[ https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535116#comment-17535116 ]
Colm O hEigeartaigh commented on WSS-697: ----------------------------------------- What change do you suggest to be made to how the manually configured pool is created in WSS4J? > OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService > ------------------------------------------------------------------------------ > > Key: WSS-697 > URL: https://issues.apache.org/jira/browse/WSS-697 > Project: WSS4J > Issue Type: Bug > Components: WSS4J Core > Affects Versions: 2.2.7, 2.3.3, 2.4.1 > Reporter: Alex Wolfe > Assignee: Colm O hEigeartaigh > Priority: Minor > > When using WSS4J alongside other dependencies which also rely on OpenSAML, > the OpenSAMLUtil.initSamlEngine() can override the existing configuration of > OpenSAML, potentially causing issues with how the parser pool is configured. > In my use case: > * OpenSAML is initialized first with the > org.opensaml.core.config.InitializationService introduced in OpenSAML 3 > * XMLSec is used for decryption, so > org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a > decryption-specific feature to the parser pool at this time. > * Later, an interceptor in cxf-rt-ws-security called into > OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and > parser pool. > In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be > completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it > to be replaced with the manually configured pool from OpenSAMLUtil without > the needed feature. > I have been able to work around this by explicitly calling OpenSAML’s > InitializationService after WSS4J’s OpenSAMLUtil. > Relevant dependencies and versions in my project include: > * Java 8 > * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api) > * org.apache.cxf:cxf-rt-ws-security:3.3.11 > * org.apache.santuario:xmlsec:2.1.7 > * net.shibboleth.utilities:java-support:7.5.2 -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For additional commands, e-mail: dev-h...@ws.apache.org