DefaultSecurityTokenServiceProvider need to use the cxf-rt-ws-security module.
If we remove the import package, it will cause some trouble for us to load the
DefaultSecurityTokenServiceProvider.
On Friday, October 19, 2012 at 8:24 PM, Colm O hEigeartaigh wrote:
> > I'm also wondering why it
Hi Dan,
I'm sorry, I just saw the mail.
For the wsn service stuff, as it is not tied with CXF version which we ship, so
it should be fine.
I will revert the sts-service part, as it could introduce some security related
issue.
--
Willem Jiang
Red Hat, Inc.
FuseSource is now part of Red Hat
We
> I'm also wondering why its importing org.apache.cxf.sts.provider which
it's also exporting.Isn't that something it shouldn't be
> doing? Colm, know why?
No idea. At a guess it was put there to add the STS provider framework
(should be "org.apache.cxf.ws.security.sts.provider") in the
cxf-rt
I'm -1 to this change (and to the similar change done to the wsn stuff). I
KNOW the latest sts stuff doesn't work with 2.6.0 due to the security
enhancements done in 2.6.1. As we move forward, I'm 95% confident that other
security related things will prevent it from working in the future.
