Upgrade from javax.servlet-api-3.1 to jakarta.servlet-api:4.0 and ban javax.servlet:javax.servlet-api (#693)

* Upgrade from javax.servlet-api-3.1 to jakarta.servlet-api:4.0.4
* Ban javax.servlet:javax.servlet-api

---------

Co-authored-by: Jesse Glick <[email protected]>

Author: jeromepochat

pom.xml

@@ -175,9 +175,9 @@
       </dependency>
       <dependency>
         <!-- used in JTH and jenkins core > 2.x -->
-        <groupId>javax.servlet</groupId>
-        <artifactId>javax.servlet-api</artifactId>
-        <version>3.1.0</version>
+        <groupId>jakarta.servlet</groupId>
+        <artifactId>jakarta.servlet-api</artifactId>
+        <version>4.0.4</version>
       </dependency>
       <dependency>
         <groupId>junit</groupId>
@@ -243,8 +243,8 @@
 
     <!-- dependencies provided by virtue of running in Jenkins -->
     <dependency>
-      <groupId>javax.servlet</groupId>
-      <artifactId>javax.servlet-api</artifactId>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
       <scope>provided</scope>
     </dependency>
 
@@ -556,6 +556,7 @@
                 </enforceBytecodeVersion>
                 <bannedDependencies>
                   <excludes>
+                    <exclude>javax.servlet:javax.servlet-api</exclude>
                     <exclude>javax.servlet:servlet-api</exclude>
                     <exclude>org.sonatype.sisu:sisu-guice</exclude>
                     <exclude>log4j:log4j:*:jar:compile</exclude>

src/it/servlet-api/invoker.properties

@@ -0,0 +1,3 @@
+# install, not verify, because we want to check the artifact as we would be about to deploy it
+# release.skipTests normally set in jenkins-release profile since release:perform would do the tests
+invoker.goals=-Dstyle.color=always -ntp -Pjenkins-release -Drelease.skipTests=false clean install

src/it/servlet-api/pom.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.jenkins-ci.plugins</groupId>
+    <artifactId>plugin</artifactId>
+    <version>@project.version@</version>
+    <relativePath />
+  </parent>
+  <groupId>org.jenkins-ci.plugins.its</groupId>
+  <artifactId>servlet-api</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>hpi</packaging>
+  <properties>
+    <jenkins.version>2.361.4</jenkins.version>
+  </properties>
+  <dependencies>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>structs</artifactId>
+      <version>1.5</version>
+    </dependency>
+  </dependencies>
+  <repositories>
+    <repository>
+      <id>repo.jenkins-ci.org</id>
+      <url>https://repo.jenkins-ci.org/public/</url>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>repo.jenkins-ci.org</id>
+      <url>https://repo.jenkins-ci.org/public/</url>
+    </pluginRepository>
+  </pluginRepositories>
+</project>

src/it/servlet-api/src/main/resources/index.jelly

@@ -0,0 +1,2 @@
+<?jelly escape-by-default='true'?>
+<div/>

src/it/servlet-api/src/test/java/test/ServletAPITest.java

@@ -0,0 +1,33 @@
+package test;
+
+import hudson.security.LegacySecurityRealm;
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+public class ServletAPITest {
+
+    @Rule
+    public final JenkinsRule rule = new JenkinsRule();
+
+    /**
+     * When having both Servlet APIs 3.1 and 4.0 in classpath, the following error
+     * is logged on server side:
+     *
+     * <pre>
+     * WARNING	o.e.jetty.server.HttpChannel#handleException: /jenkins/j_security_check
+     * java.lang.AbstractMethodError: Receiver class org.eclipse.jetty.security.authentication.SessionAuthentication does not define or inherit an
+     * implementation of the resolved method 'abstract void valueBound(javax.servlet.http.HttpSessionBindingEvent)' of interface
+     * javax.servlet.http.HttpSessionBindingListener. at org.eclipse.jetty.server.session.Session.bindValue(Session.java:357)
+     * </pre>
+     *
+     * And then on client side getting "500 Server Error for
+     * http://localhost:.../jenkins/j_security_check"
+     */
+    @Test
+    public void involveHttpSessionBindingListener() throws Exception {
+        Jenkins.get().setSecurityRealm(new LegacySecurityRealm());
+        rule.createWebClient().login("bob");
+    }
+}