From: http://zhentao-li.blogspot.com/2012/06/maven-shade-plugin-invalid-signature.html
<configuration>
<filters>
<filter>
<artifact>*:*</artifact>
<excludes>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
</excludes>
</filter>
</filters>
</configuration>
The above configuration filters all files in META-INF ending with .SF, .DSA, and .RSA for all artifacts (:) when creating uber-jar file.
The reason java.lang.SecurityException is raised is because some dependency jar files are signed jar files. A jar file is signed by using jarsigner, which creates 2 additional files and places them in META-INF: a signature file, with a .SF extension, and a signature block file, with a .DSA, .RSA, or .EC extension. Since the uber-jar file is created, the signatures and integrity of signed JAR files are no longer valid. When the uber-jar file is executed, java.lang.SecurityException is thrown.