Glen, It's a "bug" in the release notes for 2.1.5. Bouncycastle 1.40 has the patented algorithm removed so we are allowed to ship it. Thus, when we upgraded, we SHOULD have removed this from the release notes. I probably did it on 2.2 as part of all the security work I was doing. It should also be removed from the 2.1.5 release notes. Feel free to do it. :-)
On Fri May 29 2009 7:08:42 pm Glen Mazza wrote: > Hello, the release notes for CXF 2.1.5[1] state a need to externally > download BouncyCastle 1.4 for WSS, but no mention of BouncyCastle is given > in the Release Notes in CXF 2.2.1[2]. I've also noticed that BouncyCastle > 1.5 is already available in both the CXF 2.1.5 and the CXF 2.2.1 downloads > (lib folder). > > [The 2.1.5 Notes say: "To use the WS-Security features of CXF, you need to > obtain a JCE crypto provider > that implements the algorithms that you plan to use. One option is to > download > the Bouncy Castle jar from: > http://bouncycastle.org/download/bcprov-jdk14-136.jar > and add that to the lib directory or classpath."] > > I'm not sure what (if anything) to read into the fact that the above text > is not there for CXF 2.2. Was it omitted to say that no external JCE > provider is needed anymore with WS-Security (perhaps the Sun defaults are > now sufficient), or was it omitted simply because it should have been > omitted earlier, i.e., no special download is needed because it's already > in CXF's lib folder? No special download is needed anymore as we include bouncycastle. Dan > > Thanks, > Glen > > [1] http://cxf.apache.org/apache-cxf-215-release-notes.html > [2] http://cxf.apache.org/apache-cxf-221-release-notes.html -- Daniel Kulp [email protected] http://www.dankulp.com/blog
