[ https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541686#comment-17541686 ]

Alex Wolfe commented on WSS-697:
--------------------------------

[~coheigea], I'm not an expert on either WSS4J or OpenSAML, but from what I 
understand I think this may be resolved if WSS4J can use the OpenSAML 
InitializationService to initialize itself. If there are WSS4J-specific items 
being configured, I believe the "partitions" in the OpenSAML 
ConfigurationService could be utilized to avoid overriding the "default" 
configuration partition containing the DecryptionParserPool needed by the other 
dependency in my use case.

Here is the documentation describing the OpenSAML InitializationService and 
ConfigurationService: 
[https://shibboleth.atlassian.net/wiki/spaces/OSAML/pages/1828356994/Initialization+and+Configuration]
 

> OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
> ------------------------------------------------------------------------------
>
>                 Key: WSS-697
>                 URL: https://issues.apache.org/jira/browse/WSS-697
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.7, 2.3.3, 2.4.1
>            Reporter: Alex Wolfe
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>
> When using WSS4J alongside other dependencies which also rely on OpenSAML, 
> the OpenSAMLUtil.initSamlEngine() can override the existing configuration of 
> OpenSAML, potentially causing issues with how the parser pool is configured.
> In my use case:
>  * OpenSAML is initialized first with the 
> org.opensaml.core.config.InitializationService introduced in OpenSAML 3
>  * XMLSec is used for decryption, so 
> org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a 
> decryption-specific feature to the parser pool at this time.
>  * Later, an interceptor in cxf-rt-ws-security called into 
> OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and 
> parser pool.
> In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be 
> completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it 
> to be replaced with the manually configured pool from OpenSAMLUtil without 
> the needed feature.
> I have been able to work around this by explicitly calling OpenSAML’s 
> InitializationService after WSS4J’s OpenSAMLUtil.
> Relevant dependencies and versions in my project include:
>  * Java 8
>  * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
>  * org.apache.cxf:cxf-rt-ws-security:3.3.11
>  * org.apache.santuario:xmlsec:2.1.7
>  * net.shibboleth.utilities:java-support:7.5.2
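
The workaround from the issue description (call OpenSAML's InitializationService after WSS4J's OpenSAMLUtil), as an added example that is not part of the original report or of WSS4J. The class name SamlStartup and the fail-fast check are hypothetical; the check assumes the OpenSAML 3 initializer registers a DecryptionParserPool object with ConfigurationService.

```java
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.xmlsec.config.DecryptionParserPool;

/** Hypothetical startup hook: run once, before any CXF WS-Security interceptor is used. */
public final class SamlStartup {

    private SamlStartup() {
    }

    public static synchronized void init() throws InitializationException {
        // 1. Let WSS4J configure OpenSAML first. Assumption: initSamlEngine() only
        //    does its work on the first call, so the later call from the
        //    cxf-rt-ws-security interceptor does not redo the configuration.
        OpenSAMLUtil.initSamlEngine();

        // 2. Run OpenSAML's own initializers afterwards, so that
        //    DecryptionParserPoolInitializer registers its parser pool last.
        InitializationService.initialize();

        // 3. Fail fast instead of discovering a missing pool at decryption time.
        requireDecryptionParserPool();
    }

    /** Throws if the decryption parser pool is not registered in the default partition. */
    static void requireDecryptionParserPool() {
        DecryptionParserPool holder = ConfigurationService.get(DecryptionParserPool.class);
        if (holder == null || holder.getParserPool() == null) {
            throw new IllegalStateException(
                "OpenSAML DecryptionParserPool is not registered; "
                + "check the order of WSS4J and OpenSAML initialization");
        }
    }

    public static void main(String[] args) throws InitializationException {
        init();
        System.out.println("OpenSAML initialized, DecryptionParserPool present");
    }
}
```

Running requireDecryptionParserPool() again after the first secured CXF request confirms that the interceptor's own call into OpenSAMLUtil did not replace the pool.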


