Posted to dev@tomee.apache.org by Svetlin Zarev <sv...@gmail.com> on 2017/09/01 05:34:10 UTC

Re: JSTL

Here it is: https://issues.apache.org/jira/browse/TOMEE-2113

2017-08-31 19:05 GMT+03:00 Jonathan Gallimore <jo...@gmail.com>:

> I'll do a search and see if I can dig that out. Good shout - thank you.
>
> Jon
>
> On Thu, Aug 31, 2017 at 5:00 PM, Romain Manni-Bucau <rmannibucau@gmail.com>
> wrote:
>
> > +1
> >
> > side note: we should pby link this to the user thread, can try to find it
> > back later this week if needed
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github
> > <https://github.com/rmannibucau> | LinkedIn
> > <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> >
> > > Just to make sure I understand - (3) would be your preference, but if
> > > that's difficult you'd live with (1) if it came to it, with (2) being your
> > > least favorite.
> > >
> > > We should only need to pick one - I can confirm that option (1) on its own
> > > works, as does option (2) on its own. I'm definitely happy to have a crack
> > > at option (3) and present a PR for each and let the community decide which
> > > it likes the best.
> > >
> > > Thanks for your input, I appreciate it.
> > >
> > > Jon
> > >
> > > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <rmannibucau@gmail.com>
> > > wrote:
> > >
> > > > yep, 3, 1, 2 for the complete order (a mix of compatibility and
> > > > influence/asf consistence).
> > > >
> > > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > >
> > > > > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > > > > attached should work out of the box, requiring no changes to TomEE. That
> > > > > leaves us with a few options:
> > > > >
> > > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > > > > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a CDDL/GPL
> > > > > + CP exception licence. Does not require Xalan -> easy change to make and
> > > > > appears to work (I believe the license is ok for us to use it). Not sure if
> > > > > there are other restrictions or issues with us using that.
> > > > > 3. Patch the Tomcat taglibs libraries to use the XPath support built into
> > > > > the JVM as opposed to Xalan. I did have a look at this yesterday, and it
> > > > > didn't look like a straightforward change at the time. I'm happy to look at
> > > > > it again though if we feel that's the way forward.
> > > > >
> > > > > I think you're stating a preference for (3) - is that correct?
> > > > >
> > > > > Cheers
> > > > >
> > > > > Jon
> > > > >
> > > > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <rmannibucau@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > > > > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > > > > >
> > > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > > > >
> > > > > > > Thanks Romain. That is definitely the simplest path - xalan is already
> > > > > > > marked as an optional dependency, so we wouldn't need to do anything. From
> > > > > > > a compliance perspective, where would this leave us? Wouldn't we need this
> > > > > > > to work out of the box without adding libraries to be compliant? If it
> > > > > > > doesn't affect us in that respect, then I think we're probably good to go.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <rmannibucau@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi Jon
> > > > > > > >
> > > > > > > > there is another thread on it (probably on user@)
> > > > > > > >
> > > > > > > > I think we should just make xalan optional in the lib and upgrade.
> > > > > > > >
> > > > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > > > > > >
> > > > > > > > > Correction - that should be: "CDDL or GPL with classpath exception".
> > > > > > > > >
> > > > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <jonathan.gallimore@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
> > > > > > > > > > believe.
> > > > > > > > > >
> > > > > > > > > > Jon
> > > > > > > > > >
> > > > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
> > > > > > > > > >
> > > > > > > > > >> What is the licence for GlassFish one?
> > > > > > > > > >>
> > > > > > > > > >> On 31 August 2017 12:38, "Jonathan Gallimore" <jonathan.gallimore@gmail.com>
> > > > > > > > > >> wrote:
> > > > > > > > > >>
> > > > > > > > > >> > Hi
> > > > > > > > > >> >
> > > > > > > > > >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
> > > > > > > > > >> > done the same on the 1.7.x branch, specifically to move on from the old
> > > > > > > > > >> > openejb-jstl (looking at
> > > > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The taglibs-standard-jstlel
> > > > > > > > > >> > library does seem to depend on xalan, which we currently do not include in
> > > > > > > > > >> > TomEE.
> > > > > > > > > >> >
> > > > > > > > > >> > The impact is that some XML functions in JSP code do not work, for
> > > > > > > > > >> > example:
> > > > > > > > > >> >
> > > > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > > > > > > >> >
> > > > > > > > > >> > <x:parse var="movies">
> > > > > > > > > >> >     <movies>
> > > > > > > > > >> >       <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> > > > > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> > > > > > > > > >> >       <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> > > > > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> > > > > > > > > >> >       <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> > > > > > > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> > > > > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> > > > > > > > > >> >     </movies>
> > > > > > > > > >> > </x:parse>
> > > > > > > > > >> >
> > > > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> > > > > > > > > >> >
> > > > > > > > > >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
> > > > > > > > > >> > both 1.7.x and master)
> > > > > > > > > >> >
> > > > > > > > > >> > Including Xalan does fix this, but it's a 3MB dependency.
> > > > > > > > > >> >
> > > > > > > > > >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead,
> > > > > > > > > >> > which I have tested and seems to work. Anyone have any thoughts?
> > > > > > > > > >> >
> > > > > > > > > >> > Jon
>
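
Option (3) in the quoted discussion is to evaluate the tag's XPath with the XPath support built into the JVM instead of Xalan. As an added illustration (not code from this thread, from TomEE, or from the Tomcat taglibs), the stand-alone Java program below evaluates the thread's `$movies//movie[@id='1']/@genre` expression using only `javax.xml.xpath`; the class name, the variable-resolver approach and the parser hardening flags are assumptions made for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical demo class: shows that the JDK's own JAXP XPath engine can
// evaluate the JSTL-style expression from the thread with no Xalan jar present.
public class JdkXPathDemo {

    // Constructed sample: three of the <movie> rows quoted in the thread.
    static final String MOVIES_XML =
          "<movies>"
        + "<movie id=\"1\" name=\"Wedding Crashers\" director=\"David Dobkin\""
        + " genre=\"Comedy\" rating=\"7\" year=\"2005\" />"
        + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" director=\"Todd Phillips\""
        + " genre=\"Action\" rating=\"6\" year=\"2004\" />"
        + "<movie id=\"4\" name=\"I-Spy\" director=\"Betty Thomas\""
        + " genre=\"Adventure\" rating=\"5\" year=\"2002\" />"
        + "</movies>";

    // Constructed input carrying an internal DTD, used to show the parser refusing it.
    static final String WITH_DOCTYPE =
          "<!DOCTYPE movies [<!ENTITY t \"text\">]>"
        + "<movies><movie id=\"1\" genre=\"&t;\" /></movies>";

    /** Parses XML into a DOM with DTDs, XInclude and entity expansion switched off. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that declares a DOCTYPE at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /**
     * Evaluates expr as a string. The single variable varName is bound to doc,
     * standing in for the scoped variable that x:parse stores for x:out.
     */
    static String select(String expr, String varName, Document doc) throws Exception {
        XPathFactory xpf = XPathFactory.newInstance();
        // Secure processing disables XPath extension functions.
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = xpf.newXPath();
        xpath.setXPathVariableResolver(q -> varName.equals(q.getLocalPart()) ? doc : null);
        return xpath.evaluate(expr, doc);
    }

    /** True if the Xalan class named in the thread's NoClassDefFoundError is loadable. */
    static boolean xalanPresent() {
        try {
            Class.forName("org.apache.xpath.XPath");
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Xalan on classpath: " + xalanPresent());

        Document movies = parseHardened(MOVIES_XML);
        System.out.println("Movie 1 Genre: "
            + select("$movies//movie[@id='1']/@genre", "movies", movies));

        try {
            parseHardened(WITH_DOCTYPE);
            System.out.println("DOCTYPE input was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE input rejected: " + e.getMessage());
        }
    }
}
```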

Re: JSTL

Posted by Andy Gumbrecht <ag...@tomitribe.com>.
I think it is best to move quickly and use method 1 and release asap.

This will buy us time to implement the better method 3.


Andy.


On 01/09/17 11:10, Jonathan Gallimore wrote:
> Awesome, thanks!
>
> Jon


Re: JSTL

Posted by Jonathan Gallimore <jo...@gmail.com>.
Reverted my change back to the openejb-jstl on 1.7.x just until I have a
patch for the Tomcat JSTL jars ready.

Jon

On Fri, Sep 1, 2017 at 10:10 AM, Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Awesome, thanks!
>
> Jon

Re: JSTL

Posted by Jonathan Gallimore <jo...@gmail.com>.
Awesome, thanks!

Jon

On Fri, Sep 1, 2017 at 6:34 AM, Svetlin Zarev <
svetlin.angelov.zarev@gmail.com> wrote:

> Here it is: https://issues.apache.org/jira/browse/TOMEE-2113
>
> 2017-08-31 19:05 GMT+03:00 Jonathan Gallimore <
> jonathan.gallimore@gmail.com>
> :
>
> > I'll do a search and see if I can dig that out. Good shout - thank you.
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 5:00 PM, Romain Manni-Bucau <
> rmannibucau@gmail.com
> > >
> > wrote:
> >
> > > +1
> > >
> > > side note: we should probably link this to the user thread, can try to
> > > find it back later this week if needed
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
> > > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> > > <https://javaeefactory-rmannibucau.rhcloud.com>
> > >
> > > 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > >
> > > > Just to make sure I understand - (3) would be your preference, but if
> > > > that's difficult you'd live with (1) if it came to it, with (2) being
> > > > your least favorite.
> > > >
> > > > We should only need to pick one - I can confirm that option (1) on its
> > > > own works, as does option (2) on its own. I'm definitely happy to have a
> > > > crack at option (3) and present a PR for each and let the community
> > > > decide which it likes the best.
> > > >
> > > > Thanks for your input, I appreciate it.
> > > >
> > > > Jon
> > > >
> > > > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> > > >
> > > > > yep, 3, 1, 2 for the complete order (a mix of compatibility and
> > > > > influence/asf consistence).
> > > > >
> > > > >
> > > > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > > >
> > > > > > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > > > > > attached should work out of the box, requiring no changes to TomEE.
> > > > > > That leaves us with a few options:
> > > > > >
> > > > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> > > > > > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > > > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> > > > > > CDDL/GPL + CP exception licence. Does not require Xalan -> easy change
> > > > > > to make and appears to work (I believe the license is ok for us to use
> > > > > > it). Not sure if there are other restrictions or issues with us using
> > > > > > that.
> > > > > > 3. Patch the Tomcat taglibs libraries to use the XPath support built
> > > > > > into the JVM as opposed to Xalan. I did have a look at this yesterday,
> > > > > > and it didn't look like a straightforward change at the time. I'm happy
> > > > > > to look at it again though if we feel that's the way forward.
> > > > > >
> > > > > > I think you're stating a preference for (3) - is that correct?
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> > > > > >
> > > > > > > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > > > > > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > > > > >
> > > > > > > > Thanks Romain. That is definitely the simplest path - xalan is
> > > > > > > > already marked as an optional dependency, so we wouldn't need to do
> > > > > > > > anything. From a compliance perspective, where would this leave us?
> > > > > > > > Wouldn't we need this to work out of the box without adding libraries
> > > > > > > > to be compliant? If it doesn't affect us in that respect, then I think
> > > > > > > > we're probably good to go.
> > > > > > > >
> > > > > > > > Jon
> > > > > > > >
> > > > > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Hi Jon
> > > > > > > > >
> > > > > > > > > there is another thread on it (probably on user@)
> > > > > > > > >
> > > > > > > > > I think we should just make xalan optional in the lib and upgrade.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <jonathan.gallimore@gmail.com>:
> > > > > > > > >
> > > > > > > > > > Correction - that should be: "CDDL or GPL with classpath exception".
> > > > > > > > > >
> > > > > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > > > > > > > > > jonathan.gallimore@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
> > > > > > > > > > > JAXB I believe.
> > > > > > > > > > >
> > > > > > > > > > > Jon
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > > > > > > > > > jlmonteiro@tomitribe.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > >> What is the licence for GlassFish one?
> > > > > > > > > > >>
> > > > > > > > > > > >> On 31 August 2017 at 12:38, "Jonathan Gallimore" <jonathan.gallimore@gmail.com> wrote:
> > > > > > > > > > >>
> > > > > > > > > > >> > Hi
> > > > > > > > > > >> >
> > > > > > > > > > > >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I
> > > > > > > > > > > >> > have done the same on the 1.7.x branch, specifically to move on from
> > > > > > > > > > > >> > the old openejb-jstl (looking at
> > > > > > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > > > > > > > >> > taglibs-standard-jstlel library does seem to depend on xalan, which we
> > > > > > > > > > > >> > currently do not include in TomEE.
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > The impact is that some XML functions in JSP code do not work, for
> > > > > > > > > > > >> > example:
> > > > > > > > > > >> >
> > > > > > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > <x:parse var="movies">
> > > > > > > > > > > >> >     <movies>
> > > > > > > > > > > >> >       <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> > > > > > > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> > > > > > > > > > > >> >       <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> > > > > > > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> > > > > > > > > > > >> >       <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> > > > > > > > > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> > > > > > > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> > > > > > > > > > > >> >     </movies>
> > > > > > > > > > > >> > </x:parse>
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> > > > > > > > > > >> >
> > > > > > > > > > > >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
> > > > > > > > > > > >> > (this on both 1.7.x and master)
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > Including Xalan does fix this, but it's a 3MB dependency.
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
> > > > > > > > > > > >> > instead, which I have tested and seems to work. Anyone have any
> > > > > > > > > > > >> > thoughts?
> > > > > > > > > > >> >
> > > > > > > > > > >> > Jon
> > > > > > > > > > >> >
> > > > > > > > > > >>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>