Dependency conflict between spring-boot-starter-remote-shell and spring-security-jwt

[stdll]

When using both spring-boot-starter-remote-shell and spring-security-jwt there is a version conflict concerning org.bouncycastle:bcpkix-jdk15on.

Simple steps to replicate the issue:

1. Open Spring Initializr
2. Use spring-boot 1.2.5.RELEASE, choose Remote Shell and download/open the project
3. Manually add spring-security-jwt as dependency

The POM should have the following dependencies:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-remote-shell</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-jwt</artifactId>
        </dependency>

spring-boot-starter-remote-shell (1.2.5.RELEASE) needs org.bouncycastle:bcpkix-jdk15on (1.51), but having spring-security-jwt (1.0.3.RELEASE) as dependency leads to version 1.47 to be used.

This will cause errors when using the remote shell as the API of the bouncycastle library has changed considerably between 1.47 and 1.51. More precisely, it causes an exception when someone tries to connect to the remote shell: java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms.

However, the real issue is an InvocationTargetException which is thrown while trying to read the server key due to the incompatible API.

[wilkinsona]

Have you tried forcing the version of Bouncycastle to 1.47? I believe that the shell will work with both 1.47 and 1.51.

[snicoll]

See also #2425

[stdll]

@wilkinsona Forcing the version to either 1.47 or 1.51 solves the problem.

[wilkinsona]

That's good news, thanks. I've opened spring-attic/spring-security-oauth#531 to consider enhancing spring-security-jwt to support 1.51.