OSGI jsoup. Can't use different versions of JSOUP library


how does OSGI works?
I downloaded two JSOUP libraries from MAVEN
and https://mvnrepository.com/artifact/org.jsoup/jsoup/1.15.3
and put them into “…commandbox\lucee-\WEB-INF\lucee-server\bundles” folder

But when I create object using “jsoup = createObject(“java”, “org.jsoup.Jsoup”, “org.jsoup”, “1.9.2”);”
I can’t use another library version using “jsoup = createObject(“java”, “org.jsoup.Jsoup”, “org.jsoup”, “1.15.3”);” Lucee create instance of “1.9.2” version
What I’m doing wrong?

Don’t forget to tell us about your stack!

OS: Windows Server 2012
Java Version: 1.8.0_131
Lucee Version: and others

Disappointingly, I can confirm that Lucee doesn’t seem to be working as I thought I understood from the docs.

jSoup does not ship with Lucee so if I call it without installing it and without specifying a version…

CreateObject( "java", "org.jsoup.Jsoup", "org.jsoup" )

it seems Lucee will automatically download the 1.9.2 version (presumably from Maven), which is over 6 years old.

If I then add jSoup 1.15.3 to the bundles folder and specify the version when calling it…

CreateObject( "java", "org.jsoup.Jsoup", "org.jsoup", "1.15.3" )

I still get v1.9.2.

Even if I delete the 1.9.2 jar it still returns that version.

I also tried switching to the newer version programmatically but it made no difference.

So it seems that once a bundle has been loaded as the first instance with that name, it can only be replaced via a restart. Not the fully dynamic java loading I thought we had these days.

@Vintic Presumably you don’t actually need to call both versions of jsoup? As I say v1.9.2 is very old and there’s been at least one CVE meaning you should be using the latest version only.

Assuming that’s the case, then the solution for now would be to remove the 1.9.2 jar from the /bundles folder, replace it with 1.15.3 and then restart Lucee, after which your CreateObject() calls should return the current version.

Can you guys put in a ticket for this? cc @micstriit

I put together a test case for a ticket by creating a simple dummy osgi bundle from scratch in 2 different versions, but couldn’t replicate the issue: I was able to switch between the loaded versions using CreateObject() as per the docs.

Which is a relief.

I guess it’s something specific to jSoup, but we are using it in production, loaded via osgi, and not having any problems.

@Vintic for workaround use the path of the jar file

jsoup = CreateObject( "java", "org.jsoup.Jsoup", "path-of-the-jar-file-palced\jsoup-1.15.3.jar");

I tried to use:
<cfset THIS.javaSettings = {
LoadPaths = ["#THIS.mappings[’/vendor’]#/lib/"],
loadColdFusionClassPath = TRUE,
reloadOnChange = TRUE,
watchExtensions = “jar,class”

But, the main problem with that, is that file become locked, so I can’t remove it (switch to another branch). And only Lucee restart helps.

Thank, will try your solution.

Can you try using bundles for OSGI bundle paths? loadPaths is for jars

some changes have been made recently