I recently was called in to help troubleshoot an application. It was a java web app: a war. When I looked inside the WEB-INF/lib directory, here is what I saw:
- activation-1.1.jar
- asm-3.1.jar
- axiom-api-1.2.12.jar
- axiom-dom-1.2.12.jar
- axiom-impl-1.2.12.jar
- axis-1.1.jar
- axis2-adb-1.6.1.jar
- axis2-codegen-1.6.1.jar
- axis2-kernel-1.6.1.jar
- axis2-mtompolicy-1.6.1.jar
- axis2-transport-http-1.6.1.jar
- axis2-transport-local-1.6.1.jar
- axis2-xmlbeans-1.6.1.jar
- commons-beanutils-1.7.0.jar
- commons-beanutils-core-1.7.0.jar
- commons-codec-1.3.jar
- commons-collections-3.2.jar
- commons-configuration-1.2.jar
- commons-digester-1.7.jar
- commons-discovery-0.2.jar
- commons-fileupload-1.2.jar
- commons-httpclient-3.0.1.jar
- commons-lang-2.1.jar
- commons-logging-1.0.4.jar
- commons-logging-api-1.0.4.jar
- dac-client.jar
- dealer-locator-pojos.jar
- DealerLocatorWebServices-client-1.1.4.jar
- dom4j-1.4.jar
- ehcache-core-2.3.0.jar
- ehcache-web-2.0.3.jar
- ejb-api-3.0.jar
- httpcore-4.0.jar
- isorelax-20020414.jar
- jackson-core-asl-1.7.1.jar
- jackson-jaxrs-1.7.1.jar
- jackson-mapper-asl-1.7.1.jar
- jackson-xc-1.7.1.jar
- javax.ejb_3.0.1.jar
- javax.jms.jar
- jaxb-api-2.2.2.jar
- jaxb-impl-2.2.3-1.jar
- jaxen-1.1.1.jar
- jaxrpc.jar
- jersey-core-1.6.jar
- jersey-json-1.6.jar
- jersey-server-1.6.jar
- jettison-1.1.jar
- log4j-1.2.8.jar
- mex-1.6.1-impl.jar
- msv-20020414.jar
- neethi-3.0.1.jar
- ojdbc6.jar
- opensaml-2.2.3.jar
- pagination-lib.jar
- quartz-1.6.6.jar
- quartz-1.7.2.jar
- rampart-core-1.6.1.jar
- rampart-policy-1.6.1.jar
- rampart-trust-1.6.1.jar
- relaxngDatatype-20020414.jar
- saxpath-1.0-FCS.jar
- service-pojos.jar
- slf4j-api-1.5.11.jar
- slf4j-jdk14-1.6.1.jar
- stax-api-1.0-2.jar
- stax-api-1.0.1.jar
- tbgv2util.jar
- TMSFramework-2.2.46.jar
- TMSIntegrationFramework-0.0.216.jar
- TMSMessagingFramework-0.0.11.jar
- TMSUserMgmtFramework-1.0.108.154.jar
- warranty-maintainence-pojos.jar
- wiztools-commons-lib-0.2.0.jar
- woden-api-1.0M9.jar
- woden-impl-dom-1.0M9.jar
- wsdl4j-1.6.2.jar
- wss4j-1.5.12.jar
- xalan-2.7.0.jar
- xercesImpl-2.2.1.jar
- xml-apis-1.0.b2.jar
- xmlbeans-2.2.0.jar
- XmlSchema-1.4.7.jar
- xmlsec-1.4.5.jar
- xmltooling-1.2.0.jar
I, myself, have never created an application that uses 85 jars.
Making things worse, the app was running on a heavy weight app server (Web Logic) that added many more classes to the classpath, classes that do not show up in the above list. These included the entire stack of J2EE classes. Plus other classes that WebLogic thinks you might need.
Problem: Any app with this many classes in the classpath will surely have some accidental duplicate classes, possibly even multiple versions of the same class. This can be the source of very hard to track bugs.
This was, in fact, the source of the bugs in this particular application.
Moving forward, I would recommend the following:
- Add libraries and jars to your app very judiciously.
- Be careful of build tools that might recursively suck in unneeded library dependencies.
- Beware of any 3rd party libraries that require a whole bunch of other 3rd party libraries to work.
- When a 3rd party library comes with 10 other 3rd party libraries that it depends on, those other libraries might be optional libraries and not needed for your app.
- Avoid app servers that litter the classpath with unneeded libraries.
- Be especially cautious of putting classes in your app servers global (cross-web-app) lib folder.
- This entire problem starts to goes away as we move toward a more micro-service style architecture.