Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/05/11 21:15:00 UTC

[jira] [Commented] (WSS-697) OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService

    [ https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535116#comment-17535116 ] 

Colm O hEigeartaigh commented on WSS-697:
-----------------------------------------

What change do you suggest to be made to how the manually configured pool is created in WSS4J?

> OpenSAMLUtil overrides OpenSAML configured by OpenSAML’s InitializationService
> ------------------------------------------------------------------------------
>
>                 Key: WSS-697
>                 URL: https://issues.apache.org/jira/browse/WSS-697
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.7, 2.3.3, 2.4.1
>            Reporter: Alex Wolfe
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>
> When using WSS4J alongside other dependencies which also rely on OpenSAML, the OpenSAMLUtil.initSamlEngine() can override the existing configuration of OpenSAML, potentially causing issues with how the parser pool is configured.
> In my use case:
>  * OpenSAML is initialized first with the org.opensaml.core.config.InitializationService introduced in OpenSAML 3
>  * XMLSec is used for decryption, so org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a decryption-specific feature to the parser pool at this time.
>  * Later, an interceptor in cxf-rt-ws-security called into OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and parser pool.
> In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it to be replaced with the manually configured pool from OpenSAMLUtil without the needed feature.
> I have been able to work around this by explicitly calling OpenSAML’s InitializationService after WSS4J’s OpenSAMLUtil.
> Relevant dependencies and versions in my project include:
>  * Java 8
>  * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
>  * org.apache.cxf:cxf-rt-ws-security:3.3.11
>  * org.apache.santuario:xmlsec:2.1.7
>  * net.shibboleth.utilities:java-support:7.5.2


