
List:       jaxme-dev
Subject:    [jira] [Commented] (WSS-697) OpenSAMLUtil overrides OpenSAML configured by Op
From:       "Alex Wolfe (Jira)" <jira () apache ! org>
Date:       2022-05-24 20:04:00
Message-ID: JIRA.13443151.1651679166000.141487.1653422640023 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541686#comment-17541686 ]

Alex Wolfe commented on WSS-697:
--------------------------------

[~coheigea], I'm not an expert on either WSS4J or OpenSAML, but from what I
understand I think this may be resolved if WSS4J can use the OpenSAML
InitializationService to initialize itself. If there are WSS4J-specific items being
configured, I believe the "partitions" in the OpenSAML ConfigurationService could be
utilized to avoid overriding the "default" configuration partition containing the
DecryptionParserPool needed by the other dependency in my use case.

Here is the documentation describing the OpenSAML InitializationService and
ConfigurationService:
[https://shibboleth.atlassian.net/wiki/spaces/OSAML/pages/1828356994/Initialization+and+Configuration]


> OpenSAMLUtil overrides OpenSAML configured by OpenSAML's InitializationService
> ------------------------------------------------------------------------------
> 
> Key: WSS-697
> URL: https://issues.apache.org/jira/browse/WSS-697
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.7, 2.3.3, 2.4.1
> Reporter: Alex Wolfe
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> 
> When using WSS4J alongside other dependencies which also rely on OpenSAML, the
> OpenSAMLUtil.initSamlEngine() can override the existing configuration of OpenSAML,
> potentially causing issues with how the parser pool is configured. In my use case:
> * OpenSAML is initialized first with the
>   org.opensaml.core.config.InitializationService introduced in OpenSAML 3
> * XMLSec is used for decryption, so
>   org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a
>   decryption-specific feature to the parser pool at this time.
> * Later, an interceptor in cxf-rt-ws-security called into
>   OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and parser
>   pool. In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be
>   completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it to be
>   replaced with the manually configured pool from OpenSAMLUtil without the needed
>   feature.
> 
> I have been able to work around this by explicitly calling OpenSAML's
> InitializationService after WSS4J's OpenSAMLUtil. Relevant dependencies and
> versions in my project include:
> * Java 8
> * OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
> * org.apache.cxf:cxf-rt-ws-security:3.3.11
> * org.apache.santuario:xmlsec:2.1.7
> * net.shibboleth.utilities:java-support:7.5.2



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
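
The initialization order described in the quoted issue, as an added example that is not part of the original message or of WSS4J/OpenSAML: it applies the reporter's workaround (WSS4J first, then OpenSAML's InitializationService) and checks at startup that a DecryptionParserPool is registered. The class name SamlStartup and method initAndCheck are hypothetical; the dependency versions listed in the issue are assumed to be on the classpath.

```java
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.xmlsec.config.DecryptionParserPool;

import net.shibboleth.utilities.java.support.xml.ParserPool;

/** Hypothetical startup helper; class and method names are illustrative. */
public final class SamlStartup {

    private SamlStartup() { }

    /**
     * Runs the two initializers in the order the reporter's workaround uses,
     * then returns the parser pool registered for decrypted XML.
     */
    public static ParserPool initAndCheck() throws InitializationException {
        // 1. Trigger WSS4J's OpenSAML setup before OpenSAML's own, as in the workaround.
        OpenSAMLUtil.initSamlEngine();

        // 2. Run OpenSAML's registered initializers, which include
        //    DecryptionParserPoolInitializer when opensaml-xmlsec-api is present.
        InitializationService.initialize();

        // 3. Fail at startup, not at the first decryption, if the entry is missing.
        DecryptionParserPool holder = ConfigurationService.get(DecryptionParserPool.class);
        if (holder == null || holder.getParserPool() == null) {
            throw new IllegalStateException("OpenSAML DecryptionParserPool is not registered");
        }
        return holder.getParserPool();
    }

    public static void main(String[] args) throws InitializationException {
        ParserPool pool = initAndCheck();
        System.out.println("Decryption parser pool: " + pool.getClass().getName());
    }
}
```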
