[ 
https://issues.apache.org/jira/browse/CXF-8621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452286#comment-17452286
 ] 

Colm O hEigeartaigh commented on CXF-8621:
------------------------------------------

The dependency on Velocity is actually removed in WSS4J:

[https://github.com/apache/ws-wss4j/blob/2e7bc5398b2f5522269977690d36474c4bd1d908/ws-security-common/pom.xml#L123]

If you do a dependency tree in CXF's rt-ws-security module you won't see 
Velocity. The problem is in how dependency exclusion works in Gradle. We have an 
open Jira for it in WSS4J - https://issues.apache.org/jira/browse/WSS-683

In your project you can just exclude Velocity manually.

> cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping 
> classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8621
>                 URL: https://issues.apache.org/jira/browse/CXF-8621
>             Project: CXF
>          Issue Type: Task
>          Components: WS-* Components
>    Affects Versions: 3.4.5
>            Reporter: Gernot Hueller
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Please see this Gradle dependency tree:
> \--- org.apache.cxf:cxf-rt-ws-security:3.4.5
>      +--- org.apache.cxf:cxf-rt-security-saml:3.4.5
>      |    \--- org.apache.wss4j:wss4j-ws-security-dom:2.3.3
>      |         +--- org.apache.wss4j:wss4j-ws-security-common:2.3.3
>      |         |    +--- org.opensaml:opensaml-saml-impl:3.4.6
>      |         |    |    +--- org.apache.velocity:velocity:1.7
> Velocity 1.7 and 2.3 sometimes have the same class names, with different 
> contents.
> In the end, the presence of velocity:1.7 classes breaks stuff from velocity 
> 2.3.
>  
> Details from my case: I have an application that uses CXF for SOAP and 
> velocity for html rendering.
> In that application, I extend the VelocityViewServlet from velocity-tools, 
> which on initialization looks at all field declarations of interface 
> org.apache.velocity.runtime.RuntimeConstants. This interface class exists in 
> both versions of Velocity, but with different contents, which makes my 
> application unusable (Exception on startup).
>  
> It would be great if the dependency to Velocity inside CXF could be removed.
> Especially when it is in the ws-security package and that uses a totally 
> outdated (2010) velocity package with known vulnerabilities...
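Colm's suggestion above, excluding Velocity 1.7 manually in the consuming project's Gradle build, as an added example that is not from the ticket or from CXF/WSS4J; the velocity-tools coordinates (org.apache.velocity.tools:velocity-tools-view:3.1) and the `checkNoLegacyVelocity` task name are assumptions:

```groovy
// build.gradle (Groovy DSL). Added example: keep Velocity 2.3 / velocity-tools 3.1
// and drop the 2010-era org.apache.velocity:velocity:1.7 that Gradle still resolves
// through cxf-rt-ws-security -> wss4j -> opensaml-saml-impl.
plugins { id 'java' }
repositories { mavenCentral() }

dependencies {
    implementation('org.apache.cxf:cxf-rt-ws-security:3.4.5') {
        // Per-dependency exclusion, as suggested in the comment.
        exclude group: 'org.apache.velocity', module: 'velocity'
    }
    implementation 'org.apache.velocity:velocity-engine-core:2.3'
    // Assumed coordinates for velocity-tools 3.1 (provides VelocityViewServlet).
    implementation 'org.apache.velocity.tools:velocity-tools-view:3.1'
}

// Belt and braces: reject the legacy coordinates on every configuration, so that
// no other transitive path can reintroduce the overlapping 1.7 classes.
configurations.all {
    exclude group: 'org.apache.velocity', module: 'velocity'
}

// Fail the build if Velocity 1.7 ever reappears on the runtime classpath
// (e.g. after a CXF or WSS4J upgrade changes the transitive graph).
tasks.register('checkNoLegacyVelocity') {
    doLast {
        def legacy = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'org.apache.velocity' &&
                       it.moduleVersion.id.name == 'velocity' }
        if (!legacy.empty) {
            throw new GradleException(
                "Legacy Velocity on runtime classpath: ${legacy*.moduleVersion*.id}")
        }
    }
}
tasks.named('check') { dependsOn 'checkNoLegacyVelocity' }
```

Run `gradle dependencies --configuration runtimeClasspath` afterwards to confirm that only velocity-engine-core:2.3 remains.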



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
