Bug 60021 - Apache POI POM should include runtime dependency on poi-ooxml
Summary: Apache POI POM should include runtime dependency on poi-ooxml
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall (show other bugs)
Version: unspecified
Hardware: PC Mac OS X 10.1
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2016-08-19 01:12 UTC by Trejkaz (pen name)
Modified: 2018-09-29 11:47 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Trejkaz (pen name) 2016-08-19 01:12:02 UTC
In POI's EncryptionInfo, there is this reflection-based provider loading going on:

    protected static EncryptionInfoBuilder getBuilder(EncryptionMode encryptionMode) throws ClassNotFoundException, IllegalAccessException, InstantiationException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        EncryptionInfoBuilder eib = (EncryptionInfoBuilder)cl.loadClass(encryptionMode.builder).newInstance();
        return eib;

This ends up trying to load a class called org.apache.poi.poifs.crypt.agile.AgileEncryptionInfoBuilder and getting a ClassNotFoundException.

This class is in the poi-ooxml jar, but this jar is *not* listed as a dependency of poi, even as a runtime dependency, despite the fact that EncryptionInfo cannot work without it. We're not using POI to support OOXML, only for OLE2-based formats, so we should not have to depend on OOXML directly ourselves either.
Comment 1 Nick Burch 2016-08-20 14:55:33 UTC
Hmm, pesky. Some of the OOXML CT schema classes seem to be needed to power the agile encryption code. 

You *ought* to be able to use HSSF without needing poi-ooxml or poi-scratchpad, and you *ought* to be able to use HWPF + HSLF without needing poi-ooxml. However, this looks to be one edge case, where an apparently OLE2-only thing actually turns out to be partly OOXML under the hood.

We don't want to make almost all POI OLE2-only users suck in the OOXML stuff when they don't need to

Would updating the documentation, to help people know that they're accidentally roaming into OOXML territory when they might think they're still in pure-OLE2 land, be enough do you think?
Comment 2 Andreas Beeker 2016-08-20 16:20:51 UTC
Maybe I just throw out that xmlbeans and update the encryption xml elements with plain DOM calls ...
Comment 3 Javen O'Neal 2016-10-09 05:41:59 UTC
I updated the Javadocs in r1763944 to mention that poi-ooxml may be required.