[jira] [Updated] (WSS-710) Implementation of the configuration options to set KeyDerivation parameters

2024-03-20 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-710:

Fix Version/s: 4.0.0
   3.0.4

> Implementation of the configuration options to set KeyDerivation parameters
>
> Key: WSS-710
> URL: https://issues.apache.org/jira/browse/WSS-710
> Project: WSS4J
> Issue Type: New Feature
> Components: WSS4J Core
> Affects Versions: 4.0.0, 3.0.3
> Reporter: Joze Rihtarsic
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 4.0.0, 3.0.4
>
>
> The santuario/xmlsec library has (will have) 
> [https://github.com/apache/santuario-xml-security-java/pull/271]
> two options for key agreement to set key derivation methods:
>  * The existing ConcatKDF (see the scheme: 
> [xmlenc-core1|https://www.w3.org/TR/xmlenc-core1/#sec-ConcatKDF])
>  * The HKDF (see the scheme from the upcoming standard 
> [draft-eastlake-rfc9231bis|https://www.ietf.org/archive/id/draft-eastlake-rfc9231bis-xmlsec-uris-03.html])
>
> The purpose of this task is to enable configuration of the key agreement 
> method, to be able to configure one of the two options:
>  * ConcatKDF with parameters: 
> {{AlgorithmID}}, {{PartyUInfo}}, {{PartyVInfo}}, {{SuppPubInfo}} 
> and {{SuppPrivInfo}} and digest
>  * HKDF with parameters: PRF, Salt and Info



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
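
The two key derivation options named in WSS-710, as an added example that is not code from WSS4J or Santuario: it shows where each listed parameter enters the derivation and why both parties must configure identical values. The function names and the sample secret are constructed for illustration, and the ConcatKDF fields are assumed to be already-encoded byte strings that are simply concatenated (the XML Encryption attribute encoding is not reproduced here).

```python
import hashlib
import hmac


def concat_kdf(z, key_len, digest="sha256", algorithm_id=b"", party_u_info=b"",
               party_v_info=b"", supp_pub_info=b"", supp_priv_info=b""):
    """Single-step ConcatKDF: K = H(counter || Z || OtherInfo), truncated.

    Assumption: OtherInfo is the plain concatenation of the five fields in
    the order they are listed in the ticket.
    """
    other_info = (algorithm_id + party_u_info + party_v_info
                  + supp_pub_info + supp_priv_info)
    out = b""
    counter = 1  # 32-bit big-endian block counter, starting at 1
    while len(out) < key_len:
        block_input = counter.to_bytes(4, "big") + z + other_info
        out += hashlib.new(digest, block_input).digest()
        counter += 1
    return out[:key_len]


def hkdf(ikm, key_len, prf="sha256", salt=b"", info=b""):
    """HKDF (RFC 5869) with HMAC-<prf> as the PRF: extract, then expand."""
    hash_len = hashlib.new(prf).digest_size
    if key_len > 255 * hash_len:
        raise ValueError("requested key is longer than HKDF can produce")
    if not salt:
        salt = bytes(hash_len)  # RFC 5869 default: HashLen zero octets
    # Extract: concentrate the shared secret into a pseudorandom key.
    prk = hmac.new(salt, ikm, prf).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, i = b"", b"", 1
    while len(okm) < key_len:
        block = hmac.new(prk, block + info + bytes([i]), prf).digest()
        okm += block
        i += 1
    return okm[:key_len]


def mismatch_demo():
    """Same ECDH-ES shared secret, different KDF settings on each side."""
    z = bytes(range(32))  # constructed stand-in for the agreed secret
    sender = concat_kdf(z, 16, algorithm_id=b"aes128",
                        party_u_info=b"sender", party_v_info=b"receiver")
    # Receiver configured with a different PartyVInfo: the key differs,
    # so decryption of the wrapped key fails.
    receiver_bad = concat_kdf(z, 16, algorithm_id=b"aes128",
                              party_u_info=b"sender", party_v_info=b"other")
    receiver_ok = concat_kdf(z, 16, algorithm_id=b"aes128",
                             party_u_info=b"sender", party_v_info=b"receiver")
    hk_a = hkdf(z, 16, salt=b"salt-A", info=b"context")
    hk_b = hkdf(z, 16, salt=b"salt-B", info=b"context")
    return {
        "concat_match": sender == receiver_ok,
        "concat_mismatch": sender != receiver_bad,
        "hkdf_salt_mismatch": hk_a != hk_b,
    }


if __name__ == "__main__":
    for name, ok in mismatch_demo().items():
        print(f"{name}: {ok}")
```
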



Re: [VOTE] - Release Apache WSS4J 3.0.3

2024-02-28 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and 2 non-binding +1 votes, this vote passes.
I'll do the release.

Colm.

On Mon, Feb 26, 2024 at 12:18 PM Jim Ma  wrote:
>
> +1
>
> Jim
>
> On Thu, Feb 22, 2024 at 10:25 PM Colm O hEigeartaigh  
> wrote:
>>
>> This is a vote to release Apache WSS4J 3.0.3. It contains an update to
>> use XML Security for Java 3.0.4 and functionality to support key
>> agreement using ECDH-ES.
>>
>> Release notes: https://issues.apache.org/jira/projects/WSS/versions/12353796
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1101/
>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.3
>>
>> +1 from me.
>>
>> Colm.



[VOTE] - Release Apache WSS4J 3.0.3

2024-02-22 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 3.0.3. It contains an update to
use XML Security for Java 3.0.4 and functionality to support key
agreement using ECDH-ES.

Release notes: https://issues.apache.org/jira/projects/WSS/versions/12353796
Artifacts: https://repository.apache.org/content/repositories/orgapachews-1101/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.3

+1 from me.

Colm.




[jira] [Resolved] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-26 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-706.
-
Resolution: Fixed

> Support for Key Agreement using ECDH-ES
> ---
>
> Key: WSS-706
> URL: https://issues.apache.org/jira/browse/WSS-706
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0, 3.0.3
>
>
> Recently a PR was opened for the 
> [ECDH-ES|https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]  implementation in 
> the santuario library.
> See the ticket:
> [https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-511]
> The purpose of this request/ticket is to update the wss4j library so that it 
> can use the new Key Agreement method  ECDH-ES. 






[jira] [Resolved] (WSS-709) Add more setter methods for AlgorithmSuite$AlgorithmSuiteType

2024-01-25 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-709.
-
Resolution: Fixed

> Add more setter methods for AlgorithmSuite$AlgorithmSuiteType
> -
>
> Key: WSS-709
> URL: https://issues.apache.org/jira/browse/WSS-709
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Freeman Yue Fang
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0, 3.0.3
>
>
> So that it's more flexible to configure/override fields of 
> AlgorithmSuite$AlgorithmSuiteType during runtime, just like what has been 
> done by this commit
> https://github.com/apache/ws-wss4j/commit/2a5dff9ebb0b7b809cc3d4c75139b9b7e20604ce
> And we need this by CXF-8971






[jira] [Updated] (WSS-709) Add more setter methods for AlgorithmSuite$AlgorithmSuiteType

2024-01-25 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-709:

Fix Version/s: 4.0.0
   3.0.3

> Add more setter methods for AlgorithmSuite$AlgorithmSuiteType
> -
>
> Key: WSS-709
> URL: https://issues.apache.org/jira/browse/WSS-709
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Freeman Yue Fang
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0, 3.0.3
>
>
> So that it's more flexible to configure/override fields of 
> AlgorithmSuite$AlgorithmSuiteType during runtime, just like what has been 
> done by this commit
> https://github.com/apache/ws-wss4j/commit/2a5dff9ebb0b7b809cc3d4c75139b9b7e20604ce
> And we need this by CXF-8971






[jira] [Commented] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-25 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810963#comment-17810963
 ] 

Colm O hEigeartaigh commented on WSS-706:
-

Yes that kind of workaround would be fine [~jrihtarsic] , please open a PR 
against 3.0.x

> Support for Key Agreement using ECDH-ES
> ---
>
> Key: WSS-706
> URL: https://issues.apache.org/jira/browse/WSS-706
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0, 3.0.3
>
>
> Recently a PR was opened for the 
> [ECDH-ES|https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]  implementation in 
> the santuario library.
> See the ticket:
> [https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-511]
> The purpose of this request/ticket is to update the wss4j library so that it 
> can use the new Key Agreement method  ECDH-ES. 






[jira] [Updated] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-25 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-706:

Fix Version/s: 3.0.3

> Support for Key Agreement using ECDH-ES
> ---
>
> Key: WSS-706
> URL: https://issues.apache.org/jira/browse/WSS-706
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0, 3.0.3
>
>
> Recently a PR was opened for the 
> [ECDH-ES|https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]  implementation in 
> the santuario library.
> See the ticket:
> [https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-511]
> The purpose of this request/ticket is to update the wss4j library so that it 
> can use the new Key Agreement method  ECDH-ES. 






[jira] [Commented] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-25 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17810920#comment-17810920
 ] 

Colm O hEigeartaigh commented on WSS-706:
-

[~jrihtarsic] I committed it to 3.0.x-fixes, however there's a test failure on 
JDK11:
{code:java}
[ERROR] Tests run: 18, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 0.578 s <<< FAILURE! -- in org.apache.wss4j.dom.message.EncryptionTest
[ERROR] org.apache.wss4j.dom.message.EncryptionTest.testEncryptionDecryptionECDSA_ES(String, String)[1] -- Time elapsed: 0.118 s <<< ERROR!
org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
Original Exception was java.security.UnrecoverableKeyException: Get Key failed: java.security.InvalidKeyException: key length must be 32
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getPrivateKey(EncryptedKeyProcessor.java:301)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:203)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:91)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
    at org.apache.wss4j.dom.message.EncryptionTest.testEncryptionDecryptionECDSA_ES(EncryptionTest.java:372)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
    at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
    at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:274)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497)
    at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:274)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
Original Exception was java.security.UnrecoverableKeyExcepti

[jira] [Updated] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-25 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-706:

Fix Version/s: 4.0.0

> Support for Key Agreement using ECDH-ES
> ---
>
> Key: WSS-706
> URL: https://issues.apache.org/jira/browse/WSS-706
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0
>
>
> Recently a PR was opened for the 
> [ECDH-ES|https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]  implementation in 
> the santuario library.
> See the ticket:
> [https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-511]
> The purpose of this request/ticket is to update the wss4j library so that it 
> can use the new Key Agreement method  ECDH-ES. 






[jira] [Resolved] (WSS-708) Support for EdDSA keys and ED25519 ED448 and signature algorithm

2024-01-15 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-708?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-708.
-
Resolution: Fixed

> Support for EdDSA keys and ED25519 ED448 and signature algorithm
> 
>
> Key: WSS-708
> URL: https://issues.apache.org/jira/browse/WSS-708
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 4.0.0, 3.0.3
>
>
> The purpose of this ticket is to request support for Pure EdDSA XML signature 
> algorithm:
> As defined in the https://www.rfc-editor.org/rfc/rfc9231.html 
> http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519
> http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448
> Explanation
> EdDSA is a modern digital signature algorithm that is designed to be faster 
> and more secure than existing schemes. It is based on elliptic curve 
> cryptography and is widely used in various applications, including secure 
> messaging, cryptocurrencies, and more.
> Support would enable users to take advantage of the latest advancements in 
> digital security and cryptography, and provide them with a more secure and 
> efficient way to sign and verify data.
> Because the algorithm is already supported by the dependency: santuario 
> library, adding support for wss4j does not require much effort.






[jira] [Commented] (WSS-706) Support for Key Agreement using ECDH-ES

2024-01-15 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17807076#comment-17807076
 ] 

Colm O hEigeartaigh commented on WSS-706:
-

Waiting for a new PR to be created against master branch

> Support for Key Agreement using ECDH-ES
> ---
>
> Key: WSS-706
> URL: https://issues.apache.org/jira/browse/WSS-706
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> Recently a PR was opened for the 
> [ECDH-ES|https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]  implementation in 
> the santuario library.
> See the ticket:
> [https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-511]
> The purpose of this request/ticket is to update the wss4j library so that it 
> can use the new Key Agreement method  ECDH-ES. 






[jira] [Updated] (WSS-708) Support for EdDSA keys and ED25519 ED448 and signature algorithm

2024-01-15 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-708?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-708:

Fix Version/s: 4.0.0
   3.0.3

> Support for EdDSA keys and ED25519 ED448 and signature algorithm
> 
>
> Key: WSS-708
> URL: https://issues.apache.org/jira/browse/WSS-708
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Reporter: Joze Rihtarsic
>    Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 4.0.0, 3.0.3
>
>
> The purpose of this ticket is to request support for Pure EdDSA XML signature 
> algorithm:
> As defined in the https://www.rfc-editor.org/rfc/rfc9231.html 
> http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519
> http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448
> Explanation
> EdDSA is a modern digital signature algorithm that is designed to be faster 
> and more secure than existing schemes. It is based on elliptic curve 
> cryptography and is widely used in various applications, including secure 
> messaging, cryptocurrencies, and more.
> Support would enable users to take advantage of the latest advancements in 
> digital security and cryptography, and provide them with a more secure and 
> efficient way to sign and verify data.
> Because the algorithm is already supported by the dependency: santuario 
> library, adding support for wss4j does not require much effort.






[jira] [Closed] (WSS-707) Update Santuario to fix CVE-2023-44483

2023-11-01 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-707.
---

> Update Santuario to fix CVE-2023-44483
> --
>
> Key: WSS-707
> URL: https://issues.apache.org/jira/browse/WSS-707
> Project: WSS4J
>  Issue Type: Bug
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.2, 2.4.3, 2.3.5, 4.0.0
>
>
> Versions 4.0.0, 3.0.3, 2.3.4 and 2.2.6 of the Apache XML Security for Java 
> library have been released. A security advisory has been fixed in these 
> releases:
>  * CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log 
> output






[jira] [Closed] (WSS-705) Add SBOMs to published packages

2023-11-01 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-705.
---

> Add SBOMs to published packages
> ---
>
> Key: WSS-705
> URL: https://issues.apache.org/jira/browse/WSS-705
> Project: WSS4J
>  Issue Type: Task
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.2, 2.4.3, 4.0.0
>
>
> Add CycloneDX SBOMs to the published packages in Maven Central.






Re: [VOTE] - Release Apache WSS4J 3.0.2 / 2.4.3

2023-11-01 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and no other votes, this vote passes. I'll do
the release.

Colm.

On Tue, Oct 31, 2023 at 9:11 AM Alessio Soldano  wrote:
>
> +1
>
> thanks!
>
> On Tue, Oct 24, 2023 at 10:59 AM Colm O hEigeartaigh  
> wrote:
>>
>> This is a vote to release Apache WSS4J 3.0.2 and 2.4.3. The main fix
>> is an upgrade to XML Security to pick up a recent CVE fix.
>>
>> 3.0.2:
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1099/
>> Issues Fixed: 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12353427
>> Git Tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.2
>>
>> 2.4.3:
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1100/
>> Issues Fixed: 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12353428
>> Git Tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.3
>>
>> +1 from me.
>>
>> Colm.



[VOTE] - Release Apache WSS4J 3.0.2 / 2.4.3

2023-10-24 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 3.0.2 and 2.4.3. The main fix
is an upgrade to XML Security to pick up a recent CVE fix.

3.0.2:

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1099/
Issues Fixed: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12353427
Git Tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.2

2.4.3:

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1100/
Issues Fixed: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12353428
Git Tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.3

+1 from me.

Colm.




[jira] [Resolved] (WSS-707) Update Santuario to fix CVE-2023-44483

2023-10-23 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-707.
-
Resolution: Fixed

> Update Santuario to fix CVE-2023-44483
> --
>
> Key: WSS-707
> URL: https://issues.apache.org/jira/browse/WSS-707
> Project: WSS4J
>  Issue Type: Bug
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.2, 2.4.3, 2.3.5, 4.0.0
>
>
> Versions 4.0.0, 3.0.3, 2.3.4 and 2.2.6 of the Apache XML Security for Java 
> library have been released. A security advisory has been fixed in these 
> releases:
>  * CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log 
> output






[jira] [Created] (WSS-707) Update Santuario to fix CVE-2023-44483

2023-10-23 Thread Colm O hEigeartaigh (Jira)
Colm O hEigeartaigh created WSS-707:
---

 Summary: Update Santuario to fix CVE-2023-44483
 Key: WSS-707
 URL: https://issues.apache.org/jira/browse/WSS-707
 Project: WSS4J
  Issue Type: Bug
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
 Fix For: 3.0.2, 2.4.3, 2.3.5, 4.0.0


Versions 4.0.0, 3.0.3, 2.3.4 and 2.2.6 of the Apache XML Security for Java 
library have been released. A security advisory has been fixed in these 
releases:
 * CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output






[jira] [Resolved] (WSS-705) Add SBOMs to published packages

2023-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-705.
-
Resolution: Fixed

> Add SBOMs to published packages
> ---
>
> Key: WSS-705
> URL: https://issues.apache.org/jira/browse/WSS-705
> Project: WSS4J
>  Issue Type: Task
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.2, 2.4.3, 4.0.0
>
>
> Add CycloneDX SBOMs to the published packages in Maven Central.






[jira] [Updated] (WSS-705) Add SBOMs to published packages

2023-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-705:

Fix Version/s: (was: 2.3.5)

> Add SBOMs to published packages
> ---
>
> Key: WSS-705
> URL: https://issues.apache.org/jira/browse/WSS-705
> Project: WSS4J
>  Issue Type: Task
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.2, 2.4.3, 4.0.0
>
>
> Add CycloneDX SBOMs to the published packages in Maven Central.






[jira] [Created] (WSS-705) Add SBOMs to published packages

2023-10-10 Thread Colm O hEigeartaigh (Jira)
Colm O hEigeartaigh created WSS-705:
---

 Summary: Add SBOMs to published packages
 Key: WSS-705
 URL: https://issues.apache.org/jira/browse/WSS-705
 Project: WSS4J
  Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
 Fix For: 3.0.2, 2.4.3, 2.3.5, 4.0.0


Add CycloneDX SBOMs to the published packages in Maven Central.






[jira] [Updated] (WSS-704) Upgrade to XML Security 4.0.0

2023-09-19 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-704:

Fix Version/s: 4.0.0

> Upgrade to XML Security 4.0.0
> -
>
> Key: WSS-704
> URL: https://issues.apache.org/jira/browse/WSS-704
> Project: WSS4J
>  Issue Type: Task
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0
>
>
> Upgrade to XML Security 4.0.0






[jira] [Created] (WSS-704) Upgrade to XML Security 4.0.0

2023-09-19 Thread Colm O hEigeartaigh (Jira)
Colm O hEigeartaigh created WSS-704:
---

 Summary: Upgrade to XML Security 4.0.0
 Key: WSS-704
 URL: https://issues.apache.org/jira/browse/WSS-704
 Project: WSS4J
  Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh


Upgrade to XML Security 4.0.0






[jira] [Resolved] (WSS-703) Upgrade to OpenSAML v5

2023-09-19 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-703.
-
Resolution: Fixed

> Upgrade to OpenSAML v5
> --
>
> Key: WSS-703
> URL: https://issues.apache.org/jira/browse/WSS-703
> Project: WSS4J
>  Issue Type: Task
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 4.0.0
>
>
>  Upgrade to OpenSAML v5. Requires Java 17.






[jira] [Created] (WSS-703) Upgrade to OpenSAML v5

2023-09-19 Thread Colm O hEigeartaigh (Jira)
Colm O hEigeartaigh created WSS-703:
---

 Summary: Upgrade to OpenSAML v5
 Key: WSS-703
 URL: https://issues.apache.org/jira/browse/WSS-703
 Project: WSS4J
  Issue Type: Task
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
 Fix For: 4.0.0


 Upgrade to OpenSAML v5. Requires Java 17.






[jira] [Commented] (WSS-702) Process hangs when a signature is added and server not reachable

2023-09-18 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766266#comment-17766266
 ] 

Colm O hEigeartaigh commented on WSS-702:
-

OK closing ticket.

> Process hangs when a signature is added and server not reachable
> 
>
> Key: WSS-702
> URL: https://issues.apache.org/jira/browse/WSS-702
> Project: WSS4J
>  Issue Type: Bug
>Affects Versions: 3.0.1
> Environment: Linux Debian
> JDK 17
> Apache CXF 4.0.2
> WSS4j 3.0.1 (and also 3.0.0)
>Reporter: Cedric Tabin
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Attachments: sample.zip
>
>
> Hello,
> We are using wss4j with the Apache CXF library to connect to a SOAP web 
> service. The latter has some security-enabled methods which involve 
> signature and encryption.
> When writing the unit tests related to this, we hit a strange problem: if the 
> signature is enabled (through `WSS4JOutInterceptor`), then the process hangs 
> indefinitely during marshalling without any exception regardless of any 
> timeout set in the configuration (although a "Connection refused" exception 
> should have been thrown right away since we are pointing to localhost:1234 
> but this is the case for any host).
> The main problem is if there is any connection issue on the client side and 
> the server is unreachable, the process will wait forever.
> Here is the code snippet involved:
> {code:java}
> final ClientImpl client = (ClientImpl) ClientProxy.getClient(port);
> // url points to localhost:1234 on which nothing is listening => connection should be refused immediately
> client.getRequestContext().put(Message.ENDPOINT_ADDRESS, url);
> client.setThreadLocalRequestContext(true);
> client.setSynchronousTimeout(1);
> final HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
> HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
> httpClientPolicy.setReceiveTimeout(120);
> httpClientPolicy.setAllowChunking(true);
> httpClientPolicy.setMaxRetransmits(0);
> httpConduit.setClient(httpClientPolicy);
> TLSClientParameters tlsClientParameters = new TLSClientParameters();
> tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
> tlsClientParameters.setDisableCNCheck(true);
> httpConduit.setTlsClientParameters(tlsClientParameters);
> {
>     WSEncryptionPart sigTimestamp = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
>     WSEncryptionPart sigBody = new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, "");
>     SignatureActionToken erpSignature = new SignatureActionToken();
>     erpSignature.setUser(getSignatureUser());
>     erpSignature.setCryptoProperties(getOutSecurityPropFile());
>     erpSignature.setKeyIdentifierId(WSConstants.BST_DIRECT_REFERENCE);
>     erpSignature.setSignatureAlgorithm(WSConstants.RSA_SHA256);
>     erpSignature.setDigestAlgorithm(WSConstants.SHA256);
>     erpSignature.setParts(Arrays.asList(sigTimestamp, sigBody));
>     List<HandlerAction> actions = new ArrayList<>();
>     actions.add(new HandlerAction(WSConstants.TS, null));
>     actions.add(new HandlerAction(WSConstants.SIGN, erpSignature));
>     Map<String, Object> properties = getOutSecurityProperties();
>     properties.put(WSHandlerConstants.HANDLER_ACTIONS, actions);
>     ExtensibleWSS4JOutInterceptor wss4JOutInterceptor = new ExtensibleWSS4JOutInterceptor(properties, getAfterSignatureCallbacks());
>     wss4JOutInterceptor.setId("WSS4JOutSignatureInterceptor");
>     // if this line is commented => the process fails directly (which is correct) because nothing is listening at the endpoint
>     client.getOutInterceptors().add(wss4JOutInterceptor);
> }
> String operation = jaxbElement.getName().getLocalPart();
> Object[] object = client.invoke(operation, jaxbElement.getValue());
> return object[0];
> {code}
> If the `wss4JOutInterceptor` is not added, the the process immediately fails 
> (which is expected).
> {noformat}
> org.apache.cxf.interceptor.Fault: Could not send Message.
> at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67)
> at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:528)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:439)
> at org.apache.cxf.endpoint.ClientImpl.inv

[jira] [Resolved] (WSS-702) Process hangs when a signature is added and server not reachable

2023-09-18 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-702.
-
Resolution: Fixed

> Process hangs when a signature is added and server not reachable
> 
>
> Key: WSS-702
> URL: https://issues.apache.org/jira/browse/WSS-702
> Project: WSS4J
>  Issue Type: Bug
>Affects Versions: 3.0.1
> Environment: Linux Debian
> JDK 17
> Apache CXF 4.0.2
> WSS4j 3.0.1 (and also 3.0.0)
>Reporter: Cedric Tabin
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Attachments: sample.zip
>
>
> Hello,
> We are using wss4j with the Apache CXF library to connect to a SOAP web 
> service. The latter has some security-enabled methods which involve 
> signature and encryption.
> When writing the unit tests related to this, we hit a strange problem: if the 
> signature is enabled (through `WSS4JOutInterceptor`), then the process hangs 
> indefinitely during marshalling without any exception regardless of any 
> timeout set in the configuration (although a "Connection refused" exception 
> should have been thrown right away since we are pointing to localhost:1234 
> but this is the case for any host).
> The main problem is if there is any connection issue on the client side and 
> the server is unreachable, the process will wait forever.
> Here is the code snippet involved:
> {code:java}
> final ClientImpl client = (ClientImpl) ClientProxy.getClient(port);
> //url points to localhost:1234 on which nothing is listening => connection should be refused immediately
> client.getRequestContext().put(Message.ENDPOINT_ADDRESS, url);
> client.setThreadLocalRequestContext(true);
> client.setSynchronousTimeout(1);
> final HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
> HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
> httpClientPolicy.setReceiveTimeout(120);
> httpClientPolicy.setAllowChunking(true);
> httpClientPolicy.setMaxRetransmits(0);
> httpConduit.setClient(httpClientPolicy);
> TLSClientParameters tlsClientParameters = new TLSClientParameters();
> tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
> tlsClientParameters.setDisableCNCheck(true);
> httpConduit.setTlsClientParameters(tlsClientParameters);
> {
>     WSEncryptionPart sigTimestamp = new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "");
>     WSEncryptionPart sigBody = new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, "");
>     SignatureActionToken erpSignature = new SignatureActionToken();
>     erpSignature.setUser(getSignatureUser());
>     erpSignature.setCryptoProperties(getOutSecurityPropFile());
>     erpSignature.setKeyIdentifierId(WSConstants.BST_DIRECT_REFERENCE);
>     erpSignature.setSignatureAlgorithm(WSConstants.RSA_SHA256);
>     erpSignature.setDigestAlgorithm(WSConstants.SHA256);
>     erpSignature.setParts(Arrays.asList(sigTimestamp, sigBody));
>     List actions = new ArrayList<>();
>     actions.add(new HandlerAction(WSConstants.TS, null));
>     actions.add(new HandlerAction(WSConstants.SIGN, erpSignature));
>     Map properties = getOutSecurityProperties();
>     properties.put(WSHandlerConstants.HANDLER_ACTIONS, actions);
>     ExtensibleWSS4JOutInterceptor wss4JOutInterceptor = new ExtensibleWSS4JOutInterceptor(properties, getAfterSignatureCallbacks());
>     wss4JOutInterceptor.setId("WSS4JOutSignatureInterceptor");
>     //if this line is commented => the process fails directly (which is correct) because nothing is listening at the endpoint
>     client.getOutInterceptors().add(wss4JOutInterceptor);
> }
> String operation = jaxbElement.getName().getLocalPart();
> Object[] object = client.invoke(operation, jaxbElement.getValue());
> return object[0];
> {code}
> If the `wss4JOutInterceptor` is not added, the process immediately fails 
> (which is expected).
> {noformat}
> org.apache.cxf.interceptor.Fault: Could not send Message.
> at 
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67)
> at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:528)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:439)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:354)

WSS4J branches

2023-09-18 Thread Colm O hEigeartaigh
FYI I created a new 3_0_x-fixes branch for WSS4J and bumped master to
4.0.0-SNAPSHOT. I am going to merge an update to XML Security
4.0.0-SNAPSHOT and also OpenSAML 5.x. WSS4J 4.0.0-SNAPSHOT will
require Java 17.

Colm.




Re: [VOTE] XmlSchema 2.3.1

2023-09-08 Thread Colm O hEigeartaigh
+1, all CXF tests pass with it.

Colm.

On Fri, Sep 8, 2023 at 7:38 AM Oscar Westra van Holthe - Kind
 wrote:
>
> Hi all,
>
> +1 (non-binding) to release version 2.3.1.
>
> I've successfully run the tests on my project that depends on the 
> xmlschema-walker artefact, that requires one of the merged PRs.
>
>
> Kind Regards,
> Oscar
>
>
> On Thu, 7 Sept 2023 at 21:25, Daniel Kulp  wrote:
>>
>> This is a vote to release XmlSchema 2.3.1. There were a couple of user 
>> submitted PR’s that I’d like to get included into a release for CXF. Also 
>> a couple of minor dependency updates.
>>
>>
>> Tag:
>> https://github.com/apache/ws-xmlschema/commit/ed85af5a99b5eed716664a47c21c622c4d522770
>>
>> Staging area:
>> https://repository.apache.org/content/repositories/orgapachews-1098/
>>
>>
>> Here is my +1.
>>
>> --
>> Daniel Kulp
>> dk...@apache.org
>> Talend - https://talend.com
>>
>
>
> --
>
> ✉️ Oscar Westra van Holthe - Kind 




[jira] [Commented] (WSS-701) Support for X509PKIPathv1 in WSSecEncryptKey is missing

2023-07-26 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747756#comment-17747756
 ] 

Colm O hEigeartaigh commented on WSS-701:
-

Hi, can you submit a pull request for the change?

> Support for X509PKIPathv1 in WSSecEncryptKey is missing
> ---
>
> Key: WSS-701
> URL: https://issues.apache.org/jira/browse/WSS-701
> Project: WSS4J
>  Issue Type: Improvement
>  Components: WSS4J Core
>Affects Versions: 3.0.1
>Reporter: Philip Helger
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> Hi Colm,
> We stumbled upon another small inconsistency between `WSSecSignature` and 
> `WSSecEncryptedKey`.
> Via `WSSecSignature.setUseSingleCertificate(boolean)` it is possible to 
> switch between the Binary Security Token types `#X509v3` and `#X509PKIPathv1`.
> In `WSSecEncryptedKey` the BST is always using the `#X509v3` type.
> Please add the respective switch between the 2 types also for 
> `WSSecEncryptedKey`.
> Thanks, Philip






[jira] [Commented] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-18 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1772#comment-1772
 ] 

Colm O hEigeartaigh commented on WSS-700:
-

I've added it for WSSecSignature as requested.

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2, 3.0.1
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Commented] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-18 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1770#comment-1770
 ] 

Colm O hEigeartaigh commented on WSS-700:
-

[~phax] I'm not sure it makes sense to add a Provider for the WSSecHeader case, 
because Provider is only used with 
createEncryptedKeyElement which is called during the creation, not during the 
parsing of an existing security header.

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2, 3.0.1
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Closed] (WSS-693) Check for CVE/CVSS scores and fail build is severity is over a threshold

2023-07-17 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-693.
---

> Check for CVE/CVSS scores and fail build is severity is over a threshold
> 
>
> Key: WSS-693
> URL: https://issues.apache.org/jira/browse/WSS-693
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Rob Leland
>    Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 2.3.4, 2.4.2
>
>
> 1) Update use of dependency-check plugin to fail build if a component has a 
> CVE over 6.
> 2) Provide a suppression file to ignore findings
> 3) Exclude Runtime environments such as JDK version from consideration in 
> findings.
>  
>  






[jira] [Closed] (WSS-699) org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec

2023-07-17 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-699.
---

> org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec
> --
>
> Key: WSS-699
> URL: https://issues.apache.org/jira/browse/WSS-699
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.4.1
>Reporter: Luigi De Masi
>Assignee: Colm O hEigeartaigh
>Priority: Blocker
> Fix For: 2.4.2, 3.0.1
>
>
> According to Oracle specification, implementor of transform method of class  
> javax.xml.crypto.dsig.Transform should return null if the data was written to 
> the OutputStream parameter: 
> https://docs.oracle.com/en/java/javase/17/docs/api/java.xml.crypto/javax/xml/crypto/dsig/Transform.html#transform(javax.xml.crypto.Data,javax.xml.crypto.XMLCryptoContext,java.io.OutputStream)
> but this commit breaks the specification, changing the return value from null 
> to an empty XMLSignatureInput object:
> https://github.com/apache/ws-wss4j/commit/20e8e4e0406b3053cf26f82b39e882d8dd33da9a
> This is causing some issues during signature validation:
> {code}
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: 
> javax.xml.crypto.dsig.TransformException: java.lang.RuntimeException: 
> unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:552)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:385)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:278)
> at 
> my.company.test.SignatureValidator.validateSignature(SignatureValidator.java:148)
> at 
> my.company.test.SignatureValidator.validateSecurityHeader(SignatureValidator.java:125)
> at 
> my.company.test.SignatureValidator.validate(SignatureValidator.java:82)
> at 
> my.company.test.SignatureValidatorTest.testSaml1Original(SignatureValidatorTest.java:66)
> ... 70 more
> Caused by: javax.xml.crypto.dsig.TransformException: 
> java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:174)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:108)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMCanonicalXMLC14NMethod.transform(DOMCanonicalXMLC14NMethod.java:73)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:493)
> ... 76 more
> Caused by: java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:53)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:159)
> ... 79 more
> Caused by: java.lang.RuntimeException: getNodeSet() called but no input data 
> present
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:228)
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:190)
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:50)
> ... 80 more
> {code}
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
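
The return-value contract cited in WSS-699 above, modelled as an added example (not WSS4J or JDK code): a transform that writes to the supplied `OutputStream` returns `null`, and a caller that receives a non-null object with no data in it fails. `CopyTransform`, `NonCompliantTransform` and `runLastTransform` are hypothetical names, and the input is a constructed sample.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.spec.AlgorithmParameterSpec;
import javax.xml.crypto.Data;
import javax.xml.crypto.OctetStreamData;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.TransformException;
import javax.xml.crypto.dsig.TransformService;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;

public class TransformContractDemo {

    /** Hypothetical pass-through transform; only the return-value contract matters here. */
    static class CopyTransform extends TransformService {
        @Override public void init(TransformParameterSpec params) { }
        @Override public void init(XMLStructure parent, XMLCryptoContext ctx) { }
        @Override public void marshalParams(XMLStructure parent, XMLCryptoContext ctx) { }
        @Override public AlgorithmParameterSpec getParameterSpec() { return null; }
        @Override public boolean isFeatureSupported(String feature) { return false; }

        @Override
        public Data transform(Data data, XMLCryptoContext ctx) throws TransformException {
            // No stream supplied: the result has to be handed back as Data.
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            copy(data, buf);
            return new OctetStreamData(new ByteArrayInputStream(buf.toByteArray()));
        }

        @Override
        public Data transform(Data data, XMLCryptoContext ctx, OutputStream os)
                throws TransformException {
            copy(data, os);
            return null; // Javadoc contract: null means the output is already in os
        }

        static void copy(Data data, OutputStream os) throws TransformException {
            if (!(data instanceof OctetStreamData)) {
                throw new TransformException("expected OctetStreamData input");
            }
            try (InputStream in = ((OctetStreamData) data).getOctetStream()) {
                in.transferTo(os);
            } catch (IOException e) {
                throw new TransformException(e);
            }
        }
    }

    /** Models the behaviour reported in the issue: writes to os, yet returns a non-null, empty object. */
    static class NonCompliantTransform extends CopyTransform {
        @Override
        public Data transform(Data data, XMLCryptoContext ctx, OutputStream os)
                throws TransformException {
            copy(data, os);
            return new Data() { }; // non-null, but carries no octets and no node set
        }
    }

    /** Hypothetical caller: runs the last transform of a chain with a byte sink as the target. */
    static byte[] runLastTransform(TransformService t, byte[] input) throws TransformException {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        Data result = t.transform(
                new OctetStreamData(new ByteArrayInputStream(input)), null, sink);
        if (result == null) {
            return sink.toByteArray(); // everything was written to the sink
        }
        if (result instanceof OctetStreamData) {
            CopyTransform.copy(result, sink); // output was returned instead of written
            return sink.toByteArray();
        }
        // A non-null result is taken as the transform output; an empty one cannot be processed.
        throw new TransformException("transform returned "
                + result.getClass().getName() + " with no usable data");
    }

    public static void main(String[] args) {
        byte[] input = "<a>constructed sample</a>".getBytes(StandardCharsets.UTF_8);
        for (TransformService t : new TransformService[] {
                new CopyTransform(), new NonCompliantTransform() }) {
            try {
                byte[] out = runLastTransform(t, input);
                System.out.println(t.getClass().getSimpleName() + ": "
                        + new String(out, StandardCharsets.UTF_8));
            } catch (TransformException e) {
                System.out.println(t.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```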



[jira] [Closed] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-17 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-700.
---

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2, 3.0.1
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






Re: [VOTE] - Release Apache WSS4J 3.0.1, 2.4.2, 2.3.4

2023-07-17 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and two non-binding +1 votes, this vote
passes. I'll do the release.

Colm.

On Fri, Jul 14, 2023 at 1:48 AM Jim Ma  wrote:
>
> +1
>
> On Wed, Jul 12, 2023 at 11:55 PM Colm O hEigeartaigh  
> wrote:
>>
>> This is a vote to release Apache WSS4J 3.0.1, 2.4.2, 2.3.4.
>>
>> 3.0.1:
>>
>>  - Issues fixed:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12352384
>>  - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.1
>>  - Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1093/
>>
>> 2.4.2:
>>
>>  - Issues fixed:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12351365
>>  - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.2
>>  - Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1096/
>>
>> 2.3.4:
>>
>>  - Issues fixed:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12350610
>>  - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.4
>>  - Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1097/
>>
>> +1 from me.
>>
>> Colm.
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
>> For additional commands, e-mail: dev-h...@ws.apache.org
>>




[VOTE] - Release Apache WSS4J 3.0.1, 2.4.2, 2.3.4

2023-07-12 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 3.0.1, 2.4.2, 2.3.4.

3.0.1:

 - Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12352384
 - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.1
 - Artifacts: 
https://repository.apache.org/content/repositories/orgapachews-1093/

2.4.2:

 - Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12351365
 - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.2
 - Artifacts: 
https://repository.apache.org/content/repositories/orgapachews-1096/

2.3.4:

 - Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12350610
 - Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.4
 - Artifacts: 
https://repository.apache.org/content/repositories/orgapachews-1097/

+1 from me.

Colm.




[jira] [Resolved] (WSS-699) org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec

2023-07-12 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-699.
-
Resolution: Fixed

> org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec
> --
>
> Key: WSS-699
> URL: https://issues.apache.org/jira/browse/WSS-699
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.4.1
>Reporter: Luigi De Masi
>Assignee: Colm O hEigeartaigh
>Priority: Blocker
> Fix For: 2.4.2, 3.0.1
>
>
> According to Oracle specification, implementor of transform method of class  
> javax.xml.crypto.dsig.Transform should return null if the data was written to 
> the OutputStream parameter: 
> https://docs.oracle.com/en/java/javase/17/docs/api/java.xml.crypto/javax/xml/crypto/dsig/Transform.html#transform(javax.xml.crypto.Data,javax.xml.crypto.XMLCryptoContext,java.io.OutputStream)
> but this commit breaks the specification, changing the return value from null 
> to an empty XMLSignatureInput object:
> https://github.com/apache/ws-wss4j/commit/20e8e4e0406b3053cf26f82b39e882d8dd33da9a
> This is causing some issues during signature validation:
> {code}
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: 
> javax.xml.crypto.dsig.TransformException: java.lang.RuntimeException: 
> unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:552)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:385)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:278)
> at 
> my.company.test.SignatureValidator.validateSignature(SignatureValidator.java:148)
> at 
> my.company.test.SignatureValidator.validateSecurityHeader(SignatureValidator.java:125)
> at 
> my.company.test.SignatureValidator.validate(SignatureValidator.java:82)
> at 
> my.company.test.SignatureValidatorTest.testSaml1Original(SignatureValidatorTest.java:66)
> ... 70 more
> Caused by: javax.xml.crypto.dsig.TransformException: 
> java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:174)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:108)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMCanonicalXMLC14NMethod.transform(DOMCanonicalXMLC14NMethod.java:73)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:493)
> ... 76 more
> Caused by: java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:53)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:159)
> ... 79 more
> Caused by: java.lang.RuntimeException: getNodeSet() called but no input data 
> present
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:228)
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:190)
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:50)
> ... 80 more
> {code}
>  
>  
>  






[jira] [Updated] (WSS-699) org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec

2023-07-12 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-699:

Fix Version/s: 2.4.2
   3.0.1

> org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec
> --
>
> Key: WSS-699
> URL: https://issues.apache.org/jira/browse/WSS-699
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.4.1
>Reporter: Luigi De Masi
>Assignee: Colm O hEigeartaigh
>Priority: Blocker
> Fix For: 2.4.2, 3.0.1
>
>
> According to Oracle specification, implementor of transform method of class  
> javax.xml.crypto.dsig.Transform should return null if the data was written to 
> the OutputStream parameter: 
> https://docs.oracle.com/en/java/javase/17/docs/api/java.xml.crypto/javax/xml/crypto/dsig/Transform.html#transform(javax.xml.crypto.Data,javax.xml.crypto.XMLCryptoContext,java.io.OutputStream)
> but this commit breaks the specification, changing the return value from null 
> to an empty XMLSignatureInput object:
> https://github.com/apache/ws-wss4j/commit/20e8e4e0406b3053cf26f82b39e882d8dd33da9a
> This is causing some issues during signature validation:
> {code}
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: 
> javax.xml.crypto.dsig.TransformException: java.lang.RuntimeException: 
> unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:552)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:385)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:278)
> at 
> my.company.test.SignatureValidator.validateSignature(SignatureValidator.java:148)
> at 
> my.company.test.SignatureValidator.validateSecurityHeader(SignatureValidator.java:125)
> at 
> my.company.test.SignatureValidator.validate(SignatureValidator.java:82)
> at 
> my.company.test.SignatureValidatorTest.testSaml1Original(SignatureValidatorTest.java:66)
> ... 70 more
> Caused by: javax.xml.crypto.dsig.TransformException: 
> java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:174)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:108)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMCanonicalXMLC14NMethod.transform(DOMCanonicalXMLC14NMethod.java:73)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:493)
> ... 76 more
> Caused by: java.lang.RuntimeException: unrecoverable error retrieving nodeset
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:53)
> at 
> java.xml.crypto/org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.canonicalize(ApacheCanonicalizer.java:159)
> ... 79 more
> Caused by: java.lang.RuntimeException: getNodeSet() called but no input data 
> present
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:228)
> at 
> org.apache.xml.security.signature.XMLSignatureInput.getNodeSet(XMLSignatureInput.java:190)
> at 
> org.apache.jcp.xml.dsig.internal.dom.ApacheNodeSetData.iterator(ApacheNodeSetData.java:50)
> ... 80 more
> {code}
>  
>  
>  






[jira] [Updated] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-12 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-700:

Fix Version/s: 3.0.1

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2, 3.0.1
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Resolved] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-700.
-
Resolution: Fixed

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Commented] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-10 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17741511#comment-17741511
 ] 

Colm O hEigeartaigh commented on WSS-700:
-

I added a new constructor for WSSecEncrypt that passes a Provider through to 
WSSecEncryptedKey.

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Updated] (WSS-700) WSSecEncrypt cannot set Security Provider

2023-07-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-700:

Fix Version/s: 2.3.4
   2.4.2

> WSSecEncrypt cannot set Security Provider
> -
>
> Key: WSS-700
> URL: https://issues.apache.org/jira/browse/WSS-700
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Philip Helger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.4, 2.4.2
>
>
> Hi,
> The constructor of `WSSecEncrypt` has no means to 
> provide the Security Provider as possible in the super class 
> `WSSecEncryptedKey` constructor.
> Can you please add another constructor to `WSSecEncryptedKey` that passes 
> through the Provider?
> Thanks, Philip






[jira] [Resolved] (WSS-693) Check for CVE/CVSS scores and fail build is severity is over a threshold

2023-06-12 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-693.
-
Resolution: Fixed

> Check for CVE/CVSS scores and fail build is severity is over a threshold
> 
>
> Key: WSS-693
> URL: https://issues.apache.org/jira/browse/WSS-693
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Rob Leland
>    Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 2.3.4, 2.4.2
>
>
> 1) Update use of dependency-check plugin to fail build if a component has a 
> CVE over 6.
> 2) Provide a suppression file to ignore findings
> 3) Exclude Runtime environments such as a JDK version from consideration in 
> findings.
>  
>  






[jira] [Updated] (WSS-693) Check for CVE/CVSS scores and fail build is severity is over a threshold

2023-06-12 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-693:

Fix Version/s: 2.3.4
   2.4.2

> Check for CVE/CVSS scores and fail build is severity is over a threshold
> 
>
> Key: WSS-693
> URL: https://issues.apache.org/jira/browse/WSS-693
> Project: WSS4J
>  Issue Type: Improvement
>Reporter: Rob Leland
>    Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 2.3.4, 2.4.2
>
>
> 1) Update use of dependency-check plugin to fail build if a component has a 
> CVE over 6.
> 2) Provide a suppression file to ignore findings
> 3) Exclude Runtime environments such as a JDK version from consideration in 
> findings.
>  
>  






Re: Regarding No message with ID "badElement" found in resource bundle "org/apache/xml/security/resource/xmlsecurity"

2023-03-27 Thread Colm O hEigeartaigh
Hi,

You need to call WSSConfig.init() before any call to
org.apache.xml.security.Init.init(). For example see:

https://github.com/apache/ws-wss4j/blob/4c5dda00904ea7217b4e0add80024973313466ea/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignatureWSS651Test.java#L65

Colm.

On Wed, Mar 15, 2023 at 9:08 AM Sreenivas Somavarapu
 wrote:
>
> Hi Team,
>
>
>
> <>
>
> While using org.apache.wss4j.common.token.SecurityTokenReference (Currently 
> using wss4j 2.3.2 and xmlsec 2.2.3) constructor in one of our tests we are 
> getting below exception. There is no functional impact due to this error but 
> it refers to some string missing in properties file which we think is 
> incorrect and it suppress actual cause of the issue. Wanted to know if 
> anything else needs to be done before calling the below code (like WSS4J 
> initialization or something else)?
>
>
>
> org.apache.wss4j.common.ext.WSSecurityException: No message with ID 
> "badElement" found in resource bundle 
> "org/apache/xml/security/resource/xmlsecurity"
>
>
>
> Code snippet
>
> org.apache.xml.security.Init.init();
>
> String xmlContent
>
> = " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\;
>  \r\n"
>
> + "   
> xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\;>\r\n"
>
> + "   wsu:Id=\"usernametoken\">\r\n"
>
> + "
> user1025\r\n"
>
> + "
> user1025\r\n" + "  
> \r\n"
>
> + "";
>
> DocumentBuilderFactory documentBuilderFactory = 
> DocumentBuilderFactory.newInstance();
>
> documentBuilderFactory.setNamespaceAware(true);
>
>Document doc = documentBuilderFactory.newDocumentBuilder().parse(new 
> InputSource(new StringReader(xmlContent)));
>
>
>
> SecurityTokenReference secTokRef = new 
> SecurityTokenReference(doc.getDocumentElement(), new BSPEnforcer(false));
>
>
>
> Regards,
>
> Sreenivas
>
>
>




[jira] [Closed] (WSS-687) Upgrade OpenSAML to v4.1.x

2022-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-687.
---

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 3.0.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






[jira] [Closed] (WSS-695) Unmarshalling failure with OpenSAML 4

2022-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-695.
---

> Unmarshalling failure with OpenSAML 4
> -
>
> Key: WSS-695
> URL: https://issues.apache.org/jira/browse/WSS-695
> Project: WSS4J
>  Issue Type: Improvement
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> There is an unmarshalling failure of an X509Certificate element with OpenSAML 
> 4 (CXF's STS SAMLRenewTest), caused by the fact that the default OpenSAML 
> BASE-64 unmarshaller uses Text.getData() instead of Text.getWholeText().
> The fix is to override the unmarshaller and call getWholeText instead.






[jira] [Closed] (WSS-694) Move wss4j to native jakarta namespace

2022-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-694.
---

> Move wss4j to native jakarta namespace
> --
>
> Key: WSS-694
> URL: https://issues.apache.org/jira/browse/WSS-694
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Affects Versions: 2.4.2
>Reporter: Rebecca Searls
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> Migrate wss4j to use the jakarta namespace.
> This upgrade is needed by CXF and other referencing components moving to 
> jakarta.






[jira] [Closed] (WSS-696) Upgrade ehcache to 3.10.0 with jakarta classfier

2022-10-10 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed WSS-696.
---

> Upgrade ehcache to 3.10.0 with jakarta classfier
> 
>
> Key: WSS-696
> URL: https://issues.apache.org/jira/browse/WSS-696
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 2.4.1
>Reporter: Jim Ma
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> Ehcache 3.10.0 is released with a new variant jar which supports the jakarta 
> namespace. 
> We can include this jakarta version in wss4j now. 
> This upgrade mainly contains the 3.10.0 version upgrade along with the 
> jakarta classifier change. 
>  
> {code:java}
>  
> --- a/parent/pom.xml
> +++ b/parent/pom.xml
> @@ -35,7 +35,7 @@
>          1.70
>          1.21
>          1.2.4
> -        3.9.6
> +        3.10.0
>          2.2
>          1.9.3
>          5.8.1
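Review bot: the value changed from 3.9.6 to 3.10.0 in this hunk carries no comment recording that 3.10.0 is the minimum for the jakarta variant requested in the next hunk. Since that hunk resolves the version through ${ehcache.version}, a one-line XML comment beside the property would stop a later downgrade or override from breaking dependency resolution.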
> @@ -123,6 +123,13 @@
>                  org.ehcache
>                  ehcache
>                  ${ehcache.version}
> +                jakarta
> +                
> +                    
> +                        org.glassfish.jaxb
> +                        jaxb-runtime
> +                    
> +                
>              
>  
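Review bot: the new nested org.glassfish.jaxb / jaxb-runtime entry under the ehcache dependency has nothing explaining why it is there. The element names are not visible in this copy, but if it is an exclusion, add a short XML comment saying why the runtime is excluded and which artifact supplies JAXB instead, so a later ehcache upgrade does not silently drop or re-add it.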
> {code}
>  
>  






Re: [VOTE] - Release Apache WSS4J 3.0.0

2022-10-10 Thread Colm O hEigeartaigh
With 5 +1 votes, and no other votes, this vote passes. I'll do the release.

Colm.

On Sun, Oct 9, 2022 at 3:43 AM Jim Ma  wrote:
>
> +1
>
> On Thu, Oct 6, 2022 at 4:39 PM Alessio Soldano  wrote:
>>
>> +1
>>
>> Thanks!
>>
>> On Tue, Oct 4, 2022 at 2:33 PM Colm O hEigeartaigh  
>> wrote:
>>>
>>> This is a vote to release Apache WSS4J 3.0.0. This is a new major
>>> release which has transitioned to the jakarta namespace, and contains
>>> new major dependency upgrades for OpenSAML (4.x) and XML Security
>>> (3.x). It is designed to be used with CXF 4.0.0.
>>>
>>> Artifacts: 
>>> https://repository.apache.org/content/repositories/orgapachews-1092/
>>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.0
>>> Issues: 
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12350043
>>>
>>> +1 from me.
>>>
>>> Colm.
>>>
>>>




[VOTE] - Release Apache WSS4J 3.0.0

2022-10-04 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 3.0.0. This is a new major
release which has transitioned to the jakarta namespace, and contains
new major dependency upgrades for OpenSAML (4.x) and XML Security
(3.x). It is designed to be used with CXF 4.0.0.

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1092/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-3.0.0
Issues: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12350043

+1 from me.

Colm.




[jira] [Resolved] (WSS-698) No way to call requestData.setSignatureProvider() in WSS4JOutInterceptor and WSS4JInInterceptor

2022-10-03 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-698.
-
Resolution: Not A Problem

You have the option of overriding the WSHandler doSenderAction/doReceiverAction 
methods, by subclassing WSS4JOut/InInterceptor. Otherwise, please submit a PR 
to CXF to add support to manually configure the signature provider via 
configuration.

> No way to call requestData.setSignatureProvider() in WSS4JOutInterceptor and 
> WSS4JInInterceptor
> ---
>
> Key: WSS-698
> URL: https://issues.apache.org/jira/browse/WSS-698
> Project: WSS4J
>  Issue Type: Bug
>Reporter: Stefan Berger
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In WSS-656, the ability to set the signatureProvider was added, but when 
> using the WSS4JOutInterceptor, the RequestData object is created inside of 
> handleMessageInternal() and cannot be modified from the outside.
> WSS4JInInterceptor.handleMessageInternal() behaves similarly.
> Users should be able to influence the behavior via the SoapMessage. (Either 
> in the SoapMessage or in the Exchange)
> My use case is that I want to sign with brainpoolP256r1 Certificates in Java 
> 17. Oracle removed brainpool support in JDK 15, so now I have to use 
> BouncyCastle to sign requests.






Re: WSS4j 3.0.0

2022-08-30 Thread Colm O hEigeartaigh
Hi Jim,

At this point I don't have anything else to do for WSS4J itself. I
have some work to do on a new Santuario release, I'm hoping to get
this done over the next 2/3 weeks. I also want to review some
outstanding CXF issues to see if there's anything that needs to go
into WSS4J before the release.

I'm hoping to get WSS4J 3.0.0 out in about a month or so.

Colm.

On Mon, Aug 29, 2022 at 3:25 AM Jim Ma  wrote:
>
> Thanks Martin, I saw the 3.0 SNAPSHOT tests are all passed, then let's wait 
> for Colm for more updates about the 3.0 release plan.
>
>
>
> On Sat, Aug 20, 2022 at 8:30 PM Martin Gainty  wrote:
>>
>> Usually snapshots have to pass all unit-tests and then be voted +1 for 
>> "official release" by wss4j committee
>> the lead is Colm O hEigeartaigh so I am including him in for those release 
>> dates
>> In the meanwhile I would suggest vetting the 3.0 SNAPSHOT
>>
>> Index of 
>> /repositories/snapshots/org/apache/wss4j/wss4j-ws-security-dom/3.0.0-SNAPSHOT
>>
>> Keep me apprised !
>> m~
>> 
>> From: Jim Ma 
>> Sent: Friday, August 19, 2022 7:45 AM
>> To: dev@ws.apache.org 
>> Subject: WSS4j 3.0.0
>>
>> Is it close to a WSS4j 3.0.0 release , and any plan date ? Are there some 
>> issues left we need to address for this major release ?
>>
>> Thanks,
>> Jim




Re: javax servlet class in opensaml 4.2.0

2022-05-31 Thread Colm O hEigeartaigh
Hi Jim,

From a quick glance, most if not all of these are in parts of OpenSAML
that aren't used by WSS4J. Ultimately if all the tests (including CXF)
pass without any problems then I suppose we're OK?

Colm.

On Mon, May 30, 2022 at 7:22 AM Jim Ma  wrote:
>
> Hi Colm,
> I searched the javax namespace classes which are used in opensaml 4.2.0 and I 
> got this list :
> https://paste.apache.org/lhks3
>
> Now wss4j 3.0.0 jakarta version already includes opensaml 4.2.0,  is javax 
> imported class in opensaml a problem for wss4j ?
>
> Thanks,
> Jim




Re: [VOTE] Release Apache Axiom 1.4.0

2022-05-24 Thread Colm O hEigeartaigh
+1.

The year in the NOTICE file should be updated to 2022 for the next release.

Colm.

On Tue, May 24, 2022 at 12:30 AM Daniel Kulp  wrote:
>
> +1
>
> Dan
>
>
> On May 14, 2022, at 5:11 PM, robertlazarski  wrote:
>
> This is a vote to release Apache Axiom 1.4.0
>
> Git tag: https://github.com/apache/ws-axiom/releases/tag/1.4.0
>
> Distributions: https://dist.apache.org/repos/dist/dev/ws/axiom/
>
> Maven artifacts: 
> https://repository.apache.org/content/repositories/orgapachews-1089
>
> Site: http://ws.apache.org/axiom-staging/
>
> +1 from me.
>
> Robert
>
>
> --
> Daniel Kulp
> dk...@apache.org
> Talend - https://talend.com
>




[jira] [Commented] (WSS-697) OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService

2022-05-11 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17535116#comment-17535116
 ] 

Colm O hEigeartaigh commented on WSS-697:
-

What change do you suggest to be made to how the manually configured pool is 
created in WSS4J?

> OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
> --
>
> Key: WSS-697
> URL: https://issues.apache.org/jira/browse/WSS-697
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.2.7, 2.3.3, 2.4.1
>Reporter: Alex Wolfe
>Assignee: Colm O hEigeartaigh
>Priority: Minor
>
> When using WSS4J alongside other dependencies which also rely on OpenSAML, 
> the OpenSAMLUtil.initSamlEngine() can override the existing configuration of 
> OpenSAML, potentially causing issues with how the parser pool is configured.
> In my use case:
>  * OpenSAML is initialized first with the 
> org.opensaml.core.config.InitializationService introduced in OpenSAML 3
>  * XMLSec is used for decryption, so 
> org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a 
> decryption-specific feature to the parser pool at this time.
>  * Later, an interceptor in cxf-rt-ws-security called into 
> OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and 
> parser pool.
> In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be 
> completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it 
> to be replaced with the manually configured pool from OpenSAMLUtil without 
> the needed feature.
> I have been able to work around this by explicitly calling OpenSAML’s 
> InitializationService after WSS4J’s OpenSAMLUtil.
> Relevant dependencies and versions in my project include:
>  * Java 8
>  * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
>  * org.apache.cxf:cxf-rt-ws-security:3.3.11
>  * org.apache.santuario:xmlsec:2.1.7
>  * net.shibboleth.utilities:java-support:7.5.2






[jira] [Resolved] (WSS-696) Upgrade ehcache to 3.10.0 with jakarta classfier

2022-04-25 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-696.
-
Resolution: Fixed

> Upgrade ehcache to 3.10.0 with jakarta classfier
> 
>
> Key: WSS-696
> URL: https://issues.apache.org/jira/browse/WSS-696
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 2.4.1
>Reporter: Jim Ma
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> Ehcache 3.10.0 is released with a new variant jar which supports the jakarta 
> namespace. 
> We can include this jakarta version in wss4j now. 
> This upgrade mainly contains the 3.10.0 version upgrade along with the 
> jakarta classifier change. 
>  
> {code:java}
>  
> --- a/parent/pom.xml
> +++ b/parent/pom.xml
> @@ -35,7 +35,7 @@
>          1.70
>          1.21
>          1.2.4
> -        3.9.6
> +        3.10.0
>          2.2
>          1.9.3
>          5.8.1
> @@ -123,6 +123,13 @@
>                  org.ehcache
>                  ehcache
>                  ${ehcache.version}
> +                jakarta
> +                
> +                    
> +                        org.glassfish.jaxb
> +                        jaxb-runtime
> +                    
> +                
>              
>  
> {code}
>  
>  






[jira] [Resolved] (WSS-687) Upgrade OpenSAML to v4.1.x

2022-04-19 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-687.
-
Resolution: Fixed

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 3.0.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






[jira] [Updated] (WSS-687) Upgrade OpenSAML to v4.1.x

2022-04-19 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-687:

Fix Version/s: 3.0.0

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 3.0.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






[jira] [Commented] (WSS-687) Upgrade OpenSAML to v4.1.x

2022-04-15 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522800#comment-17522800
 ] 

Colm O hEigeartaigh commented on WSS-687:
-

That's a good idea Rob. I'm not concerned about the issue raised by OpenSAML 
devs.

[~dkulp] Is it acceptable? [https://github.com/apache/ws-wss4j/pull/49/files]

 

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 3.0.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






[jira] [Commented] (WSS-687) Upgrade OpenSAML to v4.1.x

2022-04-14 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17522265#comment-17522265
 ] 

Colm O hEigeartaigh commented on WSS-687:
-

Is there a way we can only get the Opensaml artifacts from their Maven repo and 
block any other artifacts from being downloaded from it?

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 3.0.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






[jira] [Resolved] (WSS-695) Unmarshalling failure with OpenSAML 4

2022-04-14 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-695.
-
Resolution: Fixed

> Unmarshalling failure with OpenSAML 4
> -
>
> Key: WSS-695
> URL: https://issues.apache.org/jira/browse/WSS-695
> Project: WSS4J
>  Issue Type: Improvement
>        Reporter: Colm O hEigeartaigh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> There is an unmarshalling failure of an X509Certificate element with OpenSAML 
> 4 (CXF's STS SAMLRenewTest), caused by the fact that the default OpenSAML 
> BASE-64 unmarshaller uses Text.getData() instead of Text.getWholeText().
> The fix is to override the unmarshaller and call getWholeText instead.






[jira] [Created] (WSS-695) Unmarshalling failure with OpenSAML 4

2022-04-14 Thread Colm O hEigeartaigh (Jira)
Colm O hEigeartaigh created WSS-695:
---

 Summary: Unmarshalling failure with OpenSAML 4
 Key: WSS-695
 URL: https://issues.apache.org/jira/browse/WSS-695
 Project: WSS4J
  Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
 Fix For: 3.0.0


There is an unmarshalling failure of an X509Certificate element with OpenSAML 4 
(CXF's STS SAMLRenewTest), caused by the fact that the default OpenSAML BASE-64 
unmarshaller uses Text.getData() instead of Text.getWholeText().

The fix is to override the unmarshaller and call getWholeText instead.



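The difference between the two DOM calls named in WSS-695 above, as an added example that is not WSS4J or OpenSAML code. The class name, the two reader helpers and the payload are constructed for illustration, and placing the Base64 value in two adjacent Text nodes by hand is an assumption used to reproduce the split content.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;

public class WholeTextDemo {

    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Hypothetical reader: takes only the first Text child's own data.
    static String readWithGetData(Element element) {
        Node first = element.getFirstChild();
        return first instanceof Text ? ((Text) first).getData() : "";
    }

    // Hypothetical reader: takes the first Text child together with every
    // logically adjacent text node, which is what getWholeText() returns.
    static String readWithGetWholeText(Element element) {
        Node first = element.getFirstChild();
        return first instanceof Text ? ((Text) first).getWholeText() : "";
    }

    // Builds a ds:X509Certificate element whose Base64 content is held in
    // two adjacent Text nodes instead of one (constructed input).
    static Element buildSplitCertificateElement(String base64) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element cert = doc.createElementNS(DS_NS, "ds:X509Certificate");
        doc.appendChild(cert);

        // Cut on a 4-character boundary so the truncated half is still
        // valid Base64 and decodes without an exception.
        int cut = (base64.length() / 8) * 4;
        cert.appendChild(doc.createTextNode(base64.substring(0, cut)));
        cert.appendChild(doc.createTextNode(base64.substring(cut)));
        return cert;
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload standing in for DER-encoded certificate bytes.
        byte[] original = "constructed stand-in for DER certificate bytes"
                .getBytes(StandardCharsets.US_ASCII);
        String base64 = Base64.getEncoder().encodeToString(original);
        Element cert = buildSplitCertificateElement(base64);

        byte[] viaGetData = Base64.getDecoder().decode(readWithGetData(cert));
        byte[] viaWholeText = Base64.getDecoder().decode(readWithGetWholeText(cert));

        System.out.println("text nodes under element : " + cert.getChildNodes().getLength());
        System.out.println("original length          : " + original.length);
        System.out.println("getData() length         : " + viaGetData.length
                + ", intact = " + Arrays.equals(original, viaGetData));
        System.out.println("getWholeText() length    : " + viaWholeText.length
                + ", intact = " + Arrays.equals(original, viaWholeText));
    }
}
```

The truncated value still decodes cleanly in this run, so the loss only becomes visible when the bytes are compared or handed to a certificate parser.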



[jira] [Commented] (WSS-655) Support outbound Streaming WS-Security MTOM

2022-04-04 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17516927#comment-17516927
 ] 

Colm O hEigeartaigh commented on WSS-655:
-

It can be tested against the "DOM" implementation, which has been tested 
previously against .NET by various users of CXF.

> Support outbound Streaming WS-Security MTOM
> ---
>
> Key: WSS-655
> URL: https://issues.apache.org/jira/browse/WSS-655
> Project: WSS4J
>  Issue Type: Improvement
>    Reporter: Colm O hEigeartaigh
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> WSS4J currently only supports streaming WS-Security MTOM on the inbound side, 
> not the outbound side (see: 
> https://coheigea.blogspot.com/2018/05/streaming-ws-security-mtom-support-in.html).
> This task is to support it on the outbound side.






[jira] [Resolved] (WSS-694) Move wss4j to native jakarta namespace

2022-03-15 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-694.
-
Resolution: Fixed

> Move wss4j to native jakarta namespace
> --
>
> Key: WSS-694
> URL: https://issues.apache.org/jira/browse/WSS-694
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Affects Versions: 2.4.2
>Reporter: Rebecca Searls
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> Migrate wss4j to use the jakarta namespace.
> This upgrade is needed by CXF and other referencing components moving to 
> jakarta.






[jira] [Updated] (WSS-694) Move wss4j to native jakarta namespace

2022-03-07 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh updated WSS-694:

Fix Version/s: 3.0.0

> Move wss4j to native jakarta namespace
> --
>
> Key: WSS-694
> URL: https://issues.apache.org/jira/browse/WSS-694
> Project: WSS4J
>  Issue Type: New Feature
>  Components: WSS4J Core
>Affects Versions: 2.4.2
>Reporter: Rebecca Searls
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 3.0.0
>
>
> Migrate wss4j to use the jakarta namespace.
> This upgrade is needed by CXF and other referencing components moving to 
> jakarta.






Re: [VOTE] - Release Apache WSS4J 2.4.1

2022-02-17 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and no other votes, this vote passes.

Colm.

On Thu, Feb 17, 2022 at 11:27 PM Alessio Soldano  wrote:
>
> +1
>
> Thanks!
>
> On Fri, Feb 11, 2022 at 3:26 PM Colm O hEigeartaigh  
> wrote:
>>
>> This is a vote to release Apache WSS4J 2.4.1. It fixes an issue with
>> the timestamp in the WSS4J jars being invalid.
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1088/
>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.1
>>
>> +1 from me.
>>
>> Colm.
>>
>>




Re: Should WSS4J fail release builds for High CVE findings ?

2022-02-14 Thread Colm O hEigeartaigh
Hi Rob,

Yes please prepare a PR and I'll review. If you could add an empty
file as well so that we can easily add false positives, that would be
great.

Colm.

On Sat, Feb 12, 2022 at 11:10 PM Rob Leland  wrote:
>
> I noticed that the wss4J build mainly uses the OWASP dependency-check-plugin 
> for generating a report, but those are easy to forget to review.
> Similar to the PMD and Checkstyle enforcement would it be useful to add a 
> maven profile to fail the build if there is a CVE/CVSS score above a certain 
> level ?
>
> This could be enforced  just for releases, snapshots or both.
>
> I'll be happy to prepare PR.
>
> -Rob
>
>




[VOTE] - Release Apache WSS4J 2.4.1

2022-02-11 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 2.4.1. It fixes an issue with
the timestamp in the WSS4J jars being invalid.

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1088/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.1

+1 from me.

Colm.




Re: A jakarta namespace version

2021-11-29 Thread Colm O hEigeartaigh
Hi,

I've already followed up with Rebecca on this topic on the Apache Santuario
mailing list -
https://lists.apache.org/thread/3jr9zj92boq9r90k05g0f1tpow74sdwq
WSS4J only uses the javax.xml.bind dependencies for the streaming
implementation, which is currently only consumed by CXF. CXF won't switch
to using Jakarta for a while, so until then I think there's not much point
in updating WSS4J.

Colm.

On Tue, Nov 23, 2021 at 11:47 PM robertlazarski 
wrote:

> Rebecca,
>
> This is a public mailing list and anyone can respond - including those who
> are not committers nor PMC members i.e project leadership.
>
> I'm on the PMC however I help maintain another Web Services project: Axiom.
>
> For the WSS4J project, the release manager has been this individual below.
>
> Colm O hEigeartaigh 
>
> You may want to wait for him to respond. Or the VP of the Web Services
> project as a whole, who also makes commits to WSS4J
>
> Daniel Kulp 
>
> Anyways, I am personally maintaining a large number of Wildfly servers at
> my day job so I have an interest here.
>
> I am a little confused though on the subject since I am not aware of any
> apache project using the Jakarta namespace for releases - which is an
> Eclipse foundation thing these days AFAIK.
>
> Regards,
> Robert
>
>
>
>
> On Tue, Nov 23, 2021 at 1:26 PM Rebecca Searls  wrote:
>
>> Do you have a schedule to update the imports to the jakarta namespace?
>>
>> On Tue, Nov 23, 2021 at 6:16 PM Martin Gainty 
>> wrote:
>>
>>> looks like you will have to transform wss4j jar to jakarta using
>>> eclipse jakarta transformer:
>>>
>>> GitHub - eclipse/transformer: Eclipse Transformer provides tools and
>>> runtime components that transform Java binaries, such as individual class
>>> files and complete JARs and WARs, mapping changes to Java packages, type
>>> names, and related resource names.
>>> <https://github.com/eclipse/transformer>
>>>
>>>
>>> Eclipse Transformer
>>>
>>> The Eclipse Transformer project <https://github.com/eclipse/transformer> 
>>> converts
>>> the namespace of the compiled Java resources. Also, JAR artifacts as WAR
>>> and EAR files containing entire applications are supported. The project is
>>> generic in the sense that it can handle all kinds of conversions and not
>>> only the one related to the changes for Jakarta EE 9.
>>> Using this transformer project, you can create an updated version of the
>>> JAR file that you use as a dependency in your application. And when making
>>> use of the Maven Classifier feature, you can convert a JAR file in your
>>> local maven repository and the Jakarta transformed version can easily be
>>> picked up.
>>>
>>> How to Convert a 3rd Party Library to the New Jakarta Namespace | foojay
>>> <https://foojay.io/today/how-to-use-eclipse-transformer-to-convert-a-3rd-party-library-to-the-new-jakarta-namespace/>
>>>
>>>
>>> JakartaTransformer
>>> /org/apache/ws/security/1.6.19/wss4j-1.6.19.jar
>>> /org/apache/ws/security/1.6.19/

[jira] [Resolved] (WSS-690) No bundle jar available for Apache WSS4J » 2.4.0

2021-11-18 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-690?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-690.
-
Resolution: Won't Fix

> No bundle jar available for Apache WSS4J » 2.4.0
> 
>
> Key: WSS-690
> URL: https://issues.apache.org/jira/browse/WSS-690
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Axis Integration, WSS4J Core
>Reporter: Rajesh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In maven repository, I could not able to find out any bundle jar for 
> h2. [Apache WSS4J|https://mvnrepository.com/artifact/org.apache.wss4j/wss4j] 
> » [2.4.0|https://mvnrepository.com/artifact/org.apache.wss4j/wss4j/2.4.0]
> do we have any mechanism to build the bundle jar or apache has different 
> repository where staging for this artifact?
> Earlier WSS 1.6.x version, has bundle jar available.






[jira] [Commented] (WSS-690) No bundle jar available for Apache WSS4J » 2.4.0

2021-11-18 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-690?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17445760#comment-17445760
 ] 

Colm O hEigeartaigh commented on WSS-690:
-

We don't ship a binary distribution any more, as projects consume WSS4J via 
Maven/Git instead.

> No bundle jar available for Apache WSS4J » 2.4.0
> 
>
> Key: WSS-690
> URL: https://issues.apache.org/jira/browse/WSS-690
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Axis Integration, WSS4J Core
>Reporter: Rajesh
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In maven repository, I could not able to find out any bundle jar for 
> h2. [Apache WSS4J|https://mvnrepository.com/artifact/org.apache.wss4j/wss4j] 
> » [2.4.0|https://mvnrepository.com/artifact/org.apache.wss4j/wss4j/2.4.0]
> do we have any mechanism to build the bundle jar or apache has different 
> repository where staging for this artifact?
> Earlier WSS 1.6.x version, has bundle jar available.






Re: [VOTE] - Release Apache WSS4J 2.4.0

2021-11-14 Thread Colm O hEigeartaigh
For RequiredPartsBuilder, the String in question is returned from
getAttributeNS which returns an empty String if there is no Attribute
Namespace. That being said I did find one place in the code where a
null check makes sense.

Colm.

On Sun, Nov 14, 2021 at 4:19 AM Rob Leland  wrote:
>
> This is actually a set of changes from last year, Oct 8 2020, I didn't 
> realize I had read that far back through the commits trying to determine 2.4.0 
> changes:
> commit 7923539117127296a65392f4c83ebd885386b7e4
>
> The RequiredPartsBuilder change in particular does not seem to check for 
> null, so I would need to look at the change in a larger context to determine 
> if an issue was introduced.
>
> On Fri, Nov 12, 2021 at 4:40 AM Colm O hEigeartaigh  
> wrote:
>>
>> What change are you referring to, can you point me to a line of code?
>> Colm.
>>
>> On Tue, Nov 9, 2021 at 9:50 PM Rob Leland  wrote:
>> >
>> > Was the change from "".equals(var) to var.length evaluated for NPE errors? 
>> > The previous method NPE were avoided.
>> >
>> > On Tue, Nov 9, 2021, 09:33 Colm O hEigeartaigh  wrote:
>> >>
>> >> Thanks everyone, the vote passes with 6 +1 votes, at least 3 of them 
>> >> binding.
>> >>
>> >> Colm.
>> >>
>> >> On Mon, Nov 8, 2021 at 11:26 PM Sagara Gunathunga
>> >>  wrote:
>> >> >
>> >> > +1
>> >> >
>> >> > Thanks!
>> >> >
>> >> > On Tuesday, November 2, 2021, Colm O hEigeartaigh  
>> >> > wrote:
>> >> >>
>> >> >> This is a vote to release Apache WSS4J 2.4.0. Even though this is a
>> >> >> new major release, the changes are somewhat minimal - the main purpose
>> >> >> of the release is to pick up a new major version of Apache Santuario
>> >> >> (2.3.0).
>> >> >>
>> >> >> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.0
>> >> >> Artifacts: 
>> >> >> https://repository.apache.org/content/repositories/orgapachews-1087/
>> >> >>
>> >> >> +1 from me.
>> >> >>
>> >> >> Colm.
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > Sent from Gmail Mobile
>> >>
>> >>




Re: [VOTE] - Release Apache WSS4J 2.4.0

2021-11-12 Thread Colm O hEigeartaigh
What change are you referring to, can you point me to a line of code?
Colm.

On Tue, Nov 9, 2021 at 9:50 PM Rob Leland  wrote:
>
> Was the change from "".equals(var) to var.length evaluated for NPE errors? 
> The previous method NPE were avoided.
>
> On Tue, Nov 9, 2021, 09:33 Colm O hEigeartaigh  wrote:
>>
>> Thanks everyone, the vote passes with 6 +1 votes, at least 3 of them binding.
>>
>> Colm.
>>
>> On Mon, Nov 8, 2021 at 11:26 PM Sagara Gunathunga
>>  wrote:
>> >
>> > +1
>> >
>> > Thanks!
>> >
>> > On Tuesday, November 2, 2021, Colm O hEigeartaigh  
>> > wrote:
>> >>
>> >> This is a vote to release Apache WSS4J 2.4.0. Even though this is a
>> >> new major release, the changes are somewhat minimal - the main purpose
>> >> of the release is to pick up a new major version of Apache Santuario
>> >> (2.3.0).
>> >>
>> >> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.0
>> >> Artifacts: 
>> >> https://repository.apache.org/content/repositories/orgapachews-1087/
>> >>
>> >> +1 from me.
>> >>
>> >> Colm.
>> >>
>> >>
>> >
>> >
>> > --
>> > Sent from Gmail Mobile
>>
>>




Re: [VOTE] - Release Apache WSS4J 2.4.0

2021-11-09 Thread Colm O hEigeartaigh
Thanks everyone, the vote passes with 6 +1 votes, at least 3 of them binding.

Colm.

On Mon, Nov 8, 2021 at 11:26 PM Sagara Gunathunga
 wrote:
>
> +1
>
> Thanks!
>
> On Tuesday, November 2, 2021, Colm O hEigeartaigh  wrote:
>>
>> This is a vote to release Apache WSS4J 2.4.0. Even though this is a
>> new major release, the changes are somewhat minimal - the main purpose
>> of the release is to pick up a new major version of Apache Santuario
>> (2.3.0).
>>
>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.0
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1087/
>>
>> +1 from me.
>>
>> Colm.
>>
>>
>
>
> --
> Sent from Gmail Mobile




[VOTE] - Release Apache WSS4J 2.4.0

2021-11-01 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 2.4.0. Even though this is a
new major release, the changes are somewhat minimal - the main purpose
of the release is to pick up a new major version of Apache Santuario
(2.3.0).

Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.4.0
Artifacts: https://repository.apache.org/content/repositories/orgapachews-1087/

+1 from me.

Colm.




[jira] [Commented] (WSS-643) NullPointerException in getCacheManager

2021-10-26 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17434353#comment-17434353
 ] 

Colm O hEigeartaigh commented on WSS-643:
-

The NPE only happens when there is a problem with setting up the CacheManager, 
it's not the cause of the problem. Maybe you are using an old EhCache version 
like https://issues.apache.org/jira/browse/CXF-7958 ?

> NullPointerException in getCacheManager
> ---
>
> Key: WSS-643
> URL: https://issues.apache.org/jira/browse/WSS-643
> Project: WSS4J
>  Issue Type: Bug
>Affects Versions: 2.2.2
>Reporter: Mahdi Karami
>    Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.3.0
>
>
> Hi
> when I run my code with wss4j in my pc its worked good but when I deploy on 
> server its return Nullpointerexception from linenumber 106 in 
> EHCacheManagerHolder.java file. it seems it have problem to create cache! 
> where is problem!






Dependabot

2021-09-20 Thread Colm O hEigeartaigh
Hi,

I am disabling dependabot for Axiom + WSS4J, as it was brought to my
attention recently that it's against ASF policy to allow a tool
write-access to code repositories:

https://lists.apache.org/thread.html/r5b376dd196b84a54e0e08ffa371233a2fa9c65c4ce25c97bd27c666a%40%3Cbuilds.apache.org%3E

Colm.




Re: [VOTE] - Release Apache WSS4J 2.2.7

2021-09-20 Thread Colm O hEigeartaigh
With 5 +1 votes, including at least 3 binding +1 votes, this vote
passes - I'll do the release.

Colm.

On Fri, Sep 17, 2021 at 8:17 PM Alessio Soldano  wrote:
>
> +1
> Thanks
>
> On Tuesday, September 14, 2021, Colm O hEigeartaigh  
> wrote:
> > This is a vote to release Apache WSS4J 2.2.7. It contains a few
> > trivial code changes as well as updates to fix CVE issues in a few
> > dependencies. This is the last anticipated release of WSS4J 2.2.x.
> >
> > Artifacts: 
> > https://repository.apache.org/content/repositories/orgapachews-1082/
> > Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.2.7
> >
> > +1 from me.
> >
> > Colm.
> >
> >
> >




Re: [VOTE] - Release Apache WSS4J 2.3.3

2021-09-20 Thread Colm O hEigeartaigh
With 5 +1 votes, including at least 3 binding +1 votes, this vote
passes - I'll do the release.

Colm.

On Fri, Sep 17, 2021 at 8:17 PM Alessio Soldano  wrote:
>
> +1
> Thanks
>
> On Tuesday, September 14, 2021, Colm O hEigeartaigh  
> wrote:
> > This is a vote to release Apache WSS4J 2.3.3. It contains a few
> > trivial code changes as well as updates to fix CVE issues in a few
> > dependencies.
> >
> > Artifacts: 
> > https://repository.apache.org/content/repositories/orgapachews-1081/
> > Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.3
> >
> > +1 from me.
> >
> > Colm.
> >
> >
> >




Re: [VOTE] Apache XMLSchema-2.3.0

2021-09-16 Thread Colm O hEigeartaigh
+1.

Colm.

On Wed, Sep 15, 2021 at 12:32 PM Freeman Fang  wrote:
>
> +1
>
> Thanks!
> Freeman
>
> On Tue, Sep 14, 2021 at 2:49 PM Daniel Kulp  wrote:
>>
>> The primary change in this release is adding support for Java 17 and
>> dropping support for Java 7.   It also contains a few bug fixes:
>>
>> [XMLSCHEMA-57] Fix namespace prefixes not being defined for unions
>> [XMLSCHEMA-59] Make setVersion public
>>
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1086/
>> Tag: 
>> https://gitbox.apache.org/repos/asf?p=ws-xmlschema.git;a=tag;h=d2e3aee8bab2ebbf99fe05394d74e4f4de5d43eb
>>
>>
>> Here is my +1
>>
>>
>> --
>> Daniel Kulp
>> dk...@apache.org - http://dankulp.com/blog
>> Talend - http://talend.com
>>




Re: [VOTE] Release Apache Neethi 3.2.0

2021-09-16 Thread Colm O hEigeartaigh
+1.

Colm.

On Wed, Sep 15, 2021 at 12:31 PM Freeman Fang  wrote:
>
> +1
>
> Thanks
> Freeman
>
> On Tue, Sep 14, 2021 at 2:47 PM Daniel Kulp  wrote:
>>
>> This is a vote to release Neethi 3.2.0.  Updates include:
>>
>>
>> 1) Support Java 7 has been dropped, but support for Java 17 has been
>> added.  3.1.0 now required Java8 or newer.
>>
>> 2) Source control for Neethi has also moved from Subversion to GIT:
>> https://gitbox.apache.org/repos/asf/ws-neethi.git
>>
>> 3) XML parsing now enables the FEATURE_SECURE_PROCESSING flag
>>
>>
>> Artifacts:  
>> https://repository.apache.org/content/repositories/orgapachews-1085/
>> Tag: 
>> https://gitbox.apache.org/repos/asf?p=ws-neethi.git;a=tag;h=cac923a4a8116a6ef88cc22a6bed0ba7c55a91d1
>>
>>
>> Here is my +1.
>>
>> --
>> Daniel Kulp
>> dk...@apache.org - http://dankulp.com/blog
>> Talend - http://talend.com
>>




[jira] [Commented] (WSS-688) Signatures created with Merlin start being invalid after changing key-store a few times

2021-09-15 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17415406#comment-17415406
 ] 

Colm O hEigeartaigh commented on WSS-688:
-

The signature verification errors would appear in Apache Santuario - XML 
Security for Java. Is there any chance of a project to reproduce the error? 
Otherwise I think we are going to struggle with fixing this.

> Signatures created with Merlin start being invalid after changing key-store a 
> few times
> ---
>
> Key: WSS-688
> URL: https://issues.apache.org/jira/browse/WSS-688
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.3.2
> Environment: Java 11 (version 11.0.11.0.9)
> org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
> org.apache.cxf:cxf-rt-ws-security:3.4.4
> org.apache.cxf:cxf-rt-transports-http:3.4.4
> org.apache.cxf:cxf-rt-features-logging:3.4.4
> javax.xml.ws:jaxws-api:2.3.1
> javax.jws:javax.jws-api:1.1
> com.sun.xml.messaging.saaj:saaj-impl:1.5.3
>    Reporter: Tor Ranfelt
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In our system we can't use a static certificate because it's a service that 
> many users use, and they need to use their own certificate to communicate 
> with a third-party SOAP-service.
> I used to be able to change Merlin's keystore whenever a new certificate was 
> needed, but after upgrading from Apache CXF 3.3.7 to 3.4.4 (and other third 
> party libraries that CXF depends on) a problem arose:
> Signatures created by some certificates would be invalid. It was never the 
> certificate that was the problem, but which number of replacing key-store it 
> was put into.
> So for instance number 1 and 2 would be fine, but 3 would fail, and 4 would 
> be fine. - After which any new key-store with either certificate 1, 2 and 4 
> would keep working, but 3 would fail every time. Probably due to some cache.
> I have circumvented the problem by creating a new Merlin instance every time, 
> instead of just a new key-store instance. This works because the problem 
> never manifest with the first key-store.






[VOTE] - Release Apache WSS4J 2.2.7

2021-09-14 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 2.2.7. It contains a few
trivial code changes as well as updates to fix CVE issues in a few
dependencies. This is the last anticipated release of WSS4J 2.2.x.

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1082/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.2.7

+1 from me.

Colm.




[VOTE] - Release Apache WSS4J 2.3.3

2021-09-14 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 2.3.3. It contains a few
trivial code changes as well as updates to fix CVE issues in a few
dependencies.

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1081/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.3

+1 from me.

Colm.




[jira] [Commented] (WSS-688) Signatures created with Merlin start being invalid after changing key-store a few times

2021-09-02 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17408865#comment-17408865
 ] 

Colm O hEigeartaigh commented on WSS-688:
-

If you turn on debug logging you should see exactly where the error is.

> Signatures created with Merlin start being invalid after changing key-store a 
> few times
> ---
>
> Key: WSS-688
> URL: https://issues.apache.org/jira/browse/WSS-688
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.3.2
> Environment: Java 11 (version 11.0.11.0.9)
> org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
> org.apache.cxf:cxf-rt-ws-security:3.4.4
> org.apache.cxf:cxf-rt-transports-http:3.4.4
> org.apache.cxf:cxf-rt-features-logging:3.4.4
> javax.xml.ws:jaxws-api:2.3.1
> javax.jws:javax.jws-api:1.1
> com.sun.xml.messaging.saaj:saaj-impl:1.5.3
>    Reporter: Tor Ranfelt
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In our system we can't use a static certificate because it's a service that 
> many users use, and they need to use their own certificate to communicate 
> with a third-party SOAP-service.
> I used to be able to change Merlin's keystore whenever a new certificate was 
> needed, but after upgrading from Apache CXF 3.3.7 to 3.4.4 (and other third 
> party libraries that CXF depends on) a problem arose:
> Signatures created by some certificates would be invalid. It was never the 
> certificate that was the problem, but which number of replacing key-store it 
> was put into.
> So for instance number 1 and 2 would be fine, but 3 would fail, and 4 would 
> be fine. - After which any new key-store with either certificate 1, 2 and 4 
> would keep working, but 3 would fail every time. Probably due to some cache.
> I have circumvented the problem by creating a new Merlin instance every time, 
> instead of just a new key-store instance. This works because the problem 
> never manifest with the first key-store.






[jira] [Commented] (WSS-688) Signatures created with Merlin start being invalid after changing key-store a few times

2021-08-31 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17407094#comment-17407094
 ] 

Colm O hEigeartaigh commented on WSS-688:
-

What stack trace do you see in the logs when it starts failing?

> Signatures created with Merlin start being invalid after changing key-store a 
> few times
> ---
>
> Key: WSS-688
> URL: https://issues.apache.org/jira/browse/WSS-688
> Project: WSS4J
>  Issue Type: Bug
>  Components: WSS4J Core
>Affects Versions: 2.3.2
> Environment: Java 11 (version 11.0.11.0.9)
> org.apache.cxf:cxf-rt-frontend-jaxws:3.4.4
> org.apache.cxf:cxf-rt-ws-security:3.4.4
> org.apache.cxf:cxf-rt-transports-http:3.4.4
> org.apache.cxf:cxf-rt-features-logging:3.4.4
> javax.xml.ws:jaxws-api:2.3.1
> javax.jws:javax.jws-api:1.1
> com.sun.xml.messaging.saaj:saaj-impl:1.5.3
>    Reporter: Tor Ranfelt
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> In our system we can't use a static certificate because it's a service that 
> many users use, and they need to use their own certificate to communicate 
> with a third-party SOAP-service.
> I used to be able to change Merlin's keystore whenever a new certificate was 
> needed, but after upgrading from Apache CXF 3.3.7 to 3.4.4 (and other third 
> party libraries that CXF depends on) a problem arose:
> Signatures created by some certificates would be invalid. It was never the 
> certificate that was the problem, but which number of replacing key-store it 
> was put into.
> So for instance number 1 and 2 would be fine, but 3 would fail, and 4 would 
> be fine. - After which any new key-store with either certificate 1, 2 and 4 
> would keep working, but 3 would fail every time. Probably due to some cache.
> I have circumvented the problem by creating a new Merlin instance every time, 
> instead of just a new key-store instance. This works because the problem 
> never manifest with the first key-store.






[jira] [Commented] (WSS-687) Upgrade OpenSAML to v4.1.x

2021-08-10 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17396679#comment-17396679
 ] 

Colm O hEigeartaigh commented on WSS-687:
-

WSS4J master (2.5.0-SNAPSHOT) has moved to Java 11 already, so that part at 
least isn't a blocker.

> Upgrade OpenSAML to v4.1.x
> --
>
> Key: WSS-687
> URL: https://issues.apache.org/jira/browse/WSS-687
> Project: WSS4J
>  Issue Type: Task
>  Components: WSS4J Core
>Affects Versions: 2.5.0
>Reporter: Misagh Moayyed
>Assignee: Colm O hEigeartaigh
>Priority: Major
>
> wss4j 2.5.0.SNAPSHOT currently uses OpenSAML v4.0.x. Current release of 
> OpenSAML is 4.1.1 and wss4j should upgrade to this version. No breaking 
> changes are expected.
> I can assist with a patch or pull request.






Re: DOMX509IssuerSerial WCF compatability

2021-07-19 Thread Colm O hEigeartaigh
Hi Rob,

Any contributions are welcome! I would prefer not to introduce a
dependency on powermock, it shouldn't be too much extra work to verify
the changes in a test.

Colm.

On Wed, Jul 14, 2021 at 11:07 PM Rob Leland  wrote:
>
> For instance,
>
> Would the developers be open to adding a dependency for the PowerMock 
> reflection library so private methods could be tested, that way JUnits tests 
> could be smaller and easier to understand.
>
> On Wed, Jul 14, 2021, 17:23 Rob Leland  wrote:
>>
>> I am in the early stages of making changes based on 2.3.3 to make this class 
>> optionally emit the DN name in a way that WCF likes.
>>
>> Specifically it will:
>> 1) place spaces before each RDN.
>> 2) Instead of escaping embedded  commas and semicolons with a back slash to 
>> use quotes around the RDN text.
>>
>> so
>> OU=(c) 2021 Entrust\, Inc.
>>
>> becomes
>> OU="(c) 2021 Entrust, Inc."
>>
>> The first pass is using the underlying needed oracle code which is almost 
>> done , and the next pass would be a clean implementation.
>>
>> There are a few basic tests to cover my use case.
>>
>> The default behaviour would be unchanged.
>>
>> My question is this, beyond the contrib agreement, I was formally 
>> rlel...@apache.org
>> what other hurdles  other than PR review would there be to eventually 
>> integrating this change to the baseline ?
>>
>> Thanks for your time and wss4j!




Re: [VOTE] Release Apache Axiom 1.3.0

2021-07-06 Thread Colm O hEigeartaigh
+1.

Colm.

On Thu, Jul 1, 2021 at 10:29 PM robertlazarski  wrote:
>
> This is a vote to release Apache Axiom 1.3.0
>
> Git tag: https://github.com/apache/ws-axiom/releases/tag/1.3.0
>
> Distributions: https://dist.apache.org/repos/dist/dev/ws/axiom/
>
> Maven artifacts: 
> https://repository.apache.org/content/repositories/orgapachews-1080
>
> Site: http://ws.apache.org/axiom-staging/
>
> +1 from me.
>
> Robert




[jira] [Resolved] (WSS-686) org.apache.ws.security.util.XmlSchemaDateFormat no longer in 2.3.x

2021-06-09 Thread Colm O hEigeartaigh (Jira)


 [ 
https://issues.apache.org/jira/browse/WSS-686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-686.
-
Resolution: Won't Fix

> org.apache.ws.security.util.XmlSchemaDateFormat no longer in 2.3.x
> --
>
> Key: WSS-686
> URL: https://issues.apache.org/jira/browse/WSS-686
> Project: WSS4J
>  Issue Type: Bug
>Affects Versions: 2.3.1, 2.3.2
>Reporter: Troy Harris
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> The class org.apache.ws.security.util.XmlSchemaDateFormat was previously in 
> versions of WSS4J, at least including version 2.0.0.  The class no longer 
> exists in the latest versions and there is no mention of its removal in the 
> release notes.






[jira] [Commented] (WSS-686) org.apache.ws.security.util.XmlSchemaDateFormat no longer in 2.3.x

2021-06-09 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/WSS-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17359817#comment-17359817
 ] 

Colm O hEigeartaigh commented on WSS-686:
-

It was removed as part of https://issues.apache.org/jira/browse/WSS-599

 

> org.apache.ws.security.util.XmlSchemaDateFormat no longer in 2.3.x
> --
>
> Key: WSS-686
> URL: https://issues.apache.org/jira/browse/WSS-686
> Project: WSS4J
>  Issue Type: Bug
>Affects Versions: 2.3.1, 2.3.2
>Reporter: Troy Harris
>    Assignee: Colm O hEigeartaigh
>Priority: Major
>
> The class org.apache.ws.security.util.XmlSchemaDateFormat was previously in 
> versions of WSS4J, at least including version 2.0.0.  The class no longer 
> exists in the latest versions and there is no mention of its removal in the 
> release notes.






Re: Axis2 needs an Axiom release

2021-06-02 Thread Colm O hEigeartaigh
Hi Robert,

I am active on some of the Apache WS projects (e.g. WSS4J), but I'm
not involved with Axiom. Andreas (https://github.com/veithen) is the
only active participant in Axiom in the project.

Does the current 1.2.x branch
(https://github.com/apache/ws-axiom/commits/1.2.x) have everything you
need from an Axis point of view, or is it missing fixes you need?

Colm.

On Wed, Jun 2, 2021 at 4:33 PM robertlazarski  wrote:
>
> Bump again.
>
> To reiterate, Axis2 needs an Axiom release and I am willing to become a 
> committer to push that forward. See AXIOM-506 for the help I may be able to 
> offer the project.
>
> I will be submitting the Axis board report to bo...@apache.org this upcoming 
> Monday, June 7th. It'd be great if I had some type of response to mention, 
> and not "no one responded on dev@ws.apache.org after 3 emails starting on May 
> 14th".
>
> Regards,
> Robert
>
> On Tue, May 25, 2021 at 3:38 AM robertlazarski  
> wrote:
>>
>> Bump.
>>
>> The situation here is that Axis2 is getting a lot of community requests for 
>> a release due to security scanners showing outdated jars - rightly or 
>> wrongly. We are getting several Jira issues related to security opened per 
>> month.
>>
>> I'd be willing to become a committer to help push an Axiom release forward.
>>
>> Furthermore, Axis needs to file a quarterly report to the Apache board next 
>> week. Project chairs are required to subscribe to the board list, and my 
>> take is that a large portion of what the board does is roll calls on low 
>> activity projects. Moving projects to the attic happens every month.
>>
>> I mention that because I don't want to have to put things in the Axis board 
>> report such as "we are awaiting an Axiom release but got no response on 
>> their dev list".
>>
>> Regards,
>> Robert
>>
>> On Fri, May 14, 2021 at 10:44 AM robertlazarski wrote:
>>>
>>> Hello Web Services project,
>>>
>>> I am the current chair of Axis, and the Axis2 Java project is preparing for 
>>> an upcoming release of 1.8.
>>>
>>> Axis2 requires snapshot builds of these Web Services projects below. 
>>> Ideally, Axis2 wouldn't release with snapshots since the source of the 
>>> release would compile with changing dependencies.
>>>
>>> neethi: 3.1.2-SNAPSHOT
>>> woden.version: 1.0M11-SNAPSHOT
>>> axiom.version: 1.3.0-SNAPSHOT
>>>
>>> Axis2 builds ok with neethi 3.1.1 and woden.version 1.0M10; so really we 
>>> just need an Axiom release.
>>>
>>> BTW, I am trying to upgrade Axis2 to the current Glassfish release, 3.0.1. 
>>> Concerning Axiom, the problem is that one of our Axis2 classes extends the 
>>> Axiom DataHandlerWrapper class.
>>>
>>> I got stuck on the xjc tests, so I created AXIOM-506 that lists the steps I 
>>> took.
>>>
>>> Thanks,
>>> Robert




[jira] [Closed] (WSS-685) Signature before timestamp results in signing after encryption

2021-05-25 Thread Colm O hEigeartaigh (Jira)


 [ https://issues.apache.org/jira/browse/WSS-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-685.
---

> Signature before timestamp results in signing after encryption
> --
>
> Key: WSS-685
> URL: https://issues.apache.org/jira/browse/WSS-685
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 2.2.4
> Reporter: Michael Nørskov
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: 2.3.2
>
>
> Having the following actions for securement "Signature Timestamp Encryption" 
> will result in signing after encryption when Timestamp is specified in 
> signature parts.
>
> Due to the implementation in WSHandler.java where signingActions is removed 
> from actionsToPerform and re-added when timestamp needs to be signed, signing 
> will be performed after encryption.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)




Re: [VOTE] - Release Apache WSS4J 2.3.2

2021-05-25 Thread Colm O hEigeartaigh
With 3 binding +1 votes, and no other votes, this vote passes - I'll
do the release.

Colm.

On Mon, May 24, 2021 at 10:05 AM Alessio Soldano wrote:
>
> +1
>
> Thanks!
>
> On Tue, May 18, 2021 at 10:41 AM Colm O hEigeartaigh wrote:
>>
>> This is a vote to release Apache WSS4J 2.3.2. It only fixes a single
>> bug 
>> (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12349519),
>> but it contains OpenSAML and Apache Santuario upgrades, as well as a
>> security fix for Guava, and an update for Joda-Time.
>>
>> Artifacts: 
>> https://repository.apache.org/content/repositories/orgapachews-1077/
>> Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.2
>>
>> +1 from me.
>>
>> Colm.




[VOTE] - Release Apache WSS4J 2.3.2

2021-05-18 Thread Colm O hEigeartaigh
This is a vote to release Apache WSS4J 2.3.2. It only fixes a single
bug 
(https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310063=12349519),
but it contains OpenSAML and Apache Santuario upgrades, as well as a
security fix for Guava, and an update for Joda-Time.

Artifacts: https://repository.apache.org/content/repositories/orgapachews-1077/
Git tag: https://github.com/apache/ws-wss4j/releases/tag/wss4j-2.3.2

+1 from me.

Colm.




WSS4J 2.3.2 release next week

2021-05-14 Thread Colm O hEigeartaigh
Hi,

I plan to call a vote on WSS4J 2.3.2 early next week. Let me know ASAP
if there are any other changes required.

Colm.




[jira] [Resolved] (WSS-685) Signature before timestamp results in signing after encryption

2021-05-14 Thread Colm O hEigeartaigh (Jira)


 [ https://issues.apache.org/jira/browse/WSS-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-685.
-
Resolution: Fixed

> Signature before timestamp results in signing after encryption
> --
>
> Key: WSS-685
> URL: https://issues.apache.org/jira/browse/WSS-685
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 2.2.4
> Reporter: Michael Nørskov
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Fix For: 2.3.2
>
>
> Having the following actions for securement "Signature Timestamp Encryption" 
> will result in signing after encryption when Timestamp is specified in 
> signature parts.
>
> Due to the implementation in WSHandler.java where signingActions is removed 
> from actionsToPerform and re-added when timestamp needs to be signed, signing 
> will be performed after encryption.


--
This message was sent by Atlassian Jira
(v8.3.4#803005)
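
The reordering described in the WSS-685 report, as a simplified model added here (it is not WSS4J code and not the committed fix). The class and method names are hypothetical, and `orderPreserving` is one assumed way to keep signing ahead of encryption while still signing the Timestamp.

```java
import java.util.ArrayList;
import java.util.List;

public class ActionOrderModel {

    // Reported behaviour: the signing action is taken out of actionsToPerform
    // and appended again when the Timestamp has to be signed.
    static List<String> reportedOrdering(List<String> configured, boolean signTimestamp) {
        List<String> actionsToPerform = new ArrayList<>(configured);
        if (signTimestamp && actionsToPerform.contains("Timestamp")
                && actionsToPerform.remove("Signature")) {
            actionsToPerform.add("Signature"); // now runs after Encryption
        }
        return actionsToPerform;
    }

    // Assumed alternative: move Signature to directly after Timestamp, so the
    // Timestamp exists when it is signed and signing still precedes Encryption.
    static List<String> orderPreserving(List<String> configured, boolean signTimestamp) {
        List<String> actions = new ArrayList<>(configured);
        int sig = actions.indexOf("Signature");
        int ts = actions.indexOf("Timestamp");
        if (signTimestamp && sig >= 0 && ts > sig) {
            actions.remove(sig);          // Timestamp shifts down to ts - 1
            actions.add(ts, "Signature"); // lands right after Timestamp
        }
        return actions;
    }

    // Check usable in a unit test: true unless Encryption runs before Signature.
    static boolean signsBeforeEncrypting(List<String> actions) {
        int sig = actions.indexOf("Signature");
        int enc = actions.indexOf("Encryption");
        return sig < 0 || enc < 0 || sig < enc;
    }

    public static void main(String[] args) {
        // Constructed input matching the action string quoted in the report.
        List<String> configured = List.of("Signature", "Timestamp", "Encryption");
        for (List<String> order : List.of(reportedOrdering(configured, true),
                                          orderPreserving(configured, true))) {
            System.out.println(order + " signs before encrypting: " + signsBeforeEncrypting(order));
        }
    }
}
```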



