Alex Wolfe created WSS-697:
------------------------------
Summary: OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s
InitializationService
Key: WSS-697
URL: https://issues.apache.org/jira/browse/WSS-697
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 2.4.1, 2.3.3, 2.2.7
Reporter: Alex Wolfe
Assignee: Colm O hEigeartaigh

When using WSS4J alongside other dependencies which also rely on OpenSAML, the
OpenSAMLUtil.initSamlEngine() can override the existing configuration of
OpenSAML, potentially causing issues with how the parser pool is configured.

In my use case:
* OpenSAML is initialized first with the
  org.opensaml.core.config.InitializationService introduced in OpenSAML 3
* XMLSec is used for decryption, so
  org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a
  decryption-specific feature to the parser pool at this time.
* Later, an interceptor in cxf-rt-ws-security called into
  OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and parser
  pool.

In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be
completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it to
be replaced with the manually configured pool from OpenSAMLUtil without the
needed feature.

I have been able to work around this by explicitly calling OpenSAML’s
InitializationService after WSS4J’s OpenSAMLUtil.

Relevant dependencies and versions in my project include:
* Java 8
* OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
* org.apache.cxf:cxf-rt-ws-security:3.3.11
* org.apache.santuario:xmlsec:2.1.7
* net.shibboleth.utilities:java-support:7.5.2
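The initialization order described in the workaround, as an added example that is not part of the original report and is not WSS4J or OpenSAML project code. The class name SamlBootstrap is hypothetical, and the example assumes OpenSAML 3.x and WSS4J 2.x on the classpath and that DecryptionParserPoolInitializer registers a DecryptionParserPool with ConfigurationService.

```java
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.xmlsec.config.DecryptionParserPool;

/** Hypothetical startup helper; the class name is not from WSS4J or OpenSAML. */
public final class SamlBootstrap {

    private SamlBootstrap() { }

    /**
     * Call once at application startup, before any cxf-rt-ws-security
     * interceptor has a chance to trigger WSS4J's own initialization.
     */
    public static synchronized void init() throws InitializationException {
        // 1. Let WSS4J configure OpenSAML first. Assumption: WSS4J only runs
        //    this setup once, so later calls from interceptors do not
        //    overwrite the configuration again.
        OpenSAMLUtil.initSamlEngine();

        // 2. Re-run OpenSAML's own initializers afterwards, so that the
        //    parser pools they register (including the decryption one)
        //    are the ones left in place.
        InitializationService.initialize();

        // 3. Fail fast if the decryption parser pool is missing, instead of
        //    discovering it on the first encrypted assertion.
        DecryptionParserPool pool =
                ConfigurationService.get(DecryptionParserPool.class);
        if (pool == null) {
            throw new IllegalStateException(
                    "DecryptionParserPool not registered after OpenSAML initialization");
        }
    }
}
```

The null check only confirms that a decryption parser pool is registered; it does not verify which parser features that pool carries.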