0

How to download mvn dependency as a single jar with it's dependencies embedded inside ?

My use case:

Downloading(org.apache.felix.http.servlet-api:1.1.0) and then copying it into a folder.

From MVN repository(http://mvnrepository.com/artifact/org.apache.felix/org.apache.felix.http.servlet-api) can get it as a single jar.

In local build I use maven-dependency-plugin:

         <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <version>2.10</version>
            <executions>
                <execution>
                    <id>copy</id>
                    <phase>package</phase>
                    <goals>
                        <goal>copy-dependencies</goal>
                    </goals>
                    <configuration>
                        <outputDirectory>/Users/user/dev/fun/felix-framework-5.0.0/bundle</outputDirectory>
                        <overWriteReleases>false</overWriteReleases>
                        <overWriteSnapshots>false</overWriteSnapshots>
                        <overWriteIfNewer>true</overWriteIfNewer>
                    </configuration>
                </execution>
            </executions>
        </plugin>

Now, it copies org.apache.felix.http.servlet-api not as a single jar, but as 2 jar's. First jar is the (org.apache.felix.http.servlet-api), second jar is tomcat-servlet-api. Which is mentioned in the dependency list of my dependency.

How can I just download and copy to a folder org.apache.felix.http.servlet-api as a single jar(same format as download from mvn repository) ?

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
Peter
  • 689
  • 2
  • 8
  • 20

1 Answers1

0

That's not how Maven repositories work. Take the well known SLF4J project's files:

http://search.maven.org/#artifactdetails|org.slf4j|slf4j-api|1.7.12|jar

You're notice that each file is signed by it's publisher (*.asc files) and has a SHA1 checksum. Signing the binary enables trust that the binary was built from its original source code and the checksum enables you to verify that the binary was not tampered with in transit.

Hopefully this explains why building "uber jars" (jars containing all dependencies) would have done by the original publisher of the software. If the Maven repository was to do this "on demand" the resultant binary would have a different checksum and would not match its signature.

Opinions differ, but I submit that you are much better off including 3rd party dependencies as discrete and separate files. It makes reverse engineering your dependencies a lot easier (The files checksum can be used to lookup a Maven repo and determine the project and version. I once had to this this on a really old Java project) and sometimes there are licensing conditions that allow linking of a library but not inclusion.

In conclusion executable jars can reference their dependencies using the "ClassPath" manifest entry. There is a Maven plugin that can help you create such a jar:

https://maven.apache.org/shared/maven-archiver/examples/classpath.html

PS There's also a plugin for creating uberjars so plenty options.

Mark O'Connor
  • 76,015
  • 10
  • 139
  • 185