[jira] [Commented] (WSS-697) OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService

Wed, 11 May 2022 14:15:05 -0700 


    [ 
https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535116#comment-17535116
 ] 

Colm O hEigeartaigh commented on WSS-697:
-----------------------------------------

What change do you suggest to be made to how the manually configured pool is 
created in WSS4J?

> OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
> ------------------------------------------------------------------------------
>
>                 Key: WSS-697
>                 URL: https://issues.apache.org/jira/browse/WSS-697
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.7, 2.3.3, 2.4.1
>            Reporter: Alex Wolfe
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>
> When using WSS4J alongside other dependencies which also rely on OpenSAML, 
> the OpenSAMLUtil.initSamlEngine() can override the existing configuration of 
> OpenSAML, potentially causing issues with how the parser pool is configured.
> In my use case:
>  * OpenSAML is initialized first with the 
> org.opensaml.core.config.InitializationService introduced in OpenSAML 3
>  * XMLSec is used for decryption, so 
> org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a 
> decryption-specific feature to the parser pool at this time.
>  * Later, an interceptor in cxf-rt-ws-security called into 
> OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and 
> parser pool.
> In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be 
> completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it 
> to be replaced with the manually configured pool from OpenSAMLUtil without 
> the needed feature.
> I have been able to work around this by explicitly calling OpenSAML’s 
> InitializationService after WSS4J’s OpenSAMLUtil.
> Relevant dependencies and versions in my project include:
>  * Java 8
>  * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
>  * org.apache.cxf:cxf-rt-ws-security:3.3.11
>  * org.apache.santuario:xmlsec:2.1.7
>  * net.shibboleth.utilities:java-support:7.5.2



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to