In POI's EncryptionInfo, there is this reflection-based provider loading going on: protected static EncryptionInfoBuilder getBuilder(EncryptionMode encryptionMode) throws ClassNotFoundException, IllegalAccessException, InstantiationException { ClassLoader cl = Thread.currentThread().getContextClassLoader(); EncryptionInfoBuilder eib = (EncryptionInfoBuilder)cl.loadClass(encryptionMode.builder).newInstance(); return eib; } This ends up trying to load a class called org.apache.poi.poifs.crypt.agile.AgileEncryptionInfoBuilder and getting a ClassNotFoundException. This class is in the poi-ooxml jar, but this jar is *not* listed as a dependency of poi, even as a runtime dependency, despite the fact that EncryptionInfo cannot work without it. We're not using POI to support OOXML, only for OLE2-based formats, so we should not have to depend on OOXML directly ourselves either.
Hmm, pesky. Some of the OOXML CT schema classes seem to be needed to power the agile encryption code. You *ought* to be able to use HSSF without needing poi-ooxml or poi-scratchpad, and you *ought* to be able to use HWPF + HSLF without needing poi-ooxml. However, this looks to be one edge case, where an apparently OLE2-only thing actually turns out to be partly OOXML under the hood. We don't want to make almost all POI OLE2-only users suck in the OOXML stuff when they don't need to Would updating the documentation, to help people know that they're accidentally roaming into OOXML territory when they might think they're still in pure-OLE2 land, be enough do you think?
Maybe I just throw out that xmlbeans and update the encryption xml elements with plain DOM calls ...
I updated the Javadocs in r1763944 to mention that poi-ooxml may be required.