Yep it's backported now. Colm.
On Thu, May 14, 2026 at 2:02 PM Fabio Burzigotti via dev <[email protected]> wrote: > > Thanks for this fix, Colm! > I haven't found evidence of use cases that would rely on > TLSParameterJaxBUtils, yet. > > BTW - can the fix be back-ported to the 4.1.x-fixes branch? > > Cheers, > Fabio. > > > ________________________________ > From: Colm O hEigeartaigh <[email protected]> > Sent: Thursday, May 14, 2026 2:44 PM > To: [email protected] <[email protected]> > Cc: Fabio Burzigotti <[email protected]> > Subject: [EXTERNAL] Re: "Restrict valid URL protocols in > TLSParameterJaxBUtils and URIResolver" PR issue tracker > > PR submitted, I'll merge after the tests pass. > > Do you need vfs added to the TLSParameterJaxBUtils default schemes as > well, or just URIResolver? > > Colm. > > On Thu, May 14, 2026 at 1:27 PM Colm O hEigeartaigh <[email protected]> > wrote: > > > > Hi, > > > > Thanks for reporting, I'll get this fixed for the current releases. > > > > Colm. > > > > On Thu, May 14, 2026 at 12:52 PM Andriy Redko <[email protected]> wrote: > > > > > > Hello Fabio, > > > > > > Thanks a lot for promptly reporting the issue, it is clearly an oversight > > > on our side. > > > I created this JIRA ticket (we should have started with it) [1] to track > > > the change, > > > please feel free to comment on it, the release vote has not started yet. > > > Thanks! > > > > > > [1] > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.org_jira_browse_CXF-2D9212&d=DwIFaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=d5u2YU6oJ0bWkS_pST-zLneFAEtO4-KBRrFZLIW-rCtbYPhswHDz3tzm0PbE_vpS&s=5K-1t2xKZXg0svyAIDqpJRFTHsODwDw6wtrRC8s9XVE&e= > > > > > > Best Regards, > > > Andriy Redko > > > > > > > Hello, > > > > I am reaching out because the changes in > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_cxf_pull_3091&d=DwIFaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=d5u2YU6oJ0bWkS_pST-zLneFAEtO4-KBRrFZLIW-rCtbYPhswHDz3tzm0PbE_vpS&s=hlLyBDHRRdW3Vp0rF0TzIg9a8oGeFzXJYRGZREwJQb4&e= > > > > would make WildFly deployments fail in most cases. > > > > This could be bypassed by allowing "vfs" via the > > > > "org.apache.cxf.resource.uriresolver.allowedSchemes" property, but it > > > > is indeed a regression which will affect WildFly deployments as soon as > > > > it will consume 4.1.x releases. > > > > I didn't find any discussion about this change. Is there any Apache CXF > > > > Jira issue that tracks it? > > > > > > > Cheers, > > > > Fabio. > > > > > > > --- > > > > Fabio Burzigotti > > > > Software Developer > > > > IBM Software > > > > [email protected] > > > > > > > IBM > > > > > > > Unless otherwise stated above: > > > > > > > IBM Italia S.p.A. > > > > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > > > > Cap. Soc. euro 247.656.998.20 > > > > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > > > > Società con unico azionista > > > > Società soggetta all'attività di direzione e coordinamento di > > > > International Business Machines Corporation > > > > > Unless otherwise stated above: > > IBM Italia S.p.A. > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > Cap. Soc. euro 247.656.998.20 > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > Società con unico azionista > Società soggetta all'attività di direzione e coordinamento di International > Business Machines Corporation
