Hi all,

We are doing static analysis on the jars delivered with TomEE 8 (latest 
snapshot).

One of the things we do is that we scan all jars with jdeps 
(https://docs.oracle.com/en/java/javase/11/tools/jdeps.html)


We see that opensaml jars are used. These jars use a lot of Google Guava code, 
see sources:

https://git.shibboleth.net/view/?p=java-opensaml.git&a=search&h=HEAD&st=grep&s=google

See also attachment (opensaml-core-3.3.0.jar.dot). You can see that it did not 
find a number of classes from Guava.

Guava is not shipped with TomEE.


Also the Java code of java-support 
(net.shibboleth.utilities:java-support:jar:7.3.0) uses Guava.

Both java-support and the opensaml jars are used by Apache WSS4J 
(wss4j-ws-security-common)


Based on this it looks like either Apache WSS4J is not properly working with 
SAML, or the code paths in opensaml are not used.

Or users fix this by adding guava themselves to the lib folder.


Question:

Shouldn't Guava be part of libraries shipped with TomEE, or is this all not 
used at all?


With kind regards,
Cees

Attachment: opensaml-core-3.3.0.jar.dot
Description: opensaml-core-3.3.0.jar.dot
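
Added example, not part of the original message: a small Python parser for a jdeps `-dotoutput` file that lists the packages jdeps marked `(not found)` and which packages reference them. The sample edges are constructed (the attachment's contents are not on this page), and the edge shape `"pkg" -> "pkg (archive)";` is assumed from JDK 11 jdeps output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape jdeps -dotoutput writes; NOT the real attachment.
SAMPLE_DOT = '''digraph "opensaml-core-3.3.0.jar" {
    // Path: opensaml-core-3.3.0.jar
   "org.opensaml.core.config"      -> "java.util (java.base)";
   "org.opensaml.core.config"      -> "com.google.common.base (not found)";
   "org.opensaml.core.xml.util"    -> "com.google.common.base (not found)";
   "org.opensaml.core.xml.util"    -> "com.google.common.collect (not found)";
   "org.opensaml.core.xml.util"    -> "net.shibboleth.utilities.java.support.xml (java-support-7.3.0.jar)";
   "org.opensaml.core.criterion"   -> "javax.annotation (not found)";
}
'''

# One edge per line: "source.package" -> "target.package (where it was resolved)";
EDGE = re.compile(r'^\s*"([^"]+)"\s*->\s*"([^"\s]+)(?:\s+\(([^)]*)\))?"\s*;')


def unresolved_packages(dot_text):
    """Map each target package marked '(not found)' to the packages referencing it."""
    missing = defaultdict(set)
    for line in dot_text.splitlines():
        m = EDGE.match(line)
        if m and m.group(3) == "not found":
            missing[m.group(2)].add(m.group(1))
    return {pkg: sorted(users) for pkg, users in sorted(missing.items())}


def missing_under(dot_text, prefix):
    """Unresolved packages under one prefix, e.g. 'com.google.common' for Guava."""
    return [p for p in unresolved_packages(dot_text)
            if p == prefix or p.startswith(prefix + ".")]


if __name__ == "__main__":
    for pkg, users in unresolved_packages(SAMPLE_DOT).items():
        print(f"{pkg}: referenced by {', '.join(users)}")
```

A `(not found)` edge only says the class was absent from the classpath jdeps was given; at runtime it surfaces as a `NoClassDefFoundError` only when a referencing class is actually loaded.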
