Dependency error in jasper-reports from itext

Question

From yesterday I have problems compiling with maven because of iText jar. My project has a dependency of jasperreports-2.0.1 that depends on itext-1.02b or higher.

<dependency>
    <groupId>com.lowagie</groupId>
    <artifactId>itext</artifactId>
    <version>[1.02b,)</version>
    <scope>compile</scope>
</dependency>

That is the log error in maven:

Failed to collect dependencies for [jasperreports:jasperreports:jar:2.0.1 (compile)]: Failed to read artifact descriptor for com.lowagie:itext:jar:4.2.2: Could not transfer artifact com.itextpdf:itextpdf:pom:4.2.2 from/to jaspersoft (http://www.jasperforge.org/maven2): Access denied to http://www.jasperforge.org/maven2/com/itextpdf/itextpdf/4.2.2/itextpdf-4.2.2.pom. Error code 403, Forbidden -> [Help 1] 

I see here a comment from Amedee Van Gasse that says something about a 4.2.2 version with no jar.

Why does the 1.02b version attach to 4.2.2?

Edit: Jasper-reports uses an open version range:

[1.02b,)

This range says to maven to take the library latest version.

With the update from iText adding new version Pom with no jar and editting the maven-metadata of maven-central to that no-jar version crashes the compilation to all jar depending form latest com.lowagie library.

Updating locally your maven-metadata-central.xml (and other metadata if your company has it's own nexus.public) from ...m2\repository\com\lowagie\itext to that works. Temporally solucion until iText updates the metadata or ALL companies that has dependencies for it's latest version updates it's pom

<metadata modelVersion="1.1.0">
  <groupId>com.lowagie</groupId>
  <artifactId>itext</artifactId>
  <versioning>
    <latest>4.2.1</latest>
    <release>4.2.1</release>
    <versions>
      <version>0.99</version>
      <version>1.1.4</version>
      <version>1.02b</version>
      <version>1.2.3</version>
      <version>1.3</version>
      <version>1.3.1</version>
      <version>1.4</version>
      <version>1.4.8</version>
      <version>2.0.1</version>
      <version>2.0.6</version>
      <version>2.0.7</version>
      <version>2.0.8</version>
      <version>2.1.0</version>
      <version>2.1.2</version>
      <version>2.1.3</version>
      <version>2.1.4</version>
      <version>2.1.5</version>
      <version>2.1.7</version>
      <version>4.2.0</version>
      <version>4.2.1</version>
    </versions>
    <lastUpdated>20150709153501</lastUpdated>
  </versioning>
</metadata>

Answer 1

The problem is indeed in the POM of jasper-reports:

<dependency>
  <groupId>com.lowagie</groupId>
  <artifactId>itext</artifactId>
  <version>[1.02b,)</version>
  <scope>compile</scope>
</dependency>

Jasper-reports distributes a (modified) build of iText 2.1.7 since at least November 2012 (if memory serves me well), so if your version of jasper-reports still has a dependency on 1.02b and up, it must be a very old version.

The jasper-reports dependency on iText should be changed to:

<dependency>
  <groupId>com.lowagie</groupId>
  <artifactId>itext</artifactId>
  <version>[1.02b,2.1.7]</version>
  <scope>compile</scope>
</dependency>

Or just:

<dependency>
  <groupId>com.lowagie</groupId>
  <artifactId>itext</artifactId>
  <version>2.1.7</version>
  <scope>compile</scope>
</dependency>

This relates to this question: How do I tell Maven to use the latest version of a dependency? That page is riddled with cautions about always using the latest version for your dependencies. It reduces reproducibility of your builds.

2.1.7 was the last version of iText released by the company iText Group NV (or its legal predecessor), with the com.lowagie groupId. The next version of iText, released by the company iText Group NV, was version 5.0.0, with the com.itextpdf groupId, which means it's binary incompatible with your current code. There's also the matter of a license change to AGPL, but that is outside the scope of StackOverflow, I want to restrict my answer to the technical matters.

Any other versions of iText between 2.1.7 and 5.0.0, like 4.2.0 and 4.2.1, are forks by other companies. According to Apache's Guide to uploading artifacts to the Central Repository (https://maven.apache.org/guides/mini/guide-central-repository-upload.html), those companies should have used a different groupId, as the page clearly states in their FAQ:

I have a patched version of the foo project developed at foo.com, what groupId should I use? When you patch / modify a third party project, that patched version becomes your project and therefore should be distributed under a groupId you control as any project you would have developed, never under com.foo. See above considerations about groupId.

TL;DR If you don't want to change your code, tell your Maven to only get iText 2.1.7.

Answer 2

I'm using gradle and for the current version 6.8.2 I got the following build error:
> Could not find com.lowagie:itext:2.1.7.js6

So I added http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/ as repository and now it works.

repositories {
    mavenCentral()
    maven { url "https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/" }
}

dependencies {
    compile 'net.sf.jasperreports:jasperreports:6.8.0'
}

EDIT: If you used this solution and suddenly get an error like

> Could not resolve com.lowagie:itext:2.1.7.js6.
    > Could not parse POM http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/com/lowagie/itext/2.1.7.js6/itext-2.1.7.js6.pom
       > The element type "hr" must be terminated by the matching end-tag "</hr>".

This is because the jfrog repository disabled http and only allows https now. For some reason this creates a broken pom with the following content

<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>

Solution: Replace the http in the repository url with https.