[jboss-jira] [JBoss JIRA] (WFLY-3253) CXF should not be installing BouncyCastle
David Lloyd (JIRA)
issues at jboss.org
Tue May 13 14:12:56 EDT 2014
[ https://issues.jboss.org/browse/WFLY-3253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12967594#comment-12967594 ]
David Lloyd commented on WFLY-3253:
-----------------------------------
It still needs to be possible to let the application server define what security providers exist and are visible. Maybe it is possible to have CXF use a security provider that is not globally installed. In this case you'd be able to use the specific implementation without affecting what other frameworks are using.
The following statements are all true:
* GCM is provided by some JDKs (maybe even Sun JDK 8, I don't recall)
* GCM may be provided by providers other than BC or the JDK
* Our frameworks (especially those in the app server) should not rely on the global security providers (instead this should be configurable to be overridden, preferably by module even)
* User deployments should only see security providers that they want to see
> CXF should not be installing BouncyCastle
> -----------------------------------------
>
> Key: WFLY-3253
> URL: https://issues.jboss.org/browse/WFLY-3253
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web Services
> Reporter: David Lloyd
> Assignee: Alessio Soldano
> Priority: Critical
> Fix For: 8.1.0.Final
>
>
> CXF installs a BouncyCastle provider globally into the security providers list. This causes performance and other problems when this provider gets chosen for whatever reason to be the system crypto provider for e.g. TLS.
> The list of globally installed security providers should be a user concern only. If CXF requires a specific provider for a specific purpose, it should be selecting that provider when constructing the crypto API object, though generally this is to be discouraged.
> Ultimately we want to introduce a configuration in the app server that allows the list of security providers to be specified in some way, without interference from any frameworks that we happen to have installed.
--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
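The comment above suggests that CXF could use a provider "that is not globally installed". The JCA supports exactly that: `Cipher.getInstance(transformation, Provider)` takes a `Provider` instance directly, with no need to register it via `java.security.Security`, so the rest of the JVM (including the TLS stack) never sees it. The following is an added example written for this page, not code from CXF, WSS4J or WildFly. It assumes `bcprov` is on the classpath and a JDK whose SunJCE supplies `AES/GCM/NoPadding` (JDK 8 and later do); the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Example only: scoped vs. global use of a JCA provider (not CXF/WildFly code). */
public class ScopedProviderDemo {

    /** Name of the provider the JCA picks for a transformation when the caller names none. */
    static String resolvedProvider(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** AES-GCM encrypt with an explicit Provider instance; nothing is registered globally. */
    static byte[] gcmEncryptWith(Provider p, SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", p);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(plaintext);
    }

    /** AES-GCM decrypt using whatever the default (JDK-managed) provider list resolves. */
    static byte[] gcmDecryptDefault(SecretKey key, byte[] iv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // A BC instance that is never added to the global provider list.
        Provider bc = new BouncyCastleProvider();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // 128-bit key: works under the default JCE policy
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12]; // 96-bit GCM nonce (constructed sample input)
        new SecureRandom().nextBytes(iv);
        byte[] msg = "scoped provider demo".getBytes(StandardCharsets.UTF_8);

        // 1. Scoped use: BC does the work, but is invisible to the rest of the JVM.
        byte[] ct = gcmEncryptWith(bc, key, iv, msg);
        System.out.println("BC registered globally? " + (Security.getProvider("BC") != null));
        System.out.println("default AES/GCM provider: " + resolvedProvider("AES/GCM/NoPadding"));

        // Output is plain AES-GCM, so the JDK's own implementation decrypts it fine:
        // using a scoped provider costs nothing in interoperability.
        byte[] pt = gcmDecryptDefault(key, iv, ct);
        System.out.println("round-trip ok? " + Arrays.equals(msg, pt));

        // 2. The pattern the issue objects to: global registration, here at the front
        //    of the list. From now on every caller that omits the provider argument,
        //    including internal lookups made by other frameworks or the TLS stack,
        //    may be served by BC instead of the JDK implementation.
        Security.insertProviderAt(bc, 1);
        System.out.println("default AES/GCM provider after global install: "
                + resolvedProvider("AES/GCM/NoPadding"));
        Security.removeProvider("BC"); // cleanup for the demo only
    }
}
```

Note the difference between the two `getInstance` overloads: `Cipher.getInstance(alg, "BC")` (a provider *name*) only works once the provider has been registered globally, whereas `Cipher.getInstance(alg, providerInstance)` works with an unregistered instance, which is what keeps the global list under the server's (or user's) control as the comment asks for. Whether a global `addProvider` (appended at the end) or `insertProviderAt(p, 1)` (placed first) is used decides how likely the framework's provider is to be picked for unrelated operations; the example deliberately shows the front-of-list case to make the effect visible.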