java.lang.IllegalStateException: SpringJUnit4ClassRunner requires JUnit 4.12 or higher

Hello everyone! i am working on an issue in which am trying to prevent attacks through CSRF. I was advised to first implement this in some of the openmrs-modules, there after migrate it to core or any other module.

i have decided to start with openmrs-referenceapplication module since it is the one that manages login and logout. Below is how I wish to attain this…

  1. Add spring security dependencies to the reference module…

  2. Adding a CSRF repository and the corresponding filter

  3. List some configurations in the xml files.

  4. Add a hidden input element containing the csrf token to the login page

However, with step 1 I used spring security bom dependency to manage my spring security dependencies in the pom file

<project xmlns="http://maven.apache.org/POM/4.0.0" ......>
	
	<properties>
		.....
		<spring-security.version>5.5.1</spring-security.version>
        ....
	</properties>

	<dependencyManagement>
        <dependencies>
      .......
			<dependency>
		        <groupId>org.springframework.security</groupId>
			    <artifactId>spring-security-bom</artifactId>
		        <version>${spring-security.version}</version>
			    <type>pom</type>
			    <scope>import</scope>
		    </dependency>
      .......	
        </dependencies>
</dependencyManagement>
......
</project>

and the mood/pom file

<dependencies>
    ......
        <dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>javax.servlet-api</artifactId>
			<version>4.0.1</version>
			<scope>provided</scope>
		</dependency>
			<dependency>
			    <groupId>org.springframework.security</groupId>
				<artifactId>spring-security-core</artifactId>
			</dependency>
			<dependency>
				<groupId>org.springframework.security</groupId>
				<artifactId>spring-security-config</artifactId>
			</dependency>
			<dependency>
				<groupId>org.springframework.security</groupId>
			    <artifactId>spring-security-web</artifactId>
			</dependency>				
			<dependency>
			    <groupId>org.springframework.security</groupId>
			    <artifactId>spring-security-test</artifactId>
			    <scope>test</scope>
			</dependency>
	</dependencies>

However, when i run mvn clean install i get a java.lang.ExceptionInInitializerError Caused by: java.lang.IllegalStateException: SpringJUnit4ClassRunner requires JUnit 4.12 or higher. in the openmrs-module-referenceapplication/HomePageControllerTest.java at master · openmrs/openmrs-module-referenceapplication · GitHub

Even the LoginPageControllerTest.java tests were all failing until I changed the javax.servlet version to 4.0.1 as I showed above.

Does anyone know how I can bigo this blocker? I know the problem is because the version of JUnit used in this module is 4.11(i can see this from eclipse under the maven dependencies). However, am not seeing where this dependency is set because the JUnit version in openmrs-core module is 4.13, and this module has no reference for JUnit. Spring security dependencies are known to distort the class-path of the project. Maybe it is what is happening here.

cc @dkayiwa @mozzy @ibacher @isears @sharif and anyone else

Thank you so much

Have you tried changing the openmrsVersion of referenceapplication module to 2.2.0 since openmrs-core/pom.xml at 2.2.x · openmrs/openmrs-core · GitHub provided the same version, Not Exactly sure whether this was compatible to single junit version

1 Like

Thank you @sharif There is something I got to think about. Before, I was aiming at using spring security 5, the later release. However, reference-application-module users openmrs 2.0.1 which uses 4.2.1.RELEASE spring version.

But spring version 4 might not be compatible with spring-security 5. Just downgrading the spring security version to 4.1.3.RELEASE solved everything, where I was able to see that green build success message with mvn clean install

Before I did this, I attempted a number of alternatives, one of which was changing the version of openmrs-core (as @sharif had advised me) used in this module. In this case, I had to overwrite almost all tests because a lot of modifications had been made in these later releases. As a matter of fact, I had to change the versions of almost all referenced modules like the emr-api module, appointments module, etc. This required a number of configurations, so I decided to drop this alternative.

1 Like

This really needs to go into core rather than the RefApp module. Presumably being in core would make it easier to track the right Spring version (e.g. 2.4.0 uses Spring 5.x).

1 Like

hey @ibacher!

this makes alot of sense to me. From my point of view, i really thought that it might take some time for the next release of openmrs-core which is CSRF attack-free and security configured.

cc @isears