Exclude signed javax-servlet coming from jetty #10364
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Jetty comes with a signed version of javax-servlet, this conflict with the standard servlet api which is not signed, and make the test throw `SecurityException` when the classes are loaded. The mock agent server in the test JVM uses repackaged Jetty which requires Servlet 3.1, so we exclude the signed Servlet 3.0 and use the unsigned Servlet 3.1 everywhere (including in the shadowJar for the smoke test app running in a separate process).
bric3
added
type: bug
amarziali
approved these changes
Jan 13, 2026
amarziali
reviewed
Jan 13, 2026
| // Servlet API conflict resolution: | ||
| // Two servlet JARs end up on the test classpath causing a SecurityException (signer mismatch): | ||
| // 1. org.eclipse.jetty.orbit:javax.servlet (Servlet 3.0, signed) - from Jetty 9.0.4 | ||
| // 2. javax.servlet:javax.servlet-api (Servlet 3.1, unsigned) - from the testing module |
Contributor
There was a problem hiding this comment.
we really need to avoid leaking that out
Contributor
Author
There was a problem hiding this comment.
agreed, but this time the issue is a bit different, I tried to do without standard servlet api, but I couldn't make anything work using the jetty signed variant.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What Does This Do
Use only a single servlet-api to avoid conflict.
Motivation
Jetty comes with a signed version of javax-servlet, this conflict with the standard servlet api which is not signed, and make the test throw
SecurityExceptionwhen the classes are loaded.The mock agent server in the test JVM uses repackaged Jetty which requires Servlet 3.1, so we exclude the signed Servlet 3.0 and use the unsigned Servlet 3.1 everywhere (including in the shadowJar for the smoke test app running in a separate process).
Additional Notes
Related to #10365, but different due to jetty having a signed variant.
Contributor Checklist
type:and (comp:orinst:) labels in addition to any useful labelsclose,fixor any linking keywords when referencing an issue.Use
solvesinstead, and assign the PR milestone to the issueJira ticket: [PROJ-IDENT]