cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-6237) CXF 3.0.3 rt-security has problems working with latest open saml version (2.6.1)
Date Tue, 03 Feb 2015 20:48:36 GMT


Sergey Beryozkin commented on CXF-6237:

The only thing you will achieve with this is to block yourself from upgrading to newer/better
CXF version whose only 'fault' is that it ships a newer version of XmlSec. It is not a CXF
issue, something you need to accept. CXF is likely uses a different OpenSaml execution path
or it may've been updated to be able to work with XMLSec 2.0.2. 

But I can see that this issue can present a challenge in some cases such as yours where CXF
is combined with other solutions where OpenSaml and/or XmlSec are also used.  

The right thing to do is to get the source of OpenSaml 2.6.1 (you have it), XmlSec (1.5, 2.0.2,
easy to get) and the relevant Spring code.

Next - debug the execution chain with XmlSec 1.5 first, starting from the top Spring filter
and check all the relevant details (the interaction between Spring, OpenSaml, XmlSec, and
note why exactly a list of credentials is not empty there). Next repeat the same with XmlSec
2.0.2 and narrow down where exactly the problem lies. Somehow the inclusion of XmlSec 2.0.2
affects Spring filters or OpenSaml - but it is only yourself who can identify the issue. Pay
the specific attention to any interactions between Spring/OpenSaml and XmlSec. I encourage
you to spend the time on debugging as suggested and let us know the actual course of the problem.

> CXF 3.0.3 rt-security has problems working with latest open saml version (2.6.1)
> --------------------------------------------------------------------------------
>                 Key: CXF-6237
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security, WS-* Components
>    Affects Versions: 3.0.3
>            Reporter: moshiko kasirer
>            Assignee: Colm O hEigeartaigh
> Hi, 
> CXF-rt-ws-security 3.0.3 is working with wss4j of version: 
> <cxf.wss4j.version>2.0.2</cxf.wss4j.version>
> an xmlsec version of version:
> <cxf.xmlsec.bundle.version>2.0.2</cxf.xmlsec.bundle.version>
> and open SAML of version:
> <cxf.opensaml.version>2.6.1</cxf.opensaml.version>
> that is problematic as from one hand CXF 3.0.3 is dependent on XMLSEC version 2.*+ and
throws multiple no method exist exceptions when working with 1.5.5*  XMLSEC versions
> and on the other hand the latest open SAML which is the CXF open saml version (2.6.1)
fails on validating the SAML token when working with XMLSEC version 2.*
> so actually when working with both CXF 3 and OPEN SAML 2.6.1 
> this will happen 
> when working with xmlsec 1.5.*  OPEN SAML works CXF fails   
> when working with xmlsec 2.0.*  CXF works OPEN SAML fails...
> you can see under open saml 2.6.1 that it holds xmlsec version 1.5.6 which is overrided
by CXF and wss4j (2.0.2)
> can you please help me figure out a way to overcome this issue?

This message was sent by Atlassian JIRA

View raw message