Posted to issues@cxf.apache.org by "Gernot Hueller (Jira)" <ji...@apache.org> on 2021/12/01 15:56:00 UTC

[jira] [Updated] (CXF-8621) cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1

     [ https://issues.apache.org/jira/browse/CXF-8621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gernot Hueller updated CXF-8621:
--------------------------------
    Summary: cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1  (was: cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core 2 and breaks velocity-tools 3.1)

> cxf-rt-ws-security contains velocity:1.7 from 2010 which has overlapping classes with velocity-engine-core:2.3 and breaks velocity-tools 3.1
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8621
>                 URL: https://issues.apache.org/jira/browse/CXF-8621
>             Project: CXF
>          Issue Type: Task
>          Components: WS-* Components
>    Affects Versions: 3.4.5
>            Reporter: Gernot Hueller
>            Priority: Major
>
> please see this gradle dependency tree:
> \--- org.apache.cxf:cxf-rt-ws-security:3.4.5
>      +--- org.apache.cxf:cxf-rt-security-saml:3.4.5
>      |    \--- org.apache.wss4j:wss4j-ws-security-dom:2.3.3
>      |         +--- org.apache.wss4j:wss4j-ws-security-common:2.3.3
>      |         |    +--- org.opensaml:opensaml-saml-impl:3.4.6
>      |         |    |    +--- org.apache.velocity:velocity:1.7
> Velocity 1.7 and 2.3 sometimes have the same class names, with different contents.
> In the end, the presence of velocity:1.7 classes breaks stuff from velocity 2.3.
>  
> Details from my case: I have an application that uses cxf for SOAP and velocity for html rendering.
> In that application, I extend the VelocityViewServlet from velocity-tools, which on initialization looks at all field declarations of interface org.apache.velocity.runtime.RuntimeConstants. This interface class exists in both versions of velocity, but with different contents, which makes my application unusable (Exception on startup).
>  
> It would be great if the dependency to velocity inside cxf could be removed.
> Especially when it is in the ws-security package and that uses a totally outdated (2010) velocity package with known vulnerabilities...
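The failure mode the reporter describes (two jars on the classpath both shipping org/apache/velocity/runtime/RuntimeConstants.class with different bytes) is detectable before the JVM picks one of them. The script below is an added example, not code from the CXF project or from the reporter: it scans a set of jars for .class entries that appear in more than one jar and separates harmless duplicates (identical bytes, same CRC) from real conflicts (same name, different bytes). The two jars it scans are constructed in a scratch directory to mimic the velocity:1.7 / velocity-engine-core:2.3 overlap; apart from RuntimeConstants, the class names inside them are hypothetical placeholders, not the real contents of either artifact.

```python
"""Detect overlapping .class entries across a set of jars.

Added example (not from the CXF project or the Jira reporter). The check is the
one a build engineer runs over the resolved classpath: list every .class entry
per jar, group by entry name, and flag names that resolve to different bytes in
different jars, which is exactly the RuntimeConstants situation in CXF-8621.
"""
import os
import tempfile
import zipfile
from collections import defaultdict


def class_entries(jar_path):
    """Map each .class entry in the jar to its CRC32 (a cheap content fingerprint)."""
    with zipfile.ZipFile(jar_path) as zf:
        return {info.filename: info.CRC
                for info in zf.infolist()
                if info.filename.endswith(".class") and not info.is_dir()}


def find_overlaps(jar_paths):
    """Return {class_name: {jar_path: crc}} for classes present in more than one jar."""
    seen = defaultdict(dict)
    for jar in jar_paths:
        for name, crc in class_entries(jar).items():
            seen[name][jar] = crc
    return {name: jars for name, jars in seen.items() if len(jars) > 1}


def split_overlaps(overlaps):
    """Separate identical duplicates (same CRC everywhere) from conflicts (CRCs differ)."""
    identical, conflicting = {}, {}
    for name, jars in overlaps.items():
        target = conflicting if len(set(jars.values())) > 1 else identical
        target[name] = jars
    return identical, conflicting


def build_sample_jars(directory):
    """Construct two toy jars that mimic the velocity 1.7 / 2.3 overlap (constructed data).

    RuntimeConstants is the class named in the report; the other entries and all
    payload bytes are hypothetical stand-ins, not the real jar contents.
    """
    runtime_constants = "org/apache/velocity/runtime/RuntimeConstants.class"
    shared_identical = "org/apache/velocity/util/StringUtils.class"   # hypothetical
    old_only = "org/apache/velocity/app/Velocity.class"               # hypothetical
    specs = {
        "velocity-1.7.jar": {
            runtime_constants: b"1.7 field set",
            shared_identical: b"same bytes in both",
            old_only: b"only in the old jar",
        },
        "velocity-engine-core-2.3.jar": {
            runtime_constants: b"2.3 field set",
            shared_identical: b"same bytes in both",
        },
    }
    paths = []
    for jar_name, entries in specs.items():
        path = os.path.join(directory, jar_name)
        with zipfile.ZipFile(path, "w") as zf:
            for entry, payload in entries.items():
                zf.writestr(entry, payload)
        paths.append(path)
    return paths


def report(jar_paths):
    """Human-readable lines: conflicts first (the dangerous kind), then identical duplicates."""
    identical, conflicting = split_overlaps(find_overlaps(jar_paths))
    lines = []
    for name, jars in sorted(conflicting.items()):
        lines.append(f"CONFLICT {name}")
        for jar, crc in jars.items():
            lines.append(f"    {os.path.basename(jar)}  crc={crc:08x}")
    for name in sorted(identical):
        lines.append(f"duplicate-identical {name}")
    return lines


def demo():
    """Build the constructed jars in a scratch dir; return (identical, conflicting) names."""
    with tempfile.TemporaryDirectory() as tmp:
        identical, conflicting = split_overlaps(find_overlaps(build_sample_jars(tmp)))
        return sorted(identical), sorted(conflicting)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(report(build_sample_jars(tmp))))
```

Run against the jars a real build resolves (for Gradle, the artifacts of the runtime classpath configuration), the CONFLICT lines are the ones worth acting on: a class that exists only once, or exists twice with identical bytes, cannot produce the startup exception described above, whereas a same-name, different-bytes entry such as RuntimeConstants will be resolved to whichever jar the class loader happens to see first. Until the transitive dependency is dropped upstream as the reporter asks, the consumer-side mitigation is a dependency exclusion of the old velocity artifact on the cxf-rt-ws-security dependency, after which re-running the scan should show no CONFLICT lines.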



--
This message was sent by Atlassian Jira
(v8.20.1#820001)