[
https://issues.apache.org/jira/browse/CXF-6237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303951#comment-14303951
]
Sergey Beryozkin commented on CXF-6237:
---------------------------------------
The only thing you will achieve with this is to block yourself from upgrading
to newer/better CXF version whose only 'fault' is that it ships a newer version
of XmlSec. It is not a CXF issue, something you need to accept. CXF is likely
uses a different OpenSaml execution path or it may've been updated to be able
to work with XMLSec 2.0.2.
But I can see that this issue can present a challenge in some cases such as
yours where CXF is combined with other solutions where OpenSaml and/or XmlSec
are also used.
The right thing to do is to get the source of OpenSaml 2.6.1 (you have it),
XmlSec (1.5, 2.0.2, easy to get) and the relevant Spring code.
Next - debug the execution chain with XmlSec 1.5 first, starting from the top
Spring filter and check all the relevant details (the interaction between
Spring, OpenSaml, XmlSec, and note why exactly a list of credentials is not
empty there). Next repeat the same with XmlSec 2.0.2 and narrow down where
exactly the problem lies. Somehow the inclusion of XmlSec 2.0.2 affects Spring
filters or OpenSaml - but it is only yourself who can identify the issue. Pay
the specific attention to any interactions between Spring/OpenSaml and XmlSec.
I encourage you to spend the time on debugging as suggested and let us know the
actual course of the problem.
> CXF 3.0.3 rt-security has problems working with latest open saml version
> (2.6.1)
> --------------------------------------------------------------------------------
>
> Key: CXF-6237
> URL: https://issues.apache.org/jira/browse/CXF-6237
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security, WS-* Components
> Affects Versions: 3.0.3
> Reporter: moshiko kasirer
> Assignee: Colm O hEigeartaigh
>
> Hi,
> CXF-rt-ws-security 3.0.3 is working with wss4j of version:
> <cxf.wss4j.version>2.0.2</cxf.wss4j.version>
> an xmlsec version of version:
> <cxf.xmlsec.bundle.version>2.0.2</cxf.xmlsec.bundle.version>
> and open SAML of version:
> <cxf.opensaml.version>2.6.1</cxf.opensaml.version>
> that is problematic as from one hand CXF 3.0.3 is dependent on XMLSEC version
> 2.*+ and throws multiple no method exist exceptions when working with 1.5.5*
> XMLSEC versions
> and on the other hand the latest open SAML which is the CXF open saml version
> (2.6.1) fails on validating the SAML token when working with XMLSEC version
> 2.*
> so actually when working with both CXF 3 and OPEN SAML 2.6.1
> this will happen
> when working with xmlsec 1.5.* OPEN SAML works CXF fails
> when working with xmlsec 2.0.* CXF works OPEN SAML fails...
> you can see under open saml 2.6.1 that it holds xmlsec version 1.5.6 which is
> overrided by CXF and wss4j (2.0.2)
> can you please help me figure out a way to overcome this issue?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
