Spring SAML: Could not find artifacts while using as maven dependency with version 1.0.4.RELEASE

Question

I am trying to use spring-security-saml2-core-1.0.4.RELEASE as maven dependency for my project and encounter two issues when mvn install:

1. Failure "Could not find artifact xml-apis:xml-apis:jar:1.4 ... ". I have not found 1.4 version of xml-apis dependency neither in Maven repository nor in repositories listed in build.gradle file. As a workaround I am forced to add explicit dependency with slightly different version to my project:

   <dependency>
       <groupId>xml-apis</groupId>
       <artifactId>xml-apis</artifactId>
       <version>1.4.01</version>
       <scope>runtime</scope>
   </dependency>
   

2. Failure: "Could not find artifact org.opensaml:opensaml:jar:2.6.6 ..." and "Could not find artifact ca.juliusdavies:not-yet-commons-ssl:jar:0.3.17 ...". As a workaround I am forced to add explicit maven repositories where I was able to find the artifacts to my project:

   <repository>
       <id>alfresco</id>
       <name>Alfresco</name>
       <url>https://artifacts.alfresco.com/nexus/content/repositories/public/</url>
   </repository>
   <repository>
       <id>mulesoft</id>
       <name>Mulesoft</name>
       <url>http://repository.mulesoft.org/releases/</url>
   </repository>
   

Is it possible to handle the build issues without declaring explicit dependency and repositories?

Answer 1

You are not alone with this problem: https://github.com/spring-projects/spring-security-saml/issues/237

The xml-apis artifact version used in version 1.0.4.RELEASE is actually wrong, like you mentioned version 1.4.01 is the correct one.

As long as the versions used in the other two remaining libraries are not uploaded to the public maven repository I am afraid we are stuck using third party repositories.

Note: I would recommend using the Shibbolet repository to get the 2.6.6 version of OpenSaml : https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaInstall

        <repository>
            <id>Shibbolet</id>
            <name>Shibbolet</name>
            <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
        </repository>

I wonder if all this is the reason that version 1.0.3.RELEASE is still marked as the current release and version 1.0.4.RELEASE is marked as snapshot (https://projects.spring.io/spring-security-saml/) although they made a blog post about the release of version 1.0.4.RELEASE : https://spring.io/blog/2018/03/16/spring-security-saml-1-0-4-released .... No answer so far: https://github.com/spring-projects/spring-security-saml/issues/242

Note that when using version 1.0.3.RELEASE there are no problems with the maven dependencies when using maven central.