Details
Improvement
Resolution: Unresolved
Minor
Description
Files in an "ext" source directory in grouperClient and grouper-installer are forked classes from external dependency source code, with packages renamed. Was the goal to not have external jars so that a standalone jar could be executable? There are ways in Maven to unpack and repackage required classes from dependencies into a single jar (shade plugin), so this fork method is no longer necessary. It's also a security risk, as the classes are frozen in time from the time they are forked, and are not easily upgraded. They are also not as visible to security scanners, since they are not in their own published jars.
There is also an ext directory in the Grouper api for Apache ddlutils classes. It's possible that was a workaround to fix functionality.
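The shade-plugin approach mentioned in the description, sketched as a `pom.xml` fragment. This is an added example, not configuration from the Grouper project: the dependency shown, the version properties, the relocated package prefix and the main class are all assumptions chosen for illustration.

```xml
<!-- Added example: the dependency stays a declared, versioned artifact, so it is
     upgraded by changing one version and remains visible to dependency scanners. -->
<dependencies>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>${commons-logging.version}</version> <!-- assumed property -->
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>${maven-shade-plugin.version}</version> <!-- assumed property -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals><goal>shade</goal></goals>
          <configuration>
            <!-- Rename packages at build time instead of forking the source. -->
            <relocations>
              <relocation>
                <pattern>org.apache.commons.logging</pattern>
                <!-- hypothetical target prefix -->
                <shadedPattern>example.ext.org.apache.commons.logging</shadedPattern>
              </relocation>
            </relocations>
            <!-- Drop signature files that would no longer match the repackaged jar. -->
            <filters>
              <filter>
                <artifact>*:*</artifact>
                <excludes>
                  <exclude>META-INF/*.SF</exclude>
                  <exclude>META-INF/*.DSA</exclude>
                  <exclude>META-INF/*.RSA</exclude>
                </excludes>
              </filter>
            </filters>
            <!-- Keep the single jar executable. -->
            <transformers>
              <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                <mainClass>example.Main</mainClass> <!-- placeholder -->
              </transformer>
            </transformers>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```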