[jboss-jira] [JBoss JIRA] (WFLY-3253) CXF should not be installing BouncyCastle

Alessio Soldano (JIRA) issues at jboss.org
Thu Nov 13 09:59:29 EST 2014 

    [ https://issues.jboss.org/browse/WFLY-3253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13019646#comment-13019646 ] 

Alessio Soldano edited comment on WFLY-3253 at 11/13/14 9:58 AM:
-----------------------------------------------------------------

Marking as solved; WFLY-4019 pulls Apache CXF 3.0.2 which is not installing BouncyCastle anymore (it's installing a ThreadLocalSecurityProvider which the ws stack sets and unsets a BC provider instance in, just before and after actual need)


was (Author: asoldano):
Marking as solved; WFLY-4019 pulls Apache CXF 3.0.2 and is not installing BouncyCastle anymore (it's installing a ThreadLocalSecurityProvider which the ws stack sets and unsets a BC provider instance just before and after actual need)

> CXF should not be installing BouncyCastle
> -----------------------------------------
>
>                 Key: WFLY-3253
>                 URL: https://issues.jboss.org/browse/WFLY-3253
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web Services
>            Reporter: David Lloyd
>            Assignee: Alessio Soldano
>            Priority: Critical
>             Fix For: 9.0.0.Beta1
>
>
> CXF installs a BouncyCastle provider globally into the security providers list.  This is causes performance and other problems when this provider gets chosen for whatever reason to be the system crypto provider for e.g. TLS.
> The list of globally installed security providers should be a user concern only.  If CXF requires a specific provider for a specific purpose, it should be selecting that provider when constructing the crytpo API object, though generally this is to be discouraged.
> Ultimately we want to introduce a configuration in the app server that allows the list of security providers to be specified in some way, without interference from any frameworks that we happen to have installed.



--
This message was sent by Atlassian JIRA
(v6.3.8#6338)

More information about the jboss-jira mailing list