Stuart Maclean stuart-2Mt1T0R+FriWzc88wn+gRje48wsgrGvP@public.gmane.org [seajug]
2014-10-17 18:04:27 UTC
For better or worse, I bundle my Java applications (mostly cmd line
driven, on Linux) thus. Build in Maven, natch, and use the jar plugin
like this:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jar-plugin</artifactId>
  <configuration>
    <archive>
      <manifest>
        <addClasspath>true</addClasspath>
      </manifest>
      <manifestEntries>
        <!-- This will allow log4j config file locating -->
        <Class-Path>.</Class-Path>
      </manifestEntries>
    </archive>
  </configuration>
</plugin>
So the main jar's manifest has a classpath set to locate dependent jars
at runtime. I do not like 'uber jars' too much, so steer clear of the
'shade plugin' and assemblies.
I use log4j for logging. I do NOT want to bundle the log4j.properties
file in the main jar, since then I have to unpack/repack the jar to
change a log level. Instead, I add '.' to the classpath, and then place
a log4j.properties file alongside the 'main jar' (the sole one
referenced in the java cmd line).
Looking at the manifest built by the jar plugin, I can see that the '.'
is PREPENDED to the class path. I would prefer it APPENDED. As it is,
it opens a security hole whereby trojaned classfiles in/under '.' would
get loaded ahead of classes housed in my intended jars. It's akin to
putting '.' at the start of your Unix PATH env var, a definite no-no.
Any Maven gurus out there know how to force the plugin to re-order my
manifest?
Stu
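
An added example, not part of the original post and not the poster's or Maven's code: a small Python audit that reads a jar's manifest, unfolds the wrapped Class-Path header, and reports directory entries such as '.' that are searched ahead of a jar entry. The jar names in the sample manifests are constructed, and treating '.', '..' and entries ending in '/' as directories is an assumption of this check.

```python
import zipfile

# Constructed sample manifests (jar names are made up). The first one has a
# wrapped Class-Path header so that continuation-line unfolding is exercised.
PREPENDED = ("Manifest-Version: 1.0\r\n"
             "Class-Path: . dep-a-1.0.jar dep-b-2.3.jar dep-\r\n"
             " c-0.9.jar\r\n\r\n")
APPENDED = ("Manifest-Version: 1.0\r\n"
            "Class-Path: dep-a-1.0.jar dep-b-2.3.jar dep-c-0.9.jar .\r\n\r\n")

def unfold_manifest(text):
    """Join continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def main_class_path(text):
    """Return the main section's Class-Path entries in search order."""
    for line in unfold_manifest(text):
        if line == "":
            break  # a blank line ends the main section
        name, sep, value = line.partition(": ")
        if sep and name.lower() == "class-path":
            return value.split()
    return []

def is_directory_entry(entry):
    # Assumption of this check: these forms resolve to a directory, not a jar.
    return entry in (".", "..") or entry.endswith("/")

def shadowing_directories(entries):
    """Directory entries that are searched before at least one jar entry."""
    jars = [i for i, e in enumerate(entries) if not is_directory_entry(e)]
    if not jars:
        return []
    return [e for e in entries[:jars[-1]] if is_directory_entry(e)]

def audit_jar(jar):
    """jar is a path or a binary file object; returns the shadowing directories."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return shadowing_directories(main_class_path(text))

if __name__ == "__main__":
    for label, sample in (("prepended", PREPENDED), ("appended", APPENDED)):
        print(label, shadowing_directories(main_class_path(sample)))
```

Running audit_jar over built artifacts in CI gives a failing check whenever a directory entry ends up ahead of the dependency jars.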