on user@)
>
> I think we should just make xalan optional in the lib and upgrade.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>

Re: JSTL

Romain Manni-Bucau
Hmm, shout if wrong but think you misunderstood the "optional" in my
sentence. I meant we patch trunk to remove the adherence to xalan.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[hidden email]>
:

> Thanks Romain. That is definitely the simplest path - xalan is already
> marked as an optional dependency, so we wouldn't need to do anything. From
> a compliance perspective, where would this leave us? Wouldn't we need this
> to work out of the box without adding libraries to be compliant? If it
> doesn't affect us in that respect, then I think we're probably good to go.
>
> Jon

Re: JSTL

jgallimore
Uh, yeah, I think I misunderstood. I think we agree that the code I
attached should work out of the box, requiring no changes to TomEE. That
leaves us with a few options:

1. Use the taglibs-standard-jstlel jars as we are now, and add the
dependency for Xalan -> trivial change, but adds 3MB to our binaries.
2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a CDDL/GPL
+ CP exception licence. Does not require Xalan -> easy change to make and
appears to work (I believe the license is ok for us to use it). Not sure if
there are other restrictions or issues with us using that.
3. Patch the Tomcat taglibs libraries to use the XPath support built into
the JVM as opposed to Xalan. I did have a look at this yesterday, and it
didn't look like a straightforward change at the time. I'm happy to look at
it again though if we feel that's the way forward.

I think you're stating a preference for (3) - is that correct?

Cheers

Jon

On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <[hidden email]>
wrote:

> Hmm, shout if wrong but think you misunderstood the "optional" in my
> sentence. I meant we patch trunk to remove the adherence to xalan.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
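
Option (3) in the message above, sketched as an added example (not code from the thread, TomEE or Tomcat taglibs): the x:out expression from the first post evaluated with the JDK's own javax.xml.xpath API, with no Xalan on the classpath. The class and method names are hypothetical, the XML is a constructed two-row subset of the JSP sample, and the parser hardening (DOCTYPE rejected, secure processing on) is an assumption about what a patched tag would want, given that the CVE linked in the first post concerns XML handling in the JSTL x: tags.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates XPath evaluation without org.apache.xpath.*.
public class JdkXPathDemo {

    // Constructed sample: two <movie> rows taken from the JSP in the first post.
    static final String MOVIES =
          "<movies>"
        + "<movie id=\"1\" name=\"Wedding Crashers\" director=\"David Dobkin\""
        + " genre=\"Comedy\" rating=\"7\" year=\"2005\"/>"
        + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" director=\"Todd Phillips\""
        + " genre=\"Action\" rating=\"6\" year=\"2004\"/>"
        + "</movies>";

    // Constructed input carrying a DTD; the hardened parser must refuse it.
    static final String WITH_DOCTYPE =
          "<!DOCTYPE movies [<!ENTITY e \"x\">]>"
        + "<movies><movie id=\"1\" genre=\"&e;\"/></movies>";

    // Equivalent of <x:parse>: build a DOM with DTDs and external entities disabled.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting DOCTYPE outright removes the external-entity surface.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Equivalent of <x:out select="...">: evaluate the expression as a string.
    static String select(Document movies, String expr) throws Exception {
        XPathFactory xpf = XPathFactory.newInstance();
        // Secure processing disables XPath extension functions.
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = xpf.newXPath();
        // JSTL expressions start from a scoped variable ($movies); map that
        // one name to the parsed document and leave anything else unresolved.
        xpath.setXPathVariableResolver((QName name) ->
            "movies".equals(name.getLocalPart()) ? movies : null);
        return (String) xpath.evaluate(expr, movies, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        Document movies = parse(MOVIES);
        // Same expression as the x:out tag in the first post.
        System.out.println("Movie 1 Genre: "
            + select(movies, "$movies//movie[@id='1']/@genre"));
        System.out.println("Movie 2 Name: "
            + select(movies, "$movies//movie[@id='2']/@name"));

        try {
            parse(WITH_DOCTYPE);
            System.out.println("DOCTYPE accepted (parser is not hardened)");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature name is the Xerces one honoured by the JDK's bundled parser; a different JAXP implementation on the classpath may reject it with a ParserConfigurationException.
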

Re: JSTL

Romain Manni-Bucau
yep, 3, 1, 2 for the complete order (a mix of compatibility and
influence/asf consistence).


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <[hidden email]>
:

> Uh, yeah, I think I misunderstood. I think we agree that the code I
> attached should work out of the box, requiring no changes to TomEE. That
> leaves us with a few options:
>
> 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> CDDL/GPL
> + CP exception licence. Does not require Xalan -> easy change to make and
> appears to work (I believe the license is ok for us to use it). Not sure if
> there are other restrictions or issues with us using that.
> 3. Patch the Tomcat taglibs libraries to use the XPath support built into
> the JVM as opposed to Xalan. I did have a look at this yesterday, and it
> didn't look like a straightforward change at the time. I'm happy to look at
> it again though if we feel that's the way forward.
>
> I think you're stating a preference for (3) - is that correct?
>
> Cheers
>
> Jon
>
> On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <[hidden email]
> >
> wrote:
>
> > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > sentence. I meant we patch trunk to remove the adherence to xalan.
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
> > [hidden email]>
> > :
> >
> > > Thanks Romain. That is definitely the simplest path - xalan is already
> > > marked as an optional dependency, so we wouldn't need to do anything.
> > From
> > > a compliance perspective, where would this leave us? Wouldn't we need
> > this
> > > to work out of the box without adding libraries to be compliant? If it
> > > doesn't affect us in that respect, then I think we're probably good to
> > go.
> > >
> > > Jon
> > >
> > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
> > [hidden email]
> > > >
> > > wrote:
> > >
> > > > Hi Jon
> > > >
> > > > there is another thread on it (probably on user@)
> > > >
> > > > I think we should just make xalan optional in the lib and upgrade.
> > > >
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > rmannibucau> |
> > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > >
> > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
> > > > [hidden email]>
> > > > :
> > > >
> > > > > Correction - that should be: "CDDL or GPL with classpath
> exception".
> > > > >
> > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > > [hidden email]> wrote:
> > > > >
> > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
> > > JAXB
> > > > I
> > > > > > believe.
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > > [hidden email]> wrote:
> > > > > >
> > > > > >> What is the licence for GlassFish one?
> > > > > >>
> > > > > >> Le 31 août 2017 12:38, "Jonathan Gallimore" <
> > > > > [hidden email]
> > > > > >> >
> > > > > >> a écrit :
> > > > > >>
> > > > > >> > Hi
> > > > > >> >
> > > > > >> > On master we shifted from openejb-jstl to
> > > taglibs-standard-jstlel. I
> > > > > >> have
> > > > > >> > done the same on the 1.7.x branch, specifically to move on
> from
> > > the
> > > > > old
> > > > > >> > openejb-jstl (looking at
> > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > >> > taglibs-standard-jstlel
> > > > > >> > library does seem to depend on xalan, which we currently do
> not
> > > > > include
> > > > > >> in
> > > > > >> > TomEE.
> > > > > >> >
> > > > > >> > The impact is that some XML functions in JSP code does not
> work,
> > > for
> > > > > >> > example:
> > > > > >> >
> > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > > >> >
> > > > > >> > <x:parse var="movies">
> > > > > >> >     <movies>
> > > > > >> >       <movie id="1" name="Wedding Crashers" director="David
> > > Dobkin"
> > > > > >> > genre="Comedy" rating="7" year="2005" />
> > > > > >> >       <movie id="2" name="Starsky &amp; Hutch" director="Todd
> > > > > Phillips"
> > > > > >> > genre="Action" rating="6" year="2004" />
> > > > > >> >       <movie id="3" name="Shanghai Knights" director="David
> > > Dobkin"
> > > > > >> > genre="Action" rating="6" year="2003" />
> > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas"
> > > > > >> genre="Adventure"
> > > > > >> > rating="5" year="2002" />
> > > > > >> >       <movie id="5" name="The Royal Tenenbaums" director="Wes
> > > > > Anderson"
> > > > > >> > genre="Comedy" rating="8" year="2001" />
> > > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller"
> > > > > >> genre="Comedy"
> > > > > >> > rating="6" year="2001" />
> > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey"
> > > > > >> genre="Comedy"
> > > > > >> > rating="7" year="2000" />
> > > > > >> >     </movies>
> > > > > >> > </x:parse>
> > > > > >> >
> > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre"
> > > /><br
> > > > > />
> > > > > >> >
> > > > > >> > fails with java.lang.NoClassDefFoundError:
> > org/apache/xpath/XPath
> > > > > >> (this on
> > > > > >> > both 1.7.x and master)
> > > > > >> >
> > > > > >> > Including Xalan does fix this, but its a 3MB dependency.
> > > > > >> >
> > > > > >> > The alternative is to use org.glassfish.web:javax.
> > > servlet.jsp.jstl
> > > > > >> > instead,
> > > > > >> > which I have tested and seems to work. Anyone have any
> thoughts?
> > > > > >> >
> > > > > >> > Jon
> > > > > >> >
> > > > > >>
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: JSTL

jgallimore
Just to make sure I understand - (3) would be your preference, but if
that's difficult you'd live with (1) if it came to it, with (2) being your
least favorite.

We should only need to pick one - I can confirm that option (1) on its own
works, as does option (2) on its own. I'm definitely happy to have a crack
at option (3) and present a PR for each and let the community decide which
it likes the best.

Thanks for your input, I appreciate it.

Jon

On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <[hidden email]>
wrote:

> yep, 3, 1, 2 for the complete order (a mix of compatibility and
> influence/asf consistence).
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/
> rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <
> [hidden email]>
> :
>
> > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > attached should work out of the box, requiring no changes to TomEE. That
> > leaves us with a few options:
> >
> > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> > CDDL/GPL
> > + CP exception licence. Does not require Xalan -> easy change to make and
> > appears to work (I believe the license is ok for us to use it). Not sure
> if
> > there are other restrictions or issues with us using that.
> > 3. Patch the Tomcat taglibs libraries to use the XPath support built into
> > the JVM as opposed to Xalan. I did have a look at this yesterday, and it
> > didn't look like a straightforward change at the time. I'm happy to look
> at
> > it again though if we feel that's the way forward.
> >
> > I think you're stating a preference for (3) - is that correct?
> >
> > Cheers
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <
> [hidden email]
> > >
> > wrote:
> >
> > > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > >
> > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
> > > [hidden email]>
> > > :
> > >
> > > > Thanks Romain. That is definitely the simplest path - xalan is
> already
> > > > marked as an optional dependency, so we wouldn't need to do anything.
> > > From
> > > > a compliance perspective, where would this leave us? Wouldn't we need
> > > this
> > > > to work out of the box without adding libraries to be compliant? If
> it
> > > > doesn't affect us in that respect, then I think we're probably good
> to
> > > go.
> > > >
> > > > Jon
> > > >
> > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
> > > [hidden email]
> > > > >
> > > > wrote:
> > > >
> > > > > Hi Jon
> > > > >
> > > > > there is another thread on it (probably on user@)
> > > > >
> > > > > I think we should just make xalan optional in the lib and upgrade.
> > > > >
> > > > >
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > > rmannibucau> |
> > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE
> Factory
> > > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > > >
> > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
> > > > > [hidden email]>
> > > > > :
> > > > >
> > > > > > Correction - that should be: "CDDL or GPL with classpath
> > exception".
> > > > > >
> > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > > > [hidden email]> wrote:
> > > > > >
> > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same
> as
> > > > JAXB
> > > > > I
> > > > > > > believe.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > > > [hidden email]> wrote:
> > > > > > >
> > > > > > >> What is the licence for GlassFish one?
> > > > > > >>
> > > > > > >> Le 31 août 2017 12:38, "Jonathan Gallimore" <
> > > > > > [hidden email]
> > > > > > >> >
> > > > > > >> a écrit :
> > > > > > >>
> > > > > > >> > Hi
> > > > > > >> >
> > > > > > >> > On master we shifted from openejb-jstl to
> > > > taglibs-standard-jstlel. I
> > > > > > >> have
> > > > > > >> > done the same on the 1.7.x branch, specifically to move on
> > from
> > > > the
> > > > > > old
> > > > > > >> > openejb-jstl (looking at
> > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > > >> > taglibs-standard-jstlel
> > > > > > >> > library does seem to depend on xalan, which we currently do
> > not
> > > > > > include
> > > > > > >> in
> > > > > > >> > TomEE.
> > > > > > >> >
> > > > > > >> > The impact is that some XML functions in JSP code does not
> > work,
> > > > for
> > > > > > >> > example:
> > > > > > >> >
> > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > > > >> >
> > > > > > >> > <x:parse var="movies">
> > > > > > >> >     <movies>
> > > > > > >> >       <movie id="1" name="Wedding Crashers" director="David
> > > > Dobkin"
> > > > > > >> > genre="Comedy" rating="7" year="2005" />
> > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch"
> director="Todd
> > > > > > Phillips"
> > > > > > >> > genre="Action" rating="6" year="2004" />
> > > > > > >> >       <movie id="3" name="Shanghai Knights" director="David
> > > > Dobkin"
> > > > > > >> > genre="Action" rating="6" year="2003" />
> > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas"
> > > > > > >> genre="Adventure"
> > > > > > >> > rating="5" year="2002" />
> > > > > > >> >       <movie id="5" name="The Royal Tenenbaums"
> director="Wes
> > > > > > Anderson"
> > > > > > >> > genre="Comedy" rating="8" year="2001" />
> > > > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller"
> > > > > > >> genre="Comedy"
> > > > > > >> > rating="6" year="2001" />
> > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey"
> > > > > > >> genre="Comedy"
> > > > > > >> > rating="7" year="2000" />
> > > > > > >> >     </movies>
> > > > > > >> > </x:parse>
> > > > > > >> >
> > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1'
> ]/@genre"
> > > > /><br
> > > > > > />
> > > > > > >> >
> > > > > > >> > fails with java.lang.NoClassDefFoundError:
> > > org/apache/xpath/XPath
> > > > > > >> (this on
> > > > > > >> > both 1.7.x and master)
> > > > > > >> >
> > > > > > >> > Including Xalan does fix this, but its a 3MB dependency.
> > > > > > >> >
> > > > > > >> > The alternative is to use org.glassfish.web:javax.
> > > > servlet.jsp.jstl
> > > > > > >> > instead,
> > > > > > >> > which I have tested and seems to work. Anyone have any
> > thoughts?
> > > > > > >> >
> > > > > > >> > Jon
> > > > > > >> >
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
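Option (3) above, sketched as an added example that is not code from TomEE or the Tomcat taglibs project: the JSP's `$movies//movie[@id='1']/@genre` expression evaluated with the JVM's own `javax.xml.xpath` API, so no `org.apache.xpath` classes from Xalan are needed. The class name, the trimmed sample XML, the variable map and the parser-hardening settings are assumptions of this example; the lambda needs Java 8 or later.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class JaxpXPathDemo {

    // Constructed sample: two of the <movie> rows from the JSP in the thread.
    static final String MOVIES_XML =
          "<movies>"
        + "<movie id=\"1\" name=\"Wedding Crashers\" genre=\"Comedy\" year=\"2005\"/>"
        + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" genre=\"Action\" year=\"2004\"/>"
        + "</movies>";

    // Stand-in for <x:parse>: build a DOM with the JDK parser.
    // Hardening is this example's choice: DOCTYPEs are rejected outright,
    // which also rules out external entities. The feature URI is understood
    // by the JDK's built-in parser and by Apache Xerces; another parser on
    // the classpath may throw ParserConfigurationException here.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Stand-in for <x:out select="...">: evaluate an XPath 1.0 expression.
    // JSTL exposes page variables as $name; here they come from a plain map
    // (hypothetical, a real tag would look them up in the page context).
    static String select(String expression, Document context,
                         Map<String, Object> vars) throws Exception {
        XPathFactory factory = XPathFactory.newInstance();
        // Secure processing disables XPath extension functions.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = factory.newXPath();
        // An unknown variable resolves to null, which makes evaluation fail
        // with an XPathExpressionException instead of silently matching nothing.
        xpath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
        return xpath.evaluate(expression, context);
    }

    public static void main(String[] args) throws Exception {
        Document movies = parse(MOVIES_XML);
        Map<String, Object> vars = new HashMap<>();
        vars.put("movies", movies);

        String genre = select("$movies//movie[@id='1']/@genre", movies, vars);
        System.out.println("Movie 1 Genre: " + genre);
    }
}
```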

Re: JSTL

Romain Manni-Bucau
+1

side note: we should probably link this to the user thread, can try to find it
back later this week if needed


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <[hidden email]>
:

> Just to make sure I understand - (3) would be your preference, but if
> that's difficult you'd live with (1) if it came to it, with (2) being your
> least favorite.
>
> We should only need to pick one - I can confirm that option (1) on its own
> works, as does option (2) on its own. I'm definitely happy to have a crack
> at option (3) and present a PR for each and let the community decide which
> it likes the best.
>
> Thanks for your input, I appreciate it.
>
> Jon
>
> On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <[hidden email]
> >
> wrote:
>
> > yep, 3, 1, 2 for the complete order (a mix of compatibility and
> > influence/asf consistence).
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <
> > [hidden email]>
> > :
> >
> > > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > > attached should work out of the box, requiring no changes to TomEE.
> That
> > > leaves us with a few options:
> > >
> > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> > > CDDL/GPL
> > > + CP exception licence. Does not require Xalan -> easy change to make
> and
> > > appears to work (I believe the license is ok for us to use it). Not
> sure
> > if
> > > there are other restrictions or issues with us using that.
> > > 3. Patch the Tomcat taglibs libraries to use the XPath support built
> into
> > > the JVM as opposed to Xalan. I did have a look at this yesterday, and
> it
> > > didn't look like a straightforward change at the time. I'm happy to
> look
> > at
> > > it again though if we feel that's the way forward.
> > >
> > > I think you're stating a preference for (3) - is that correct?
> > >
> > > Cheers
> > >
> > > Jon
> > >
> > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <
> > [hidden email]
> > > >
> > > wrote:
> > >
> > > > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > > >
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > rmannibucau> |
> > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > >
> > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
> > > > [hidden email]>
> > > > :
> > > >
> > > > > Thanks Romain. That is definitely the simplest path - xalan is
> > already
> > > > > marked as an optional dependency, so we wouldn't need to do
> anything.
> > > > From
> > > > > a compliance perspective, where would this leave us? Wouldn't we
> need
> > > > this
> > > > > to work out of the box without adding libraries to be compliant? If
> > it
> > > > > doesn't affect us in that respect, then I think we're probably good
> > to
> > > > go.
> > > > >
> > > > > Jon
> > > > >
> > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
> > > > [hidden email]
> > > > > >
> > > > > wrote:
> > > > >
> > > > > > Hi Jon
> > > > > >
> > > > > > there is another thread on it (probably on user@)
> > > > > >
> > > > > > I think we should just make xalan optional in the lib and
> upgrade.
> > > > > >
> > > > > >
> > > > > > Romain Manni-Bucau
> > > > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > > > rmannibucau> |
> > > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE
> > Factory
> > > > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > > > >
> > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
> > > > > > [hidden email]>
> > > > > > :
> > > > > >
> > > > > > > Correction - that should be: "CDDL or GPL with classpath
> > > exception".
> > > > > > >
> > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > > > > [hidden email]> wrote:
> > > > > > >
> > > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE -
> same
> > as
> > > > > JAXB
> > > > > > I
> > > > > > > > believe.
> > > > > > > >
> > > > > > > > Jon
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > > > > [hidden email]> wrote:
> > > > > > > >
> > > > > > > >> What is the licence for GlassFish one?
> > > > > > > >>
> > > > > > > >> Le 31 août 2017 12:38, "Jonathan Gallimore" <
> > > > > > > [hidden email]
> > > > > > > >> >
> > > > > > > >> a écrit :
> > > > > > > >>
> > > > > > > >> > Hi
> > > > > > > >> >
> > > > > > > >> > On master we shifted from openejb-jstl to
> > > > > taglibs-standard-jstlel. I
> > > > > > > >> have
> > > > > > > >> > done the same on the 1.7.x branch, specifically to move on
> > > from
> > > > > the
> > > > > > > old
> > > > > > > >> > openejb-jstl (looking at
> > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > > > >> > taglibs-standard-jstlel
> > > > > > > >> > library does seem to depend on xalan, which we currently
> do
> > > not
> > > > > > > include
> > > > > > > >> in
> > > > > > > >> > TomEE.
> > > > > > > >> >
> > > > > > > >> > The impact is that some XML functions in JSP code does not
> > > work,
> > > > > for
> > > > > > > >> > example:
> > > > > > > >> >
> > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml"
> %>
> > > > > > > >> >
> > > > > > > >> > <x:parse var="movies">
> > > > > > > >> >     <movies>
> > > > > > > >> >       <movie id="1" name="Wedding Crashers"
> director="David
> > > > > Dobkin"
> > > > > > > >> > genre="Comedy" rating="7" year="2005" />
> > > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch"
> > director="Todd
> > > > > > > Phillips"
> > > > > > > >> > genre="Action" rating="6" year="2004" />
> > > > > > > >> >       <movie id="3" name="Shanghai Knights"
> director="David
> > > > > Dobkin"
> > > > > > > >> > genre="Action" rating="6" year="2003" />
> > > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas"
> > > > > > > >> genre="Adventure"
> > > > > > > >> > rating="5" year="2002" />
> > > > > > > >> >       <movie id="5" name="The Royal Tenenbaums"
> > director="Wes
> > > > > > > Anderson"
> > > > > > > >> > genre="Comedy" rating="8" year="2001" />
> > > > > > > >> >       <movie id="6" name="Zoolander" director="Ben
> Stiller"
> > > > > > > >> genre="Comedy"
> > > > > > > >> > rating="6" year="2001" />
> > > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom
> Dey"
> > > > > > > >> genre="Comedy"
> > > > > > > >> > rating="7" year="2000" />
> > > > > > > >> >     </movies>
> > > > > > > >> > </x:parse>
> > > > > > > >> >
> > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1'
> > ]/@genre"
> > > > > /><br
> > > > > > > />
> > > > > > > >> >
> > > > > > > >> > fails with java.lang.NoClassDefFoundError:
> > > > org/apache/xpath/XPath
> > > > > > > >> (this on
> > > > > > > >> > both 1.7.x and master)
> > > > > > > >> >
> > > > > > > >> > Including Xalan does fix this, but its a 3MB dependency.
> > > > > > > >> >
> > > > > > > >> > The alternative is to use org.glassfish.web:javax.
> > > > > servlet.jsp.jstl
> > > > > > > >> > instead,
> > > > > > > >> > which I have tested and seems to work. Anyone have any
> > > thoughts?
> > > > > > > >> >
> > > > > > > >> > Jon
> > > > > > > >> >
> > > > > > > >>
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: JSTL

jgallimore
I'll do a search and see if I can dig that out. Good shout - thank you.

Jon

On Thu, Aug 31, 2017 at 5:00 PM, Romain Manni-Bucau <[hidden email]>
wrote:

> +1
>
> side note: we should probably link this to the user thread, can try to find it
> back later this week if needed
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/
> rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <
> [hidden email]>
> :
>
> > Just to make sure I understand - (3) would be your preference, but if
> > that's difficult you'd live with (1) if it came to it, with (2) being
> your
> > least favorite.
> >
> > We should only need to pick one - I can confirm that option (1) on its
> own
> > works, as does option (2) on its own. I'm definitely happy to have a
> crack
> > at option (3) and present a PR for each and let the community decide
> which
> > it likes the best.
> >
> > Thanks for your input, I appreciate it.
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <
> [hidden email]
> > >
> > wrote:
> >
> > > yep, 3, 1, 2 for the complete order (a mix of compatibility and
> > > influence/asf consistence).
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > >
> > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <
> > > [hidden email]>
> > > :
> > >
> > > > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > > > attached should work out of the box, requiring no changes to TomEE.
> > That
> > > > leaves us with a few options:
> > > >
> > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > > > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> > > > CDDL/GPL
> > > > + CP exception licence. Does not require Xalan -> easy change to make
> > and
> > > > appears to work (I believe the license is ok for us to use it). Not
> > sure
> > > if
> > > > there are other restrictions or issues with us using that.
> > > > 3. Patch the Tomcat taglibs libraries to use the XPath support built
> > into
> > > > the JVM as opposed to Xalan. I did have a look at this yesterday, and
> > it
> > > > didn't look like a straightforward change at the time. I'm happy to
> > look
> > > at
> > > > it again though if we feel that's the way forward.
> > > >
> > > > I think you're stating a preference for (3) - is that correct?
> > > >
> > > > Cheers
> > > >
> > > > Jon
> > > >
> > > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <
> > > [hidden email]
> > > > >
> > > > wrote:
> > > >
> > > > > Hmm, shout if wrong but think you misunderstood the "optional" in
> my
> > > > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > > > >
> > > > >
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > > rmannibucau> |
> > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE
> Factory
> > > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > > >
> > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
> > > > > [hidden email]>
> > > > > :
> > > > >
> > > > > > Thanks Romain. That is definitely the simplest path - xalan is
> > > already
> > > > > > marked as an optional dependency, so we wouldn't need to do
> > anything.
> > > > > From
> > > > > > a compliance perspective, where would this leave us? Wouldn't we
> > need
> > > > > this
> > > > > > to work out of the box without adding libraries to be compliant?
> If
> > > it
> > > > > > doesn't affect us in that respect, then I think we're probably
> good
> > > to
> > > > > go.
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
> > > > > [hidden email]
> > > > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hi Jon
> > > > > > >
> > > > > > > there is another thread on it (probably on user@)
> > > > > > >
> > > > > > > I think we should just make xalan optional in the lib and
> > upgrade.
> > > > > > >
> > > > > > >
> > > > > > > Romain Manni-Bucau
> > > > > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > > > > <http://rmannibucau.wordpress.com> | Github <
> https://github.com/
> > > > > > > rmannibucau> |
> > > > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE
> > > Factory
> > > > > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > > > > >
> > > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
> > > > > > > [hidden email]>
> > > > > > > :
> > > > > > >
> > > > > > > > Correction - that should be: "CDDL or GPL with classpath
> > > > exception".
> > > > > > > >
> > > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > > > > > [hidden email]> wrote:
> > > > > > > >
> > > > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE -
> > same
> > > as
> > > > > > JAXB
> > > > > > > I
> > > > > > > > > believe.
> > > > > > > > >
> > > > > > > > > Jon
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > > > > > [hidden email]> wrote:
> > > > > > > > >
> > > > > > > > >> What is the licence for GlassFish one?
> > > > > > > > >>
> > > > > > > > >> Le 31 août 2017 12:38, "Jonathan Gallimore" <
> > > > > > > > [hidden email]
> > > > > > > > >> >
> > > > > > > > >> a écrit :
> > > > > > > > >>
> > > > > > > > >> > Hi
> > > > > > > > >> >
> > > > > > > > >> > On master we shifted from openejb-jstl to
> > > > > > taglibs-standard-jstlel. I
> > > > > > > > >> have
> > > > > > > > >> > done the same on the 1.7.x branch, specifically to move
> on
> > > > from
> > > > > > the
> > > > > > > > old
> > > > > > > > >> > openejb-jstl (looking at
> > > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > > > > >> > taglibs-standard-jstlel
> > > > > > > > >> > library does seem to depend on xalan, which we currently
> > do
> > > > not
> > > > > > > > include
> > > > > > > > >> in
> > > > > > > > >> > TomEE.
> > > > > > > > >> >
> > > > > > > > >> > The impact is that some XML functions in JSP code does
> not
> > > > work,
> > > > > > for
> > > > > > > > >> > example:
> > > > > > > > >> >
> > > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml
> "
> > %>
> > > > > > > > >> >
> > > > > > > > >> > <x:parse var="movies">
> > > > > > > > >> >     <movies>
> > > > > > > > >> >       <movie id="1" name="Wedding Crashers"
> > director="David
> > > > > > Dobkin"
> > > > > > > > >> > genre="Comedy" rating="7" year="2005" />
> > > > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch"
> > > director="Todd
> > > > > > > > Phillips"
> > > > > > > > >> > genre="Action" rating="6" year="2004" />
> > > > > > > > >> >       <movie id="3" name="Shanghai Knights"
> > director="David
> > > > > > Dobkin"
> > > > > > > > >> > genre="Action" rating="6" year="2003" />
> > > > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas"
> > > > > > > > >> genre="Adventure"
> > > > > > > > >> > rating="5" year="2002" />
> > > > > > > > >> >       <movie id="5" name="The Royal Tenenbaums"
> > > director="Wes
> > > > > > > > Anderson"
> > > > > > > > >> > genre="Comedy" rating="8" year="2001" />
> > > > > > > > >> >       <movie id="6" name="Zoolander" director="Ben
> > Stiller"
> > > > > > > > >> genre="Comedy"
> > > > > > > > >> > rating="6" year="2001" />
> > > > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom
> > Dey"
> > > > > > > > >> genre="Comedy"
> > > > > > > > >> > rating="7" year="2000" />
> > > > > > > > >> >     </movies>
> > > > > > > > >> > </x:parse>
> > > > > > > > >> >
> > > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1'
> > > ]/@genre"
> > > > > > /><br
> > > > > > > > />
> > > > > > > > >> >
> > > > > > > > >> > fails with java.lang.NoClassDefFoundError:
> > > > > org/apache/xpath/XPath
> > > > > > > > >> (this on
> > > > > > > > >> > both 1.7.x and master)
> > > > > > > > >> >
> > > > > > > > >> > Including Xalan does fix this, but its a 3MB dependency.
> > > > > > > > >> >
> > > > > > > > >> > The alternative is to use org.glassfish.web:javax.
> > > > > > servlet.jsp.jstl
> > > > > > > > >> > instead,
> > > > > > > > >> > which I have tested and seems to work. Anyone have any
> > > > thoughts?
> > > > > > > > >> >
> > > > > > > > >> > Jon
> > > > > > > > >> >
> > > > > > > > >>
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: JSTL

Svetlin Zarev
Here it is: https://issues.apache.org/jira/browse/TOMEE-2113

2017-08-31 19:05 GMT+03:00 Jonathan Gallimore <[hidden email]>
:

> I'll do a search and see if I can dig that out. Good shout - thank you.
>
> Jon
>
> On Thu, Aug 31, 2017 at 5:00 PM, Romain Manni-Bucau <[hidden email]
> >
> wrote:
>
> > +1
> >
> > side note: we should probably link this to the user thread, can try to find it
> > back later this week if needed
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <
> > [hidden email]>
> > :
> >
> > > Just to make sure I understand - (3) would be your preference, but if
> > > that's difficult you'd live with (1) if it came to it, with (2) being
> > your
> > > least favorite.
> > >
> > > We should only need to pick one - I can confirm that option (1) on its
> > own
> > > works, as does option (2) on its own. I'm definitely happy to have a
> > crack
> > > at option (3) and present a PR for each and let the community decide
> > which
> > > it likes the best.
> > >
> > > Thanks for your input, I appreciate it.
> > >
> > > Jon
> > >
> > > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <
> > [hidden email]
> > > >
> > > wrote:
> > >
> > > > yep, 3, 1, 2 for the complete order (a mix of compatibility and
> > > > influence/asf consistence).
> > > >
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> > > > rmannibucau> |
> > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > > >
> > > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <
> > > > [hidden email]>
> > > > :
> > > >
> > > > > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > > > > attached should work out of the box, requiring no changes to TomEE.
> > > That
> > > > > leaves us with a few options:
> > > > >
> > > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > > > > dependency for Xalan -> trivial change, but adds 3MB to our
> binaries.
> > > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> > > > > CDDL/GPL
> > > > > + CP exception licence. Does not require Xalan -> easy change to
> make
> > > and
> > > > > appears to work (I believe the license is ok for us to use it). Not
> > > sure
> > > > if
> > > > > there are other restrictions or issues with us using that.
> > > > > 3. Patch the Tomcat taglibs libraries to use the XPath support
> built
> > > into
> > > > > the JVM as opposed to Xalan. I did have a look at this yesterday,
> and
> > > it
> > > > > didn't look like a straightforward change at the time. I'm happy to
> > > look
> > > > at
> > > > > it again though if we feel that's the way forward.
> > > > >
> > > > > I think you're stating a preference for (3) - is that correct?
> > > > >
> > > > > Cheers
> > > > >
> > > > > Jon
> > > > >

Re: JSTL

jgallimore
Awesome, thanks!

Jon

On Fri, Sep 1, 2017 at 6:34 AM, Svetlin Zarev <
[hidden email]> wrote:

> Here it is: https://issues.apache.org/jira/browse/TOMEE-2113
>

Re: JSTL

jgallimore
Reverted my change back to the openejb-jstl on 1.7.x just until I have a
patch for the Tomcat JSTL jars ready.

Jon

On Fri, Sep 1, 2017 at 10:10 AM, Jonathan Gallimore <
[hidden email]> wrote:

> Awesome, thanks!
>
> Jon
>
>

Re: JSTL

agumbrecht
In reply to this post by jgallimore
I think it is best to move quickly and use method 1 and release asap.

This will buy us time to implement the better method 3.


Andy.


On 01/09/17 11:10, Jonathan Gallimore wrote:

> Awesome, thanks!
>
> Jon
>
>>>>>>>>>>>>> have
>>>>>>>>>>>>>> done the same on the 1.7.x branch, specifically to
>>> move
>>>> on
>>>>>>> from
>>>>>>>>> the
>>>>>>>>>>> old
>>>>>>>>>>>>>> openejb-jstl (looking at
>>>>>>>>>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254).
>> The
>>>>>>>>>>>>>> taglibs-standard-jstlel
>>>>>>>>>>>>>> library does seem to depend on xalan, which we
>>> currently
>>>>> do
>>>>>>> not
>>>>>>>>>>> include
>>>>>>>>>>>>> in
>>>>>>>>>>>>>> TomEE.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The impact is that some XML functions in JSP code
>> does
>>>> not
>>>>>>> work,
>>>>>>>>> for
>>>>>>>>>>>>>> example:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <%@ taglib prefix="x" uri="
>> http://java.sun.com/jstl/
>>> xml
>>>> "
>>>>> %>
>>>>>>>>>>>>>> <x:parse var="movies">
>>>>>>>>>>>>>>      <movies>
>>>>>>>>>>>>>>        <movie id="1" name="Wedding Crashers"
>>>>> director="David
>>>>>>>>> Dobkin"
>>>>>>>>>>>>>> genre="Comedy" rating="7" year="2005" />
>>>>>>>>>>>>>>        <movie id="2" name="Starsky &amp; Hutch"
>>>>>> director="Todd
>>>>>>>>>>> Phillips"
>>>>>>>>>>>>>> genre="Action" rating="6" year="2004" />
>>>>>>>>>>>>>>        <movie id="3" name="Shanghai Knights"
>>>>> director="David
>>>>>>>>> Dobkin"
>>>>>>>>>>>>>> genre="Action" rating="6" year="2003" />
>>>>>>>>>>>>>>        <movie id="4" name="I-Spy" director="Betty
>>> Thomas"
>>>>>>>>>>>>> genre="Adventure"
>>>>>>>>>>>>>> rating="5" year="2002" />
>>>>>>>>>>>>>>        <movie id="5" name="The Royal Tenenbaums"
>>>>>> director="Wes
>>>>>>>>>>> Anderson"
>>>>>>>>>>>>>> genre="Comedy" rating="8" year="2001" />
>>>>>>>>>>>>>>        <movie id="6" name="Zoolander" director="Ben
>>>>> Stiller"
>>>>>>>>>>>>> genre="Comedy"
>>>>>>>>>>>>>> rating="6" year="2001" />
>>>>>>>>>>>>>>        <movie id="7" name="Shanghai Noon"
>> director="Tom
>>>>> Dey"
>>>>>>>>>>>>> genre="Comedy"
>>>>>>>>>>>>>> rating="7" year="2000" />
>>>>>>>>>>>>>>      </movies>
>>>>>>>>>>>>>> </x:parse>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1'
>>>>>> ]/@genre"
>>>>>>>>> /><br
>>>>>>>>>>> />
>>>>>>>>>>>>>> fails with java.lang.NoClassDefFoundError:
>>>>>>>> org/apache/xpath/XPath
>>>>>>>>>>>>> (this on
>>>>>>>>>>>>>> both 1.7.x and master)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Including Xalan does fix this, but its a 3MB
>>> dependency.
>>>>>>>>>>>>>> The alternative is to use org.glassfish.web:javax.
>>>>>>>>> servlet.jsp.jstl
>>>>>>>>>>>>>> instead,
>>>>>>>>>>>>>> which I have tested and seems to work. Anyone have
>> any
>>>>>>> thoughts?
>>>>>>>>>>>>>> Jon
>>>>>>>>>>>>>>
>>>>>>>>>>>>

    --
    Andy Gumbrecht

    http://www.tomitribe.com
    agumbrecht@tomitribe.com
    https://twitter.com/AndyGeeDe

    TomEE treibt Tomitribe ! | http://tomee.apache.org

Re: JSTL

Mark Struberg-2
In reply to this post by Romain Manni-Bucau
+1 to NOT have a hard xalan and xerces dependency.
Usually we don't need it but use the version which is packaged within the JRE.
It should really remain optional pretty please.

LieGrue,
strub


> Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <[hidden email]>:
>
> Hmm, shout if wrong but think you misunderstood the "optional" in my
> sentence. I meant we patch trunk to remove the adherence to xalan.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[hidden email]>
> :
>
>> Thanks Romain. That is definitely the simplest path - xalan is already
>> marked as an optional dependency, so we wouldn't need to do anything. From
>> a compliance perspective, where would this leave us? Wouldn't we need this
>> to work out of the box without adding libraries to be compliant? If it
>> doesn't affect us in that respect, then I think we're probably good to go.
>>
>> Jon
>>
>> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[hidden email]
>>>
>> wrote:
>>
>>> Hi Jon
>>>
>>> there is another thread on it (probably on user@)
>>>
>>> I think we should just make xalan optional in the lib and upgrade.
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
>>> rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>>
>>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
>>> [hidden email]>
>>> :
>>>
>>>> Correction - that should be: "CDDL or GPL with classpath exception".
>>>>
>>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
>>>> [hidden email]> wrote:
>>>>
>>>>> Great question. CDDL _or_ GPL, by the look of it.
>>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
>> JAXB
>>> I
>>>>> believe.
>>>>>
>>>>> Jon
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
>>>>> [hidden email]> wrote:
>>>>>
>>>>>> What is the licence for GlassFish one?
>>>>>>
>>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" <
>>>> [hidden email]
>>>>>>>
>>>>>> a écrit :
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> On master we shifted from openejb-jstl to
>> taglibs-standard-jstlel. I
>>>>>> have
>>>>>>> done the same on the 1.7.x branch, specifically to move on from
>> the
>>>> old
>>>>>>> openejb-jstl (looking at
>>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
>>>>>>> taglibs-standard-jstlel
>>>>>>> library does seem to depend on xalan, which we currently do not
>>>> include
>>>>>> in
>>>>>>> TomEE.
>>>>>>>
>>>>>>> The impact is that some XML functions in JSP code does not work,
>> for
>>>>>>> example:
>>>>>>>
>>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>>>>>>>
>>>>>>> <x:parse var="movies">
>>>>>>>    <movies>
>>>>>>>      <movie id="1" name="Wedding Crashers" director="David
>> Dobkin"
>>>>>>> genre="Comedy" rating="7" year="2005" />
>>>>>>>      <movie id="2" name="Starsky &amp; Hutch" director="Todd
>>>> Phillips"
>>>>>>> genre="Action" rating="6" year="2004" />
>>>>>>>      <movie id="3" name="Shanghai Knights" director="David
>> Dobkin"
>>>>>>> genre="Action" rating="6" year="2003" />
>>>>>>>      <movie id="4" name="I-Spy" director="Betty Thomas"
>>>>>> genre="Adventure"
>>>>>>> rating="5" year="2002" />
>>>>>>>      <movie id="5" name="The Royal Tenenbaums" director="Wes
>>>> Anderson"
>>>>>>> genre="Comedy" rating="8" year="2001" />
>>>>>>>      <movie id="6" name="Zoolander" director="Ben Stiller"
>>>>>> genre="Comedy"
>>>>>>> rating="6" year="2001" />
>>>>>>>      <movie id="7" name="Shanghai Noon" director="Tom Dey"
>>>>>> genre="Comedy"
>>>>>>> rating="7" year="2000" />
>>>>>>>    </movies>
>>>>>>> </x:parse>
>>>>>>>
>>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre"
>> /><br
>>>> />
>>>>>>>
>>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
>>>>>> (this on
>>>>>>> both 1.7.x and master)
>>>>>>>
>>>>>>> Including Xalan does fix this, but its a 3MB dependency.
>>>>>>>
>>>>>>> The alternative is to use org.glassfish.web:javax.
>> servlet.jsp.jstl
>>>>>>> instead,
>>>>>>> which I have tested and seems to work. Anyone have any thoughts?
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>


.

Re: JSTL

jgallimore
I believe it's only xalan required, and not xerces as well.

What's the rationale for the -1?

We'd like to release 7.0.4, and the community appears to want a release
based on feedback we have seen on the users list.

Changing the jstlel library appears to be not-entirely-trivial (unless
someone better than me wants to give some pointers). I'd like to try it,
but I don't want it to drag on for ages and hold up a release.

We already established that we'd like this to work out the box without
requiring the user to add anything earlier in this thread.

So, how do we want to proceed? The other option appears to be picking up an
updated version of the glassfish library we had before.

Jon

On 14 Sep 2017 13:26, "Mark Struberg" <[hidden email]> wrote:

> +1 to NOT have a hard xalan and xerces dependency.
> Usually we don't need it but use the version which is packaged within the
> JRE.
> It should really remain optional pretty please.
>
> LieGrue,
> strub
>
>
> > Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <[hidden email]
> >:
> >
> > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > sentence. I meant we patch trunk to remove the adherence to xalan.
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <https://github.com/
> rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
> [hidden email]>
> > :
> >
> >> Thanks Romain. That is definitely the simplest path - xalan is already
> >> marked as an optional dependency, so we wouldn't need to do anything.
> From
> >> a compliance perspective, where would this leave us? Wouldn't we need
> this
> >> to work out of the box without adding libraries to be compliant? If it
> >> doesn't affect us in that respect, then I think we're probably good to
> go.
> >>
> >> Jon
> >>
> >> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
> [hidden email]
> >>>
> >> wrote:
> >>
> >>> Hi Jon
> >>>
> >>> there is another thread on it (probably on user@)
> >>>
> >>> I think we should just make xalan optional in the lib and upgrade.
> >>>
> >>>
> >>> Romain Manni-Bucau
> >>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> >>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> >>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
> >>> rmannibucau> |
> >>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> >>> <https://javaeefactory-rmannibucau.rhcloud.com>
> >>>
> >>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
> >>> [hidden email]>
> >>> :
> >>>
> >>>> Correction - that should be: "CDDL or GPL with classpath exception".
> >>>>
> >>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> >>>> [hidden email]> wrote:
> >>>>
> >>>>> Great question. CDDL _or_ GPL, by the look of it.
> >>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
> >> JAXB
> >>> I
> >>>>> believe.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> >>>>> [hidden email]> wrote:
> >>>>>
> >>>>>> What is the licence for GlassFish one?
> >>>>>>
> >>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" <
> >>>> [hidden email]
> >>>>>>>
> >>>>>> a écrit :
> >>>>>>
> >>>>>>> Hi
> >>>>>>>
> >>>>>>> On master we shifted from openejb-jstl to
> >> taglibs-standard-jstlel. I
> >>>>>> have
> >>>>>>> done the same on the 1.7.x branch, specifically to move on from
> >> the
> >>>> old
> >>>>>>> openejb-jstl (looking at
> >>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> >>>>>>> taglibs-standard-jstlel
> >>>>>>> library does seem to depend on xalan, which we currently do not
> >>>> include
> >>>>>> in
> >>>>>>> TomEE.
> >>>>>>>
> >>>>>>> The impact is that some XML functions in JSP code does not work,
> >> for
> >>>>>>> example:
> >>>>>>>
> >>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> >>>>>>>
> >>>>>>> <x:parse var="movies">
> >>>>>>>    <movies>
> >>>>>>>      <movie id="1" name="Wedding Crashers" director="David
> >> Dobkin"
> >>>>>>> genre="Comedy" rating="7" year="2005" />
> >>>>>>>      <movie id="2" name="Starsky &amp; Hutch" director="Todd
> >>>> Phillips"
> >>>>>>> genre="Action" rating="6" year="2004" />
> >>>>>>>      <movie id="3" name="Shanghai Knights" director="David
> >> Dobkin"
> >>>>>>> genre="Action" rating="6" year="2003" />
> >>>>>>>      <movie id="4" name="I-Spy" director="Betty Thomas"
> >>>>>> genre="Adventure"
> >>>>>>> rating="5" year="2002" />
> >>>>>>>      <movie id="5" name="The Royal Tenenbaums" director="Wes
> >>>> Anderson"
> >>>>>>> genre="Comedy" rating="8" year="2001" />
> >>>>>>>      <movie id="6" name="Zoolander" director="Ben Stiller"
> >>>>>> genre="Comedy"
> >>>>>>> rating="6" year="2001" />
> >>>>>>>      <movie id="7" name="Shanghai Noon" director="Tom Dey"
> >>>>>> genre="Comedy"
> >>>>>>> rating="7" year="2000" />
> >>>>>>>    </movies>
> >>>>>>> </x:parse>
> >>>>>>>
> >>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre"
> >> /><br
> >>>> />
> >>>>>>>
> >>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
> >>>>>> (this on
> >>>>>>> both 1.7.x and master)
> >>>>>>>
> >>>>>>> Including Xalan does fix this, but its a 3MB dependency.
> >>>>>>>
> >>>>>>> The alternative is to use org.glassfish.web:javax.
> >> servlet.jsp.jstl
> >>>>>>> instead,
> >>>>>>> which I have tested and seems to work. Anyone have any thoughts?
> >>>>>>>
> >>>>>>> Jon
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
>
>
> .
>

Re: JSTL

agumbrecht
Yes it's just xalan-2.7.2, and this solution seems to be/is painless
regarding the build and TCK. The Apache Standard Taglib requires it,
along with serializer-2.7.2. What makes adding this a breaking issue,
Mark? If it helps get a release out now to resolve a known CVE then it's
+1 from me (hmm that rhymes). Once it is out then we can spend several
weeks working on a better solution.

Andy.


On 14/09/17 21:00, Jonathan Gallimore wrote:

> I believe its only xalan required, and not xerces as well.
>
> What's the rationale for the -1?
>
> We'd like to release 7.0.4, and the community appears to want a release
> based on feedback we have seen on the users list.
>
> Changing the jstlel library appears to be not-entirely-trivial (unless
> someone better than me wants to give some pointers). I'd like to try it,
> but I don't want it to drag on for ages and hold up a release.
>
> We already established that we'd like this to work out the box without
> requiring the user to add anything earlier in this thread.
>
> So, how do we want to proceed? The other option appears to be picking up an
> updated version of the glassfish library we had before.
>
> Jon
>
> On 14 Sep 2017 13:26, "Mark Struberg" <[hidden email]> wrote:
>
>> +1 to NOT have a hard xalan and xerces dependency.
>> Usually we don't need it but use the version which is packaged within the
>> JRE.
>> It should really remain optional pretty please.
>>
>> LieGrue,
>> strub
>>
>>
>>> Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <[hidden email]
>>> :
>>>
>>> Hmm, shout if wrong but think you misunderstood the "optional" in my
>>> sentence. I meant we patch trunk to remove the adherence to xalan.
>>>
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
>> rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>>
>>> 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
>> [hidden email]>
>>> :
>>>
>>>> Thanks Romain. That is definitely the simplest path - xalan is already
>>>> marked as an optional dependency, so we wouldn't need to do anything.
>> From
>>>> a compliance perspective, where would this leave us? Wouldn't we need
>> this
>>>> to work out of the box without adding libraries to be compliant? If it
>>>> doesn't affect us in that respect, then I think we're probably good to
>> go.
>>>> Jon
>>>>
>>>> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
>> [hidden email]
>>>> wrote:
>>>>
>>>>> Hi Jon
>>>>>
>>>>> there is another thread on it (probably on user@)
>>>>>
>>>>> I think we should just make xalan optional in the lib and upgrade.
>>>>>
>>>>>
>>>>> Romain Manni-Bucau
>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
>>>>> rmannibucau> |
>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>>>>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>>>>
>>>>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
>>>>> [hidden email]>
>>>>> :
>>>>>
>>>>>> Correction - that should be: "CDDL or GPL with classpath exception".
>>>>>>
>>>>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
>>>>>> [hidden email]> wrote:
>>>>>>
>>>>>>> Great question. CDDL _or_ GPL, by the look of it.
>>>>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
>>>> JAXB
>>>>> I
>>>>>>> believe.
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
>>>>>>> [hidden email]> wrote:
>>>>>>>
>>>>>>>> What is the licence for GlassFish one?
>>>>>>>>
>>>>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" <
>>>>>> [hidden email]
>>>>>>>> a écrit :
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> On master we shifted from openejb-jstl to
>>>> taglibs-standard-jstlel. I
>>>>>>>> have
>>>>>>>>> done the same on the 1.7.x branch, specifically to move on from
>>>> the
>>>>>> old
>>>>>>>>> openejb-jstl (looking at
>>>>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
>>>>>>>>> taglibs-standard-jstlel
>>>>>>>>> library does seem to depend on xalan, which we currently do not
>>>>>> include
>>>>>>>> in
>>>>>>>>> TomEE.
>>>>>>>>>
>>>>>>>>> The impact is that some XML functions in JSP code does not work,
>>>> for
>>>>>>>>> example:
>>>>>>>>>
>>>>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>>>>>>>>>
>>>>>>>>> <x:parse var="movies">
>>>>>>>>>     <movies>
>>>>>>>>>       <movie id="1" name="Wedding Crashers" director="David
>>>> Dobkin"
>>>>>>>>> genre="Comedy" rating="7" year="2005" />
>>>>>>>>>       <movie id="2" name="Starsky &amp; Hutch" director="Todd
>>>>>> Phillips"
>>>>>>>>> genre="Action" rating="6" year="2004" />
>>>>>>>>>       <movie id="3" name="Shanghai Knights" director="David
>>>> Dobkin"
>>>>>>>>> genre="Action" rating="6" year="2003" />
>>>>>>>>>       <movie id="4" name="I-Spy" director="Betty Thomas"
>>>>>>>> genre="Adventure"
>>>>>>>>> rating="5" year="2002" />
>>>>>>>>>       <movie id="5" name="The Royal Tenenbaums" director="Wes
>>>>>> Anderson"
>>>>>>>>> genre="Comedy" rating="8" year="2001" />
>>>>>>>>>       <movie id="6" name="Zoolander" director="Ben Stiller"
>>>>>>>> genre="Comedy"
>>>>>>>>> rating="6" year="2001" />
>>>>>>>>>       <movie id="7" name="Shanghai Noon" director="Tom Dey"
>>>>>>>> genre="Comedy"
>>>>>>>>> rating="7" year="2000" />
>>>>>>>>>     </movies>
>>>>>>>>> </x:parse>
>>>>>>>>>
>>>>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre"
>>>> /><br
>>>>>> />
>>>>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
>>>>>>>> (this on
>>>>>>>>> both 1.7.x and master)
>>>>>>>>>
>>>>>>>>> Including Xalan does fix this, but its a 3MB dependency.
>>>>>>>>>
>>>>>>>>> The alternative is to use org.glassfish.web:javax.
>>>> servlet.jsp.jstl
>>>>>>>>> instead,
>>>>>>>>> which I have tested and seems to work. Anyone have any thoughts?
>>>>>>>>>
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>
>>
>> .
>>

    --
    Andy Gumbrecht

    http://www.tomitribe.com
    agumbrecht@tomitribe.com
    https://twitter.com/AndyGeeDe

    TomEE treibt Tomitribe ! | http://tomee.apache.org

Re: JSTL

jgallimore
I'm +1. This feels like a reasonable approach to get the release going
sooner rather than later, without a breaking change from 7.0.3. I am also
in favour of coming back to this soon after release to try to use the
functionality in the JDK.

Jon

On Thu, Sep 14, 2017 at 8:31 PM, Andy Gumbrecht <[hidden email]>
wrote:

> Yes it's just xalan-2.7.2, and this solution seems to be/is painless
> regarding the build and TCK. The Apache Standard Taglib requires it, along
> with serializer-2.7.2. What makes adding this a breaking issue Mark? If it
> helps get a release out now to resolve a known CVE then it's +1 from me
> (hmm that rhymes). Once it is out then we can spend several weeks working
> on a better solution.
>
> Andy.
>
>
>
> On 14/09/17 21:00, Jonathan Gallimore wrote:
>
>> I believe its only xalan required, and not xerces as well.
>>
>> What's the rationale for the -1?
>>
>> We'd like to release 7.0.4, and the community appears to want a release
>> based on feedback we have seen on the users list.
>>
>> Changing the jstlel library appears to be not-entirely-trivial (unless
>> someone better than me wants to give some pointers). I'd like to try it,
>> but I don't want it to drag on for ages and hold up a release.
>>
>> We already established that we'd like this to work out the box without
>> requiring the user to add anything earlier in this thread.
>>
>> So, how do we want to proceed? The other option appears to be picking up
>> an
>> updated version of the glassfish library we had before.
>>
>> Jon
>>
>> On 14 Sep 2017 13:26, "Mark Struberg" <[hidden email]> wrote:
>>
>> +1 to NOT have a hard xalan and xerces dependency.
>>> Usually we don't need it but use the version which is packaged within the
>>> JRE.
>>> It should really remain optional pretty please.
>>>
>>> LieGrue,
>>> strub
>>>
>>>
>>> Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <[hidden email]
>>>> :
>>>>
>>>> Hmm, shout if wrong but think you misunderstood the "optional" in my
>>>> sentence. I meant we patch trunk to remove the adherence to xalan.
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
>>>>
>>> rmannibucau> |
>>>
>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>>>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>>>
>>>> 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
>>>>
>>> [hidden email]>
>>>
>>>> :
>>>>
>>>> Thanks Romain. That is definitely the simplest path - xalan is already
>>>>> marked as an optional dependency, so we wouldn't need to do anything.
>>>>>
>>>> From
>>>
>>>> a compliance perspective, where would this leave us? Wouldn't we need
>>>>>
>>>> this
>>>
>>>> to work out of the box without adding libraries to be compliant? If it
>>>>> doesn't affect us in that respect, then I think we're probably good to
>>>>>
>>>> go.
>>>
>>>> Jon
>>>>>
>>>>> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <
>>>>>
>>>> [hidden email]
>>>
>>>> wrote:
>>>>>
>>>>> Hi Jon
>>>>>>
>>>>>> there is another thread on it (probably on user@)
>>>>>>
>>>>>> I think we should just make xalan optional in the lib and upgrade.
>>>>>>
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>>>>>> <https://blog-rmannibucau.rhcloud.com> | Old Blog
>>>>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/
>>>>>> rmannibucau> |
>>>>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>>>>>> <https://javaeefactory-rmannibucau.rhcloud.com>
>>>>>>
>>>>>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
>>>>>> [hidden email]>
>>>>>> :
>>>>>>
>>>>>> Correction - that should be: "CDDL or GPL with classpath exception".
>>>>>>>
>>>>>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
>>>>>>> [hidden email]> wrote:
>>>>>>>
>>>>>>> Great question. CDDL _or_ GPL, by the look of it.
>>>>>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
>>>>>>>>
>>>>>>> JAXB
>>>>>
>>>>>> I
>>>>>>
>>>>>>> believe.
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
>>>>>>>> [hidden email]> wrote:
>>>>>>>>
>>>>>>>> What is the licence for GlassFish one?
>>>>>>>>>
>>>>>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" <
>>>>>>>>>
>>>>>>>> [hidden email]
>>>>>>>
>>>>>>>> a écrit :
>>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> On master we shifted from openejb-jstl to
>>>>>>>>>>
>>>>>>>>> taglibs-standard-jstlel. I
>>>>>
>>>>>> have
>>>>>>>>>
>>>>>>>>>> done the same on the 1.7.x branch, specifically to move on from
>>>>>>>>>>
>>>>>>>>> the
>>>>>
>>>>>> old
>>>>>>>
>>>>>>>> openejb-jstl (looking at
>>>>>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
>>>>>>>>>> taglibs-standard-jstlel
>>>>>>>>>> library does seem to depend on xalan, which we currently do not
>>>>>>>>>>
>>>>>>>>> include
>>>>>>>
>>>>>>>> in
>>>>>>>>>
>>>>>>>>>> TomEE.
>>>>>>>>>>
>>>>>>>>>> The impact is that some XML functions in JSP code does not work,
>>>>>>>>>>
>>>>>>>>> for
>>>>>
>>>>>> example:
>>>>>>>>>>
>>>>>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>>>>>>>>>>
>>>>>>>>>> <x:parse var="movies">
>>>>>>>>>>     <movies>
>>>>>>>>>>       <movie id="1" name="Wedding Crashers" director="David
>>>>>>>>>>
>>>>>>>>> Dobkin"
>>>>>
>>>>>> genre="Comedy" rating="7" year="2005" />
>>>>>>>>>>       <movie id="2" name="Starsky &amp; Hutch" director="Todd
>>>>>>>>>>
>>>>>>>>> Phillips"
>>>>>>>
>>>>>>>> genre="Action" rating="6" year="2004" />
>>>>>>>>>>       <movie id="3" name="Shanghai Knights" director="David
>>>>>>>>>>
>>>>>>>>> Dobkin"
>>>>>
>>>>>> genre="Action" rating="6" year="2003" />
>>>>>>>>>>       <movie id="4" name="I-Spy" director="Betty Thomas"
>>>>>>>>>>
>>>>>>>>> genre="Adventure"
>>>>>>>>>
>>>>>>>>>> rating="5" year="2002" />
>>>>>>>>>>       <movie id="5" name="The Royal Tenenbaums" director="Wes
>>>>>>>>>>
>>>>>>>>> Anderson"
>>>>>>>
>>>>>>>> genre="Comedy" rating="8" year="2001" />
>>>>>>>>>>       <movie id="6" name="Zoolander" director="Ben Stiller"
>>>>>>>>>>
>>>>>>>>> genre="Comedy"
>>>>>>>>>
>>>>>>>>>> rating="6" year="2001" />
>>>>>>>>>>       <movie id="7" name="Shanghai Noon" director="Tom Dey"
>>>>>>>>>>
>>>>>>>>> genre="Comedy"
>>>>>>>>>
>>>>>>>>>> rating="7" year="2000" />
>>>>>>>>>>     </movies>
>>>>>>>>>> </x:parse>
>>>>>>>>>>
>>>>>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre"
>>>>>>>>>>
>>>>>>>>> /><br
>>>>>
>>>>>> />
>>>>>>>
>>>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
>>>>>>>>>>
>>>>>>>>> (this on
>>>>>>>>>
>>>>>>>>>> both 1.7.x and master)
>>>>>>>>>>
>>>>>>>>>> Including Xalan does fix this, but its a 3MB dependency.
>>>>>>>>>>
>>>>>>>>>> The alternative is to use org.glassfish.web:javax.
>>>>>>>>>>
>>>>>>>>> servlet.jsp.jstl
>>>>>
>>>>>> instead,
>>>>>>>>>> which I have tested and seems to work. Anyone have any thoughts?
>>>>>>>>>>
>>>>>>>>>> Jon
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>> .
>>>
>>>
>