[jboss-jira] [JBoss JIRA] (WFLY-13059) org.apache.ws.security exports Jasypt

Brian Stansberry (Jira) issues at jboss.org
Tue Feb 4 13:40:55 EST 2020


    [ https://issues.redhat.com/browse/WFLY-13059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13963544#comment-13963544 ] 

Brian Stansberry commented on WFLY-13059:
-----------------------------------------

[~jim.ma] I'm passing this one over to you as this module only seems relevant to Webservices.

The difficulty I see here is that the org.apache.ws.security module is not a private one, so removing resources from it is a breaking API change.

The org.jboss.as.webservices.server.integration module also depends on and exports org.apache.ws.security, so if jasypt was no longer available via that module, that would also be a breaking change. That module is private though, so that only matters if projects that can layer on top of WildFly, like Keycloak, would care. (That module could also export any new jasypt module if that is what happens.)

> org.apache.ws.security exports Jasypt
> -------------------------------------
>
>                 Key: WFLY-13059
>                 URL: https://issues.redhat.com/browse/WFLY-13059
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web Services
>            Reporter: Philippe Marschall
>            Assignee: Jim Ma
>            Priority: Major
>
> The {{org.apache.ws.security}} module contains the Jasypt JAR and exports it. Jasypt is only used internally by {{org.apache.wss4j.common.crypto.JasyptPasswordEncryptor}} and not used externally.
> Our application has a dependency on {{org.jboss.ws.cxf.jbossws-cxf-client}} which has an exported dependency on {{org.apache.ws.security}} which exports Jasypt. As a consequence the Jasypt from the {{org.apache.ws.security}} module is used instead of the Jasypt from our application.
> We would be willing to work on a patch. We see two possible options:
> # Introduce a dedicated Jasypt module and make {{org.apache.ws.security}} depend on it without exporting it
> # Add a resource filter to the {{org.apache.ws.security}} module like this {code}
>     <exports>
>         <exclude path="org/jasypt/**"/>
>     </exports>
>   {code}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
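
The export chain described in the issue above, as an added example that is not part of the original message or WildFly's own code: a simplified Python model of how `export="true"` dependencies pass package paths on to a deployment, evaluated for the current layout and for the two proposed options. The descriptors and package lists are constructed, and the module name `org.jasypt` used for option 1 is hypothetical.

```python
import fnmatch
import xml.etree.ElementTree as ET

CLIENT = "org.jboss.ws.cxf.jbossws-cxf-client"
WSS = "org.apache.ws.security"
JASYPT = "org.jasypt"  # hypothetical name for the dedicated module of option 1

def descriptor(name, deps="", exports=""):
    # Constructed, cut-down module.xml (xmlns and <resources> omitted).
    return (f'<module name="{name}"><exports>{exports}</exports>'
            f'<dependencies>{deps}</dependencies></module>')

def exported_paths(name, modules, seen=frozenset()):
    """Package paths that module `name` exposes to whatever depends on it."""
    xml_text, own_paths = modules[name]
    root = ET.fromstring(xml_text)
    excludes = [e.get("path") for e in root.findall("{*}exports/{*}exclude")]
    # fnmatch approximates the module.xml glob: '*' also crosses '/' here.
    visible = {p for p in own_paths
               if not any(fnmatch.fnmatchcase(p, pat) for pat in excludes)}
    for dep in root.findall("{*}dependencies/{*}module"):
        dep_name = dep.get("name")
        # Only export="true" dependencies are re-exported; the default is false.
        if dep.get("export") == "true" and dep_name in modules and dep_name not in seen:
            visible |= exported_paths(dep_name, modules, seen | {name})
    return visible

def leaked(modules, root=CLIENT, prefix="org/jasypt/"):
    return sorted(p for p in exported_paths(root, modules) if p.startswith(prefix))

# Second tuple element: constructed stand-in for the package paths in the module's JARs.
WSS_PATHS = ["org/apache/wss4j/common/crypto"]
JASYPT_PATHS = ["org/jasypt/util/text"]
client = (descriptor(CLIENT, f'<module name="{WSS}" export="true"/>'), [])

CURRENT = {CLIENT: client, WSS: (descriptor(WSS), WSS_PATHS + JASYPT_PATHS)}
OPTION_1 = {CLIENT: client,
            WSS: (descriptor(WSS, f'<module name="{JASYPT}"/>'), WSS_PATHS),
            JASYPT: (descriptor(JASYPT), JASYPT_PATHS)}
OPTION_2 = {CLIENT: client,
            WSS: (descriptor(WSS, exports='<exclude path="org/jasypt/**"/>'),
                  WSS_PATHS + JASYPT_PATHS)}

if __name__ == "__main__":
    for label, mods in [("current", CURRENT), ("option 1", OPTION_1), ("option 2", OPTION_2)]:
        print(f"{label}: Jasypt paths reaching the application = {leaked(mods)}")
```

The same walk can be pointed at descriptors read from a server's modules directory to list which server-bundled libraries a deployment inherits through export chains.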

