You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/05/11 21:15:00 UTC
[jira] [Commented] (WSS-697) OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
[ https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535116#comment-17535116 ]
Colm O hEigeartaigh commented on WSS-697:
-----------------------------------------
What change do you suggest to be made to how the manually configured pool is created in WSS4J?
> OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
> ------------------------------------------------------------------------------
>
> Key: WSS-697
> URL: https://issues.apache.org/jira/browse/WSS-697
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.7, 2.3.3, 2.4.1
> Reporter: Alex Wolfe
> Assignee: Colm O hEigeartaigh
> Priority: Minor
>
> When using WSS4J alongside other dependencies which also rely on OpenSAML, the OpenSAMLUtil.initSamlEngine() can override the existing configuration of OpenSAML, potentially causing issues with how the parser pool is configured.
> In my use case:
> * OpenSAML is initialized first with the org.opensaml.core.config.InitializationService introduced in OpenSAML 3
> * XMLSec is used for decryption, so org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a decryption-specific feature to the parser pool at this time.
> * Later, an interceptor in cxf-rt-ws-security called into OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and parser pool.
> In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it to be replaced with the manually configured pool from OpenSAMLUtil without the needed feature.
> I have been able to work around this by explicitly calling OpenSAML’s InitializationService after WSS4J’s OpenSAMLUtil.
> Relevant dependencies and versions in my project include:
> * Java 8
> * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
> * org.apache.cxf:cxf-rt-ws-security:3.3.11
> * org.apache.santuario:xmlsec:2.1.7
> * net.shibboleth.utilities:java-support:7.5.2
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org