[
https://issues.apache.org/jira/browse/CXF-8621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452611#comment-17452611
]
Gernot Hueller commented on CXF-8621:
-------------------------------------
Thanks for the quick reply!
> cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping
> classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-8621
> URL: https://issues.apache.org/jira/browse/CXF-8621
> Project: CXF
> Issue Type: Task
> Components: WS-* Components
> Affects Versions: 3.4.5
> Reporter: Gernot Hueller
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Please see this Gradle dependency tree:
> \--- org.apache.cxf:cxf-rt-ws-security:3.4.5
>      +--- org.apache.cxf:cxf-rt-security-saml:3.4.5
>      |    \--- org.apache.wss4j:wss4j-ws-security-dom:2.3.3
>      |         +--- org.apache.wss4j:wss4j-ws-security-common:2.3.3
>      |         |    +--- org.opensaml:opensaml-saml-impl:3.4.6
>      |         |    |    +--- org.apache.velocity:velocity:1.7
> Velocity 1.7 and 2.3 sometimes have the same class names, with different
> contents.
> In the end, the presence of velocity:1.7 classes breaks stuff from Velocity
> 2.3.
>
> Details from my case: I have an application that uses CXF for SOAP and
> Velocity for HTML rendering.
> In that application, I extend the VelocityViewServlet from velocity-tools,
> which on initialization looks at all field declarations of interface
> org.apache.velocity.runtime.RuntimeConstants. This interface class exists in
> both versions of Velocity, but with different contents, which makes my
> application unusable (exception on startup).
>
> It would be great if the dependency on Velocity inside CXF could be removed.
> Especially when it is in the ws-security package and that uses a totally
> outdated (2010) Velocity package with known vulnerabilities...
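Added example (not part of the original message and not CXF project code): a Python check that lists class entries present in more than one jar and flags those whose bytes differ, which is the situation the report describes for org.apache.velocity.runtime.RuntimeConstants. The function names are hypothetical and the jar contents are constructed placeholders, not real class files.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def class_digests(jar_bytes):
    """Map each .class entry of a jar (passed as bytes) to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            name: hashlib.sha256(jar.read(name)).hexdigest()
            for name in jar.namelist()
            if name.endswith(".class")
        }


def overlapping_classes(jars):
    """jars: {label: jar_bytes}. For every class entry found in more than one jar,
    return the jars that contain it and whether the copies differ."""
    seen = defaultdict(dict)
    for label, data in jars.items():
        for name, digest in class_digests(data).items():
            seen[name][label] = digest
    return {
        name: {"jars": sorted(owners), "conflict": len(set(owners.values())) > 1}
        for name, owners in seen.items()
        if len(owners) > 1
    }


def make_jar(entries):
    """Build a small jar in memory from {entry_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the two artifacts named in the report.
RC = "org/apache/velocity/runtime/RuntimeConstants.class"
SAMPLE = {
    "velocity-1.7.jar": make_jar({RC: b"fields-1.7", "org/apache/velocity/Old.class": b"a"}),
    "velocity-engine-core-2.3.jar": make_jar({RC: b"fields-2.3", "org/apache/velocity/New.class": b"b"}),
}

if __name__ == "__main__":
    for name, info in sorted(overlapping_classes(SAMPLE).items()):
        state = "DIFFERENT contents" if info["conflict"] else "identical"
        print(f"{name}: {', '.join(info['jars'])} ({state})")
```

To audit a real build, read each jar on the runtime classpath with open(path, "rb").read() and pass the resulting dictionary to overlapping_classes.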