Thanks for this fix, Colm! I haven't found evidence of use cases that would rely on TLSParameterJaxBUtils, yet.
BTW - can the fix be back-ported to the 4.1.x-fixes branch?

Cheers,
Fabio.

________________________________
From: Colm O hEigeartaigh <[email protected]>
Sent: Thursday, May 14, 2026 2:44 PM
To: [email protected] <[email protected]>
Cc: Fabio Burzigotti <[email protected]>
Subject: [EXTERNAL] Re: "Restrict valid URL protocols in TLSParameterJaxBUtils and URIResolver" PR issue tracker

PR submitted, I'll merge after the tests pass. Do you need vfs added to the TLSParameterJaxBUtils default schemes as well, or just URIResolver?

Colm.

On Thu, May 14, 2026 at 1:27 PM Colm O hEigeartaigh <[email protected]> wrote:
>
> Hi,
>
> Thanks for reporting, I'll get this fixed for the current releases.
>
> Colm.
>
> On Thu, May 14, 2026 at 12:52 PM Andriy Redko <[email protected]> wrote:
> >
> > Hello Fabio,
> >
> > Thanks a lot for promptly reporting the issue, it is clearly an oversight
> > on our side.
> > I created this JIRA ticket (we should have started with it) [1] to track
> > the change,
> > please feel free to comment on it, the release vote has not started yet.
> > Thanks!
> >
> > [1] https://issues.apache.org/jira/browse/CXF-9212
> >
> > Best Regards,
> > Andriy Redko
> >
> > > Hello,
> > > I am reaching out because the changes in
> > > https://github.com/apache/cxf/pull/3091
> > > would make WildFly deployments fail in most cases.
> > > This could be bypassed by allowing "vfs" via the
> > > "org.apache.cxf.resource.uriresolver.allowedSchemes" property, but it is
> > > indeed a regression which will affect WildFly deployments as soon as it
> > > will consume 4.1.x releases.
> > > I didn't find any discussion about this change. Is there any Apache CXF
> > > Jira issue that tracks it?
> > >
> > > Cheers,
> > > Fabio.
> > >
> > > ---
> > > Fabio Burzigotti
> > > Software Developer
> > > IBM Software
> > > [email protected]
> > >
> > > IBM
> > >
> > > Unless otherwise stated above:
> > >
> > > IBM Italia S.p.A.
> > > Registered office: Circonvallazione Idroscalo - 20054 Segrate (MI)
> > > Share capital euro 247.656.998.20
> > > Tax code and Milan Companies Register 01442240030 - VAT number 10914660153
> > > Company with a sole shareholder
> > > Company subject to the direction and coordination of
> > > International Business Machines Corporation
