Dependency resolution failure for OpenSAML after upgrading to Spring Web Services 4.1

Article ID: 428943

Products

VMware Tanzu Platform Spring Developer Support for Spring Developer Support only for Spring Enterprise VMware Tanzu Platform Spring Essentials VMware Tanzu Spring Essentials VMware Tanzu Spring Runtime - SM

Issue/Introduction

Upon upgrading to Spring Web Services (Spring-WS) 4.1.x, developers may find that their builds fail because Maven or Gradle cannot locate OpenSAML artifacts. This occurs even though the project successfully resolved previous versions of OpenSAML from Maven Central.

The error typically appears as a "Could not find artifact" or "Missing dependency" error for group ID org.opensaml.

Cause

This issue is caused by a change in the publishing strategy of the OpenSAML project and the subsequent upgrade of internal dependencies in Spring-WS:

  1. WSS4J Upgrade: Spring-WS 4.1.x upgrades its security engine to Apache WSS4J v4, which in turn depends on OpenSAML v4/v5.

  2. Repository Exclusion: Recent versions of OpenSAML (specifically v4 and above) are no longer published to Maven Central. The Shibboleth project, which maintains OpenSAML, hosts these artifacts exclusively on its own dedicated Maven repository due to specific licensing and indemnification requirements.

  3. Transitive Failure: Because Spring-WS 4.1.x transitively pulls in these newer OpenSAML versions, standard builds that only check Maven Central will fail to resolve the necessary

Resolution

To resolve this issue, you must explicitly add the Shibboleth Release Repository to your build configuration.

For Maven (pom.xml)

Add the following <repository> block to your pom.xml:

<repositories>
    <repository>
        <id>shibboleth-releases</id>
        <url>https://build.shibboleth.net/maven/releases/</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>

For Gradle (build.gradle)

Add the Shibboleth URL to your repositories block:

repositories {
    mavenCentral()
    maven {
        url "https://build.shibboleth.net/maven/releases/"
    }
}
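
A narrower variant of the Gradle configuration above, given here as an added example and not taken from the original article or from Spring or Shibboleth documentation: it uses Gradle's exclusiveContent so that the Shibboleth repository can only supply the OpenSAML-related groups, and those groups cannot be served by any other repository. The repository name and the net.shibboleth group pattern (for OpenSAML's own transitive dependencies) are assumptions; adjust them to what your build actually resolves.

```groovy
// build.gradle (Groovy DSL) - added example, not the article's own configuration.
repositories {
    // Everything that is not matched by the filter below still comes from Maven Central.
    mavenCentral()

    exclusiveContent {
        forRepository {
            maven {
                // Name is an assumption chosen for readability in build logs.
                name = "shibbolethReleases"
                url = uri("https://build.shibboleth.net/maven/releases/")
                // Mirrors <snapshots><enabled>false</enabled></snapshots> in the Maven block:
                // only release versions are requested from this repository.
                mavenContent {
                    releasesOnly()
                }
            }
        }
        filter {
            // Group ID named in the article's error description.
            includeGroupByRegex "org\\.opensaml(\\..*)?"
            // Assumption: Shibboleth support libraries that OpenSAML v4/v5 pulls in
            // transitively are published under net.shibboleth groups.
            includeGroupByRegex "net\\.shibboleth(\\..*)?"
        }
    }
}

// Effect of the filter:
//  - a request for any other group (for example org.springframework) is never sent
//    to build.shibboleth.net, so that host cannot substitute unrelated artifacts;
//  - org.opensaml and net.shibboleth artifacts are never looked up on Maven Central,
//    so an older OpenSAML release that exists only on Maven Central will no longer
//    resolve once this block is in place.
```

If a module in the build still needs an OpenSAML version that is only on Maven Central, use a plain `content { includeGroupByRegex ... }` filter inside the `maven { }` block instead of `exclusiveContent`; that restricts what the Shibboleth repository may serve without hiding those groups from Maven Central.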

For Enterprise Environments (Nexus/Artifactory)

If your organization uses a repository manager (like Sonatype Nexus or JFrog Artifactory):

  1. Create a new Proxy Repository pointing to https://build.shibboleth.net/maven/releases/.

  2. Add this new proxy repository to your Public Repository Group.