[jboss-jira] [JBoss JIRA] (WFLY-13059) org.apache.ws.security exports Jasypt

Jim Ma (Jira) issues at jboss.org
Mon Mar 16 06:27:40 EDT 2020 

    [ https://issues.redhat.com/browse/WFLY-13059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13998289#comment-13998289 ] 

Jim Ma edited comment on WFLY-13059 at 3/16/20 6:24 AM:
--------------------------------------------------------

[~pmm]  I think this would be good that we provide a dedicated module for Jasypt and still export to ws security module. This will allow the old application with jbossws-cxf-client module dependency added can still access jasypt classes. If other application likes yours doesn't want this jasypt export dependency , it can be excluded with one line exclusion config in jboss-deployment-structure.xml.


was (Author: jim.ma):
[~pmm]  I think this would be good if we provide a dedicated module for Jasypt and still export to ws security module. This will allow the application with jbossws-cxf-client module dependency  can still access jasypt  classes. If other the application likes yours doesn't want this jasypt export dependency , it can be excluded with one line exclusion config  in jboss-deployment-structure.xml.  

> org.apache.ws.security exports Jasypt
> -------------------------------------
>
>                 Key: WFLY-13059
>                 URL: https://issues.redhat.com/browse/WFLY-13059
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web Services
>            Reporter: Philippe Marschall
>            Assignee: Jim Ma
>            Priority: Major
>
> The {{org.apache.ws.security}} module contains the Jasypt JAR and exports it. Jasypt is only used internally by {{org.apache.wss4j.common.crypto.JasyptPasswordEncryptor}} and not used externally.
> Our application has a dependency on {{org.jboss.ws.cxf.jbossws-cxf-client}} which has an exported dependency on {{org.apache.ws.security}} which exports Jasypt. As a consequence the Jasypt from the {{org.apache.ws.security}} module is used instead of the Jasypt from our application.
> We would be willing to work on a patch. We see two possible options:
> # Introduce a dedicated Jasypt module and make {{org.apache.ws.security}} depend on it without exporting it
> # Add a resource filter to the {{org.apache.ws.security}} module like this {code}
>     <exports>
> 	    <exclude path="org/jasypt/**"/>
>     </exports>
>   {code}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the jboss-jira mailing list