[
https://issues.jboss.org/browse/WFLY-3253?page=com.atlassian.jira.plugin....
]
Alessio Soldano commented on WFLY-3253:
---------------------------------------
Unfortunately, having Apache Santuario and Apache WSS4J change to avoid relying on the
global security providers is not an option. It is however possible to prevent WSS4J from
installing BC at all, which leaves us with the need for always making available the
algorithms currently provided by BC. This needs to be the default situation, as explained
above. Hence the idea of a custom provider proxying other providers (BC in this case) on a
classloading basis could be a valid solution.
CXF should not be installing BouncyCastle
-----------------------------------------
Key: WFLY-3253
URL:
https://issues.jboss.org/browse/WFLY-3253
Project: WildFly
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Web Services
Reporter: David Lloyd
Assignee: Alessio Soldano
Priority: Critical
Fix For: 9.0.0.Beta1
CXF installs a BouncyCastle provider globally into the security providers list. This
causes performance and other problems when this provider gets chosen for whatever reason
to be the system crypto provider for e.g. TLS.
The list of globally installed security providers should be a user concern only. If CXF
requires a specific provider for a specific purpose, it should be selecting that provider
when constructing the crypto API object, though generally this is to be discouraged.
Ultimately we want to introduce a configuration in the app server that allows the list of
security providers to be specified in some way, without interference from any frameworks
that we happen to have installed.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
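
An added illustration (not code from the issue, CXF, WSS4J or WildFly) of the difference the description draws between installing a provider globally and selecting it when constructing the crypto API object. DemoProvider and DemoSha256 are hypothetical stand-ins for a framework-supplied provider such as BC; the example assumes JDK 9+ with the built-in "SUN" provider, and inserts at position 1 only to make the effect deterministic.

```java
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.Provider;
import java.security.Security;

public class ProviderScopeDemo {
    // Hypothetical provider standing in for one a framework ships (constructed for this example).
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("Demo", "1.0", "constructed provider for illustration");
            put("MessageDigest.SHA-256", DemoSha256.class.getName());
        }
    }

    // Minimal SPI that delegates to the JDK implementation, so digests stay correct.
    public static final class DemoSha256 extends MessageDigestSpi {
        private final MessageDigest jdk;
        public DemoSha256() throws Exception { jdk = MessageDigest.getInstance("SHA-256", "SUN"); }
        @Override protected void engineUpdate(byte b) { jdk.update(b); }
        @Override protected void engineUpdate(byte[] in, int off, int len) { jdk.update(in, off, len); }
        @Override protected byte[] engineDigest() { return jdk.digest(); }
        @Override protected void engineReset() { jdk.reset(); }
    }

    // What unrelated code in the same JVM gets when it does not name a provider.
    static String defaultSha256Provider() throws Exception {
        return MessageDigest.getInstance("SHA-256").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        Provider demo = new DemoProvider();
        System.out.println("before install:  " + defaultSha256Provider());

        // Scoped selection: the caller passes the provider; the global list is untouched.
        MessageDigest scoped = MessageDigest.getInstance("SHA-256", demo);
        System.out.println("scoped lookup:   " + scoped.getProvider().getName());
        System.out.println("default after:   " + defaultSha256Provider());

        // Global installation: every lookup in the JVM that names no provider is now affected.
        Security.insertProviderAt(demo, 1);
        System.out.println("global install:  " + defaultSha256Provider());

        // Removing the provider restores the previous selection.
        Security.removeProvider(demo.getName());
        System.out.println("after removal:   " + defaultSha256Provider());
    }
}
```

Printing the result of Security.getProviders() at application startup and again after the web services stack has initialised is a quick way to see whether a framework has altered the list.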