[ https://issues.apache.org/jira/browse/CXF-6237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303951#comment-14303951 ]
Sergey Beryozkin commented on CXF-6237: --------------------------------------- The only thing you will achieve with this is to block yourself from upgrading to newer/better CXF version whose only 'fault' is that it ships a newer version of XmlSec. It is not a CXF issue, something you need to accept. CXF is likely uses a different OpenSaml execution path or it may've been updated to be able to work with XMLSec 2.0.2. But I can see that this issue can present a challenge in some cases such as yours where CXF is combined with other solutions where OpenSaml and/or XmlSec are also used. The right thing to do is to get the source of OpenSaml 2.6.1 (you have it), XmlSec (1.5, 2.0.2, easy to get) and the relevant Spring code. Next - debug the execution chain with XmlSec 1.5 first, starting from the top Spring filter and check all the relevant details (the interaction between Spring, OpenSaml, XmlSec, and note why exactly a list of credentials is not empty there). Next repeat the same with XmlSec 2.0.2 and narrow down where exactly the problem lies. Somehow the inclusion of XmlSec 2.0.2 affects Spring filters or OpenSaml - but it is only yourself who can identify the issue. Pay the specific attention to any interactions between Spring/OpenSaml and XmlSec. I encourage you to spend the time on debugging as suggested and let us know the actual course of the problem. > CXF 3.0.3 rt-security has problems working with latest open saml version > (2.6.1) > -------------------------------------------------------------------------------- > > Key: CXF-6237 > URL: https://issues.apache.org/jira/browse/CXF-6237 > Project: CXF > Issue Type: Bug > Components: JAX-RS Security, WS-* Components > Affects Versions: 3.0.3 > Reporter: moshiko kasirer > Assignee: Colm O hEigeartaigh > > Hi, > CXF-rt-ws-security 3.0.3 is working with wss4j of version: > <cxf.wss4j.version>2.0.2</cxf.wss4j.version> > an xmlsec version of version: > <cxf.xmlsec.bundle.version>2.0.2</cxf.xmlsec.bundle.version> > and open SAML of version: > <cxf.opensaml.version>2.6.1</cxf.opensaml.version> > that is problematic as from one hand CXF 3.0.3 is dependent on XMLSEC version > 2.*+ and throws multiple no method exist exceptions when working with 1.5.5* > XMLSEC versions > and on the other hand the latest open SAML which is the CXF open saml version > (2.6.1) fails on validating the SAML token when working with XMLSEC version > 2.* > so actually when working with both CXF 3 and OPEN SAML 2.6.1 > this will happen > when working with xmlsec 1.5.* OPEN SAML works CXF fails > when working with xmlsec 2.0.* CXF works OPEN SAML fails... > you can see under open saml 2.6.1 that it holds xmlsec version 1.5.6 which is > overrided by CXF and wss4j (2.0.2) > can you please help me figure out a way to overcome this issue? -- This message was sent by Atlassian JIRA (v6.3.4#6332)