Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2021/12/02 10:13:00 UTC

[jira] [Commented] (CXF-8621) cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1

    [ https://issues.apache.org/jira/browse/CXF-8621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452286#comment-17452286 ] 

Colm O hEigeartaigh commented on CXF-8621:
------------------------------------------

The dependency to Velocity actually is removed in WSS4J:

[https://github.com/apache/ws-wss4j/blob/2e7bc5398b2f5522269977690d36474c4bd1d908/ws-security-common/pom.xml#L123]

If you do a dependency tree in CXF's rt-ws-security module you won't see Velocity. The problem is in how dependency exclusion works in Gradle. We have an open Jira for it in WSS4J - https://issues.apache.org/jira/browse/WSS-683

In your project you can just exclude Velocity manually.

> cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8621
>                 URL: https://issues.apache.org/jira/browse/CXF-8621
>             Project: CXF
>          Issue Type: Task
>          Components: WS-* Components
>    Affects Versions: 3.4.5
>            Reporter: Gernot Hueller
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> please see this gradle dependency tree:
> \--- org.apache.cxf:cxf-rt-ws-security:3.4.5
>      +--- org.apache.cxf:cxf-rt-security-saml:3.4.5
>      |    \--- org.apache.wss4j:wss4j-ws-security-dom:2.3.3
>      |         +--- org.apache.wss4j:wss4j-ws-security-common:2.3.3
>      |         |    +--- org.opensaml:opensaml-saml-impl:3.4.6
>      |         |    |    +--- org.apache.velocity:velocity:1.7
> Velocity 1.7 and 2.3 sometimes have the same class names, with different contents.
> In the end, the presence of velocity:1.7 classes breaks stuff from velocity 2.3.
>  
> details from my case: I have an application that uses cxf for SOAP and velocity for html rendering.
> In that application, I extend the VelocityViewServlet from velocity-tools, which on initialization looks at all field declarations of the interface org.apache.velocity.runtime.RuntimeConstants. This interface class exists in both versions of velocity, but with different contents, which makes my application unusable (exception on startup).
>  
> it would be great if the dependency to velocity inside cxf could be removed.
> Especially since it is in the ws-security package, which uses a totally outdated (2010) velocity package with known vulnerabilities...



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
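The manual exclusion Colm suggests, written out as an added Gradle example (this is not code from the CXF or WSS4J projects, nor from the reporter). The cxf-rt-ws-security and velocity coordinates are the ones shown in the issue's dependency tree; the velocity-engine-core and velocity-tools-view lines stand in for the reporter's HTML rendering stack and are assumed for illustration. The verification task is an addition that fails the build if the legacy artifact ever reappears through another path:

```groovy
// build.gradle (Groovy DSL). Added example, not part of the original issue.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // cxf-rt-ws-security:3.4.5 -> wss4j-ws-security-common:2.3.3 -> opensaml-saml-impl:3.4.6
    // -> org.apache.velocity:velocity:1.7 (from the issue's dependency tree).
    implementation('org.apache.cxf:cxf-rt-ws-security:3.4.5') {
        // Velocity 1.7 and 2.3 ship different versions of the same classes
        // (e.g. org.apache.velocity.runtime.RuntimeConstants), so keep 1.7 off the classpath.
        exclude group: 'org.apache.velocity', module: 'velocity'
    }

    // The Velocity 2.x stack the application actually wants (assumed coordinates).
    implementation 'org.apache.velocity:velocity-engine-core:2.3'
    implementation 'org.apache.velocity.tools:velocity-tools-view:3.1'
}

// Defence in depth: the per-dependency exclude above only covers the cxf-rt-ws-security
// path. Excluding on every configuration also catches a direct dependency on
// opensaml-saml-impl or any other artifact that would pull velocity:1.7 back in.
configurations.all {
    exclude group: 'org.apache.velocity', module: 'velocity'
}

// Fail the build if the legacy artifact is still resolved on the runtime classpath,
// so the exclusion cannot silently regress when dependencies are bumped.
tasks.register('verifyNoLegacyVelocity') {
    doLast {
        def legacy = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.findAll {
            it.moduleVersion.id.group == 'org.apache.velocity' && it.moduleVersion.id.name == 'velocity'
        }
        if (!legacy.empty) {
            throw new GradleException("Legacy Velocity 1.x on the runtime classpath: ${legacy*.moduleVersion*.id}")
        }
        logger.lifecycle('OK: no org.apache.velocity:velocity on the runtime classpath')
    }
}

tasks.named('check') {
    dependsOn 'verifyNoLegacyVelocity'
}
```

To confirm the exclusion took effect, run `./gradlew dependencies --configuration runtimeClasspath` and check that `org.apache.velocity:velocity:1.7` no longer appears under `opensaml-saml-impl`; `./gradlew check` then runs the guard task on every build.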