[jboss-jira] [JBoss JIRA] (WFLY-3253) CXF should not be installing BouncyCastle

Alessio Soldano (JIRA) issues at jboss.org
Tue May 13 16:10:56 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12967631#comment-12967631 ] 

Alessio Soldano commented on WFLY-3253:
---------------------------------------

Apache CXF relies on Apache WSS4J for anything related to WS-Security. WSS4J registers the BC provider (as well as the ApacheXMLDSig provider) and then relies on Apache Santuario for anything related to crypto. So, what you're describing here would basically mean to figure out if there's a way for making Santuario use a custom set of algorithm impls / security providers, while disabling the registration methods currently in place in WSS4J.
I agree that GCM (and in general any additional required algorithm impl) should be consumable by different providers. By default, though, we should make that available, regardless of the JDK in use. By default we should provide a configuration that allows using the secure algorithms, etc.
Do you have anything specific in mind regarding how the providers visible to a given deployment or a given module should be configured? Should I have e.g. a module for security provider libraries and something in the webservices subsystem to specify the name of the providers to "use"?

> CXF should not be installing BouncyCastle
> -----------------------------------------
>
>                 Key: WFLY-3253
>                 URL: https://issues.jboss.org/browse/WFLY-3253
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web Services
>            Reporter: David Lloyd
>            Assignee: Alessio Soldano
>            Priority: Critical
>             Fix For: 8.1.0.Final
>
>
> CXF installs a BouncyCastle provider globally into the security providers list.  This causes performance and other problems when this provider gets chosen for whatever reason to be the system crypto provider for e.g. TLS.
> The list of globally installed security providers should be a user concern only.  If CXF requires a specific provider for a specific purpose, it should be selecting that provider when constructing the crypto API object, though generally this is to be discouraged.
> Ultimately we want to introduce a configuration in the app server that allows the list of security providers to be specified in some way, without interference from any frameworks that we happen to have installed.
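The two registration patterns contrasted in this thread, shown as an added example that is not code from the issue, from CXF or from WSS4J: the global install (which makes the inserted provider the answer to every `getInstance` lookup it can serve, TLS included if it implements it) beside the scoped alternative of handing a `Provider` instance to `Cipher.getInstance` without registering it. It assumes only the JDK (Java 9+ for `getVersionStr`) and loads the BouncyCastle provider reflectively by its standard class name `org.bouncycastle.jce.provider.BouncyCastleProvider` so it compiles and runs whether or not BC is on the classpath; inserting at position 1 is an illustrative choice for "globally installed", not a claim about the position WSS4J uses.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class ProviderScopeDemo {

    // Standard class name of the BouncyCastle JCE provider. Loaded reflectively so this file
    // compiles without BC on the classpath (assumption: this is the provider class at issue).
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Prints the global provider list in priority order; every Cipher.getInstance(alg) walks it. */
    static void dumpProviders(String label) {
        System.out.println("-- " + label);
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.printf("  %d. %s %s%n", i + 1, ps[i].getName(), ps[i].getVersionStr());
        }
    }

    /** Diagnostic check: which provider the JVM picks for TLS and AES-GCM when none is named. */
    static void reportDefaults() throws GeneralSecurityException {
        SSLContext tls = SSLContext.getInstance("TLS");
        System.out.println("TLS SSLContext served by: " + tls.getProvider().getName());
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        System.out.println("AES/GCM/NoPadding served by: " + gcm.getProvider().getName());
    }

    /** Instantiates the BC provider object without touching the global list; null if BC is absent. */
    static Provider loadBcUnregistered() {
        try {
            return (Provider) Class.forName(BC_CLASS).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    /** Scoped pattern: ask one specific Provider instance for the algorithm, global list untouched. */
    static Cipher scopedCipher(Provider p, String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation, p);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        dumpProviders("JDK defaults before any framework registration");
        reportDefaults();

        Provider bc = loadBcUnregistered();
        if (bc == null) {
            System.out.println("BC not on classpath; the list above is what a clean JVM resolves against");
            return;
        }

        // Scoped use: AES-GCM from BC for this one Cipher object only. The defaults that follow
        // are unchanged because BC was never added to Security's provider list.
        Cipher scoped = scopedCipher(bc, "AES/GCM/NoPadding");
        System.out.println("scoped AES-GCM served by: " + scoped.getProvider().getName());
        reportDefaults();

        // Global pattern the issue objects to: at position 1 the provider wins every lookup it
        // implements (AES-GCM moves to BC here; TLS moves too only if the inserted provider
        // also implements SSLContext, which the bcprov jar alone does not).
        Security.insertProviderAt(bc, 1);
        dumpProviders("after global registration at position 1");
        reportDefaults();

        // A deployment that wants the original list back can drop the provider by name.
        Security.removeProvider(bc.getName());
        dumpProviders("after Security.removeProvider");
        reportDefaults();
    }
}
```

Run it twice, once with and once without bcprov on the classpath, and compare the `served by:` lines: the scoped call changes only the object it was asked for, while `insertProviderAt` changes the answer for every caller in the JVM, which is the interference the issue wants kept under the administrator's control rather than a framework's.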



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)

