[
https://issues.redhat.com/browse/WFLY-13059?page=com.atlassian.jira.plugi...
]
Brian Stansberry commented on WFLY-13059:
-----------------------------------------
[~jim.ma] I'm passing this one over to you as this module only seems relevant to
Webservices.
The difficulty I see here is the org.apache.ws.security module is not a private one so
removing resources from it is a breaking API change.
The org.jboss.as.webservices.server.integration module also depends on and exports
org.apache.ws.security, so if jasypt was no longer available via that module that would
also be a breaking change. That module is private though so that only matters if projects
that can layer on top of WildFly like keycloak would care. (That module could also export
any new jasypt module if that is what happens.)
org.apache.ws.security exports Jasypt
-------------------------------------
Key: WFLY-13059
URL:
https://issues.redhat.com/browse/WFLY-13059
Project: WildFly
Issue Type: Bug
Components: Web Services
Reporter: Philippe Marschall
Assignee: Jim Ma
Priority: Major
The {{org.apache.ws.security}} module contains the Jasypt JAR and exports it. Jasypt is
only used internally by {{org.apache.wss4j.common.crypto.JasyptPasswordEncryptor}} and not
used externally.
Our application has a dependency on {{org.jboss.ws.cxf.jbossws-cxf-client}} which has an
exported dependency on {{org.apache.ws.security}} which exports Jasypt. As a consequence
the Jasypt from the {{org.apache.ws.security}} module is used instead of the Jasypt from
our application.
We would be willing to work on a patch. We see two possible options:
# Introduce a dedicated Jasypt module and make {{org.apache.ws.security}} depend on it
without exporting it
# Add a resource filter to the {{org.apache.ws.security}} module like this {code}
<exports>
<exclude path="org/jasypt/**"/>
</exports>
{code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)