cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <>
Subject Re: On OpenSAML dependency
Date Fri, 13 Apr 2012 12:10:54 GMT
Hi Alessio,

OpenSAML is also required for adding or validating SAML Assertions in
the security runtime, and so I would say it is a required dependency.
For example, the AbstractBindingBuilder has a direct dependency on an
Opensaml import.

Previously (prior to CXF 2.5 iirc) it was an optional dependency. I
don't see any reason why it should be optional given that it's a core
component of both WSS4J and any SAML functionality in CXF.


On Fri, Apr 13, 2012 at 12:57 PM, Alessio Soldano <> wrote:
> Hi,
> I've just been running some tests with Apache CXF 2.5.3 tag and noticed
> that I have some failures in the JBossWS integration due to missing
> opensaml classes at runtime.
> AFAICS, the org.opensaml:opensaml dependency is pulled in through WSS4J
> 1.6.5 and I initially assumed it would have been required for WS-Trust /
> STS functionalities only. To be honest, I've been using almost all the
> WS-Security functionalities (except anything related to WS-Trust) of
> 2.5.2 and 2.5.x branch of a couple of weeks ago without that dependency
> available at runtime.
> However, the fix for CXF-4212 now causes the WSS4JInInterceptor to have
> a direct dependency to OpenSAML. When the Spring Bus is being used, any
> attempt to load a bus whose definition includes the WSS4JInInterceptor
> is going to early fail is OpenSaml is not available (as Spring inspects
> beans' classes when the bus is built up).
> Do we really want this behaviour? Are we trying to somehow define
> boundaries for this dependency (for instance considering its size,
> including transitive required sub-dependencies) or this is not perceived
> as an issue at all?
> Cheers
> Alessio
> --
> Alessio Soldano
> Web Service Lead, JBoss

Colm O hEigeartaigh

Talend Community Coder

View raw message