On Mon May 11 2009 7:16:46 pm David Jencks wrote:
Version 140 and later in maven have the patent covered algorithms removed.
> On May 11, 2009, at 3:24 PM, rahul.soa wrote:
> > Hello everyone,
> > As you know I am working on the support of ws-security module, so I
> > did some research about integrating the modules in Apache Geronimo
> > for the same.
> > For the integrating/enabling WS-Security support, I think we need to
> > have the following jars and modules in Geronimo:
> > Apache CXF:
> > For WS-Security support we need to have following jar files from the
> > CXF:
> > - bcprov-jdk15.jar
> Previously when we used some bouncy castle classes the jar included
> some classes that may well have infringed some us patents. I think I
> saw somewhere that bouncy castle had finally released a jar without
> thses classes. We should verify that this jar does not contain these
> classes. Also, we have copies of a bunch of the bc classes we need
> for other purposes in the geronimo-crypto module, so we should check
> that we don't already have the needed classes.
Not an issue anymore.
xmlsec uses some of the internal xalan classes. I could never get a good
> > - xalan.jar
> really? I'd like to know why the xml transform support in the jdk is
> not sufficient.
reason as to why.
> > - serializer.jar
This goes with Xalan.
> > - wss4j.jar
> > - xmlsec.jar
Note: all of those jars will be required for Axis2 as well.
Correct. However, for unit tests and such, we can PROBABLY use less secure
> > Apache Axis2
> > 1. We need to integrate "Rampart*" module of axis2,
> > 2. for step 1, need to download the Java Cryptography Extension
> > (JCE) Unlimited Strength Jurisdiction Policy Files corresponding to
> > JDK version and extract the jar files local_policy.jar and
> > US_export_policy.jar to $JAVA_HOME/jre/lib/security
> These are not something we can include, right? they'd have to be
> installed by the end user?
algorithms. I have someone looking into the same issue for the CXF test
cases. We don't want to make every developer have to install the strong
crypto libraries. Basically, if the user needs the strong crypto stuff, they
WILL need to download and install the strong crypto libs from Sun.
> > 3. for step 1, need to download bouncycastle according to java
> > version separately
> > *Rampart is the security module of Axis2
> > Please let me know if I am missing something and please also guide
> > me how can I get them in Geronimo.
> That depends partly on the classloader relationships needed between
> the main cxf/axis2 jars and these new ones. If appropriate cxf/axis2
> jars and these jars can be in a classloader that is a child of the cxf/
> axis2 "main" plugin classloaders, you should probably make cxf-wss and
> axis2-wss plugins with all the security related jars as dependencies.
> If this doesn't work and the classes need to be in the main cxf/axis2
> plugin classloader then you probably need to just add these as
> david jencks
> > Thanks in advance.
> > Regards,
> > Rahul